From a94c30e1c6d7ee3d27e4b8bf1b7148691d033785 Mon Sep 17 00:00:00 2001
From: Nithin Chandran Rajashankar <rajashan@amazon.com>
Date: Wed, 6 May 2026 04:46:56 +0000
Subject: [PATCH 1/5] feat: Add DynamoDB cross-account replication pattern

First pattern for DynamoDB Global Tables cross-account replication
(Q1 2026 launch). Creates Global Table with replica in us-west-2
and cross-account IAM role for secure read access.

Deployed and tested - write to source, read from replica confirmed.
---
 .../README.md                                 | 60 +++++++++++++++++++
 .../bin/app.ts                                | 12 ++++
 .../cdk.json                                  |  3 +
 .../example-pattern.json                      | 40 +++++++++++++
 ...ynamodb-cross-account-replication-stack.ts | 52 ++++++++++++++++
 .../package.json                              | 16 +++++
 .../tsconfig.json                             |  8 +++
 7 files changed, 191 insertions(+)
 create mode 100644 dynamodb-cross-account-replication-cdk/README.md
 create mode 100644 dynamodb-cross-account-replication-cdk/bin/app.ts
 create mode 100644 dynamodb-cross-account-replication-cdk/cdk.json
 create mode 100644 dynamodb-cross-account-replication-cdk/example-pattern.json
 create mode 100644 dynamodb-cross-account-replication-cdk/lib/dynamodb-cross-account-replication-stack.ts
 create mode 100644 dynamodb-cross-account-replication-cdk/package.json
 create mode 100644 dynamodb-cross-account-replication-cdk/tsconfig.json

