Policy Verification for notify.py

Required Policies (from notify.py code analysis)

Requirement	Used In	Policy Type	Status
CreditCardNotifyTable - Write	save() method (line 106)	DynamoDBWritePolicy	✅ PRESENT (line 311-312)
CardPaymentRecordTable - Read (Query on chargeId-index GSI)	card_payment_record property (line 168)	DynamoDBCrudPolicy	✅ PRESENT (line 319-320)
CardPaymentRecordTableMaster - Read (Query on chargeId-index GSI)	card_payment_record fallback (line 175)	DynamoDBCrudPolicy	✅ PRESENT (line 321-322)
PaymentErrorLogTable - Write	log_error() function (line 209)	DynamoDBWritePolicy	✅ PRESENT (line 323-324)
DelayedNotify - Invoke Lambda	callDelayedNotify() (line 42)	LambdaInvokePolicy	✅ PRESENT (line 329-330)
ProcessPaidOrder - Invoke Lambda	process_paid_order() (line 139)	LambdaInvokePolicy	✅ PRESENT (line 325-326)

Template.yaml Configuration (Lines 310-330)

Policies:
  - DynamoDBWritePolicy:
      TableName: !Ref CreditCardNotifyTable                    # ✅ Required
  - DynamoDBReadPolicy:
      TableName: order-table-dev                                # (Not used by notify.py, but OK)
  - DynamoDBWritePolicy:
      TableName: !Ref CreditCardCallbackTable                   # (Not used by notify.py, but OK)
  - DynamoDBWritePolicy:
      TableName: !Ref QRCallbackRecordTable                     # (Not used by notify.py, but OK)
  - DynamoDBCrudPolicy:
      TableName: !Ref CardPaymentRecordTable                    # ✅ Required (Query on GSI)
  - DynamoDBCrudPolicy:
      TableName: payment3-card-payment-record-master           # ✅ Required (Query on GSI)
  - DynamoDBWritePolicy:
      TableName: !Ref PaymentErrorLogTable                      # ✅ Required
  - LambdaInvokePolicy:
      FunctionName: !Ref ProcessPaidOrder                      # ✅ Required
  - LambdaInvokePolicy:
      FunctionName: !Ref ProcessPaidOrderInternal              # (Not used by notify.py, but OK)
  - LambdaInvokePolicy:
      FunctionName: !Ref DelayedNotify                          # ✅ Required

Verification Result

✅ ALL REQUIRED POLICIES ARE PRESENT

All 6 policies required by notify.py are correctly included in the template.yaml file:

• 4 DynamoDB policies (3 tables + 1 error log table)
• 2 Lambda invoke policies (DelayedNotify + ProcessPaidOrder)

The additional policies (order-table-dev, CreditCardCallbackTable, QRCallbackRecordTable, ProcessPaidOrderInternal) are not used by notify.py but are present for other callback functions, which is fine.

Notes

1. DynamoDBCrudPolicy includes both read and write permissions, which covers the Query operations needed for the chargeId-index GSI on both CardPaymentRecordTable and CardPaymentRecordTableMaster.

2. GSI Access: The DynamoDBCrudPolicy automatically grants permissions to query Global Secondary Indexes on the specified tables.

3. Function References: All !Ref statements correctly reference the resource names defined elsewhere in the template.yaml.

4. Master Table: The master table name is hardcoded as payment3-card-payment-record-master (no BRANCH variable), which matches the code in notify.py.