AWS IoT Policy overly permissive
I am trying to write an AWS IoT policy for a Cognito Identity so that it can communicate with an AWS IoT Thing. However, according to the AWS IoT audit check, the policy is overly permissive: "Policy allows broad access to IoT data plane actions: [iot:Subscribe, iot:Connect, iot:Publish]." How can I fix this?
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iot:Connect",
            "Resource": "arn:aws:iot:us-east-1:<aws account id>:client/${iot:ClientId}"
        },
        {
            "Effect": "Allow",
            "Action": "iot:Publish",
            "Resource": "arn:aws:iot:us-east-1:<aws account id>:topic/$aws/things/*/shadow/get"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iot:Subscribe"
            ],
            "Resource": [
                "arn:aws:iot:us-east-1:<aws account id>:topicfilter/$aws/events/presence/connected/*",
                "arn:aws:iot:us-east-1:<aws account id>:topicfilter/$aws/events/presence/disconnected/*",
                "arn:aws:iot:us-east-1:<aws account id>:topicfilter/$aws/things/*/shadow/update/accepted",
                "arn:aws:iot:us-east-1:<aws account id>:topicfilter/$aws/things/*/shadow/get/accepted"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iot:Receive"
            ],
            "Resource": "arn:aws:iot:us-east-1:<aws account id>:topic/$aws/things/*"
        }
    ]
}
This means you are trying an overly exposed policy. Since you did not mention the exact use case, I assume this policy is a least-privilege policy, i.e. the use case does not allow your policy to be stricter. If that is not the case, please restrict your policy, for example:
arn:aws:iot:region:account-id:client/* to arn:aws:iot:region:account-id:client/${iot:ClientId}
where iot:ClientId is a policy variable referring to the clientId of the MQTT connection. Also refer to
https://docs.aws.amazon.com/iot/latest/developerguide/audit-chk-iot-policy-permissive.html
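The following checker, an added example that is not part of the question or the answer above, walks an IoT policy document and reports Allow statements that grant a data-plane action on a wildcard client, topic or thing name. The "broad resource" heuristic is my own approximation, not the audit check's exact rule; the account id in the sample is a placeholder and the sample policy is constructed to mirror the question's statements.

```python
import re

# Data-plane actions named in the audit finding quoted in the question.
DATA_PLANE_ACTIONS = {"iot:Connect", "iot:Publish", "iot:Subscribe", "iot:Receive"}

# Heuristic (my assumption, not the audit's exact rule): broad = bare "*", a "*" path
# (client/*, topic/*, topicfilter/*), or a wildcard thing name in $aws/things/<name>/...
_ARN_RE = re.compile(r"^arn:aws:iot:[^:]*:[^:]*:(client|topic|topicfilter)/(.*)$")
_THING_RE = re.compile(r"^\$aws/things/([^/]+)(/.*)?$")


def is_broad_resource(resource: str) -> bool:
    if resource == "*":
        return True
    m = _ARN_RE.match(resource)
    if not m:
        return False
    path = m.group(2)
    t = _THING_RE.match(path)
    return path == "*" or bool(t and "*" in t.group(1))


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def find_permissive_statements(policy: dict) -> list:
    """Return (action, resource) pairs that allow a data-plane action on a broad resource."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action", [])):
            if action != "iot:*" and action not in DATA_PLANE_ACTIONS:
                continue
            for res in _as_list(st.get("Resource", [])):
                if is_broad_resource(res):
                    findings.append((action, res))
    return findings


# Constructed sample modelled on the question's policy (account id is a placeholder).
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iot:Connect",
     "Resource": "arn:aws:iot:us-east-1:123456789012:client/${iot:ClientId}"},
    {"Effect": "Allow", "Action": "iot:Publish",
     "Resource": "arn:aws:iot:us-east-1:123456789012:topic/$aws/things/*/shadow/get"},
    {"Effect": "Allow", "Action": ["iot:Subscribe"],
     "Resource": ["arn:aws:iot:us-east-1:123456789012:topicfilter/*"]},
]}
```

Run `find_permissive_statements(SAMPLE_POLICY)`: the Connect statement scoped to `${iot:ClientId}` passes, while the Publish and Subscribe statements are reported because their thing name and topic filter are wildcards.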