diff --git a/dynamodb-cross-account-replication-cdk/README.md b/dynamodb-cross-account-replication-cdk/README.md
new file mode 100644
index 000000000..cd51675ac
--- /dev/null
+++ b/dynamodb-cross-account-replication-cdk/README.md
@@ -0,0 +1,60 @@
+# Amazon DynamoDB Cross-Account Replication with Global Tables
+
+This pattern deploys a DynamoDB Global Table with cross-account replication and an IAM role for secure cross-account read access.
+
+Learn more about this pattern at Serverless Land Patterns: https://serverlessland.com/patterns/dynamodb-cross-account-replication-cdk
+
+Important: this application uses various AWS services and there are costs associated with these services after the Free Tier usage - please see the [AWS Pricing page](https://aws.amazon.com/pricing/) for details.
+
+## Requirements
+
+* [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html) installed and configured
+* [AWS CDK](https://docs.aws.amazon.com/cdk/latest/guide/cli.html) installed
+* [Node.js](https://nodejs.org/en/download/) installed
+* Two AWS accounts (source and replica)
+
+## Deployment Instructions
+
+1. Clone and navigate to the pattern:
+    ```
+    cd serverless-patterns/dynamodb-cross-account-replication-cdk
+    npm install
+    ```
+2. Deploy with the replica account ID:
+    ```
+    cdk deploy --parameters ReplicaAccountId=123456789012 --parameters ReplicaRegion=us-west-2
+    ```
+
+## How it works
+
+- A DynamoDB Global Table is created with a replica in the specified region
+- DynamoDB automatically replicates all writes to the replica with sub-second latency
+- A cross-account IAM role allows the replica account to assume and read from the table
+- Point-in-time recovery is enabled for data protection
+
+## Testing
+
+```bash
+# Write an item to the source table
+aws dynamodb put-item --table-name $(aws cloudformation describe-stacks \
+  --stack-name DynamodbCrossAccountReplicationStack \
+  --query 'Stacks[0].Outputs[?OutputKey==`TableName`].OutputValue' --output text) \
+  --item '{"PK":{"S":"user#123"},"SK":{"S":"profile"},"name":{"S":"test"}}'
+
+# Read from replica region (same account)
+aws dynamodb get-item --table-name <TableName> \
+  --key '{"PK":{"S":"user#123"},"SK":{"S":"profile"}}' \
+  --region us-west-2
+```
+
+## Cleanup
+
+```
+cdk destroy
+```
+
+---
+
+Copyright 2026 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+
+SPDX-License-Identifier: MIT-0
diff --git a/dynamodb-cross-account-replication-cdk/bin/app.ts b/dynamodb-cross-account-replication-cdk/bin/app.ts
new file mode 100644
index 000000000..37003429d
--- /dev/null
+++ b/dynamodb-cross-account-replication-cdk/bin/app.ts
@@ -0,0 +1,12 @@
+#!/usr/bin/env node
+import 'source-map-support/register';
+import * as cdk from 'aws-cdk-lib';
+import { DynamodbCrossAccountReplicationStack } from '../lib/dynamodb-cross-account-replication-stack';
+
+const app = new cdk.App();
+new DynamodbCrossAccountReplicationStack(app, 'DynamodbCrossAccountReplicationStack', {
+  env: {
+    account: process.env.CDK_DEFAULT_ACCOUNT || '123456789012',
+    region: process.env.CDK_DEFAULT_REGION || 'us-east-1',
+  },
+});
diff --git a/dynamodb-cross-account-replication-cdk/cdk.json b/dynamodb-cross-account-replication-cdk/cdk.json
new file mode 100644
index 000000000..a6700a2ff
--- /dev/null
+++ b/dynamodb-cross-account-replication-cdk/cdk.json
@@ -0,0 +1,3 @@
+{
+  "app": "npx ts-node --prefer-ts-exts bin/app.ts"
+}
diff --git a/dynamodb-cross-account-replication-cdk/example-pattern.json b/dynamodb-cross-account-replication-cdk/example-pattern.json
new file mode 100644
index 000000000..6bbea31f7
--- /dev/null
+++ b/dynamodb-cross-account-replication-cdk/example-pattern.json
@@ -0,0 +1,40 @@
+{
+  "title": "Amazon DynamoDB Cross-Account Replication with Global Tables",
+  "description": "Deploy a DynamoDB Global Table with cross-account replication and IAM role for secure cross-account read access.",
+  "language": "TypeScript",
+  "level": "300",
+  "framework": "CDK",
+  "introBox": {
+    "headline": "How it works",
+    "text": [
+      "This pattern creates a DynamoDB Global Table that replicates data across AWS accounts and regions.",
+      "A cross-account IAM role enables the replica account to read from the table securely.",
+      "DynamoDB handles replication automatically with sub-second latency between regions.",
+      "Point-in-time recovery is enabled for data protection."
+    ]
+  },
+  "gitHub": {
+    "template": {
