通过策略将AWS IOT设备限制为自身

问题描述

基于设备用于身份验证的证书,试图将设备限制为仅位于AWS IOT内部的资源(影子)。

Device1附加到Cert1-我想要一个通用策略,该策略只能让Device1更新设备1的影子,而不更新Device2的影子

但所有这些都是从设备用来进行身份验证的证书触发的。

以下政策似乎无效-有帮助吗?

{
  "Version": "2012-10-17","Statement": [
    {
      "Effect": "Allow","Action": "iot:Connect","Resource": "*","Condition": {
        "Bool": {
          "iot:Connection.Thing.IsAttached": [
            "true"
          ]
        }
      }
    },{
      "Effect": "Allow","Action": [
        "iot:Publish","iot:Receive"
      ],"Resource": [
        "arn:aws:iot:us-east-1:xxxxxx:topic/${iot:Connection.Thing.ThingTypeName}/${iot:Connection.Thing.ThingName}","arn:aws:iot:us-east-1:xxxxxx:topic/${iot:Connection.Thing.ThingTypeName}/${iot:Connection.Thing.ThingName}/*"
      ]
    },"Action": [
        "iot:Subscribe"
      ],"Resource": [
        "arn:aws:iot:us-east-1:xxxxxx:topicfilter/${iot:Connection.Thing.ThingTypeName}/${iot:Connection.Thing.ThingName}","arn:aws:iot:us-east-1:xxxxxx:topicfilter/${iot:Connection.Thing.ThingTypeName}/${iot:Connection.Thing.ThingName}/*"
      ]
    }
  ]
}

解决方法

这就是我最终使用的,将设备限制为它自己的资源,并且让 ClientID 也是 AWS Thing 的名称

{
  "Version": "2012-10-17","Statement": [
    {
      "Effect": "Allow","Action": "iot:Connect","Resource": "*","Condition": {
        "Bool": {
          "iot:Connection.Thing.IsAttached": [
            "true"
          ]
        },"ForAnyValue:StringEquals": {
          "iot:ClientId": [
            "${iot:Connection.Thing.ThingName}"
          ]
        }
      }
    },{
      "Effect": "Allow","Action": "iot:Publish","Resource": "arn:aws:iot:us-east-1:xxx:topic/$aws/things/${iot:Connection.Thing.ThingName}/*"
    },"Action": "iot:Subscribe","Resource": "arn:aws:iot:us-east-1:xxx:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/*"
    },"Action": "iot:Receive","Resource": "arn:aws:iot:us-east-1:xxx:topic/$aws/things/${iot:Connection.Thing.ThingName}/*"
    }
  ]
}