aws-cloudformation-dynamodb

AWS CloudFormation DynamoDB

Overview

Create production-ready NoSQL database infrastructure using AWS CloudFormation templates. This skill covers DynamoDB tables, primary keys, secondary indexes (GSI/LSI), capacity modes, auto-scaling, encryption, TTL, streams, and best practices for parameters, outputs, and cross-stack references.

When to Use

Use this skill when:
  • Creating new DynamoDB tables with CloudFormation
  • Configuring primary keys (partition key, sort key)
  • Creating Global Secondary Indexes (GSI) and Local Secondary Indexes (LSI)
  • Setting up capacity modes (on-demand or provisioned)
  • Implementing auto-scaling with Application Auto Scaling
  • Enabling point-in-time recovery and backup
  • Configuring encryption at rest and in transit
  • Setting up TTL for automatic data expiration
  • Enabling DynamoDB Streams for change data capture
  • Organizing templates with Parameters, Outputs, Mappings, Conditions
  • Implementing cross-stack references with export/import
  • Using Transform for macros and reuse

CloudFormation Template Structure

Base Template with Standard Format

```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: DynamoDB table with GSI and auto-scaling

Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Table Configuration
        Parameters:
          - TableName
          - Environment
          - ProjectName
          - BillingMode
          - PrimaryKeyName
          - PrimaryKeyType
      - Label:
          default: Capacity Settings
        Parameters:
          - ReadCapacityUnits
          - WriteCapacityUnits
          - MinReadCapacity
          - MaxReadCapacity
          - TargetUtilizationPercent

Parameters:
  TableName:
    Type: String
    Default: my-dynamodb-table
    Description: Name of the DynamoDB table

  # Referenced by the Conditions, the CapacityConfig mapping and the Tags below
  Environment:
    Type: String
    Default: dev
    AllowedValues:
      - dev
      - staging
      - production
    Description: Deployment environment

  ProjectName:
    Type: String
    Default: my-project
    Description: Project name used for tagging

  BillingMode:
    Type: String
    Default: PAY_PER_REQUEST
    AllowedValues:
      - PAY_PER_REQUEST
      - PROVISIONED
    Description: Billing mode for the table

  PrimaryKeyName:
    Type: String
    Default: pk
    Description: Name of the partition key attribute

  PrimaryKeyType:
    Type: String
    Default: S
    # AttributeType accepts only the bare type codes, so the allowed values
    # must be S / N / B rather than "S (String)"
    AllowedValues:
      - S
      - N
      - B
    Description: Type of the partition key attribute (S = String, N = Number, B = Binary)

  # The capacity parameters are exposed to operators through the Interface above;
  # the table itself takes its capacity from the CapacityConfig mapping keyed by Environment
  ReadCapacityUnits:
    Type: Number
    Default: 5
    Description: Read capacity units (required for PROVISIONED mode)

  WriteCapacityUnits:
    Type: Number
    Default: 5
    Description: Write capacity units (required for PROVISIONED mode)

  MinReadCapacity:
    Type: Number
    Default: 5
    Description: Minimum read capacity for auto-scaling

  MaxReadCapacity:
    Type: Number
    Default: 100
    Description: Maximum read capacity for auto-scaling

  TargetUtilizationPercent:
    Type: Number
    Default: 70
    Description: Target utilization percentage for auto-scaling

Mappings:
  CapacityConfig:
    dev:
      ReadCapacity: 5
      WriteCapacity: 5
      MinRead: 5
      MaxRead: 20
      MinWrite: 5
      MaxWrite: 20
    staging:
      ReadCapacity: 10
      WriteCapacity: 10
      MinRead: 10
      MaxRead: 50
      MinWrite: 10
      MaxWrite: 50
    production:
      ReadCapacity: 25
      WriteCapacity: 25
      MinRead: 25
      MaxRead: 200
      MinWrite: 25
      MaxWrite: 200

Conditions:
  IsProvisioned: !Equals [!Ref BillingMode, PROVISIONED]
  IsDev: !Equals [!Ref Environment, dev]

Resources:
  # DynamoDB Table
  MyDynamoDBTable:
    Type: AWS::DynamoDB::Table
    # Keep the table (and its data) if the stack is deleted or the resource is replaced
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Properties:
      TableName: !Ref TableName
      BillingMode: !Ref BillingMode
      AttributeDefinitions:
        - AttributeName: !Ref PrimaryKeyName
          AttributeType: !Ref PrimaryKeyType
        - AttributeName: sk
          AttributeType: S
        - AttributeName: gsi_pk
          AttributeType: S
        - AttributeName: gsi_sk
          AttributeType: S
      KeySchema:
        - AttributeName: !Ref PrimaryKeyName
          KeyType: HASH
        - AttributeName: sk
          KeyType: RANGE
      GlobalSecondaryIndexes:
        - IndexName: GSI
          KeySchema:
            - AttributeName: gsi_pk
              KeyType: HASH
            - AttributeName: gsi_sk
              KeyType: RANGE
          Projection:
            ProjectionType: ALL
          # ProvisionedThroughput is only allowed in PROVISIONED mode; drop it otherwise
          ProvisionedThroughput: !If
            - IsProvisioned
            - ReadCapacityUnits: !FindInMap [CapacityConfig, !Ref Environment, ReadCapacity]
              WriteCapacityUnits: !FindInMap [CapacityConfig, !Ref Environment, WriteCapacity]
            - !Ref AWS::NoValue
      ProvisionedThroughput: !If
        - IsProvisioned
        - ReadCapacityUnits: !FindInMap [CapacityConfig, !Ref Environment, ReadCapacity]
          WriteCapacityUnits: !FindInMap [CapacityConfig, !Ref Environment, WriteCapacity]
        - !Ref AWS::NoValue
      StreamSpecification:
        StreamViewType: NEW_AND_OLD_IMAGES
      TimeToLiveSpecification:
        AttributeName: ttl
        Enabled: true
      PointInTimeRecoverySpecification:
        PointInTimeRecoveryEnabled: true
      SSESpecification:
        SSEEnabled: true
        # KMS is the only SSEType CloudFormation accepts for DynamoDB; without a
        # KMSMasterKeyId the AWS managed key aws/dynamodb is used
        SSEType: KMS
      Tags:
        - Key: Environment
          Value: !Ref Environment
        - Key: Project
          Value: !Ref ProjectName

Outputs:
  TableName:
    Description: Name of the DynamoDB table
    Value: !Ref MyDynamoDBTable
    Export:
      Name: !Sub "${AWS::StackName}-TableName"

  TableArn:
    Description: ARN of the DynamoDB table
    Value: !GetAtt MyDynamoDBTable.Arn
    Export:
      Name: !Sub "${AWS::StackName}-TableArn"

  TableStreamArn:
    Description: ARN of the DynamoDB table stream
    Value: !GetAtt MyDynamoDBTable.StreamArn
    Export:
      Name: !Sub "${AWS::StackName}-TableStreamArn"
```

Best Practices for Parameters

AWS-Specific Parameter Types

```yaml
Parameters:
  # CloudFormation has no AWS-specific parameter types for DynamoDB, KMS or IAM ARNs
  # (the built-in ones cover EC2, Route 53 and SSM). Validate ARNs with String plus
  # AllowedPattern so a wrong value fails at stack creation instead of at first use.
  TableName:
    Type: String
    Description: Name of the DynamoDB table
    AllowedPattern: "[a-zA-Z0-9_.-]{3,255}"

  # A genuine AWS-specific type: the table name is read from SSM Parameter Store
  # at deploy time (the parameter path is a placeholder)
  TableNameFromSSM:
    Type: AWS::SSM::Parameter::Value<String>
    Default: /myapp/dynamodb/table-name
    Description: SSM parameter holding the name of an existing DynamoDB table

  TableArn:
    Type: String
    Description: ARN of existing DynamoDB table
    AllowedPattern: "arn:aws[a-z-]*:dynamodb:[a-z0-9-]+:[0-9]{12}:table/[a-zA-Z0-9_.-]+"

  TableStreamArn:
    Type: String
    Description: Stream ARN of DynamoDB table
    AllowedPattern: "arn:aws[a-z-]*:dynamodb:[a-z0-9-]+:[0-9]{12}:table/[a-zA-Z0-9_.-]+/stream/.+"

  KMSKeyArn:
    Type: String
    Description: KMS key for server-side encryption
    AllowedPattern: "arn:aws[a-z-]*:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+"

  IAMRoleArn:
    Type: String
    Description: IAM role for DynamoDB access
    AllowedPattern: "arn:aws[a-z-]*:iam::[0-9]{12}:role/.+"
```

Parameter Constraints

```yaml
Parameters:
  TableName:
    Type: String
    Default: my-table
    Description: DynamoDB table name
    ConstraintDescription: Must be 3-255 characters, alphanumeric and underscores
    MinLength: 3
    MaxLength: 255
    AllowedPattern: "[a-zA-Z0-9_]+"

  ReadCapacityUnits:
    Type: Number
    Default: 5
    Description: Read capacity units
    MinValue: 1
    MaxValue: 40000
    ConstraintDescription: Must be between 1 and 40000

  WriteCapacityUnits:
    Type: Number
    Default: 5
    Description: Write capacity units
    MinValue: 1
    MaxValue: 40000
    ConstraintDescription: Must be between 1 and 40000

  BillingMode:
    Type: String
    Default: PAY_PER_REQUEST
    Description: Billing mode
    AllowedValues:
      - PAY_PER_REQUEST
      - PROVISIONED
```

Outputs and Cross-Stack References

Export/Import Patterns


Stack A - Database Stack

```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: DynamoDB table infrastructure stack

Resources:
  MyDynamoDBTable:
    Type: AWS::DynamoDB::Table
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Properties:
      TableName: !Sub "${AWS::StackName}-table"
      BillingMode: PROVISIONED
      AttributeDefinitions:
        - AttributeName: pk
          AttributeType: S
        - AttributeName: sk
          AttributeType: S
      KeySchema:
        - AttributeName: pk
          KeyType: HASH
        - AttributeName: sk
          KeyType: RANGE
      ProvisionedThroughput:
        ReadCapacityUnits: 10
        WriteCapacityUnits: 10
      # The stream must be enabled here, otherwise the StreamArn output below cannot resolve
      StreamSpecification:
        StreamViewType: NEW_AND_OLD_IMAGES
      SSESpecification:
        SSEEnabled: true

Outputs:
  TableName:
    Description: Name of the DynamoDB table
    Value: !Ref MyDynamoDBTable
    Export:
      Name: !Sub "${AWS::StackName}-TableName"

  TableArn:
    Description: ARN of the DynamoDB table
    Value: !GetAtt MyDynamoDBTable.Arn
    Export:
      Name: !Sub "${AWS::StackName}-TableArn"

  TableStreamArn:
    Description: Stream ARN for Lambda triggers
    Value: !GetAtt MyDynamoDBTable.StreamArn
    Export:
      Name: !Sub "${AWS::StackName}-TableStreamArn"
```

Stack B - Application Stack (imports from Stack A)

```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: Application stack using DynamoDB table

Parameters:
  DatabaseStackName:
    Type: String
    Default: database-stack
    Description: Name of the database stack

  CodeBucket:
    Type: String
    Description: S3 bucket holding the Lambda deployment packages

Resources:
  # AWS::Lambda::Function has no SAM-style Policies property; permissions come from an
  # execution role scoped to the imported table ARN and stream ARN
  ProcessorRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: dynamodb-table-access
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - dynamodb:GetItem
                  - dynamodb:Query
                  - dynamodb:PutItem
                  - dynamodb:UpdateItem
                Resource:
                  Fn::ImportValue: !Sub "${DatabaseStackName}-TableArn"
              - Effect: Allow
                Action:
                  - dynamodb:DescribeStream
                  - dynamodb:GetRecords
                  - dynamodb:GetShardIterator
                  - dynamodb:ListStreams
                Resource:
                  Fn::ImportValue: !Sub "${DatabaseStackName}-TableStreamArn"

  # Lambda function that uses DynamoDB
  DataProcessorFunction:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: !Sub "${AWS::StackName}-processor"
      Runtime: python3.11
      Handler: handler.handler
      Role: !GetAtt ProcessorRole.Arn
      Code:
        S3Bucket: !Ref CodeBucket
        S3Key: lambda/processor.zip
      Environment:
        Variables:
          # Two short-form tags cannot be nested (!ImportValue !Sub ...);
          # write one of them in long form
          TABLE_NAME:
            Fn::ImportValue: !Sub "${DatabaseStackName}-TableName"

  # Lambda trigger from DynamoDB Streams
  StreamProcessorFunction:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: !Sub "${AWS::StackName}-stream-processor"
      Runtime: python3.11
      Handler: stream_handler.handler
      Role: !GetAtt ProcessorRole.Arn
      Code:
        S3Bucket: !Ref CodeBucket
        S3Key: lambda/stream-processor.zip

  # The event source mapping is its own resource, not a property of the function
  StreamEventSourceMapping:
    Type: AWS::Lambda::EventSourceMapping
    Properties:
      EventSourceArn:
        Fn::ImportValue: !Sub "${DatabaseStackName}-TableStreamArn"
      FunctionName: !Ref StreamProcessorFunction
      StartingPosition: LATEST
```
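
A consumer stack that imports an export the producer never published fails at deploy time with "No export named ... found". The following added example (not part of the original skill) checks that statically: it evaluates the `Fn::Sub` export names of a producer template and the `Fn::ImportValue` references of a consumer template, with parameters taken from their defaults unless overridden. Templates are assumed in dict form (short-form tags already expanded to `{"Ref": ...}` style), and the two sample stacks are constructed to mirror Stack A and Stack B.

```python
"""Pre-deploy check that every Fn::ImportValue in a consumer stack names an Export that the
producer stack actually publishes. Added example, not from the original skill; templates are
in dict form (short-form tags expanded) and the two samples below are constructed."""
import re
from typing import Any, Iterator, Optional

_SUB_VAR = re.compile(r"\$\{([^}]+)\}")


def resolve_sub(node: Any, variables: dict[str, str]) -> str:
    """Evaluate a plain string or a {"Fn::Sub": "..."} node with the given variable values."""
    if isinstance(node, dict) and "Fn::Sub" in node:
        node = node["Fn::Sub"]
    if not isinstance(node, str):
        raise ValueError(f"cannot statically resolve {node!r}")

    def repl(match: re.Match) -> str:
        name = match.group(1)
        if name not in variables:
            raise ValueError(f"unresolved ${{{name}}} in {node!r}")
        return variables[name]

    return _SUB_VAR.sub(repl, node)


def exports_of(template: dict[str, Any], stack_name: str) -> set[str]:
    """Export names the producer publishes when deployed as stack_name."""
    variables = {"AWS::StackName": stack_name}
    return {resolve_sub(out["Export"]["Name"], variables)
            for out in template.get("Outputs", {}).values() if "Export" in out}


def _import_nodes(node: Any) -> Iterator[Any]:
    """Yield the argument of every Fn::ImportValue anywhere under node."""
    if isinstance(node, dict):
        if "Fn::ImportValue" in node:
            yield node["Fn::ImportValue"]
        for value in node.values():
            yield from _import_nodes(value)
    elif isinstance(node, list):
        for value in node:
            yield from _import_nodes(value)


def imports_of(template: dict[str, Any], parameters: Optional[dict[str, str]] = None) -> set[str]:
    """Export names the consumer imports; parameters fall back to their template Default."""
    variables = {name: str(p["Default"]) for name, p in template.get("Parameters", {}).items()
                 if "Default" in p}
    variables.update(parameters or {})
    return {resolve_sub(n, variables) for n in _import_nodes(template.get("Resources", {}))}


def missing_exports(producer: dict[str, Any], producer_stack_name: str,
                    consumer: dict[str, Any], parameters: Optional[dict[str, str]] = None) -> set[str]:
    """Imports the consumer needs that the producer would not export (empty set = deployable)."""
    return imports_of(consumer, parameters) - exports_of(producer, producer_stack_name)


# Constructed samples mirroring Stack A / Stack B; this Stack A deliberately omits the stream export.
STACK_A: dict[str, Any] = {"Outputs": {
    "TableName": {"Value": {"Ref": "MyDynamoDBTable"},
                  "Export": {"Name": {"Fn::Sub": "${AWS::StackName}-TableName"}}},
    "TableArn": {"Value": {"Fn::GetAtt": ["MyDynamoDBTable", "Arn"]},
                 "Export": {"Name": {"Fn::Sub": "${AWS::StackName}-TableArn"}}},
}}
STACK_B: dict[str, Any] = {
    "Parameters": {"DatabaseStackName": {"Type": "String", "Default": "database-stack"}},
    "Resources": {
        "DataProcessorFunction": {"Type": "AWS::Lambda::Function", "Properties": {
            "Environment": {"Variables": {"TABLE_NAME": {
                "Fn::ImportValue": {"Fn::Sub": "${DatabaseStackName}-TableName"}}}}}},
        "StreamEventSourceMapping": {"Type": "AWS::Lambda::EventSourceMapping", "Properties": {
            "EventSourceArn": {"Fn::ImportValue": {"Fn::Sub": "${DatabaseStackName}-TableStreamArn"}}}},
    },
}
```

Run `missing_exports(STACK_A, "database-stack", STACK_B)` in CI before `aws cloudformation deploy`; a non-empty result means the consumer stack will fail to create.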

Nested Stacks for Modularity

```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: Main stack with nested DynamoDB stacks

# Both parameters are passed through to the nested stacks below
Parameters:
  Environment:
    Type: String
    Default: dev
    AllowedValues:
      - dev
      - staging
      - production

  TableNamePrefix:
    Type: String
    Default: myapp
    Description: Prefix the tables stack uses for its table names

Resources:
  # Nested stack for tables
  TablesStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: https://s3.amazonaws.com/bucket/dynamodb-tables.yaml
      TimeoutInMinutes: 15
      Parameters:
        Environment: !Ref Environment
        TableNamePrefix: !Ref TableNamePrefix

  # Nested stack for auto-scaling; it consumes the Outputs of the tables stack
  AutoScalingStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: https://s3.amazonaws.com/bucket/dynamodb-autoscaling.yaml
      TimeoutInMinutes: 15
      Parameters:
        Environment: !Ref Environment
        TableName: !GetAtt TablesStack.Outputs.MainTableName
        ReadCapacityUnits: !GetAtt TablesStack.Outputs.ReadCapacity
        WriteCapacityUnits: !GetAtt TablesStack.Outputs.WriteCapacity
```

DynamoDB Tables with Advanced Configurations

Table with GSI and LSI

```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: DynamoDB table with multiple GSIs and LSIs

Parameters:
  Environment:
    Type: String
    Default: dev
    AllowedValues:
      - dev
      - staging
      - production

Resources:
  # DynamoDB Table with indexes
  OrdersTable:
    Type: AWS::DynamoDB::Table
    Properties:
      TableName: !Sub "${AWS::StackName}-orders"
      BillingMode: PROVISIONED
      # Every attribute listed here must be used by the table or an index key schema;
      # DynamoDB rejects unused definitions (and undefined key attributes)
      AttributeDefinitions:
        # Primary key attributes
        - AttributeName: customer_id
          AttributeType: S
        - AttributeName: order_date
          AttributeType: S
        # GSI attributes
        - AttributeName: status
          AttributeType: S
        - AttributeName: order_total
          AttributeType: N
        # LSI attributes
        - AttributeName: ship_date
          AttributeType: S
      KeySchema:
        - AttributeName: customer_id
          KeyType: HASH
        - AttributeName: order_date
          KeyType: RANGE
      # Global Secondary Indexes
      GlobalSecondaryIndexes:
        # GSI for status-based queries
        - IndexName: StatusIndex
          KeySchema:
            - AttributeName: status
              KeyType: HASH
            - AttributeName: order_date
              KeyType: RANGE
          Projection:
            ProjectionType: ALL
          ProvisionedThroughput:
            ReadCapacityUnits: 10
            WriteCapacityUnits: 10
        # GSI for total-based queries
        - IndexName: TotalIndex
          KeySchema:
            - AttributeName: status
              KeyType: HASH
            - AttributeName: order_total
              KeyType: RANGE
          Projection:
            ProjectionType: ALL
          ProvisionedThroughput:
            ReadCapacityUnits: 10
            WriteCapacityUnits: 10
      # Local Secondary Indexes (must share the table partition key and can only be
      # defined at table creation)
      LocalSecondaryIndexes:
        - IndexName: ShipDateIndex
          KeySchema:
            - AttributeName: customer_id
              KeyType: HASH
            - AttributeName: ship_date
              KeyType: RANGE
          Projection:
            ProjectionType: ALL
      ProvisionedThroughput:
        ReadCapacityUnits: 20
        WriteCapacityUnits: 20
      StreamSpecification:
        StreamViewType: NEW_AND_OLD_IMAGES
      SSESpecification:
        SSEEnabled: true
      Tags:
        - Key: Environment
          Value: !Ref Environment
        - Key: DataClassification
          Value: confidential
```

On-Demand Capacity Table

```yaml
Resources:
  # On-demand capacity table
  EventsTable:
    Type: AWS::DynamoDB::Table
    Properties:
      TableName: !Sub "${AWS::StackName}-events"
      BillingMode: PAY_PER_REQUEST
      AttributeDefinitions:
        - AttributeName: event_id
          AttributeType: S
        - AttributeName: event_type
          AttributeType: S
        - AttributeName: timestamp
          AttributeType: S
      KeySchema:
        - AttributeName: event_id
          KeyType: HASH
      GlobalSecondaryIndexes:
        - IndexName: TypeTimestampIndex
          KeySchema:
            - AttributeName: event_type
              KeyType: HASH
            - AttributeName: timestamp
              KeyType: RANGE
          Projection:
            ProjectionType: ALL
      StreamSpecification:
        StreamViewType: KEYS_ONLY
      SSESpecification:
        SSEEnabled: true
      PointInTimeRecoverySpecification:
        PointInTimeRecoveryEnabled: true
```

Auto-Scaling Configuration

Application Auto Scaling for Provisioned Tables

```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: DynamoDB table with auto-scaling

Parameters:
  Environment:
    Type: String
    Default: dev
    AllowedValues:
      - dev
      - staging
      - production

Mappings:
  CapacityConfig:
    dev:
      MinReadCapacity: 5
      MaxReadCapacity: 20
      MinWriteCapacity: 5
      MaxWriteCapacity: 20
    staging:
      MinReadCapacity: 10
      MaxReadCapacity: 50
      MinWriteCapacity: 10
      MaxWriteCapacity: 50
    production:
      MinReadCapacity: 25
      MaxReadCapacity: 200
      MinWriteCapacity: 25
      MaxWriteCapacity: 200

Resources:
  # DynamoDB Table
  MyTable:
    Type: AWS::DynamoDB::Table
    Properties:
      TableName: !Sub "${AWS::StackName}-table"
      BillingMode: PROVISIONED
      AttributeDefinitions:
        - AttributeName: pk
          AttributeType: S
        - AttributeName: sk
          AttributeType: S
        - AttributeName: gsi_pk
          AttributeType: S
      KeySchema:
        - AttributeName: pk
          KeyType: HASH
        - AttributeName: sk
          KeyType: RANGE
      GlobalSecondaryIndexes:
        - IndexName: GSI
          KeySchema:
            - AttributeName: gsi_pk
              KeyType: HASH
          Projection:
            ProjectionType: ALL
          ProvisionedThroughput:
            ReadCapacityUnits: 5
            WriteCapacityUnits: 5
      ProvisionedThroughput:
        ReadCapacityUnits: 5
        WriteCapacityUnits: 5

  # Scalable targets. RoleARN is omitted on purpose: DynamoDB supports service-linked
  # roles, so Application Auto Scaling uses (and creates if needed)
  # AWSServiceRoleForApplicationAutoScaling_DynamoDBTable instead of a custom role.
  # Scalable Target for Table Read Capacity
  ReadScalingTarget:
    Type: AWS::ApplicationAutoScaling::ScalableTarget
    Properties:
      MaxCapacity: !FindInMap [CapacityConfig, !Ref Environment, MaxReadCapacity]
      MinCapacity: !FindInMap [CapacityConfig, !Ref Environment, MinReadCapacity]
      ResourceId: !Sub "table/${MyTable}"
      ScalableDimension: dynamodb:table:ReadCapacityUnits
      ServiceNamespace: dynamodb

  # Scalable Target for Table Write Capacity
  WriteScalingTarget:
    Type: AWS::ApplicationAutoScaling::ScalableTarget
    Properties:
      MaxCapacity: !FindInMap [CapacityConfig, !Ref Environment, MaxWriteCapacity]
      MinCapacity: !FindInMap [CapacityConfig, !Ref Environment, MinWriteCapacity]
      ResourceId: !Sub "table/${MyTable}"
      ScalableDimension: dynamodb:table:WriteCapacityUnits
      ServiceNamespace: dynamodb

  # Scalable Target for GSI Read Capacity
  GSIScalingTarget:
    Type: AWS::ApplicationAutoScaling::ScalableTarget
    Properties:
      MaxCapacity: 100
      MinCapacity: 5
      ResourceId: !Sub "table/${MyTable}/index/GSI"
      ScalableDimension: dynamodb:index:ReadCapacityUnits
      ServiceNamespace: dynamodb

  # Scaling Policy for Read Capacity
  ReadScalingPolicy:
    Type: AWS::ApplicationAutoScaling::ScalingPolicy
    Properties:
      PolicyName: !Sub "${AWS::StackName}-read-scaling"
      PolicyType: TargetTrackingScaling
      ScalingTargetId: !Ref ReadScalingTarget
      TargetTrackingScalingPolicyConfiguration:
        PredefinedMetricSpecification:
          PredefinedMetricType: DynamoDBReadCapacityUtilization
        TargetValue: 70
        ScaleInCooldown: 60
        ScaleOutCooldown: 60

  # Scaling Policy for Write Capacity
  WriteScalingPolicy:
    Type: AWS::ApplicationAutoScaling::ScalingPolicy
    Properties:
      PolicyName: !Sub "${AWS::StackName}-write-scaling"
      PolicyType: TargetTrackingScaling
      ScalingTargetId: !Ref WriteScalingTarget
      TargetTrackingScalingPolicyConfiguration:
        PredefinedMetricSpecification:
          PredefinedMetricType: DynamoDBWriteCapacityUtilization
        TargetValue: 70
        ScaleInCooldown: 60
        ScaleOutCooldown: 60

  # Scaling Policy for GSI Read Capacity (a registered target without a policy never scales)
  GSIReadScalingPolicy:
    Type: AWS::ApplicationAutoScaling::ScalingPolicy
    Properties:
      PolicyName: !Sub "${AWS::StackName}-gsi-read-scaling"
      PolicyType: TargetTrackingScaling
      ScalingTargetId: !Ref GSIScalingTarget
      TargetTrackingScalingPolicyConfiguration:
        PredefinedMetricSpecification:
          PredefinedMetricType: DynamoDBReadCapacityUtilization
        TargetValue: 70
        ScaleInCooldown: 60
        ScaleOutCooldown: 60
```

DynamoDB Streams and Lambda Integration

Table with Stream for Lambda Trigger

yaml
AWSTemplateFormatVersion: 2010-09-09
Description: DynamoDB table with stream for Lambda trigger

Parameters:
  # Bucket holding the packaged Lambda code referenced below
  CodeBucket:
    Type: String

Resources:
  # DynamoDB Table with Stream
  OrdersTable:
    Type: AWS::DynamoDB::Table
    Properties:
      TableName: !Sub "${AWS::StackName}-orders"
      BillingMode: PROVISIONED
      AttributeDefinitions:
        - AttributeName: order_id
          AttributeType: S
        - AttributeName: customer_id
          AttributeType: S
        - AttributeName: status
          AttributeType: S
      KeySchema:
        - AttributeName: order_id
          KeyType: HASH
      GlobalSecondaryIndexes:
        - IndexName: CustomerIndex
          KeySchema:
            - AttributeName: customer_id
              KeyType: HASH
            - AttributeName: status
              KeyType: RANGE
          Projection:
            ProjectionType: ALL
      ProvisionedThroughput:
        ReadCapacityUnits: 10
        WriteCapacityUnits: 10
      StreamSpecification:
        # Old images let the consumer see what a MODIFY/REMOVE changed; if the
        # consumer only needs keys, KEYS_ONLY exposes the least data on the stream
        StreamViewType: NEW_AND_OLD_IMAGES

  # Lambda Function for processing stream
  StreamProcessorFunction:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: !Sub "${AWS::StackName}-stream-processor"
      Runtime: python3.11
      Handler: handler.process_event
      Code:
        S3Bucket: !Ref CodeBucket
        S3Key: lambda/stream-processor.zip
      Timeout: 300
      Role: !GetAtt LambdaExecutionRole.Arn

  # Event Source Mapping
  StreamEventSource:
    Type: AWS::Lambda::EventSourceMapping
    Properties:
      EventSourceArn: !GetAtt OrdersTable.StreamArn
      FunctionName: !Ref StreamProcessorFunction
      StartingPosition: TRIM_HORIZON
      BatchSize: 100
      MaximumBatchingWindowInSeconds: 60
      # Without a retry limit a poison record is retried until it ages out of the
      # stream (24 hours) and blocks its shard; bound the retries, split failing
      # batches, and let the function report individual failed records
      MaximumRetryAttempts: 3
      BisectBatchOnFunctionError: true
      FunctionResponseTypes:
        - ReportBatchItemFailures
      # The on-failure destination receives metadata about the failed batch
      # (sequence numbers), not the records themselves
      DestinationConfig:
        OnFailure:
          Destination: !GetAtt DeadLetterQueue.Arn
      Enabled: true

  # Dead Letter Queue for failed events
  DeadLetterQueue:
    Type: AWS::SQS::Queue
    Properties:
      QueueName: !Sub "${AWS::StackName}-stream-dlq"
      MessageRetentionPeriod: 86400
      SqsManagedSseEnabled: true

  # Lambda Execution Role
  LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${AWS::StackName}-lambda-role"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: !Sub "${AWS::StackName}-dynamodb-policy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Read access to this stream only, not to the table items
              - Effect: Allow
                Action:
                  - dynamodb:GetRecords
                  - dynamodb:GetShardIterator
                  - dynamodb:DescribeStream
                  - dynamodb:ListStreams
                Resource: !GetAtt OrdersTable.StreamArn
              # Needed for the OnFailure destination above
              - Effect: Allow
                Action:
                  - sqs:SendMessage
                Resource: !GetAtt DeadLetterQueue.Arn

TTL Configuration

Table with Time-to-Live

yaml
Parameters:
  # Bucket holding the packaged Lambda code referenced below
  CodeBucket:
    Type: String

Resources:
  # Table with TTL for automatic data expiration
  SessionsTable:
    Type: AWS::DynamoDB::Table
    Properties:
      TableName: !Sub "${AWS::StackName}-sessions"
      BillingMode: PAY_PER_REQUEST
      AttributeDefinitions:
        - AttributeName: session_id
          AttributeType: S
        - AttributeName: user_id
          AttributeType: S
      KeySchema:
        - AttributeName: session_id
          KeyType: HASH
      GlobalSecondaryIndexes:
        - IndexName: UserIndex
          KeySchema:
            - AttributeName: user_id
              KeyType: HASH
          Projection:
            ProjectionType: ALL
      StreamSpecification:
        # TTL deletions show up on the stream as REMOVE records whose
        # userIdentity.principalId is dynamodb.amazonaws.com
        StreamViewType: NEW_IMAGE
      TimeToLiveSpecification:
        # ttl holds the expiry as a Number of seconds since the epoch. DynamoDB
        # removes expired items in the background (typically within a few days),
        # so reads must still filter on ttl > now to hide expired sessions
        AttributeName: ttl
        Enabled: true
      SSESpecification:
        SSEEnabled: true

  # Optional sweeper: TTL already deletes expired items at no cost, so this is
  # only worthwhile where leftover expired sessions must be gone on a fixed
  # schedule. LambdaExecutionRole is the role defined in the stream template above.
  SessionCleanupFunction:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: !Sub "${AWS::StackName}-session-cleanup"
      Runtime: python3.11
      Handler: handler.cleanup
      Code:
        S3Bucket: !Ref CodeBucket
        S3Key: lambda/session-cleanup.zip
      Role: !GetAtt LambdaExecutionRole.Arn

  # Scheduled rule for TTL cleanup
  SessionCleanupRule:
    Type: AWS::Events::Rule
    Properties:
      Name: !Sub "${AWS::StackName}-session-cleanup"
      ScheduleExpression: "rate(1 hour)"
      State: ENABLED
      Targets:
        - Id: !Ref SessionCleanupFunction
          Arn: !GetAtt SessionCleanupFunction.Arn

  # EventBridge cannot invoke the function until the function's resource policy
  # allows it; without this permission the rule fires but every invocation fails
  SessionCleanupPermission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !Ref SessionCleanupFunction
      Action: lambda:InvokeFunction
      Principal: events.amazonaws.com
      SourceArn: !GetAtt SessionCleanupRule.Arn
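The templates above wire a function called `handler.process_event` to the stream but never show it. The following is an added example, not code from the original page: a stream consumer for the Orders and Sessions tables that shows two things the YAML cannot, how a TTL expiry is distinguished from a user-issued delete on the stream (the record's `userIdentity` carries the `dynamodb.amazonaws.com` service principal), and how to report a partial batch failure so one undecodable record does not poison the batch (this response shape only takes effect when the event source mapping sets `FunctionResponseTypes: [ReportBatchItemFailures]`). The event payload at the bottom is constructed for the example and mirrors a `NEW_IMAGE` stream, where REMOVE records carry only the keys.

```python
"""Stream consumer for the Orders/Sessions tables (added example; not the page's code)."""
from __future__ import annotations

from decimal import Decimal
from typing import Any

# Deletions performed by TTL carry this service principal in the stream record.
TTL_PRINCIPAL = "dynamodb.amazonaws.com"


def from_dynamodb_json(value: dict[str, Any]) -> Any:
    """Convert a typed attribute value ({"S": "x"}, {"N": "1"}, ...) to a Python value."""
    (type_tag, raw), = value.items()
    if type_tag == "S":
        return raw
    if type_tag == "N":
        return Decimal(raw)
    if type_tag == "BOOL":
        return bool(raw)
    if type_tag == "NULL":
        return None
    if type_tag == "M":
        return {k: from_dynamodb_json(v) for k, v in raw.items()}
    if type_tag == "L":
        return [from_dynamodb_json(v) for v in raw]
    raise ValueError(f"unsupported attribute type {type_tag!r}")


def classify(record: dict[str, Any]) -> str:
    """Return 'insert', 'modify', 'user_delete' or 'ttl_expiry' for one stream record."""
    event = record["eventName"]
    if event == "REMOVE":
        identity = record.get("userIdentity") or {}
        is_ttl = identity.get("type") == "Service" and identity.get("principalId") == TTL_PRINCIPAL
        return "ttl_expiry" if is_ttl else "user_delete"
    if event in ("INSERT", "MODIFY"):
        return event.lower()
    raise ValueError(f"unknown eventName {event!r}")


def handle_record(record: dict[str, Any]) -> dict[str, Any]:
    """Decode one record; under NEW_IMAGE a REMOVE carries only Keys, no image."""
    kind = classify(record)
    ddb = record["dynamodb"]
    keys = {k: from_dynamodb_json(v) for k, v in ddb["Keys"].items()}
    image = ddb.get("NewImage") if kind in ("insert", "modify") else ddb.get("OldImage")
    item = {k: from_dynamodb_json(v) for k, v in (image or {}).items()}
    return {"kind": kind, "keys": keys, "item": item}


def process_records(records: list[dict[str, Any]]) -> tuple[list[dict], list[dict]]:
    """Process in order and stop at the first failure, reporting its sequence number.

    Lambda retries the batch from the lowest reported sequence number, so the
    records after the failure are redelivered rather than processed twice.
    """
    processed: list[dict] = []
    for record in records:
        try:
            processed.append(handle_record(record))
        except Exception:  # any decode error marks the record as poison
            seq = record.get("dynamodb", {}).get("SequenceNumber")
            return processed, [{"itemIdentifier": seq}]
    return processed, []


def process_event(event: dict[str, Any], context: Any = None) -> dict[str, Any]:
    """Lambda entry point; batchItemFailures is the only key Lambda reads back."""
    _, failures = process_records(event.get("Records", []))
    return {"batchItemFailures": failures}


# Constructed sample batch (NEW_IMAGE view): an insert, a TTL expiry, a user delete.
SAMPLE_EVENT = {
    "Records": [
        {"eventName": "INSERT", "dynamodb": {
            "SequenceNumber": "100",
            "Keys": {"session_id": {"S": "sess-1"}},
            "NewImage": {"session_id": {"S": "sess-1"}, "user_id": {"S": "u-42"},
                         "ttl": {"N": "1700000000"}}}},
        {"eventName": "REMOVE",
         "userIdentity": {"type": "Service", "principalId": TTL_PRINCIPAL},
         "dynamodb": {"SequenceNumber": "200", "Keys": {"session_id": {"S": "sess-0"}}}},
        {"eventName": "REMOVE",
         "dynamodb": {"SequenceNumber": "300", "Keys": {"session_id": {"S": "sess-9"}}}},
    ]
}

if __name__ == "__main__":
    done, failed = process_records(SAMPLE_EVENT["Records"])
    for entry in done:
        print(entry["kind"], entry["keys"])
    print("failures:", failed)
```

Stopping at the first failure rather than collecting every failed record is deliberate: for stream sources Lambda resumes from the lowest reported sequence number anyway, so work done past that point would be repeated on retry.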

Encryption and Security

Table with Customer Managed KMS Key

yaml
AWSTemplateFormatVersion: 2010-09-09
Description: DynamoDB table with customer-managed encryption

Resources:
  # KMS Key for encryption
  DynamoDBKMSKey:
    Type: AWS::KMS::Key
    # A deleted key makes every item encrypted under it unrecoverable
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Properties:
      Description: KMS key for DynamoDB encryption
      EnableKeyRotation: true
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          # Delegates key administration to IAM in this account. Granting kms:*
          # only to the data-access role would trip the policy lockout check
          # (nobody could change the policy later) and, because that role's own
          # policy references this key, would also be a circular dependency.
          - Sid: Enable IAM policies
            Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Action: kms:*
            Resource: "*"
          - Sid: Allow DynamoDB to use the key
            Effect: Allow
            Principal:
              Service: dynamodb.amazonaws.com
            Action:
              - kms:Encrypt
              - kms:Decrypt
              - kms:GenerateDataKey
              - kms:GenerateDataKeyWithoutPlaintext
            Resource: "*"

  # AWS::KMS::Key has no KeyName property; a human-readable name is an alias
  DynamoDBKMSKeyAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: !Sub "alias/${AWS::StackName}-dynamodb-key"
      TargetKeyId: !Ref DynamoDBKMSKey

  # DynamoDB Table with customer-managed encryption
  SensitiveDataTable:
    Type: AWS::DynamoDB::Table
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Properties:
      TableName: !Sub "${AWS::StackName}-sensitive-data"
      BillingMode: PROVISIONED
      # Every attribute defined here must be used by a key (table or index);
      # DynamoDB rejects a definition no key uses, so only the partition key appears
      AttributeDefinitions:
        - AttributeName: id
          AttributeType: S
      KeySchema:
        - AttributeName: id
          KeyType: HASH
      ProvisionedThroughput:
        ReadCapacityUnits: 10
        WriteCapacityUnits: 10
      SSESpecification:
        SSEEnabled: true
        SSEType: KMS
        KMSMasterKeyId: !Ref DynamoDBKMSKey
      PointInTimeRecoverySpecification:
        PointInTimeRecoveryEnabled: true

  # IAM Role for accessing encrypted table
  IAMRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${AWS::StackName}-data-access-role"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: !Sub "${AWS::StackName}-data-access"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Scan on a sensitive table reads everything; drop it unless an
              # access pattern genuinely needs it
              - Effect: Allow
                Action:
                  - dynamodb:GetItem
                  - dynamodb:PutItem
                  - dynamodb:UpdateItem
                  - dynamodb:DeleteItem
                  - dynamodb:Query
                  - dynamodb:Scan
                Resource: !GetAtt SensitiveDataTable.Arn
              # The role may only use the key through DynamoDB in this region,
              # not to decrypt arbitrary ciphertext directly
              - Effect: Allow
                Action:
                  - kms:Decrypt
                  - kms:GenerateDataKey
                Resource: !GetAtt DynamoDBKMSKey.Arn
                Condition:
                  StringEquals:
                    kms:ViaService: !Sub "dynamodb.${AWS::Region}.amazonaws.com"

Conditions and Transform

Conditions for Environment-Specific Resources

yaml
AWSTemplateFormatVersion: 2010-09-09
Description: DynamoDB with conditional resources

Parameters:
  Environment:
    Type: String
    Default: dev
    AllowedValues:
      - dev
      - staging
      - production

  EnableEncryption:
    Type: String
    Default: "true"
    AllowedValues:
      - "true"
      - "false"

Conditions:
  IsProduction: !Equals [!Ref Environment, production]
  IsDev: !Equals [!Ref Environment, dev]
  # Named differently from the parameter so the two are not confused
  EncryptionEnabled: !Equals [!Ref EnableEncryption, "true"]
  EnablePITR: !Not [!Equals [!Ref Environment, dev]]
  EnableStream: !Or [!Equals [!Ref Environment, staging], !Equals [!Ref Environment, production]]

Resources:
  # Main table
  MyTable:
    Type: AWS::DynamoDB::Table
    Properties:
      TableName: !Sub "${AWS::StackName}-table"
      BillingMode: !If [IsProduction, PROVISIONED, PAY_PER_REQUEST]
      AttributeDefinitions:
        - AttributeName: pk
          AttributeType: S
        - AttributeName: sk
          AttributeType: S
      KeySchema:
        - AttributeName: pk
          KeyType: HASH
        - AttributeName: sk
          KeyType: RANGE
      ProvisionedThroughput: !If
        - IsProduction
        - ReadCapacityUnits: 25
          WriteCapacityUnits: 25
        - !Ref AWS::NoValue
      StreamSpecification: !If
        - EnableStream
        - StreamViewType: NEW_AND_OLD_IMAGES
        - !Ref AWS::NoValue
      # Every DynamoDB table is encrypted at rest; this setting only chooses the
      # key. KMS is the sole value CloudFormation accepts for SSEType (AES256 is
      # rejected); without KMSMasterKeyId it selects the AWS managed key
      # aws/dynamodb. The NoValue branch falls back to the AWS owned key, which
      # leaves no key-usage records in the account's CloudTrail.
      SSESpecification: !If
        - EncryptionEnabled
        - SSEEnabled: true
          SSEType: KMS
        - !Ref AWS::NoValue
      PointInTimeRecoverySpecification: !If
        - EnablePITR
        - PointInTimeRecoveryEnabled: true
        - !Ref AWS::NoValue

Transform for SAM Template

yaml
AWSTemplateFormatVersion: 2010-09-09
Transform: AWS::Serverless-2016-10-31

Description: Using SAM Transform for DynamoDB

Globals:
  Function:
    Timeout: 30
    Runtime: python3.11
    Environment:
      Variables:
        TABLE_NAME: !Ref DataTable

Resources:
  # SAM Simple Table: with ProvisionedThroughput omitted, SAM creates the table
  # in on-demand (PAY_PER_REQUEST) mode
  DataTable:
    Type: AWS::Serverless::SimpleTable
    Properties:
      TableName: !Sub "${AWS::StackName}-data"
      PrimaryKey:
        Name: id
        Type: String
      SSESpecification:
        SSEEnabled: true

  # Lambda function with DynamoDB access
  DataHandler:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: !Sub "${AWS::StackName}-handler"
      Handler: handler.handler
      CodeUri: lambda/
      Policies:
        - DynamoDBCrudPolicy:
            TableName: !Ref DataTable
      Events:
        Api:
          Type: Api
          Properties:
            Path: /data
            Method: post
            # The implicit API SAM generates has no authorizer by default and
            # would accept unauthenticated writes to the table
            Auth:
              Authorizer: AWS_IAM

Best Practices

Security

  • Set SSEEnabled: true on every table. All DynamoDB tables are encrypted at rest; the setting chooses the key, replacing the AWS owned key (no key visible in the account, no key-usage trail) with an AWS managed or customer managed KMS key
  • Use customer-managed KMS keys for sensitive data, with EnableKeyRotation: true, an account-root administrator statement in the key policy so the key cannot be locked out, and DeletionPolicy: Retain
  • Enable point-in-time recovery for production tables, and set DeletionPolicy and UpdateReplacePolicy to Retain so a stack deletion or a key-schema change does not drop the data
  • Use IAM policies with the minimum necessary permissions: scope Resource to the table ARN (plus table/<name>/index/* only where an index is queried), scope KMS permissions with kms:ViaService, and avoid Scan on sensitive tables
  • Use a gateway VPC endpoint for private table access and attach an endpoint policy that limits which tables it can reach
  • Configure AWS CloudTrail for auditing; management events are logged by default, but item-level DynamoDB data events must be enabled explicitly
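The encryption template earlier and the security list above describe checks that are easy to get wrong by hand (attribute definitions no key uses, an SSEType CloudFormation rejects, a KMS key with no administrator statement). The following is an added example, not code from the original page: a small static checker that takes a template as a Python dict in CloudFormation's JSON form (long-form intrinsics such as `{"Ref": "X"}`, as returned by `aws cloudformation get-template`) and reports those findings for every `AWS::DynamoDB::Table` and `AWS::KMS::Key`. The two sample templates at the bottom are constructed for the example: one collects the mistakes, the other is the corrected form. Conditional properties it cannot evaluate statically are reported for manual review rather than assumed safe.

```python
"""Static checks for DynamoDB tables and KMS keys in a CloudFormation template (added example)."""
from __future__ import annotations

from typing import Any, Iterator


def is_intrinsic(value: Any) -> bool:
    """True for a long-form intrinsic such as {"Fn::If": [...]} or {"Ref": "X"}."""
    return isinstance(value, dict) and len(value) == 1 and next(iter(value)).startswith(("Fn::", "Ref"))


def as_list(value: Any) -> list:
    return value if isinstance(value, list) else [value]


def principal_arns(statement: dict) -> Iterator[str]:
    """String ARNs in Principal.AWS, unwrapping Fn::Sub; other forms yield nothing."""
    principal = statement.get("Principal")
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    for p in as_list(aws):
        if isinstance(p, str):
            yield p
        elif isinstance(p, dict) and isinstance(p.get("Fn::Sub"), str):
            yield p["Fn::Sub"]


def audit_table(logical_id: str, resource: dict) -> list[str]:
    props, findings = resource.get("Properties", {}), []
    # DynamoDB rejects a table whose AttributeDefinitions list an attribute that
    # no key (table or index) uses, and vice versa
    defined = {a["AttributeName"] for a in props.get("AttributeDefinitions", [])}
    used = {k["AttributeName"] for k in props.get("KeySchema", [])}
    for kind in ("GlobalSecondaryIndexes", "LocalSecondaryIndexes"):
        indexes = props.get(kind) or []
        for index in [] if is_intrinsic(indexes) else indexes:
            used |= {k["AttributeName"] for k in index.get("KeySchema", [])}
    if defined != used:
        findings.append(f"{logical_id}: AttributeDefinitions {sorted(defined)} != key attributes {sorted(used)}")
    sse = props.get("SSESpecification")
    if is_intrinsic(sse):
        findings.append(f"{logical_id}: SSESpecification is conditional; review each branch")
    elif not sse or sse.get("SSEEnabled") is not True:
        findings.append(f"{logical_id}: SSEEnabled is not true (table uses the AWS owned key)")
    elif sse.get("SSEType", "KMS") != "KMS":
        findings.append(f"{logical_id}: SSEType must be KMS, got {sse['SSEType']!r}")
    pitr = props.get("PointInTimeRecoverySpecification") or {}
    if not is_intrinsic(pitr) and pitr.get("PointInTimeRecoveryEnabled") is not True:
        findings.append(f"{logical_id}: point-in-time recovery is not enabled")
    if resource.get("DeletionPolicy") != "Retain":
        findings.append(f"{logical_id}: DeletionPolicy is not Retain; deleting the stack drops the data")
    return findings


def audit_kms_key(logical_id: str, resource: dict) -> list[str]:
    props, findings = resource.get("Properties", {}), []
    if "KeyName" in props:
        findings.append(f"{logical_id}: KeyName is not a property of AWS::KMS::Key; use AWS::KMS::Alias")
    if props.get("EnableKeyRotation") is not True:
        findings.append(f"{logical_id}: EnableKeyRotation is not true")
    statements = as_list(props.get("KeyPolicy", {}).get("Statement", []))
    root_admin = any(
        s.get("Effect") == "Allow" and "kms:*" in as_list(s.get("Action", []))
        and any(arn.endswith(":root") for arn in principal_arns(s))
        for s in statements
    )
    if not root_admin:
        findings.append(f"{logical_id}: no Allow kms:* for the account root; the key can become unmanageable")
    if resource.get("DeletionPolicy") != "Retain":
        findings.append(f"{logical_id}: DeletionPolicy is not Retain; a deleted key makes the data unrecoverable")
    return findings


AUDITORS = {"AWS::DynamoDB::Table": audit_table, "AWS::KMS::Key": audit_kms_key}


def audit_template(template: dict) -> list[str]:
    findings: list[str] = []
    for logical_id, resource in template.get("Resources", {}).items():
        auditor = AUDITORS.get(resource.get("Type"))
        if auditor:
            findings.extend(auditor(logical_id, resource))
    return findings


# Constructed samples: the mistakes the checks target, then the corrected form.
WEAK_TEMPLATE = {"Resources": {
    "Key": {"Type": "AWS::KMS::Key", "Properties": {
        "KeyName": "my-key",
        "KeyPolicy": {"Statement": [{"Effect": "Allow", "Action": ["kms:*"], "Resource": "*",
                                     "Principal": {"AWS": {"Fn::GetAtt": ["Role", "Arn"]}}}]}}},
    "Table": {"Type": "AWS::DynamoDB::Table", "Properties": {
        "AttributeDefinitions": [{"AttributeName": "id", "AttributeType": "S"},
                                 {"AttributeName": "category", "AttributeType": "S"}],
        "KeySchema": [{"AttributeName": "id", "KeyType": "HASH"}],
        "SSESpecification": {"SSEEnabled": True, "SSEType": "AES256"}}}}}

HARDENED_TEMPLATE = {"Resources": {
    "Key": {"Type": "AWS::KMS::Key", "DeletionPolicy": "Retain", "Properties": {
        "EnableKeyRotation": True,
        "KeyPolicy": {"Statement": [{"Effect": "Allow", "Action": "kms:*", "Resource": "*",
                                     "Principal": {"AWS": {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root"}}}]}}},
    "Table": {"Type": "AWS::DynamoDB::Table", "DeletionPolicy": "Retain", "Properties": {
        "AttributeDefinitions": [{"AttributeName": "id", "AttributeType": "S"}],
        "KeySchema": [{"AttributeName": "id", "KeyType": "HASH"}],
        "SSESpecification": {"SSEEnabled": True, "SSEType": "KMS", "KMSMasterKeyId": {"Ref": "Key"}},
        "PointInTimeRecoverySpecification": {"PointInTimeRecoveryEnabled": True}}}}}
```

Run `audit_template` on the weak sample and it returns eight findings, four per resource; on the hardened sample it returns none. To check a real stack, feed it `json.loads` of the `TemplateBody` from `get-template --template-stage Processed` so that SAM and other transforms have already been expanded.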

Performance

  • Choose partition keys with uniform distribution
  • Use GSIs for alternative access patterns
  • Monitor consumed capacity and throttled requests
  • Use auto-scaling for variable workloads
  • Consider on-demand capacity for unpredictable traffic
  • Implement proper data modeling for query patterns

Monitoring

  • Enable CloudWatch metrics with 1-minute granularity
  • Create alarms for throttled requests
  • Monitor table and index capacity utilization
  • Use AWS DynamoDB Accelerator (DAX) for read-heavy workloads
  • Implement proper error handling and retries

Cost Optimization

  • Use on-demand capacity when traffic is unpredictable or low
  • Right-size provisioned capacity based on consumed-capacity metrics
  • Use auto-scaling to handle peak loads
  • Consider TTL for automatic data cleanup; TTL deletions consume no write capacity
  • Archive old data to S3 with DynamoDB's export to S3 (requires point-in-time recovery) or with Glue; AWS Data Pipeline is no longer the recommended path

CloudFormation Stack Management Best Practices

Stack Policies

yaml
Resources:
  DynamoDBTable:
    Type: AWS::DynamoDB::Table
    # Retain protects against deletion of the stack itself and against a
    # replacement triggered by a key-schema change; the stack policy below only
    # governs what stack updates may do to the resource
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Properties:
      TableName: !Sub "${AWS::StackName}-table"
      BillingMode: PAY_PER_REQUEST
      AttributeDefinitions:
        - AttributeName: pk
          AttributeType: S
      KeySchema:
        - AttributeName: pk
          KeyType: HASH

Stack policy to protect table from deletion

A stack policy is not a template resource (there is no AWS::CloudFormation::StackPolicy type). It is a JSON document attached to the stack that denies chosen update actions on chosen resources. This one allows every update except deleting or replacing the table:

json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "Update:*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": ["Update:Delete", "Update:Replace"],
      "Resource": "LogicalResourceId/DynamoDBTable"
    }
  ]
}

bash
# Attach the policy to an existing stack (or pass --stack-policy-body on create-stack)
aws cloudformation set-stack-policy --stack-name my-dynamodb-stack \
  --stack-policy-body file://stack-policy.json

Drift Detection

bash
# Start drift detection on a stack (asynchronous; returns a StackDriftDetectionId)
DETECTION_ID=$(aws cloudformation detect-stack-drift \
  --stack-name my-dynamodb-stack \
  --query StackDriftDetectionId --output text)

# Poll until DetectionStatus is DETECTION_COMPLETE
aws cloudformation describe-stack-drift-detection-status \
  --stack-drift-detection-id "$DETECTION_ID"

# Get resource drift status, e.g. a table whose encryption, PITR or TTL setting
# was changed outside CloudFormation
aws cloudformation describe-stack-resource-drifts \
  --stack-name my-dynamodb-stack

Related Resources

Additional Files

For complete details on resources and their properties, see:
  • REFERENCE.md - Detailed reference guide for all DynamoDB CloudFormation resources
  • EXAMPLES.md - Complete production-ready examples