+      "repoURL": "https://github.com/aws-samples/serverless-patterns/tree/main/dynamodb-cross-account-replication-cdk",
+      "templateURL": "serverless-patterns/dynamodb-cross-account-replication-cdk",
+      "projectFolder": "dynamodb-cross-account-replication-cdk",
+      "templateFile": "lib/dynamodb-cross-account-replication-stack.ts"
+    }
+  },
+  "resources": {
+    "bullets": [
+      { "text": "DynamoDB Global Tables Cross-Account Replication", "link": "https://aws.amazon.com/blogs/database/amazon-dynamodb-global-tables-now-support-replication-across-aws-accounts/" },
+      { "text": "DynamoDB Global Tables Documentation", "link": "https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/GlobalTables.html" }
+    ]
+  },
+  "deploy": { "text": ["cdk deploy --parameters ReplicaAccountId=123456789012"] },
+  "testing": { "text": ["See the README for testing instructions."] },
+  "cleanup": { "text": ["cdk destroy"] },
+  "authors": [
+    {
+      "name": "Nithin Chandran R",
+      "bio": "Technical Account Manager at AWS, passionate about serverless and AI/ML.",
+      "linkedin": "nithin-chandran-r"
+    }
+  ]
+}
diff --git a/dynamodb-cross-account-replication-cdk/lib/dynamodb-cross-account-replication-stack.ts b/dynamodb-cross-account-replication-cdk/lib/dynamodb-cross-account-replication-stack.ts
new file mode 100644
index 000000000..ca137777e
--- /dev/null
+++ b/dynamodb-cross-account-replication-cdk/lib/dynamodb-cross-account-replication-stack.ts
@@ -0,0 +1,52 @@
+import * as cdk from 'aws-cdk-lib';
+import * as dynamodb from 'aws-cdk-lib/aws-dynamodb';
+import * as iam from 'aws-cdk-lib/aws-iam';
+import { Construct } from 'constructs';
+
+export class DynamodbCrossAccountReplicationStack extends cdk.Stack {
+  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+    super(scope, id, props);
+
+    const replicaAccountId = new cdk.CfnParameter(this, 'ReplicaAccountId', {
+      type: 'String',
+      description: 'AWS Account ID for the replica table',
+    });
+
+    const table = new dynamodb.TableV2(this, 'SourceTable', {
+      partitionKey: { name: 'PK', type: dynamodb.AttributeType.STRING },
+      sortKey: { name: 'SK', type: dynamodb.AttributeType.STRING },
+      billing: dynamodb.Billing.onDemand(),
+      pointInTimeRecovery: true,
+      removalPolicy: cdk.RemovalPolicy.DESTROY,
+      replicas: [
+        {
+          region: 'us-west-2',
+        },
+      ],
+    });
+
+    // IAM role for cross-account access to the replica
+    const crossAccountRole = new iam.Role(this, 'CrossAccountReplicaRole', {
+      assumedBy: new iam.AccountPrincipal(replicaAccountId.valueAsString),
+      description: 'Allows replica account to read from the global table replica',
+    });
+
+    crossAccountRole.addToPolicy(new iam.PolicyStatement({
+      actions: [
+        'dynamodb:GetItem',
+        'dynamodb:Query',
+        'dynamodb:Scan',
+        'dynamodb:BatchGetItem',
+      ],
+      resources: [
+        table.tableArn,
+        `${table.tableArn}/index/*`,
+      ],
+    }));
+
+    new cdk.CfnOutput(this, 'TableName', { value: table.tableName });
+    new cdk.CfnOutput(this, 'TableArn', { value: table.tableArn });
+    new cdk.CfnOutput(this, 'CrossAccountRoleArn', { value: crossAccountRole.roleArn });
+    new cdk.CfnOutput(this, 'ReplicaRegion', { value: 'us-west-2' });
+  }
+}
diff --git a/dynamodb-cross-account-replication-cdk/package.json b/dynamodb-cross-account-replication-cdk/package.json
new file mode 100644
index 000000000..dab05a14e
--- /dev/null
+++ b/dynamodb-cross-account-replication-cdk/package.json
@@ -0,0 +1,16 @@
+{
+  "name": "dynamodb-cross-account-replication-cdk",
+  "version": "1.0.0",
+  "bin": { "app": "bin/app.ts" },
+  "scripts": { "build": "tsc", "cdk": "cdk" },
+  "dependencies": {
+    "aws-cdk-lib": "^2.180.0",
+    "constructs": "^10.0.0",
+    "source-map-support": "^0.5.21"
+  },
+  "devDependencies": {
+    "typescript": "~5.4.0",
+    "ts-node": "^10.9.0",
+    "@types/node": "^20.0.0"
+  }
+}
diff --git a/dynamodb-cross-account-replication-cdk/tsconfig.json b/dynamodb-cross-account-replication-cdk/tsconfig.json
new file mode 100644
index 000000000..a4f77b1b2
--- /dev/null
+++ b/dynamodb-cross-account-replication-cdk/tsconfig.json
@@ -0,0 +1,8 @@
+{
+  "compilerOptions": {
+    "target": "ES2020", "module": "commonjs", "lib": ["es2020"],
+    "declaration": true, "strict": true, "outDir": "build",
+    "rootDir": ".", "skipLibCheck": true, "forceConsistentCasingInFileNames": true
+  },
+  "exclude": ["node_modules", "build"]
+}

