feat(dynamodb): resource policies for streams

[LeeroyHannigan]

Issue # (if applicable)

Closes NA

Reason for this change

The CloudFormation AWS::DynamoDB::GlobalTable L1 resource supports ReplicaStreamSpecification.ResourcePolicy on each replica, allowing users to attach resource-based policies to DynamoDB Streams. However, the TableV2 L2 construct does not expose this property, making it impossible to set a stream resource policy without escape hatches — which get
overwritten during synthesis.

Description of changes

Added streamResourcePolicy support to the DynamoDB TableV2 L2 construct:

• Added streamResourcePolicy property to TableOptionsV2 interface, which flows to both ReplicaTableProps and TableV2MultiAccountReplicaProps
• Added streamResourcePolicy field to TableV2 and TableV2MultiAccountReplica, initialized from props
• Added addToStreamResourcePolicy() method to both TableV2 and TableV2MultiAccountReplica for imperative policy construction
• Wired replicaStreamSpecification rendering in configureReplicaTable() via a new renderReplicaStreamSpecification() helper — primary region uses this.streamResourcePolicy,
  replica regions use props.streamResourcePolicy
• Wired replicaStreamSpecification rendering in TableV2MultiAccountReplica using Lazy.any to support imperative additions
• Updated README with documentation and examples

Describe any new or updated permissions being added

No new IAM permissions are introduced. This change allows users to configure resource-based policies on DynamoDB Streams, which is an existing DynamoDB capability that was not previously exposed in the L2 construct.

Description of how you validated changes

• Unit tests: 4 new tests in table-v2.test.ts covering stream resource policy via props on primary table, via props on replica, via addToStreamResourcePolicy(), and absent by default
• Integration test: integ.dynamodb-v2.stream-resource-policy.ts covering declarative (props) and imperative (addToStreamResourcePolicy) usage with replicas

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[github-actions]

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
This security report is NOT a review blocker. Please try merge from main to avoid findings unrelated to the PR.
To suppress a specific rule, see Suppressing Rules.

---

	Tests	Passed ✅	Skipped	Failed
Security Guardian Results	48 ran	48 passed

Test	Result
No test annotations available

• View Security Guardian Results

[github-actions]

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
This security report is NOT a review blocker. Please try merge from main to avoid findings unrelated to the PR.
To suppress a specific rule, see Suppressing Rules.

---

	Tests	Passed ✅	Skipped	Failed
Security Guardian Results with resolved templates	48 ran	48 passed

Test	Result
No test annotations available

• View Security Guardian Results with resolved templates

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[mergify]

Merge Queue Status

• ✅ Entered queue — 2026-04-24 08:41 UTC · Rule: default-squash
• 🚫 Left the queue — 2026-04-24 08:42 UTC · at 533586fb6ae88e53e4e1b35e3bff5b04b23ce392

This pull request spent 7 seconds in the queue, with no time running CI.

Reason

The pull request can't be updated

For security reasons, Mergify can't update this pull request. Try updating locally.
GitHub response: refusing to allow a GitHub App to create or update workflow .github/workflows/agent-docs-sync-reminder.yml without workflows permission

Hint

You should update or rebase your pull request manually. If you do, this pull request will automatically be requeued once the queue conditions match again.
If you think this was a flaky issue, you can requeue the pull request, without updating it, by posting a @mergifyio queue comment.

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

Pull request has been modified.

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[mergify]

Merge Queue Status

• ✅ Entered queue — 2026-05-05 09:31 UTC · Rule: default-squash
• 🚫 Left the queue — 2026-05-05 09:31 UTC · at 71c5b305e8a3507e439dcd2be2093ce5fe57ee40

This pull request spent 8 seconds in the queue, with no time running CI.

Reason

The pull request can't be updated

For security reasons, Mergify can't update this pull request. Try updating locally.
GitHub response: refusing to allow a GitHub App to create or update workflow .github/workflows/pr-linter.yml without workflows permission

Hint

You should update or rebase your pull request manually. If you do, this pull request will automatically be requeued once the queue conditions match again.
If you think this was a flaky issue, you can requeue the pull request, without updating it, by posting a @mergifyio queue comment.

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

Pull request has been modified.

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[mergify]

Merge Queue Status

• ✅ Entered queue — 2026-05-11 09:48 UTC · Rule: default-squash
• ✅ Checks skipped · PR is already up-to-date
• ✅ Merged — 2026-05-11 09:48 UTC · at d6e22712a638544dd6170f28a56fb168e70486a4 · squash

This pull request spent 24 seconds in the queue, including 5 seconds running CI.

Required conditions to merge

• #approved-reviews-by >= 1 [🛡 GitHub branch protection]
  • feat(dynamodb): resource policies for streams #37254
• #changes-requested-reviews-by = 0 [🛡 GitHub branch protection]
  • feat(dynamodb): resource policies for streams #37254
• any of [🛡 GitHub branch protection]:
  • check-success = validate-pr
  • check-neutral = validate-pr
  • check-skipped = validate-pr
• any of [🛡 GitHub branch protection]:
  • check-success = build
  • check-neutral = build
  • check-skipped = build

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.