
AWS IoT Universal Policy vs Policies by Cognito User

I was wondering if anyone has an idea of the best practices on AWS IoT regarding the handling of policies. For example, we could have two different cases:

Case 1: Call a lambda (identity-id as param) which creates a policy on the fly and then attaches the policy to the identity id. The policy will contain the thing names hardcoded, for example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:us-west-2:XXXX:client/hardcodedClient1"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish",
        "iot:Subscribe",
        "iot:Receive"
      ],
      "Resource": [
        "arn:aws:iot:us-west-2:XXXX:topic/$aws/things/THINGNAME1/*",
        "arn:aws:iot:us-west-2:XXXX:topicfilter/$aws/things/THINGNAME1/*"
      ]
    }
  ]
}

Case 2: by using policy variables like ${iot:ClientId}, ${iot:ThingName}, we can attach one single policy to all the cognito-identity-users:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:us-west-2:XXXX:client/${iot:ClientId}"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish",
        "iot:Subscribe",
        "iot:Receive"
      ],
      "Resource": [
        "arn:aws:iot:us-west-2:XXXX:topic/$aws/things/${iot:Connection.Thing.ThingName}/*",
        "arn:aws:iot:us-west-2:XXXX:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/*"
      ]
    }
  ]
}

So, the question is: which of them is the best practice, and also, are both of them secure in that the Cognito user is only able to interact with his own devices?

Case 2 using the policy variables is the recommended way to go.

It reduces the number of policies to deal with and keeps them meaningful and re-usable. On the bright side, it will save some extra bucks and time by not using a lambda and creating a policy each time!

As far as security is concerned, it has nothing to do with the policy variables in a policy; it's ultimately what action the policy allows or denies, as policy variables get resolved on the fly depending upon who is trying to do the operation, and thereafter it is the same as your hardcoded policy.

Case 2 is better. You can also implement an authentication mechanism using a Cognito Federated Pool with a proper IAM policy and use the ${cognito-identity.amazonaws.com:sub} variable in your IoT policy with proper permissions (just remember to attach this policy to your Cognito identityId).

If your clients connect from a browser, it is better not to use iot:ClientId, as clientId must be unique, so the user would not be able to open multiple browser tabs.
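As an added illustration (not code from either answer), the following Python script simulates how the single Case 2 policy resolves differently for each connecting identity, including the ${cognito-identity.amazonaws.com:sub} variable from the second answer. The connection contexts, the per-user `users/...` topic and the simplified evaluator (default deny, explicit Deny wins, `*` as the only wildcard) are constructed assumptions for the demonstration, not AWS's actual evaluation engine.

```python
import fnmatch
import re

# Constructed policy in the shape of "Case 2" above, plus a per-user topic keyed on
# the ${cognito-identity.amazonaws.com:sub} variable mentioned in the second answer.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect",
         "Resource": "arn:aws:iot:us-west-2:XXXX:client/${iot:ClientId}"},
        {"Effect": "Allow", "Action": ["iot:Publish", "iot:Subscribe", "iot:Receive"],
         "Resource": [
             "arn:aws:iot:us-west-2:XXXX:topic/$aws/things/${iot:Connection.Thing.ThingName}/*",
             "arn:aws:iot:us-west-2:XXXX:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/*",
             "arn:aws:iot:us-west-2:XXXX:topic/users/${cognito-identity.amazonaws.com:sub}/*"]},
    ],
}

# Constructed connection contexts: each value stands for what AWS IoT would substitute
# for the matching ${...} variable when that identity connects, publishes or subscribes.
ALICE = {"iot:ClientId": "thing-a1", "iot:Connection.Thing.ThingName": "thing-a1",
         "cognito-identity.amazonaws.com:sub": "us-west-2:1111-aaaa"}
BOB = {"iot:ClientId": "thing-b2", "iot:Connection.Thing.ThingName": "thing-b2",
       "cognito-identity.amazonaws.com:sub": "us-west-2:2222-bbbb"}
BROWSER = {"iot:ClientId": "browser-7"}  # client ID that is not a registered thing

VAR = re.compile(r"\$\{([^}]+)\}")

def resolve(template, ctx):
    """Substitute policy variables from the context. A variable with no value in the
    context is left as literal text, so it can never match a real ARN (fails closed)."""
    return VAR.sub(lambda m: ctx.get(m.group(1), m.group(0)), template)

def is_allowed(policy, ctx, action, resource):
    """Simplified evaluation: default deny, explicit Deny wins, '*' is the only wildcard."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, resolve(r, ctx)) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

if __name__ == "__main__":
    arn = "arn:aws:iot:us-west-2:XXXX:topicfilter/$aws/things/thing-a1/shadow/update"
    print(is_allowed(POLICY, ALICE, "iot:Subscribe", arn))  # True: Alice's own thing
    print(is_allowed(POLICY, BOB, "iot:Subscribe", arn))    # False: someone else's thing
```

The BROWSER context models a client whose client ID is not a thing name, so the thing-scoped statement never resolves and grants nothing, while its own iot:Connect is still permitted.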