From 8e72ec4339d27f0d4b61446e24686ffe1320dacc Mon Sep 17 00:00:00 2001
From: Nithin Chandran Rajashankar <rajashan@amazon.com>
Date: Fri, 5 Jun 2026 14:51:23 +0000
Subject: [PATCH 2/5] fix: reframe as cross-account-read, fix IAM region
 scoping, add ReplicaRegion context

---
 .../README.md                                 | 60 +++++++++++++------
 .../example-pattern.json                      | 10 ++--
 ...ynamodb-cross-account-replication-stack.ts | 25 ++++----
 3 files changed, 62 insertions(+), 33 deletions(-)

diff --git a/dynamodb-cross-account-replication-cdk/README.md b/dynamodb-cross-account-replication-cdk/README.md
index cd51675ac..a7938db9d 100644
--- a/dynamodb-cross-account-replication-cdk/README.md
+++ b/dynamodb-cross-account-replication-cdk/README.md
@@ -1,6 +1,6 @@
-# Amazon DynamoDB Cross-Account Replication with Global Tables
+# Amazon DynamoDB Global Tables with Cross-Account Read Access
 
-This pattern deploys a DynamoDB Global Table with cross-account replication and an IAM role for secure cross-account read access.
+This pattern deploys a DynamoDB Global Table (same-account, multi-region) and an IAM role that grants a separate AWS account read-only access to the table in both regions.
 
 Learn more about this pattern at Serverless Land Patterns: https://serverlessland.com/patterns/dynamodb-cross-account-replication-cdk
 
@@ -10,27 +10,48 @@ Important: this application uses various AWS services and there are costs associ
 
 * [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html) installed and configured
 * [AWS CDK](https://docs.aws.amazon.com/cdk/latest/guide/cli.html) installed
-* [Node.js](https://nodejs.org/en/download/) installed
-* Two AWS accounts (source and replica)
+* [Node.js](https://nodejs.org/en/download/) 20.x or later
+* Two AWS accounts (one owns the table, the other reads from it)
+
+## How it works
+
+```
+┌─────────────────────────────────────────────────────────────────┐
+│  Owner Account                                                   │
+│                                                                   │
+│  ┌─────────────────┐   Global Tables    ┌─────────────────┐     │
+│  │ DynamoDB Table   │ ─────────────────▶ │ DynamoDB Replica │     │
+│  │ (us-east-1)      │   auto-replicate   │ (us-west-2)      │     │
+│  └─────────────────┘                    └─────────────────┘     │
+│           │                                       │              │
+│           └───────────── IAM Role ───────────────┘              │
+│                              │                                    │
+└──────────────────────────────┼────────────────────────────────────┘
+                               │ AssumeRole
+┌──────────────────────────────┼────────────────────────────────────┐
+│  Reader Account              ▼                                    │
+│              GetItem / Query / Scan                               │
+└───────────────────────────────────────────────────────────────────┘
+```
+
+- A DynamoDB Global Table is created with a replica in the specified region (same account)
+- An IAM role is created that can be assumed by the reader account
+- The role grants read-only access (`GetItem`, `Query`, `Scan`, `BatchGetItem`) to the table in **both** regions
+- DynamoDB handles replication automatically with sub-second latency
+
+**Note:** This is same-account multi-region replication (Global Tables) with cross-account read access via IAM. For true cross-account Global Tables replication, use `TableV2MultiAccountReplica` in a separate stack deployed to the replica account.
 
 ## Deployment Instructions
 
 1. Clone and navigate to the pattern:
-    ```
+    ```bash
     cd serverless-patterns/dynamodb-cross-account-replication-cdk
     npm install
     ```
-2. Deploy with the replica account ID:
+2. Deploy with the reader account ID and replica region:
+    ```bash
+    cdk deploy --parameters ReplicaAccountId=123456789012 -c replicaRegion=us-west-2
     ```
-    cdk deploy --parameters ReplicaAccountId=123456789012 --parameters ReplicaRegion=us-west-2
-    ```
-
-## How it works
-
-- A DynamoDB Global Table is created with a replica in the specified region
-- DynamoDB automatically replicates all writes to the replica with sub-second latency
-- A cross-account IAM role allows the replica account to assume and read from the table
-- Point-in-time recovery is enabled for data protection
 
 ## Testing
 
@@ -41,15 +62,20 @@ aws dynamodb put-item --table-name $(aws cloudformation describe-stacks \
   --query 'Stacks[0].Outputs[?OutputKey==`TableName`].OutputValue' --output text) \
   --item '{"PK":{"S":"user#123"},"SK":{"S":"profile"},"name":{"S":"test"}}'
 
