stackoom
  简体   繁体   中英

Restrict AWS IOT Device to it's self with policy

 原文  2020-08-20 01:57:44       aws-iot

Question

Looking to limit a device to just it's resources (shadow) inside of AWS IOT, based upon the certificate it uses to authenticate.

Device1 is attached to Cert1 - I want to have a generic policy that would only let Device1 update the shadow of Device 1 and not Device2

but all being triggered off the cert the devices uses to authenticate with.

The policy below doesn't seem to work - any help?

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "iot:Connection.Thing.IsAttached": [
            "true"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish",
        "iot:Receive"
      ],
      "Resource": [
        "arn:aws:iot:us-east-1:xxxxxx:topic/${iot:Connection.Thing.ThingTypeName}/${iot:Connection.Thing.ThingName}",
        "arn:aws:iot:us-east-1:xxxxxx:topic/${iot:Connection.Thing.ThingTypeName}/${iot:Connection.Thing.ThingName}/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Subscribe"
      ],
      "Resource": [
        "arn:aws:iot:us-east-1:xxxxxx:topicfilter/${iot:Connection.Thing.ThingTypeName}/${iot:Connection.Thing.ThingName}",
        "arn:aws:iot:us-east-1:xxxxxx:topicfilter/${iot:Connection.Thing.ThingTypeName}/${iot:Connection.Thing.ThingName}/*"
      ]
    }
  ]
}

1 answers

solution1
 5  2021-02-06 14:20:36

This is what I ended up using, to limit the device to it's own resources and have the ClientID be the name of the AWS Thing as well

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "iot:Connection.Thing.IsAttached": [
            "true"
          ]
        },
        "ForAnyValue:StringEquals": {
          "iot:ClientId": [
            "${iot:Connection.Thing.ThingName}"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": "arn:aws:iot:us-east-1:xxx:topic/$aws/things/${iot:Connection.Thing.ThingName}/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:us-east-1:xxx:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Receive",
      "Resource": "arn:aws:iot:us-east-1:xxx:topic/$aws/things/${iot:Connection.Thing.ThingName}/*"
    }
  ]
}

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question AWS S3 policy restrict folder delete Disconnect AWS IoT device after it's connected AWS IoT Device Onboarding AWS IoT Policy overly permissive AWS IoT Policy for Shadows and Jobs AWS IoT Device online/offline check Create a self-signed certificate in Java for AWS IoT How to reject a "desired" change in AWS IoT Device Shadow How to figure out the country of a device connected to AWS IoT Core K8s network policy restrict egress for one endpoint only
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM