AWS IOT policy document

2
votes

I have an application where each client has its own thing, for each thing I am creating a certificate and attaching it to the thing, I am also attaching the following policy to the certificate.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:*",
    "Resource": ["arn:aws:iot:us-east-1:*********:topic/${iot:Connection.Thing.ThingName}"]
    }
  ]
}

What I want to do is limit a client from accessing other clients' things, and each client can have full access to its thing topic.

The above policy isn't working, clients aren't able to connect at all. However the following is working (in terms of functionality), but clients are able to publish to all topics.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:*",
      "Resource": "*"
    }
  ]
}

Also the following connects successfully but fails to publish:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": [
        "arn:aws:iot:us-east-1:******:topic/${iot:Connection.Thing.ThingName}"
      ]
    }
  ]
}

Finally the following connects and publishes successfully.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": [
        "arn:aws:iot:us-east-1:******:topic/*"
      ]
    }
  ]
}

MQTTBox client configs: client configs

Publisher: publisher settings

What am I doing wrong?

2
amazon-web-servicesiotaws-iot

2 Answers

1
votes

The policy needs an explicit iot:Connect statement to allow connections to a client resource.

The relevant client resource is documented at https://docs.aws.amazon.com/iot/latest/developerguide/action-resources.html as

A client ID ARN - arn:aws:iot:us-east1:123456789012:client/myClientId

For a thing that is registered in the AWS IoT registry, you can use:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": ["arn:aws:iot:us-east-1:*********:client/${iot:Connection.Thing.ThingName}"]
    },
    {
      "Effect": "Allow",
      "Action": "iot:*",
      "Resource": ["arn:aws:iot:us-east-1:*********:topic/${iot:Connection.Thing.ThingName}"]
    }
  ]
}

e.g. This example will allow a thing with client id of ThingId123 to publish to a topic named ThingId123.

See also https://docs.aws.amazon.com/iot/latest/developerguide/pub-sub-policy.html for an example that appears to closely align to your needs.

0
votes

after struggling with fine-grained policies myself, the accepted answer should be is that that you just forgot the /* at the end of the topic, since AWS uses more nesting to the topic resource, 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iot:Connect"
            ],
            "Resource": [
                "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}",
            ]
        }
        {
            "Effect": "Allow",
            "Action": [
                "iot:Publish"
            ],
            "Resource": [
                "arn:aws:iot:us-east-1:123456789012:topic/${iot:Connection.Thing.ThingName}/*"
            ]
        }
    ]
}

you can read about is here:

also instead of 

"Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/${iot:Connection.Thing.ThingName}/*"

you can do

 "Resource": [ "arn:aws:iot:us-east-1:123456789012:*/${iot:Connection.Thing.ThingName}/*"

this will help you also for subscribing