This is the second installment of a three-part technical series detailing the end-to-end observability and log tracking architecture deployed at Red Oak Strategic to go from Step Function orchestration to Amazon Quick dashboard. By breaking this comprehensive case study into modular segments, we provide a targeted look at the specific orchestration, replication, and visualization layers that comprise our "dev vertical" monitoring framework.
The architecture uses DynamoDB Zero-ETL integration to continuously replicate DynamoDB table data into Redshift Serverless. This native integration eliminates the need for custom ETL pipelines between DynamoDB and Redshift, replacing the earlier pattern of DynamoDB Streams, Lambda normalization, and S3 Parquet export.
1.1 How Zero-ETL Works -
DynamoDB Zero-ETL integration requires Point-in-Time Recovery (PITR) to be enabled on the source table. Once the integration is created, DynamoDB continuously streams changes to Redshift. Data arrives in Redshift as a SUPER data type, with each DynamoDB item stored in a column named value. The SUPER column preserves the full DynamoDB attribute map structure, including type descriptors (S for string, N for number, etc.).
To extract individual fields from the SUPER column, queries use the pattern:
1.2 Prerequisites -
1.3 Namespace Registration -
The Redshift namespace must be registered with LakeFormation to participate in Zero-ETL replication. This registration includes the namespace name, workgroup name, and consumer account identifiers.
Sample: Namespace Registration YAML -
1.4 Replicated Tables
No custom Lambda normalization code to maintain. The Zero-ETL integration handles replication natively.
Near real-time replication without managing DynamoDB Streams, batch sizes, or S3 write logic.
Eliminates the intermediate S3 layer and Athena federated query connector, reducing both complexity and cost.
Automatic handling of schema changes. New DynamoDB attributes appear in the SUPER column without pipeline modifications.
The analytics layer runs on Amazon Redshift Serverless, which removes the need to manage cluster sizing and provides automatic scaling based on query workload. However, it is important to note that Redshift Serverless involves specific infrastructure costs associated with VPC and networking components. Additionally, because it utilizes reserved capacity models to ensure performance, it generally incurs higher operational costs than Amazon Athena.
2.1 Namespace and Workgroup -
The Redshift service role assumes trust for both redshift.amazonaws.com and redshift-serverless.amazonaws.com. It carries the AmazonRedshiftAllCommandsFullAccess managed policy plus scoped inline policies for Glue catalog read access (limited to specific databases), S3 data lake read access, and KMS decrypt permissions for encrypted objects.
2.3 Log Exports -
Three log types are exported from the Redshift namespace: connection logs (tracking who connects and when), user activity logs (capturing every SQL statement executed), and user logs (recording user creation, modification, and privilege changes). These logs ship to CloudWatch Logs for retention and alerting.
Four stored procedures transform Zero-ETL replicated DynamoDB data into flat analytics tables within Redshift. Each procedure extracts fields from the SUPER data type value column and uses a watermark pattern to process only new or changed records since the last refresh.
3.1 Watermark Strategies -
Timestamp watermark: The job tracking and access log procedures track _record_create_time, a metadata column automatically added by the Zero-ETL integration, and compared against a locally stored watermark timestamp.
Transaction sequence watermark: The failed jobs and workflows procedures use padb_internal_txn_seq_col, an internal Redshift column that provides a monotonically increasing sequence number.
3.2 Stored Procedure Details/Security Model for Scheduled Procedures -
The security context is critical for stored procedures. Redshift stored procedures default to SECURITY INVOKER (running with the caller's privileges), which is why the dedicated Redshift service role (used by the scheduler, as referenced in Section 7.2) must be explicitly granted GRANT EXECUTE on the procedure.
Because the procedures in this architecture are designed to run with elevated privileges (to update tables they do not own), they are created using SECURITY DEFINER (as shown in Section 8.3).
For the Scheduled Query to run successfully, the Redshift service role must also satisfy these IAM requirements:
3.3 SUPER Column Extraction -
Each procedure uses SECURITY DEFINER context and enables case-sensitive identifiers. The core extraction pattern pulls fields from the SUPER column:
Sample: Incremental Refresh Stored Procedure (Redshift SQL) -
Each procedure applies consistent transformations:
3.5 Scheduled Refresh -
The stored procedures are invoked on a schedule through EventBridge-triggered Lambda functions. These schedulers call the Redshift Data API to execute each procedure asynchronously. Dev defaults are set between 15 and 30 minutes depending on the vertical, with a maximum event age of 3,600 seconds and up to 3 retries.
Sample: Invoke Stored Procedure via Redshift Data API (Python) -
Replication Layer Secured. This second installment has demonstrated how to move from raw data capture to a performant, automated replication layer. By leveraging DynamoDB Zero-ETL and Redshift Serverless, we have successfully replaced complex, maintainable ETL pipelines with a streamlined architecture. The use of SECURITY DEFINER stored procedures ensures that data is consistently transformed and optimized for analytics. As we move to the final installment of this series, we will complete the architecture by building the visualization layer, where these insights are surfaced through interactive dashboards.