-# Read from replica region (same account)
+# Read from replica region (same account, verifies replication)
 aws dynamodb get-item --table-name <TableName> \
   --key '{"PK":{"S":"user#123"},"SK":{"S":"profile"}}' \
   --region us-west-2
+
+# Cross-account read (from reader account, assuming the role)
+aws sts assume-role --role-arn <CrossAccountRoleArn> \
+  --role-session-name reader-test
+# Use returned credentials to read from either region
 ```
 
 ## Cleanup
 
-```
+```bash
 cdk destroy
 ```
 
diff --git a/dynamodb-cross-account-replication-cdk/example-pattern.json b/dynamodb-cross-account-replication-cdk/example-pattern.json
index 6bbea31f7..f74e23da1 100644
--- a/dynamodb-cross-account-replication-cdk/example-pattern.json
+++ b/dynamodb-cross-account-replication-cdk/example-pattern.json
@@ -1,14 +1,14 @@
 {
-  "title": "Amazon DynamoDB Cross-Account Replication with Global Tables",
-  "description": "Deploy a DynamoDB Global Table with cross-account replication and IAM role for secure cross-account read access.",
+  "title": "Amazon DynamoDB Global Tables with Cross-Account Read Access",
+  "description": "Deploy a DynamoDB Global Table with a cross-account IAM role for secure read-only access from another AWS account.",
   "language": "TypeScript",
   "level": "300",
-  "framework": "CDK",
+  "framework": "AWS CDK",
   "introBox": {
     "headline": "How it works",
     "text": [
-      "This pattern creates a DynamoDB Global Table that replicates data across AWS accounts and regions.",
-      "A cross-account IAM role enables the replica account to read from the table securely.",
+      "This pattern creates a DynamoDB Global Table (same-account, multi-region) with an IAM role for cross-account read access.",
+      "The reader account assumes the IAM role and can query the table in either region.",
       "DynamoDB handles replication automatically with sub-second latency between regions.",
       "Point-in-time recovery is enabled for data protection."
     ]
diff --git a/dynamodb-cross-account-replication-cdk/lib/dynamodb-cross-account-replication-stack.ts b/dynamodb-cross-account-replication-cdk/lib/dynamodb-cross-account-replication-stack.ts
index ca137777e..c3ca65f57 100644
--- a/dynamodb-cross-account-replication-cdk/lib/dynamodb-cross-account-replication-stack.ts
+++ b/dynamodb-cross-account-replication-cdk/lib/dynamodb-cross-account-replication-stack.ts
@@ -9,26 +9,25 @@ export class DynamodbCrossAccountReplicationStack extends cdk.Stack {
 
     const replicaAccountId = new cdk.CfnParameter(this, 'ReplicaAccountId', {
       type: 'String',
-      description: 'AWS Account ID for the replica table',
+      description: 'AWS Account ID that will assume the cross-account read role',
     });
 
+    // Replica region must be a literal (TableV2 does not accept tokens for replica regions)
+    const replicaRegion = this.node.tryGetContext('replicaRegion') || 'us-west-2';
+
     const table = new dynamodb.TableV2(this, 'SourceTable', {
       partitionKey: { name: 'PK', type: dynamodb.AttributeType.STRING },
       sortKey: { name: 'SK', type: dynamodb.AttributeType.STRING },
       billing: dynamodb.Billing.onDemand(),
-      pointInTimeRecovery: true,
+      pointInTimeRecoverySpecification: { pointInTimeRecoveryEnabled: true },
       removalPolicy: cdk.RemovalPolicy.DESTROY,
-      replicas: [
-        {
-          region: 'us-west-2',
-        },
-      ],
+      replicas: [{ region: replicaRegion }],
     });
 
-    // IAM role for cross-account access to the replica
-    const crossAccountRole = new iam.Role(this, 'CrossAccountReplicaRole', {
+    // Cross-account read role — grants access to BOTH source and replica region ARNs
+    const crossAccountRole = new iam.Role(this, 'CrossAccountReadRole', {
       assumedBy: new iam.AccountPrincipal(replicaAccountId.valueAsString),
-      description: 'Allows replica account to read from the global table replica',
+      description: 'Allows another account to read from the DynamoDB Global Table in any region',
     });
 
     crossAccountRole.addToPolicy(new iam.PolicyStatement({
@@ -39,14 +38,18 @@ export class DynamodbCrossAccountReplicationStack extends cdk.Stack {
         'dynamodb:BatchGetItem',
       ],
       resources: [
+        // Source region
         table.tableArn,
         `${table.tableArn}/index/*`,
+        // Replica region (table.tableArn is source-region-scoped)
+        `arn:aws:dynamodb:${replicaRegion}:${this.account}:table/${table.tableName}`,
+        `arn:aws:dynamodb:${replicaRegion}:${this.account}:table/${table.tableName}/index/*`,
       ],
     }));
 
