AWS IoT Policy overly permissive

Question

I am trying to make an AWS IoT Policy for a Cognito Identity to be able to communicate with a AWS IoT Thing. However, the policy is overly permissive according to the AWS IoT Audit check: "Policy allows broad access to IoT data plane actions: [iot:Subscribe, iot:Connect, iot:Publish]." How can I fix this?

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:us-east-1:<aws account id>:client/${iot:ClientId}"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": "arn:aws:iot:us-east-1:<aws account id>:topic/$aws/things/*/shadow/get"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Subscribe"
      ],
      "Resource": [
        "arn:aws:iot:us-east-1:<aws account id>:topicfilter/$aws/events/presence/connected/*",
        "arn:aws:iot:us-east-1:<aws account id>:topicfilter/$aws/events/presence/disconnected/*",
        "arn:aws:iot:us-east-1:<aws account id>:topicfilter/$aws/things/*/shadow/update/accepted",
        "arn:aws:iot:us-east-1:<aws account id>:topicfilter/$aws/things/*/shadow/get/accepted"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Receive"
      ],
      "Resource": "arn:aws:iot:us-east-1:<aws account id>:topic/$aws/things/*"
    }
  ]
}

Answer 1

This means that you are trying an overexposed policy, since you have not mentioned the exact usecase i suppose that this policy is the least privileged policy ie the use case does not allow your policy to be more restrictive if that is not the case please restrict your policy to something like:

arn:aws:iot:region:account-id:client/* to arn:aws:iot:region:account-id:client/${iot:ClientId}

where iot:ClientId is a policy variable and refers to the clientId of the mqtt connection Also please refer

https://docs.aws.amazon.com/iot/latest/developerguide/audit-chk-iot-policy-permissive.html