Pradeep Singh | 10th Mar 2017
AWS IoT Policies give your IoT devices permission to access AWS IoT resources. These resources include MQTT topics, device shadows, and other IoT Things.
With policies you get granular control over who may connect, publish, subscribe and read or write shadows, which is the main tool for hardening an IoT solution. Let’s explore how to create and use AWS IoT Policies.
1. Prerequisites:
Before you begin with this article, make sure you have an AWS account. If you don’t have one, you can create it from the AWS Sign in page.
AWS IoT relies heavily on the MQTT protocol. You must understand the basics of MQTT (CONNECT with a client ID, PUBLISH to a topic, SUBSCRIBE with a topic filter) to leverage the AWS IoT platform effectively.
Apart from this, make sure you are familiar with AWS IoT specific terms like Thing, Shadow, Certificate, Policy, Rule etc. If you are new to AWS IoT, please go through the AWS IoT Documentation.
2. Policy Actions and respective Resources:
AWS IoT supports the following policy actions, each checked against its own resource type:
Policy Action / Operation | Resource | Policy Details
--- | --- | ---
iot:Publish | topic ARN | Checked every time a PUBLISH request is sent to the broker. Used to allow clients to publish to specific topic patterns.
iot:Subscribe | topic filter ARN | Checked every time a SUBSCRIBE request is sent to the broker. Used to allow clients to subscribe with topic filters that match specific patterns.
iot:Receive | topic ARN | Checked every time a message is delivered to a client. Because the Receive permission is checked on every delivery, removing it from the policy cuts off clients that are already subscribed to a topic.
iot:Connect | client ID ARN | Checked every time a CONNECT request is sent to the broker. The message broker does not allow two clients with the same client ID to stay connected at the same time; when a second client connects with an ID that is in use, the broker disconnects one of them. The Connect permission ensures only authorized clients can connect using a specific client ID.
iot:UpdateThingShadow | thing ARN | Checked every time a request is made to update the state of a thing shadow document.
iot:GetThingShadow | thing ARN | Checked every time a request is made to get the state of a thing shadow document.
iot:DeleteThingShadow | thing ARN | Checked every time a request is made to delete the thing shadow document.
3. Parts of an AWS IoT Policy:
- Version: Always “2012-10-17“ (the current policy language version)
- Effect: “Allow” or “Deny“. Anything not explicitly allowed is denied by default, and an explicit Deny overrides any Allow for the same action and resource.
- Action: “iot:<action>”, for example “iot:Publish” or “iot:Connect” (refer to the previous section for the full action list)
- Resource: the ARN of the resource the action applies to, one of the following. <region> is the region of your AWS IoT endpoint and <accountId> is your 12-digit AWS account ID.
Client ARN – arn:aws:iot:<region>:<accountId>:client/<clientId>
Topic ARN – arn:aws:iot:<region>:<accountId>:topic/<topicName>
Topic filter ARN – arn:aws:iot:<region>:<accountId>:topicfilter/<topicFilter>
Thing ARN – arn:aws:iot:<region>:<accountId>:thing/<thingName>
4. Using Wildcard (*) with AWS IoT Policies:
You can use * as an “anything” or “everything” character while creating policies. For the policy Action you can use “iot:*” and for the policy Resource you can use “*“, or a partial pattern such as “arn:aws:iot:<region>:<accountId>:topic/sensors/*”.
Note that the MQTT wildcards + and # are not policy wildcards: in a topic filter ARN they are treated as literal characters, so “topicfilter/sensors/#” only allows a client to subscribe with exactly the filter “sensors/#”. Use * when you want the policy itself to match many resources.
4.1 Policy Ex: Any IoT Action from Any MQTT Client:
The following policy allows any AWS IoT client (any MQTT client ID) to perform any AWS IoT action: connect, publish to and subscribe to any topic, and read, update or delete any thing shadow in the AWS account. It is useful only for experimentation and should never be attached to a production device certificate –
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:*",
      "Resource": "*"
    }
  ]
}
4.2 Policy Ex: Publish from Any MQTT Client to Any Topic:
The following policy allows all AWS IoT clients (any MQTT client ID) to connect and publish to any topic in the AWS account, but not to subscribe, receive or touch shadows. Connect is included because a client that cannot connect cannot publish at all –
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish",
        "iot:Connect"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
5. More Examples:
The examples below use the region eu-central-1 and the account ID 126003692126; substitute your own region and account ID.
5.1 Allowing a specific MQTT Client to Publish to a specific MQTT Topic:
The following policy allows only the MQTT client ID “client1” to connect, and lets it publish data only to the topic “helloTopic”.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:eu-central-1:126003692126:client/client1"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": "arn:aws:iot:eu-central-1:126003692126:topic/helloTopic"
    }
  ]
}
5.2 Allowing a specific MQTT Client to Subscribe to a specific MQTT Topic:
The following policy allows the MQTT client “client2” to subscribe to the topic “helloTopic” and receive messages published to this topic.
With most MQTT brokers, all you need to do to receive messages from a topic is subscribe to it. AWS IoT is different: iot:Subscribe is checked only when the SUBSCRIBE request arrives, and iot:Receive is checked separately every time a message is delivered. A client with only the Subscribe permission will get a successful SUBSCRIBE but never receive a message, so the policy needs both statements. Note also that Subscribe uses a topicfilter ARN while Receive uses a topic ARN.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:eu-central-1:126003692126:client/client2"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:eu-central-1:126003692126:topicfilter/helloTopic"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Receive",
      "Resource": "arn:aws:iot:eu-central-1:126003692126:topic/helloTopic"
    }
  ]
}
5.3 Allowing a specific MQTT Client to Publish and Subscribe to specific Topics:
The following policy allows the MQTT client “client1” to publish messages to the topic “topic1” and to subscribe to and receive messages from the topic “topic2”.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:eu-central-1:126003692126:client/client1"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": "arn:aws:iot:eu-central-1:126003692126:topic/topic1"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:eu-central-1:126003692126:topicfilter/topic2"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Receive",
      "Resource": "arn:aws:iot:eu-central-1:126003692126:topic/topic2"
    }
  ]
}
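To make the rules from sections 4 and 5.2 concrete, here is an added example (not code from the article, and not the AWS service itself) that simulates how the broker evaluates a policy at each step of an MQTT session: the CONNECT check, the SUBSCRIBE check and the per-message Receive check. It is a deliberate simplification of the AWS IoT evaluation model: default deny, an explicit Deny overrides any Allow, * is the only policy wildcard (MQTT + and # are literal), and only the ${iot:ClientId} policy variable is substituted. The region and account ID are the ones used in the article's examples; the "sensor-7" client, the "devices/<clientId>/..." topic layout and the admin/* deny rule are hypothetical.

```python
"""Offline simulation of AWS IoT policy evaluation (added example, not from the article).

Simplifications (assumptions, not the full AWS model): default deny, explicit Deny
overrides Allow, "*" is the only wildcard in Action and Resource, MQTT "+" and "#"
are literal characters, and ${iot:ClientId} is the only policy variable handled.
"""
import json
import re

REGION = "eu-central-1"
ACCOUNT = "126003692126"   # account ID used in the article's examples


def arn(kind: str, name: str) -> str:
    """Build an AWS IoT resource ARN; kind is client, topic, topicfilter or thing."""
    return f"arn:aws:iot:{REGION}:{ACCOUNT}:{kind}/{name}"


def _pattern_to_regex(pattern: str) -> "re.Pattern":
    # Escape every character, then turn the policy wildcard "*" into ".*".
    # MQTT "+" and "#" stay escaped, so they only match themselves.
    return re.compile("^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$")


def matches(pattern: str, value: str, variables: dict) -> bool:
    """True if a policy Action/Resource pattern matches a value after variable substitution."""
    for name, replacement in variables.items():
        pattern = pattern.replace("${" + name + "}", replacement)
    return _pattern_to_regex(pattern).match(value) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def is_allowed(policy: dict, action: str, resource: str, client_id: str) -> bool:
    """Evaluate one (action, resource) request for a connected client against a policy document."""
    variables = {"iot:ClientId": client_id}
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(matches(a, action, variables) for a in _as_list(stmt["Action"]))
        resource_hit = any(matches(r, resource, variables) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False          # explicit deny wins over any allow
            allowed = True
    return allowed                    # nothing matched: default deny


# Section 5.2 policy from the article: client2 may connect, subscribe to and receive from helloTopic.
SUBSCRIBE_AND_RECEIVE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect", "Resource": arn("client", "client2")},
        {"Effect": "Allow", "Action": "iot:Subscribe", "Resource": arn("topicfilter", "helloTopic")},
        {"Effect": "Allow", "Action": "iot:Receive", "Resource": arn("topic", "helloTopic")},
    ],
}

# Same policy without iot:Receive: the SUBSCRIBE succeeds but no message is ever delivered.
SUBSCRIBE_ONLY = {"Version": "2012-10-17", "Statement": SUBSCRIBE_AND_RECEIVE["Statement"][:2]}

# Hypothetical per-device policy using a policy variable: each client may only connect with its
# own ID, may only publish under a topic prefix named after that ID, and may never touch admin/*.
PER_DEVICE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect", "Resource": arn("client", "${iot:ClientId}")},
        {"Effect": "Allow", "Action": "iot:Publish", "Resource": arn("topic", "devices/${iot:ClientId}/*")},
        {"Effect": "Deny", "Action": "iot:Publish", "Resource": arn("topic", "admin/*")},
    ],
}


def mqtt_session(policy: dict, client_id: str, subscribe_filter: str, deliver_topic: str) -> dict:
    """Walk through the broker checks for one client: CONNECT, SUBSCRIBE, then message delivery."""
    return {
        "connect": is_allowed(policy, "iot:Connect", arn("client", client_id), client_id),
        "subscribe": is_allowed(policy, "iot:Subscribe", arn("topicfilter", subscribe_filter), client_id),
        "receive": is_allowed(policy, "iot:Receive", arn("topic", deliver_topic), client_id),
    }


if __name__ == "__main__":
    print(json.dumps(mqtt_session(SUBSCRIBE_AND_RECEIVE, "client2", "helloTopic", "helloTopic")))
    print(json.dumps(mqtt_session(SUBSCRIBE_ONLY, "client2", "helloTopic", "helloTopic")))
    print(is_allowed(PER_DEVICE, "iot:Publish", arn("topic", "devices/sensor-7/temperature"), "sensor-7"))
    print(is_allowed(PER_DEVICE, "iot:Publish", arn("topic", "devices/sensor-9/temperature"), "sensor-7"))
```

Running the script shows the Subscribe-only session returning receive=false while the subscribe step still succeeds, which is exactly the silent failure a device developer sees on AWS IoT when the Receive statement is missing. The PER_DEVICE policy illustrates the production pattern the conclusion refers to: one policy, attached to every certificate, that scopes each device to its own client ID and topic prefix through ${iot:ClientId} instead of a hand-written policy per device.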
Conclusion
With these policies you can experiment with the AWS IoT platform. For production grade solutions, attach a least-privilege policy per device rather than the wildcard policies from section 4, and explore policies based on policy variables such as ${iot:ClientId} or ${iot:Connection.Thing.ThingName}, which let one policy restrict every device to its own client ID and topics. For more details on IoT policies, refer to the AWS IoT Policy Documentation.