     new cdk.CfnOutput(this, 'TableName', { value: table.tableName });
     new cdk.CfnOutput(this, 'TableArn', { value: table.tableArn });
     new cdk.CfnOutput(this, 'CrossAccountRoleArn', { value: crossAccountRole.roleArn });
-    new cdk.CfnOutput(this, 'ReplicaRegion', { value: 'us-west-2' });
+    new cdk.CfnOutput(this, 'ReplicaRegion', { value: replicaRegion });
   }
 }

From 4f302fd0d14917b9b5e37d4293f9b923eddedc24 Mon Sep 17 00:00:00 2001
From: Nithin Chandran Rajashankar <rajashan@amazon.com>
Date: Fri, 5 Jun 2026 15:19:05 +0000
Subject: [PATCH 3/5] fix: drop Scan from least-privilege role, add cdk
 bootstrap to requirements

---
 dynamodb-cross-account-replication-cdk/README.md                 | 1 +
 .../lib/dynamodb-cross-account-replication-stack.ts              | 1 -
 2 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/dynamodb-cross-account-replication-cdk/README.md b/dynamodb-cross-account-replication-cdk/README.md
index a7938db9d..16f2f43bc 100644
--- a/dynamodb-cross-account-replication-cdk/README.md
+++ b/dynamodb-cross-account-replication-cdk/README.md
@@ -12,6 +12,7 @@ Important: this application uses various AWS services and there are costs associ
 * [AWS CDK](https://docs.aws.amazon.com/cdk/latest/guide/cli.html) installed
 * [Node.js](https://nodejs.org/en/download/) 20.x or later
 * Two AWS accounts (one owns the table, the other reads from it)
+* CDK bootstrapped in the deployment account/region (`cdk bootstrap`)
 
 ## How it works
 
diff --git a/dynamodb-cross-account-replication-cdk/lib/dynamodb-cross-account-replication-stack.ts b/dynamodb-cross-account-replication-cdk/lib/dynamodb-cross-account-replication-stack.ts
index c3ca65f57..59c86b058 100644
--- a/dynamodb-cross-account-replication-cdk/lib/dynamodb-cross-account-replication-stack.ts
+++ b/dynamodb-cross-account-replication-cdk/lib/dynamodb-cross-account-replication-stack.ts
@@ -34,7 +34,6 @@ export class DynamodbCrossAccountReplicationStack extends cdk.Stack {
       actions: [
         'dynamodb:GetItem',
         'dynamodb:Query',
-        'dynamodb:Scan',
         'dynamodb:BatchGetItem',
       ],
       resources: [

From 156f14890cc428359194e4193f2aa2fa89e4d16d Mon Sep 17 00:00:00 2001
From: Nithin Chandran Rajashankar <rajashan@amazon.com>
Date: Fri, 5 Jun 2026 15:22:28 +0000
Subject: [PATCH 4/5] fix: expand cross-account test example, add cleanup data
 deletion warning

