aws-iot - Restricting an AWS IoT device to itself using a policy
Problem description
Based on the certificate the device uses to authenticate, I want to restrict the device to its own resources (shadow) inside AWS IoT.
Device1 is attached to Cert1 - I want a generic policy that only lets Device1 update Device1's shadow, and not Device2's,
but all of this is driven by the certificate the device uses to authenticate.
The policy below doesn't seem to work - any help?
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "iot:Connection.Thing.IsAttached": [
            "true"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish",
        "iot:Receive"
      ],
      "Resource": [
        "arn:aws:iot:us-east-1:xxxxxx:topic/${iot:Connection.Thing.ThingTypeName}/${iot:Connection.Thing.ThingName}",
        "arn:aws:iot:us-east-1:xxxxxx:topic/${iot:Connection.Thing.ThingTypeName}/${iot:Connection.Thing.ThingName}/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Subscribe"
      ],
      "Resource": [
        "arn:aws:iot:us-east-1:xxxxxx:topicfilter/${iot:Connection.Thing.ThingTypeName}/${iot:Connection.Thing.ThingName}",
        "arn:aws:iot:us-east-1:xxxxxx:topicfilter/${iot:Connection.Thing.ThingTypeName}/${iot:Connection.Thing.ThingName}/*"
      ]
    }
  ]
}
Solution
This is what I ended up using; it restricts the device to its own resources, with the ClientID also being the AWS Thing name.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "iot:Connection.Thing.IsAttached": [
            "true"
          ]
        },
        "ForAnyValue:StringEquals": {
          "iot:ClientId": [
            "${iot:Connection.Thing.ThingName}"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": "arn:aws:iot:us-east-1:xxx:topic/$aws/things/${iot:Connection.Thing.ThingName}/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:us-east-1:xxx:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Receive",
      "Resource": "arn:aws:iot:us-east-1:xxx:topic/$aws/things/${iot:Connection.Thing.ThingName}/*"
    }
  ]
}
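As an added illustration (not part of the original answer), here is a small Python evaluator that applies the answer's policy pattern the way AWS IoT resolves `${iot:Connection.Thing.ThingName}` at connect time, so you can check offline that Device1 can reach only its own `$aws/things/Device1/...` shadow topics and that a mismatched ClientId is refused. It is a simplified model: Allow-only statements, `*` as the only wildcard, the condition logic of that one Connect statement, and a placeholder account id.

```python
import re

# Constructed stand-in for the answer's policy; region/account are placeholders.
ARN = "arn:aws:iot:us-east-1:000000000000:"
THING_VAR = "${iot:Connection.Thing.ThingName}"
STATEMENTS = [
    {"Action": ["iot:Connect"], "Resource": ["*"],
     "Condition": {"Bool": {"iot:Connection.Thing.IsAttached": ["true"]},
                   "ForAnyValue:StringEquals": {"iot:ClientId": [THING_VAR]}}},
    {"Action": ["iot:Publish", "iot:Receive"],
     "Resource": [ARN + "topic/$aws/things/" + THING_VAR + "/*"]},
    {"Action": ["iot:Subscribe"],
     "Resource": [ARN + "topicfilter/$aws/things/" + THING_VAR + "/*"]},
]


def _resolve(value, thing_name):
    """Substitute the thing-name policy variable, as AWS IoT does per connection."""
    return value.replace(THING_VAR, thing_name)


def _arn_matches(resource, target):
    """A '*' in a policy resource matches any run of characters (simplified)."""
    pattern = re.escape(resource).replace(r"\*", ".*")
    return re.fullmatch(pattern, target) is not None


def is_allowed(thing_name, client_id, action, topic=None, attached=True):
    """Evaluate one request against STATEMENTS; no matching Allow means deny.

    thing_name: the Thing the connecting certificate is attached to.
    topic: MQTT topic for Publish/Receive, topic filter for Subscribe, None for Connect.
    """
    for st in STATEMENTS:
        if action not in st["Action"]:
            continue
        cond = st.get("Condition", {})
        if cond:
            if str(attached).lower() not in cond["Bool"]["iot:Connection.Thing.IsAttached"]:
                continue  # certificate not attached to a Thing: Connect condition fails
            wanted = [_resolve(v, thing_name) for v in cond["ForAnyValue:StringEquals"]["iot:ClientId"]]
            if client_id not in wanted:
                continue  # ClientId must equal the Thing name
        if topic is None:
            return True  # Connect on Resource "*"
        kind = "topicfilter" if action == "iot:Subscribe" else "topic"
        target = f"{ARN}{kind}/{topic}"
        if any(_arn_matches(_resolve(r, thing_name), target) for r in st["Resource"]):
            return True
    return False


if __name__ == "__main__":
    shadow = "$aws/things/{}/shadow/update"
    print(is_allowed("Device1", "Device1", "iot:Publish", shadow.format("Device1")))  # True
    print(is_allowed("Device1", "Device1", "iot:Publish", shadow.format("Device2")))  # False
```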