chore(release): 1.84.0

.github/workflows/issue-label-assign.yml

@@ -181,5 +181,7 @@ jobs:
            {"keywords":["(@aws-cdk/custom-resources)","(custom-resources)","(custom resources)"],"labels":["@aws-cdk/custom-resources"],"assignees":["rix0rrr"]},
            {"keywords":["(@aws-cdk/cx-api)","(cx-api)","(cx api)"],"labels":["@aws-cdk/cx-api"],"assignees":["rix0rrr"]},
            {"keywords":["(@aws-cdk/pipelines)","(pipelines)","(cdk pipelines)","(cdk-pipelines)"],"labels":["@aws-cdk/pipelines"],"assignees":["rix0rrr"]},
-           {"keywords":["(@aws-cdk/region-info)","(region-info)","(region info)"],"labels":["@aws-cdk/region-info"],"assignees":["RomainMuller"]}
+           {"keywords":["(@aws-cdk/region-info)","(region-info)","(region info)"],"labels":["@aws-cdk/region-info"],"assignees":["RomainMuller"]},
+           {"keywords":["(aws-cdk-lib)","(cdk-v2)", "(v2)", "(ubergen)"],"labels":["aws-cdk-lib"],"assignees":["nija-at"]},
+           {"keywords":["(monocdk)","(monocdk-experiment)"],"labels":["monocdk"],"assignees":["nija-at"]}
            ]

.mergify.yml

@@ -6,7 +6,7 @@ pull_request_rules:
       label:
         add: [ contribution/core ]
     conditions:
-      - author~=^(eladb|RomainMuller|garnaat|nija-at|shivlaks|skinny85|rix0rrr|NGL321|Jerry-AWS|SomayaB|MrArnoldPalmer|NetaNir|iliapolo|njlynch|ericzbeard|ccfife|fulghum|pkandasamy91|SoManyHs|uttarasridhar)$
+      - author~=^(eladb|RomainMuller|garnaat|nija-at|skinny85|rix0rrr|NGL321|Jerry-AWS|MrArnoldPalmer|NetaNir|iliapolo|njlynch|ericzbeard|ccfife|fulghum|pkandasamy91|SoManyHs|uttarasridhar)$
       - -label~="contribution/core"
   - name: automatic merge
     actions:
@@ -118,4 +118,4 @@ pull_request_rules:
       - "#approved-reviews-by>=1"
       - "#changes-requested-reviews-by=0"
       - status-success~=AWS CodeBuild us-east-1
-      - status-success=validate-pr
+      - status-success=validate-pr