---
 dynamodb-cross-account-replication-cdk/README.md | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/dynamodb-cross-account-replication-cdk/README.md b/dynamodb-cross-account-replication-cdk/README.md
index 16f2f43bc..adb05d4bd 100644
--- a/dynamodb-cross-account-replication-cdk/README.md
+++ b/dynamodb-cross-account-replication-cdk/README.md
@@ -71,11 +71,22 @@ aws dynamodb get-item --table-name <TableName> \
 # Cross-account read (from reader account, assuming the role)
 aws sts assume-role --role-arn <CrossAccountRoleArn> \
   --role-session-name reader-test
-# Use returned credentials to read from either region
+
+# Export the temporary credentials
+export AWS_ACCESS_KEY_ID=<AccessKeyId from above>
+export AWS_SECRET_ACCESS_KEY=<SecretAccessKey from above>
+export AWS_SESSION_TOKEN=<SessionToken from above>
+
+# Read from the replica region using the cross-account role
+aws dynamodb get-item --table-name <TableName> \
+  --key '{"PK":{"S":"user#123"},"SK":{"S":"profile"}}' \
+  --region us-west-2
 ```
 
 ## Cleanup
 
+> **⚠️ Warning:** `cdk destroy` with `RemovalPolicy.DESTROY` will permanently delete the table and all its data. Back up any important data before destroying.
+
 ```bash
 cdk destroy
 ```

From 830d62582f6b22af59f791f3f76fde2a5a48016d Mon Sep 17 00:00:00 2001
From: Nithin Chandran Rajashankar <rajashan@amazon.com>
Date: Fri, 5 Jun 2026 15:35:52 +0000
Subject: [PATCH 5/5] fix: fail loudly on missing account, full service name,
 document DESTROY choice

---
 dynamodb-cross-account-replication-cdk/README.md    |  2 +-
 dynamodb-cross-account-replication-cdk/bin/app.ts   | 13 +++++++++----
 .../lib/dynamodb-cross-account-replication-stack.ts |  1 +
 3 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/dynamodb-cross-account-replication-cdk/README.md b/dynamodb-cross-account-replication-cdk/README.md
index adb05d4bd..814518a96 100644
--- a/dynamodb-cross-account-replication-cdk/README.md
+++ b/dynamodb-cross-account-replication-cdk/README.md
@@ -1,6 +1,6 @@
 # Amazon DynamoDB Global Tables with Cross-Account Read Access
 
-This pattern deploys a DynamoDB Global Table (same-account, multi-region) and an IAM role that grants a separate AWS account read-only access to the table in both regions.
+This pattern deploys an Amazon DynamoDB Global Table (same-account, multi-region) and an IAM role that grants a separate AWS account read-only access to the table in both regions.
 
 Learn more about this pattern at Serverless Land Patterns: https://serverlessland.com/patterns/dynamodb-cross-account-replication-cdk
 
diff --git a/dynamodb-cross-account-replication-cdk/bin/app.ts b/dynamodb-cross-account-replication-cdk/bin/app.ts
index 37003429d..35f7a3dc9 100644
--- a/dynamodb-cross-account-replication-cdk/bin/app.ts
+++ b/dynamodb-cross-account-replication-cdk/bin/app.ts
@@ -4,9 +4,14 @@ import * as cdk from 'aws-cdk-lib';
 import { DynamodbCrossAccountReplicationStack } from '../lib/dynamodb-cross-account-replication-stack';
 
 const app = new cdk.App();
+
+const account = process.env.CDK_DEFAULT_ACCOUNT;
+const region = process.env.CDK_DEFAULT_REGION || 'us-east-1';
+
+if (!account) {
+  throw new Error('CDK_DEFAULT_ACCOUNT is required. Run: export CDK_DEFAULT_ACCOUNT=$(aws sts get-caller-identity --query Account --output text)');
+}
+
 new DynamodbCrossAccountReplicationStack(app, 'DynamodbCrossAccountReplicationStack', {
-  env: {
-    account: process.env.CDK_DEFAULT_ACCOUNT || '123456789012',
-    region: process.env.CDK_DEFAULT_REGION || 'us-east-1',
-  },
+  env: { account, region },
 });
diff --git a/dynamodb-cross-account-replication-cdk/lib/dynamodb-cross-account-replication-stack.ts b/dynamodb-cross-account-replication-cdk/lib/dynamodb-cross-account-replication-stack.ts
index 59c86b058..1466df750 100644
--- a/dynamodb-cross-account-replication-cdk/lib/dynamodb-cross-account-replication-stack.ts
+++ b/dynamodb-cross-account-replication-cdk/lib/dynamodb-cross-account-replication-stack.ts
@@ -20,6 +20,7 @@ export class DynamodbCrossAccountReplicationStack extends cdk.Stack {
       sortKey: { name: 'SK', type: dynamodb.AttributeType.STRING },
       billing: dynamodb.Billing.onDemand(),
       pointInTimeRecoverySpecification: { pointInTimeRecoveryEnabled: true },
+      // DESTROY for easy cleanup in sample patterns. Use RETAIN in production.
       removalPolicy: cdk.RemovalPolicy.DESTROY,
       replicas: [{ region: replicaRegion }],
     });