
AWS IoT Universal Policy vs Policies by Cognito User

I was wondering if anyone has an idea of the best practices on AWS IoT regarding the handling of policies. For example, we could have two different cases:

Case 1: Call a lambda (identity-id as param) which creates a policy on the fly and then attaches the policy to the identity id. The policy will contain the thing names hardcoded, for example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:us-west-2:XXXX:client/hardcodedClient1"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish",
        "iot:Subscribe",
        "iot:Receive"
      ],
      "Resource": [
        "arn:aws:iot:us-west-2:XXXX:topic/$aws/things/THINGNAME1/*",
        "arn:aws:iot:us-west-2:XXXX:topicfilter/$aws/things/THINGNAME1/*"
      ]
    }
  ]
}

Case 2: by using policy variables like ${iot:ClientId}, ${iot:ThingName}, we can attach one single policy to all the cognito-identity-users;

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:us-west-2:XXXX:client/${iot:ClientId}"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish",
        "iot:Subscribe",
        "iot:Receive"
      ],
      "Resource": [
        "arn:aws:iot:us-west-2:XXXX:topic/$aws/things/${iot:Connection.Thing.ThingName}/*",
        "arn:aws:iot:us-west-2:XXXX:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/*"
      ]
    }
  ]
}

So, the question is: which of them is the best practice, but also, are both of them secure regarding the Cognito user only being able to interact with his own devices?

Case 2 using the policy variables is the recommended way to go.

It reduces the number of policies to deal with and keeps them meaningful and re-usable. On the bright side, it will save some extra bucks and time by not using lambda and creating a policy each time!

As far as security is concerned, it has nothing to do with the policy variables in a policy; it is ultimately what action the policy allows or denies. Policy variables get resolved on the fly depending upon who is trying to do the operation, and thereafter it is the same as your hardcoded policy.

Case 2 is better. You can also implement an authentication mechanism using a Cognito Federated Pool with a proper IAM policy and use the ${cognito-identity.amazonaws.com:sub} variable in your IoT policy with proper permissions (just remember to attach this policy to your Cognito identityId).

If your clients connect from a browser, it is better not to use iot:ClientId, as clientId must be unique, so the user would not be able to open multiple browser tabs.
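To make the point from the answers concrete (policy variables are substituted per connection, after which the Case 2 policy behaves exactly like a hardcoded one), here is an added, self-contained simulation of that evaluation; it is not code from the question or the answers and not AWS's real evaluator. It assumes a constructed thing registry, a placeholder account id, and the documented rule that iot:Connection.Thing.ThingName only resolves when the client id names a registered thing.

```python
import fnmatch
import re

# Copy of the question's Case 2 policy with a placeholder account id.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect",
         "Resource": "arn:aws:iot:us-west-2:123456789012:client/${iot:ClientId}"},
        {"Effect": "Allow",
         "Action": ["iot:Publish", "iot:Subscribe", "iot:Receive"],
         "Resource": [
             "arn:aws:iot:us-west-2:123456789012:topic/$aws/things/${iot:Connection.Thing.ThingName}/*",
             "arn:aws:iot:us-west-2:123456789012:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/*",
         ]},
    ],
}

# Constructed registry: the only thing names that exist in this simulated account.
REGISTRY = {"thing-alice", "thing-bob"}


def connection_context(client_id):
    """Per-connection variables the broker would resolve on the fly (simplified:
    the thing-name variable is only set when the client id is a registered thing)."""
    ctx = {"iot:ClientId": client_id}
    if client_id in REGISTRY:
        ctx["iot:Connection.Thing.ThingName"] = client_id
    return ctx


def resolve(template, context):
    """Substitute ${var}; an unresolvable variable stays literal so it never matches."""
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: context.get(m.group(1), m.group(0)), template)


def is_allowed(policy, action, resource_arn, context):
    """Explicit Deny wins; otherwise any matching Allow statement grants access."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, resolve(r, context)) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def can_access(client_id, action, resource_arn):
    """Evaluate POLICY for a connection made with the given MQTT client id."""
    return is_allowed(POLICY, action, resource_arn, connection_context(client_id))
```

Run the helper with different client ids to see that a connection only ever matches its own client ARN and its own thing's shadow topics, and that a client id that is not a registered thing can connect but reaches no thing topics at all.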