CHANGELOG.md

@@ -2,6 +2,37 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [1.84.0](https://github.com/aws/aws-cdk/compare/v1.83.0...v1.84.0) (2021-01-12)
+
+
+### ⚠ BREAKING CHANGES TO EXPERIMENTAL FEATURES
+
+* **apigatewayv2:** `subnets` prop in `VpcLink` resource now takes `SubnetSelection` instead of `ISubnet[]`
+
+### Features
+
+* **aws-lambda-nodejs:** add esbuild `define` bundling option ([#12424](https://github.com/aws/aws-cdk/issues/12424)) ([581f6af](https://github.com/aws/aws-cdk/commit/581f6af3d1f71737ca93b6ecb9b004bdade149a8)), closes [#12423](https://github.com/aws/aws-cdk/issues/12423)
+* **cdk-assets:** add external asset support ([#12259](https://github.com/aws/aws-cdk/issues/12259)) ([05a9980](https://github.com/aws/aws-cdk/commit/05a998065b3333854715c456b20b7cc5d5daac67))
+* **cli:** `--quiet` does not print template in `cdk synth` ([#12178](https://github.com/aws/aws-cdk/issues/12178)) ([74458a0](https://github.com/aws/aws-cdk/commit/74458a0e9eebce4ee254673aad8933d39588d843)), closes [#11970](https://github.com/aws/aws-cdk/issues/11970)
+* **codebuild:** support Standard 5.0 ([#12434](https://github.com/aws/aws-cdk/issues/12434)) ([422dc8e](https://github.com/aws/aws-cdk/commit/422dc8e9d50105af4e710d409a4f301079d43f3f)), closes [#12433](https://github.com/aws/aws-cdk/issues/12433)
+* **core:** validate maximum amount of resources in a stack ([#12193](https://github.com/aws/aws-cdk/issues/12193)) ([26121c8](https://github.com/aws/aws-cdk/commit/26121c81abf0fb92de97567c758a1ecf60f85f63)), closes [#276](https://github.com/aws/aws-cdk/issues/276)
+* **eks:** spot interruption handler can be disabled for self managed nodes ([#12453](https://github.com/aws/aws-cdk/issues/12453)) ([6ac1f4f](https://github.com/aws/aws-cdk/commit/6ac1f4fdef5853785d8e57652ec4c4e1d770844d)), closes [#12451](https://github.com/aws/aws-cdk/issues/12451)
+* **synthetics:** Update Cloudwatch Synthetics canaries NodeJS runtimes ([#11866](https://github.com/aws/aws-cdk/issues/11866)) ([4f6e377](https://github.com/aws/aws-cdk/commit/4f6e377ae3f35c3fa010e1597c3d71ef6e6e9a04)), closes [#11870](https://github.com/aws/aws-cdk/issues/11870)
+
+
+### Bug Fixes
+
+* **apigatewayv2:** vpclink - explicit subnet specification still causes private subnets to be included ([#12401](https://github.com/aws/aws-cdk/issues/12401)) ([336a58f](https://github.com/aws/aws-cdk/commit/336a58f06a3b3a9f5db2a79350f8721244767e3b)), closes [#12083](https://github.com/aws/aws-cdk/issues/12083)
+* **cli:** CLI doesn't read context from ~/.cdk.json ([#12394](https://github.com/aws/aws-cdk/issues/12394)) ([2389a9b](https://github.com/aws/aws-cdk/commit/2389a9b5742583f1d58c66a4f513ee4d833baab5)), closes [#10823](https://github.com/aws/aws-cdk/issues/10823) [#4802](https://github.com/aws/aws-cdk/issues/4802)
+* **core:** DefaultStackSynthesizer bucket prefix missing for template assets ([#11855](https://github.com/aws/aws-cdk/issues/11855)) ([50a3d3a](https://github.com/aws/aws-cdk/commit/50a3d3acf3e413d9b4e51197d2be4ea1349c0955)), closes [#10710](https://github.com/aws/aws-cdk/issues/10710) [#11327](https://github.com/aws/aws-cdk/issues/11327)
+* **dynamodb:** missing grantRead for ConditionCheckItem ([#12313](https://github.com/aws/aws-cdk/issues/12313)) ([e157007](https://github.com/aws/aws-cdk/commit/e1570072440b07b6b82219c1a4371386c541fb1c))
+* **ec2:** interface endpoint AZ lookup does not guard against broken situations ([#12033](https://github.com/aws/aws-cdk/issues/12033)) ([80f0bfd](https://github.com/aws/aws-cdk/commit/80f0bfd167430a015e71b00506e0ecc280068e86))
+* **eks:** nodegroup synthesis fails when configured with an AMI type that is not compatible to the default instance type ([#12441](https://github.com/aws/aws-cdk/issues/12441)) ([5f6f0f9](https://github.com/aws/aws-cdk/commit/5f6f0f9d46dbd460ac03dd5f9f4874eaa41611d8)), closes [#12389](https://github.com/aws/aws-cdk/issues/12389)
+* **elasticsearch:** domain fails due to log publishing keys on unsupported cluster versions ([#11622](https://github.com/aws/aws-cdk/issues/11622)) ([e6bb96f](https://github.com/aws/aws-cdk/commit/e6bb96ff6bae96e3167c82f6de97807217ddb3be))
+* **elbv2:** can't import two application listeners into the same scope ([#12373](https://github.com/aws/aws-cdk/issues/12373)) ([6534dcf](https://github.com/aws/aws-cdk/commit/6534dcf3e04a55f5c6d28203192cbbddb5d119e6)), closes [#12132](https://github.com/aws/aws-cdk/issues/12132)
+* **logs:** custom resource Lambda uses old NodeJS version ([#12228](https://github.com/aws/aws-cdk/issues/12228)) ([29c4943](https://github.com/aws/aws-cdk/commit/29c4943466f4a911f65a2a13cf9e776ade9b8dfe))
+* **stepfunctions-tasks:** EvaluateExpression does not support JSON paths with dash ([#12248](https://github.com/aws/aws-cdk/issues/12248)) ([da1ed08](https://github.com/aws/aws-cdk/commit/da1ed08a6a2de584f5ddf43dab4efbb530541419)), closes [#12221](https://github.com/aws/aws-cdk/issues/12221)
+
 ## [1.83.0](https://github.com/aws/aws-cdk/compare/v1.82.0...v1.83.0) (2021-01-06)
 
