Configure DynamoDB stream trigger with insert only
Master System Design with Codemia
Enhance your system design skills with over 120 practice problems, detailed solutions, and hands-on exercises.
Introduction
A DynamoDB stream itself records multiple event types such as INSERT, MODIFY, and REMOVE; there is no table setting that makes the stream emit only inserts. If you want a Lambda trigger to react to inserts only, the right approach is to attach the stream normally and then filter for eventName == INSERT, either in Lambda event source filtering or inside the handler code.
What DynamoDB Streams Actually Emit
Once streams are enabled on a table, each record in the stream includes an event name that tells you what happened:
- '
INSERT' - '
MODIFY' - '
REMOVE'
A simplified event record looks like this:
So the stream itself is general-purpose. Insert-only behavior is implemented on the consumer side.
Enable the Right Stream View
If your Lambda needs to inspect the inserted item, choose a stream view that includes the new item image.
Commonly that means NEW_IMAGE or NEW_AND_OLD_IMAGES.
From the AWS CLI:
Without NEW_IMAGE, you may still know an insert occurred, but you will not have the full inserted item available in the event payload.
The Oldest and Most Portable Method: Filter in Code
The simplest approach is to let Lambda receive stream records and ignore anything that is not an insert.
This works everywhere and is easy to understand.
The downside is that Lambda still gets invoked for updates and deletes, even though your code skips them.
A Better Current Option: Event Source Filtering
AWS Lambda now supports event source filtering for some event sources, including DynamoDB Streams. That means the event source mapping can reject non-insert records before they reach your handler.
Using the CLI, an event source mapping can include a filter pattern such as:
With this approach, only INSERT records are delivered to the Lambda function.
That is cleaner and can reduce unnecessary invocations.
Lambda Handler Still Benefits from Defensive Checks
Even with event source filtering configured, it is still reasonable to keep the handler defensive.
This protects you if the mapping changes later or if the code is reused in another environment.
IAM and Trigger Wiring
Your Lambda execution role does not need broad DynamoDB table write permissions just to consume the stream. The event source mapping handles reading from the stream service side, while the function role mostly needs whatever downstream permissions your business logic requires.
The practical setup steps are:
- enable DynamoDB Streams on the table
- choose a stream view that includes the fields you need
- create the Lambda function
- add an event source mapping
- optionally apply event filtering for
INSERT
That is the actual insert-only pipeline.
Common Pitfalls
A common mistake is searching for a DynamoDB table option that makes the stream itself insert-only. That setting does not exist.
Another issue is enabling KEYS_ONLY and then expecting NewImage to appear in the Lambda event. Choose the stream view based on what your handler needs.
Developers also sometimes rely entirely on handler-side filtering and then wonder why the function is still invoked for updates and deletes. Event source filtering exists precisely to avoid that overhead.
Finally, if you add event filtering, test the exact filter JSON carefully. A malformed pattern can silently lead to unexpected behavior.
Summary
- DynamoDB Streams always capture multiple event types when enabled.
- Insert-only behavior is implemented at the consumer level, not the table level.
- Use
NEW_IMAGEif the Lambda needs the inserted item contents. - For cleaner behavior, use Lambda event source filtering on
eventName == INSERT. - Keep handler code defensive even when filtering is configured upstream.

