
AWS IoT - Restrict topic to user's Cognito ID

I've been trying to restrict Publish / Receive permissions on IoT topics to a user's Cognito ID.

In my application, I'm creating topics that look something like messenger/{cognitoUserId} (eg messenger/us-east-1:fa610fd5-4fab-4511-834b-8f1198744efb ).

So in my IAM Policy I'd like to specify that only users whose Cognito ID is contained in the topic have Publish / Receive permissions for that topic.

This is what my IAM Policy currently looks like:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iot:Connect",
                "mobileanalytics:PutEvents",
                "cognito-sync:*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "iot:Receive",
                "iot:Publish"
            ],
            "Resource": "arn:aws:iot:us-east-1:123456789:topic/messenger/${cognito-identity.amazonaws.com:sub}"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "iot:Subscribe",
            "Resource": "arn:aws:iot:us-east-1:123456789:topicfilter/messenger/${cognito-identity.amazonaws.com:sub}"
        },
        {
            "Effect": "Deny",
            "Action": [
                "iot:Receive",
                "iot:Publish"
            ],
            "Resource": "arn:aws:iot:us-east-1:123456789:topic/messenger/*",
            "Condition": {"StringNotLike": {"iot:topicfilter": [
                "messenger/${cognito-identity.amazonaws.com:sub}"
              ]}}
        }
    ]
}

Any help would be greatly appreciated. I've already spent 2 full days of digging into AWS docs, blog posts, and what not. This seems to me like such a normal, regular use case for AWS IoT topics, and yet so hard to get right.

There are 2 cases when using cognito with AWSIoT:

  1. Cognito Authenticated Pool: In this case, you can define a policy at pool level which is less restrictive. Now, you need to attach a policy to every Cognito user (IoT's AttachPolicy call) to give specific permissions to the Cognito user.

Note: If you don't specify any IoT policy, everything is considered deny which seems to be the case if you are using authenticated pool cognito identities.

  2. Cognito Unauthenticated Pool: In this case, IoT does not do any scope-down (IoT's AttachPolicy call is not required) and the policy at the pool level will determine what the user can do with IoT resources.

Details of this are present at:
https://docs.aws.amazon.com/iot/latest/developerguide/pub-sub-policy.html#pub-sub-policy-cognito
http://docs.aws.amazon.com/iot/latest/developerguide/authorization.html

Another similar thread you might be interested in: https://stackoverflow.com/a/47838529/962545
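An added example (not code from the question or the answer): it builds the per-identity IoT policy the answer's authenticated-pool case calls for, attaches it to a Cognito identity with boto3's attach_policy, and checks locally, after resolving `${cognito-identity.amazonaws.com:sub}`, which topic and topicfilter ARNs a given identity can reach. The account id, policy name and the simplified local evaluator (no Condition support) are assumptions.

```python
"""Per-identity AWS IoT policy for authenticated Cognito identities (added example)."""
import fnmatch
import json

REGION, ACCOUNT = "us-east-1", "123456789012"  # constructed placeholder account
SUB = "${cognito-identity.amazonaws.com:sub}"  # resolved by AWS IoT at request time


def build_iot_policy(region=REGION, account=ACCOUNT):
    """Allow an identity to connect as itself and use only messenger/<its own id>."""
    base = f"arn:aws:iot:{region}:{account}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "iot:Connect",
             "Resource": f"{base}:client/{SUB}"},
            # Publish/Receive are authorised against topic/... ARNs ...
            {"Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"],
             "Resource": f"{base}:topic/messenger/{SUB}"},
            # ... while Subscribe is authorised against topicfilter/... ARNs.
            {"Effect": "Allow", "Action": "iot:Subscribe",
             "Resource": f"{base}:topicfilter/messenger/{SUB}"},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policy, identity_id, action, resource_arn):
    """Local approximation of IoT policy evaluation: substitute the Cognito
    variable, match action/resource wildcards, explicit Deny wins.
    Assumption: Condition blocks are not evaluated here."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = _as_list(stmt["Action"])
        resources = [r.replace(SUB, identity_id) for r in _as_list(stmt["Resource"])]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def create_and_attach(identity_id, policy_name="MessengerPerIdentity", region=REGION):
    """Authenticated pool: the pool role alone is not enough; the identity itself
    must have an IoT policy attached (the answer's AttachPolicy step)."""
    import boto3  # real call, needs credentials; not exercised by the local checks
    iot = boto3.client("iot", region_name=region)
    iot.create_policy(policyName=policy_name,
                      policyDocument=json.dumps(build_iot_policy(region)))
    iot.attach_policy(policyName=policy_name, target=identity_id)
```

Only `create_and_attach` talks to AWS; `evaluate` lets you sanity-check the topic versus topicfilter split before deploying.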