 

allowed-breaking-changes.txt

@@ -52,3 +52,7 @@ incompatible-argument:@aws-cdk/aws-ecs.FargateTaskDefinition.<initializer>
 incompatible-argument:@aws-cdk/aws-ecs.FargateTaskDefinition.addVolume
 incompatible-argument:@aws-cdk/aws-ecs.TaskDefinition.<initializer>
 incompatible-argument:@aws-cdk/aws-ecs.TaskDefinition.addVolume
+
+# We made properties optional and it's really fine but our differ doesn't think so.
+weakened:@aws-cdk/cloud-assembly-schema.DockerImageSource
+weakened:@aws-cdk/cloud-assembly-schema.FileSource

packages/@aws-cdk-containers/ecs-service-extensions/test/integ.assign-public-ip.expected.json

@@ -675,6 +675,7 @@
                 "dynamodb:Query",
                 "dynamodb:GetItem",
                 "dynamodb:Scan",
+                "dynamodb:ConditionCheckItem",
                 "dynamodb:BatchWriteItem",
                 "dynamodb:PutItem",
                 "dynamodb:UpdateItem",

packages/@aws-cdk/app-delivery/package.json

@@ -64,7 +64,7 @@
     "@types/nodeunit": "^0.0.31",
     "cdk-build-tools": "0.0.0",
     "cdk-integ-tools": "0.0.0",
-    "fast-check": "^2.7.0",
+    "fast-check": "^2.11.0",
     "nodeunit": "^0.11.3",
     "pkglint": "0.0.0"
   },

packages/@aws-cdk/aws-apigateway/README.md

@@ -109,7 +109,7 @@ item.addMethod('DELETE', new apigateway.HttpIntegration('http://amazon.com'));
 ### Breaking up Methods and Resources across Stacks
 
 It is fairly common for REST APIs with a large number of Resources and Methods to hit the [CloudFormation
-limit](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cloudformation-limits.html) of 200 resources per
+limit](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cloudformation-limits.html) of 500 resources per
 stack.
 
 To help with this, Resources and Methods for the same REST API can be re-organized across multiple stacks. A common

packages/@aws-cdk/aws-apigatewayv2/lib/http/vpc-link.ts

@@ -39,7 +39,7 @@ export interface VpcLinkProps {
    *
    * @default - private subnets of the provided VPC. Use `addSubnets` to add more subnets
    */
-  readonly subnets?: ec2.ISubnet[];
+  readonly subnets?: ec2.SubnetSelection;
 
   /**
    * A list of security groups for the VPC link.
@@ -99,11 +99,8 @@ export class VpcLink extends Resource implements IVpcLink {
 
     this.vpcLinkId = cfnResource.ref;
 
-    this.addSubnets(...props.vpc.privateSubnets);
-
-    if (props.subnets) {
-      this.addSubnets(...props.subnets);
-    }
+    const { subnets } = props.vpc.selectSubnets(props.subnets ?? { subnetType: ec2.SubnetType.PRIVATE });
+    this.addSubnets(...subnets);
 
     if (props.securityGroups) {
       this.addSecurityGroups(...props.securityGroups);

packages/@aws-cdk/aws-apigatewayv2/test/http/vpc-link.test.ts

@@ -51,20 +51,14 @@ describe('VpcLink', () => {
     // WHEN
     new VpcLink(stack, 'VpcLink', {
       vpc,
-      subnets: [subnet1, subnet2],
+      subnets: { subnets: [subnet1, subnet2] },
       securityGroups: [sg1, sg2, sg3],
     });
 
