AWS IoT - Restrict topic to user's Cognito ID

0
votes

I've been trying to restrict Publish/Receive permissions to a IoT topics to a user's Cognito ID.

In my application, I'm creating topics that look something like messenger/{cognitoUserId} (e.g. messenger/us-east-1:fa610fd5-4fab-4511-834b-8f1198744efb).

So in my IAM Policy I'd like to specify that only users whose Cognito ID is contained in the topic have Publish/Receive permissions for that topic.

This is what my IAM Policy currently look like: 


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iot:Connect",
                "mobileanalytics:PutEvents",
                "cognito-sync:*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "iot:Receive",
                "iot:Publish"
            ],
            "Resource": "arn:aws:iot:us-east-1:123456789:topic/messenger/${cognito-identity.amazonaws.com:sub}"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "iot:Subscribe",
            "Resource": "arn:aws:iot:us-east-1:123456789:topicfilter/messenger/${cognito-identity.amazonaws.com:sub}"
        },
        {
            "Effect": "Deny",
            "Action": [
                "iot:Receive",
                "iot:Publish"
            ],
            "Resource": "arn:aws:iot:us-east-1:123456789:topic/messenger/*",
            "Condition": {"StringNotLike": {"iot:topicfilter": [
                "messenger/${cognito-identity.amazonaws.com:sub}"
              ]}}
        }
    ]
}

Any help would be greatly appreciated. I've already spent 2 full days of digging into AWS docs, blog posts, and what not. This seems to me like such a normal, regular use case for AWS IoT topics, and yet so hard to get right.

1
amazon-web-servicesamazon-iamaws-iot
Have you got a working solution? - Tejaskumar

1 Answers

0
votes

There are 2 cases when using cognito with AWSIoT:

  1. Cognito Authenticated Pool: In this case, you can define a policy at pool level which is less restrictive. Now, you need to attach a policy to every cognito user(IoT's AttachPolicy call) to give specific permissions to the cognito user.

Note: If you don't specify any IoT policy, everything is considered deny which seems to be the case if you are using authenticated pool cognito identities.

  1. Cognito Unauthenticated Pool: In this case, IoT does not do any scopedown(IoT's AttachPolicy call in not required) and policy at the pool level will determine what user can do with IoT resources.

Details of this are present at: https://docs.aws.amazon.com/iot/latest/developerguide/pub-sub-policy.html#pub-sub-policy-cognito http://docs.aws.amazon.com/iot/latest/developerguide/authorization.html

Another Similar thread you might be interested in https://stackoverflow.com/a/47838529/962545