时间戳

首页 > 解决方案 > 使用策略将 AWS IOT 设备限制为自身

aws-iot - 使用策略将 AWS IOT 设备限制为自身

问题描述

根据设备用于身份验证的证书,希望将设备限制为 AWS IOT 内部的资源(影子)。

Device1 附加到 Cert1 - 我想要一个通用策略,只让 Device1 更新 Device 1 的影子,而不是 Device2

但所有这些都被设备用来进行身份验证的证书触发。

下面的政策似乎不起作用 - 有什么帮助吗?

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "iot:Connection.Thing.IsAttached": [
            "true"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish",
        "iot:Receive"
      ],
      "Resource": [
        "arn:aws:iot:us-east-1:xxxxxx:topic/${iot:Connection.Thing.ThingTypeName}/${iot:Connection.Thing.ThingName}",
        "arn:aws:iot:us-east-1:xxxxxx:topic/${iot:Connection.Thing.ThingTypeName}/${iot:Connection.Thing.ThingName}/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Subscribe"
      ],
      "Resource": [
        "arn:aws:iot:us-east-1:xxxxxx:topicfilter/${iot:Connection.Thing.ThingTypeName}/${iot:Connection.Thing.ThingName}",
        "arn:aws:iot:us-east-1:xxxxxx:topicfilter/${iot:Connection.Thing.ThingTypeName}/${iot:Connection.Thing.ThingName}/*"
      ]
    }
  ]
}

标签: aws-iot

解决方案

这就是我最终使用的,将设备限制为它自己的资源,并将 ClientID 也是 AWS Thing 的名称

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "iot:Connection.Thing.IsAttached": [
            "true"
          ]
        },
        "ForAnyValue:StringEquals": {
          "iot:ClientId": [
            "${iot:Connection.Thing.ThingName}"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": "arn:aws:iot:us-east-1:xxx:topic/$aws/things/${iot:Connection.Thing.ThingName}/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:us-east-1:xxx:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Receive",
      "Resource": "arn:aws:iot:us-east-1:xxx:topic/$aws/things/${iot:Connection.Thing.ThingName}/*"
    }
  ]
}

推荐阅读