     // THEN
     expect(stack).toHaveResource('AWS::ApiGatewayV2::VpcLink', {
       Name: 'VpcLink',
       SubnetIds: [
-        {
-          Ref: 'VPCPrivateSubnet1Subnet8BCA10E0',
-        },
-        {
-          Ref: 'VPCPrivateSubnet2SubnetCFCDAA7A',
-        },
         {
           Ref: 'subnet1Subnet16A4B3BD',
         },

packages/@aws-cdk/aws-applicationautoscaling/package.json

@@ -76,7 +76,7 @@
     "@types/nodeunit": "^0.0.31",
     "cdk-build-tools": "0.0.0",
     "cfn2ts": "0.0.0",
-    "fast-check": "^2.7.0",
+    "fast-check": "^2.11.0",
     "nodeunit": "^0.11.3",
     "pkglint": "0.0.0"
   },

packages/@aws-cdk/aws-appsync/test/integ.api-import.expected.json

@@ -81,6 +81,7 @@
                   "dynamodb:Query",
                   "dynamodb:GetItem",
                   "dynamodb:Scan",
+                  "dynamodb:ConditionCheckItem",
                   "dynamodb:BatchWriteItem",
                   "dynamodb:PutItem",
                   "dynamodb:UpdateItem",

packages/@aws-cdk/aws-appsync/test/integ.auth-apikey.expected.json

@@ -64,6 +64,7 @@
                 "dynamodb:Query",
                 "dynamodb:GetItem",
                 "dynamodb:Scan",
+                "dynamodb:ConditionCheckItem",
                 "dynamodb:BatchWriteItem",
                 "dynamodb:PutItem",
                 "dynamodb:UpdateItem",

packages/@aws-cdk/aws-appsync/test/integ.graphql-iam.expected.json

@@ -93,6 +93,7 @@
                 "dynamodb:Query",
                 "dynamodb:GetItem",
                 "dynamodb:Scan",
+                "dynamodb:ConditionCheckItem",
                 "dynamodb:BatchWriteItem",
                 "dynamodb:PutItem",
                 "dynamodb:UpdateItem",

packages/@aws-cdk/aws-appsync/test/integ.graphql-schema.expected.json

@@ -63,6 +63,7 @@
                 "dynamodb:Query",
                 "dynamodb:GetItem",
                 "dynamodb:Scan",
+                "dynamodb:ConditionCheckItem",
                 "dynamodb:BatchWriteItem",
                 "dynamodb:PutItem",
                 "dynamodb:UpdateItem",

packages/@aws-cdk/aws-appsync/test/integ.graphql.expected.json

@@ -141,6 +141,7 @@
                 "dynamodb:Query",
                 "dynamodb:GetItem",
                 "dynamodb:Scan",
+                "dynamodb:ConditionCheckItem",
                 "dynamodb:BatchWriteItem",
                 "dynamodb:PutItem",
                 "dynamodb:UpdateItem",
@@ -227,6 +228,7 @@
                 "dynamodb:Query",
                 "dynamodb:GetItem",
                 "dynamodb:Scan",
+                "dynamodb:ConditionCheckItem",
                 "dynamodb:BatchWriteItem",
                 "dynamodb:PutItem",
                 "dynamodb:UpdateItem",
@@ -324,6 +326,7 @@
                 "dynamodb:Query",
                 "dynamodb:GetItem",
                 "dynamodb:Scan",
+                "dynamodb:ConditionCheckItem",
                 "dynamodb:BatchWriteItem",
                 "dynamodb:PutItem",
                 "dynamodb:UpdateItem",

packages/@aws-cdk/aws-autoscaling-common/package.json

@@ -68,7 +68,7 @@
     "@types/nodeunit": "^0.0.31",
     "cdk-build-tools": "0.0.0",
     "cdk-integ-tools": "0.0.0",
-    "fast-check": "^2.7.0",
+    "fast-check": "^2.11.0",
     "nodeunit": "^0.11.3",
     "pkglint": "0.0.0"
   },

packages/@aws-cdk/aws-chatbot/test/integ.chatbot-logretention.expected.json

@@ -170,7 +170,7 @@
             "Arn"
           ]
         },
-        "Runtime": "nodejs10.x"
+        "Runtime": "nodejs12.x"
       },
       "DependsOn": [
         "LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRoleDefaultPolicyADDA7DEB",

packages/@aws-cdk/aws-cloudfront-origins/package.json

@@ -73,7 +73,7 @@
   "devDependencies": {
     "@aws-cdk/assert": "0.0.0",
     "@aws-cdk/aws-ec2": "0.0.0",
-    "aws-sdk": "^2.822.0",
+    "aws-sdk": "^2.824.0",
     "cdk-build-tools": "0.0.0",
     "cdk-integ-tools": "0.0.0",
     "pkglint": "0.0.0"