The following links point to official AWS documentation relevant to the services and configurations described in this series.
AWS Step Functions Developer Guide https://docs.aws.amazon.com/step-functions/latest/dg/welcome.html
Step Functions: State Machine Logging https://docs.aws.amazon.com/step-functions/latest/dg/cw-logs.html
Step Functions: AWS SDK Service Integrations https://docs.aws.amazon.com/step-functions/latest/dg/supported-services-awssdk.html
Step Functions: DynamoDB Service Integration https://docs.aws.amazon.com/step-functions/latest/dg/connect-ddb.html
Step Functions Pricing https://aws.amazon.com/step-functions/pricing/
AWS Lambda Developer Guide https://docs.aws.amazon.com/lambda/latest/dg/welcome.html
Lambda: Using SQS as an Event Source https://docs.aws.amazon.com/lambda/latest/dg/with-sqs.html
Lambda Pricing https://aws.amazon.com/lambda/pricing/
Amazon EventBridge Scheduler User Guide https://docs.aws.amazon.com/scheduler/latest/UserGuide/what-is-scheduler.html
Amazon EventBridge Rules https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-rules.html
Amazon SQS FIFO Queues https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/FIFO-queues.html
Amazon SQS Dead-Letter Queues https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-dead-letter-queues.html
Amazon SQS Visibility Timeout https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-visibility-timeout.html
AWS Glue Crawler Configuration https://docs.aws.amazon.com/glue/latest/dg/define-crawler.html
AWS Glue Partition Projection https://docs.aws.amazon.com/athena/latest/ug/partition-projection.html
AWS Lake Formation Permissions https://docs.aws.amazon.com/lake-formation/latest/dg/lf-permissions-reference.html
Lake Formation: Granting Permissions on Redshift Resources https://docs.aws.amazon.com/lake-formation/latest/dg/redshift-granting.html
Amazon DynamoDB Developer Guide https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Introduction.html
Amazon DynamoDB Pricing https://aws.amazon.com/dynamodb/pricing/
DynamoDB Zero-ETL Integration with Redshift https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/RedshiftforDynamoDB.html
DynamoDB: Enabling Point-in-Time Recovery https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/PointInTimeRecovery_Howitworks.html
DynamoDB On-Demand Capacity https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.ReadWriteCapacityMode.html
DynamoDB Time to Live (TTL) https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/TTL.html
Amazon Redshift Serverless Overview https://docs.aws.amazon.com/redshift/latest/mgmt/serverless-whatis.html
Redshift Serverless: Workgroups and Namespaces https://docs.aws.amazon.com/redshift/latest/mgmt/serverless-workgroup-namespace.html
Redshift Serverless Pricing https://aws.amazon.com/redshift/pricing/
Redshift Enhanced VPC Routing https://docs.aws.amazon.com/redshift/latest/mgmt/enhanced-vpc-routing.html
Redshift: Querying SUPER Data Type https://docs.aws.amazon.com/redshift/latest/dg/query-super.html
Redshift Stored Procedures https://docs.aws.amazon.com/redshift/latest/dg/stored-procedure-create.html
Redshift SECURITY DEFINER Procedures https://docs.aws.amazon.com/redshift/latest/dg/stored-procedure-security.html
Redshift Data API https://docs.aws.amazon.com/redshift/latest/mgmt/data-api.html
Amazon Quick VPC Connections https://docs.aws.amazon.com/quicksight/latest/user/working-with-aws-vpc.html
QuickSight: Connecting to Amazon Redshift https://docs.aws.amazon.com/quicksight/latest/user/create-a-data-set-redshift.html
Quick SPICE and Data Refresh https://docs.aws.amazon.com/quicksight/latest/user/refreshing-imported-data.html
Amazon Quick Pricing https://aws.amazon.com/quicksight/pricing/
QuickSight: Publishing Dashboards https://docs.aws.amazon.com/quicksight/latest/user/creating-a-dashboard.html
QuickSight: Managing SPICE Capacity https://docs.aws.amazon.com/quicksight/latest/user/managing-spice-capacity.html
Amazon Q in Quick (Chat Agents) https://docs.aws.amazon.com/quicksight/latest/user/amazon-q-in-quicksight.html
AWS CloudTrail User Guide https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html
AWS CloudTrail Pricing https://aws.amazon.com/cloudtrail/pricing/
Amazon GuardDuty User Guide https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html
AWS Secrets Manager User Guide https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html
VPC Security Groups https://docs.aws.amazon.com/vpc/latest/userguide/vpc-security-groups.html
Amazon S3 Pricing https://aws.amazon.com/s3/pricing/
AWS IAM Identity Center (SSO) https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html
Redshift Stored Procedure Security Model https://docs.aws.amazon.com/redshift/latest/dg/stored-procedure-security-and-privileges.html
Scheduling Queries in Redshift Query Editor v2 https://docs.aws.amazon.com/redshift/latest/mgmt/query-editor-schedule-query.html