This PR allows the use of this backup solution if used in a setting where sensitive data needs to be encrypted at rest. If the keys of the DynamoDB table are not sensitive information they can be sent on the stream, the lambda can then fetch the full entry and write it to S3. No sensitive data is stored unencrypted.
The only potential issue I can think of is if an item is updated multiple times quickly the lambda may receive an item that is too new. But it's still better than nothing :)
DynamoDB Streams does not support encryption at rest. https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/encryption-before-you-start.html
This PR allows the use of this backup solution if used in a setting where sensitive data needs to be encrypted at rest. If the keys of the DynamoDB table are not sensitive information they can be sent on the stream, the lambda can then fetch the full entry and write it to S3. No sensitive data is stored unencrypted.
The only potential issue I can think of is if an item is updated multiple times quickly the lambda may receive an item that is too new. But it's still better than nothing :)
See attached sequence diagram for what I mean.