packages/@aws-cdk/aws-cloudfront/package.json

@@ -74,7 +74,7 @@
   "license": "Apache-2.0",
   "devDependencies": {
     "@aws-cdk/assert": "0.0.0",
-    "aws-sdk": "^2.822.0",
+    "aws-sdk": "^2.824.0",
     "cdk-build-tools": "0.0.0",
     "cdk-integ-tools": "0.0.0",
     "cfn2ts": "0.0.0",

packages/@aws-cdk/aws-cloudtrail/package.json

@@ -74,7 +74,7 @@
   "license": "Apache-2.0",
   "devDependencies": {
     "@aws-cdk/assert": "0.0.0",
-    "aws-sdk": "^2.822.0",
+    "aws-sdk": "^2.824.0",
     "cdk-build-tools": "0.0.0",
     "cdk-integ-tools": "0.0.0",
     "cfn2ts": "0.0.0",

packages/@aws-cdk/aws-codebuild/lib/project.ts

@@ -1436,6 +1436,8 @@ export class LinuxBuildImage implements IBuildImage {
   public static readonly STANDARD_3_0 = LinuxBuildImage.codeBuildImage('aws/codebuild/standard:3.0');
   /** The `aws/codebuild/standard:4.0` build image. */
   public static readonly STANDARD_4_0 = LinuxBuildImage.codeBuildImage('aws/codebuild/standard:4.0');
+  /** The `aws/codebuild/standard:5.0` build image. */
+  public static readonly STANDARD_5_0 = LinuxBuildImage.codeBuildImage('aws/codebuild/standard:5.0');
 
   public static readonly AMAZON_LINUX_2 = LinuxBuildImage.codeBuildImage('aws/codebuild/amazonlinux2-x86_64-standard:1.0');
   public static readonly AMAZON_LINUX_2_2 = LinuxBuildImage.codeBuildImage('aws/codebuild/amazonlinux2-x86_64-standard:2.0');

packages/@aws-cdk/aws-codebuild/package.json

@@ -80,7 +80,7 @@
     "@aws-cdk/aws-sns": "0.0.0",
     "@aws-cdk/aws-sqs": "0.0.0",
     "@types/nodeunit": "^0.0.31",
-    "aws-sdk": "^2.822.0",
+    "aws-sdk": "^2.824.0",
     "cdk-build-tools": "0.0.0",
     "cdk-integ-tools": "0.0.0",
     "cfn2ts": "0.0.0",

packages/@aws-cdk/aws-codecommit/package.json

@@ -80,7 +80,7 @@
     "@aws-cdk/assert": "0.0.0",
     "@aws-cdk/aws-sns": "0.0.0",
     "@types/nodeunit": "^0.0.31",
-    "aws-sdk": "^2.822.0",
+    "aws-sdk": "^2.824.0",
     "cdk-build-tools": "0.0.0",
     "cdk-integ-tools": "0.0.0",
     "cfn2ts": "0.0.0",

packages/@aws-cdk/aws-codepipeline-actions/package.json

@@ -70,7 +70,7 @@
   "devDependencies": {
     "@aws-cdk/assert": "0.0.0",
     "@aws-cdk/aws-cloudtrail": "0.0.0",
-    "@types/lodash": "^4.14.165",
+    "@types/lodash": "^4.14.167",
     "@types/nodeunit": "^0.0.31",
     "cdk-build-tools": "0.0.0",
     "cdk-integ-tools": "0.0.0",

packages/@aws-cdk/aws-dynamodb/lib/perms.ts

@@ -5,6 +5,7 @@ export const READ_DATA_ACTIONS = [
   'dynamodb:Query',
   'dynamodb:GetItem',
   'dynamodb:Scan',
+  'dynamodb:ConditionCheckItem',
 ];
 export const KEY_READ_ACTIONS = [
   'kms:Decrypt',

packages/@aws-cdk/aws-dynamodb/package.json

@@ -75,7 +75,7 @@
   "devDependencies": {
     "@aws-cdk/assert": "0.0.0",
     "@types/jest": "^26.0.15",
-    "aws-sdk": "^2.822.0",
+    "aws-sdk": "^2.824.0",
     "aws-sdk-mock": "^5.1.0",
     "cdk-build-tools": "0.0.0",
     "cdk-integ-tools": "0.0.0",

packages/@aws-cdk/aws-dynamodb/test/dynamodb.test.ts

@@ -765,6 +765,7 @@ test('if an encryption key is included, encrypt/decrypt permissions are also add
                   'dynamodb:Query',
                   'dynamodb:GetItem',
                   'dynamodb:Scan',
+                  'dynamodb:ConditionCheckItem',
                   'dynamodb:BatchWriteItem',
                   'dynamodb:PutItem',
                   'dynamodb:UpdateItem',
@@ -1837,7 +1838,7 @@ describe('grants', () => {
 
   test('"grantReadData" allows the principal to read data from the table', () => {
     testGrant(
-      ['BatchGetItem', 'GetRecords', 'GetShardIterator', 'Query', 'GetItem', 'Scan'], (p, t) => t.grantReadData(p));
+      ['BatchGetItem', 'GetRecords', 'GetShardIterator', 'Query', 'GetItem', 'Scan', 'ConditionCheckItem'], (p, t) => t.grantReadData(p));
   });
 
   test('"grantWriteData" allows the principal to write data to the table', () => {
@@ -1848,7 +1849,7 @@ describe('grants', () => {
   test('"grantReadWriteData" allows the principal to read/write data', () => {
     testGrant([
       'BatchGetItem', 'GetRecords', 'GetShardIterator', 'Query', 'GetItem', 'Scan',
-      'BatchWriteItem', 'PutItem', 'UpdateItem', 'DeleteItem',
+      'ConditionCheckItem', 'BatchWriteItem', 'PutItem', 'UpdateItem', 'DeleteItem',
     ], (p, t) => t.grantReadWriteData(p));
   });
 
@@ -2009,6 +2010,7 @@ describe('grants', () => {
               'dynamodb:Query',
               'dynamodb:GetItem',
               'dynamodb:Scan',
+              'dynamodb:ConditionCheckItem',
             ],
             'Effect': 'Allow',
             'Resource': [
@@ -2160,6 +2162,7 @@ describe('import', () => {
               'dynamodb:Query',
               'dynamodb:GetItem',
               'dynamodb:Scan',
+              'dynamodb:ConditionCheckItem',
             ],
             'Effect': 'Allow',
             'Resource': [
@@ -2201,6 +2204,7 @@ describe('import', () => {
               'dynamodb:Query',
               'dynamodb:GetItem',
               'dynamodb:Scan',
+              'dynamodb:ConditionCheckItem',
               'dynamodb:BatchWriteItem',
               'dynamodb:PutItem',
               'dynamodb:UpdateItem',
@@ -2346,6 +2350,7 @@ describe('import', () => {
                 'dynamodb:Query',
                 'dynamodb:GetItem',
                 'dynamodb:Scan',
+                'dynamodb:ConditionCheckItem',
               ],
               Resource: [
                 {
@@ -2479,6 +2484,7 @@ describe('global', () => {
               'dynamodb:Query',
               'dynamodb:GetItem',
               'dynamodb:Scan',
+              'dynamodb:ConditionCheckItem',
             ],
             Effect: 'Allow',
             Resource: [
@@ -2632,6 +2638,7 @@ describe('global', () => {
               'dynamodb:Query',
               'dynamodb:GetItem',
               'dynamodb:Scan',
+              'dynamodb:ConditionCheckItem',
             ],
             Effect: 'Allow',
             Resource: [

packages/@aws-cdk/aws-dynamodb/test/integ.dynamodb.expected.json

@@ -386,7 +386,8 @@
                 "dynamodb:GetShardIterator",
                 "dynamodb:Query",
                 "dynamodb:GetItem",
-                "dynamodb:Scan"
+                "dynamodb:Scan",
+                "dynamodb:ConditionCheckItem"
               ],
               "Effect": "Allow",
               "Resource": [
@@ -408,7 +409,8 @@
                 "dynamodb:GetShardIterator",
                 "dynamodb:Query",
                 "dynamodb:GetItem",
-                "dynamodb:Scan"
+                "dynamodb:Scan",
+                "dynamodb:ConditionCheckItem"
               ],
               "Effect": "Allow",
               "Resource": [