问题描述
基于设备用于身份验证的证书,试图将设备限制为仅位于AWS IOT内部的资源(影子)。
Device1附加到Cert1-我想要一个通用策略,该策略只能让Device1更新设备1的影子,而不更新Device2的影子
但所有这些都是从设备用来进行身份验证的证书触发的。
以下政策似乎无效-有帮助吗?
{
"Version": "2012-10-17","Statement": [
{
"Effect": "Allow","Action": "iot:Connect","Resource": "*","Condition": {
"Bool": {
"iot:Connection.Thing.IsAttached": [
"true"
]
}
}
},{
"Effect": "Allow","Action": [
"iot:Publish","iot:Receive"
],"Resource": [
"arn:aws:iot:us-east-1:xxxxxx:topic/${iot:Connection.Thing.ThingTypeName}/${iot:Connection.Thing.ThingName}","arn:aws:iot:us-east-1:xxxxxx:topic/${iot:Connection.Thing.ThingTypeName}/${iot:Connection.Thing.ThingName}/*"
]
},"Action": [
"iot:Subscribe"
],"Resource": [
"arn:aws:iot:us-east-1:xxxxxx:topicfilter/${iot:Connection.Thing.ThingTypeName}/${iot:Connection.Thing.ThingName}","arn:aws:iot:us-east-1:xxxxxx:topicfilter/${iot:Connection.Thing.ThingTypeName}/${iot:Connection.Thing.ThingName}/*"
]
}
]
}
解决方法
这就是我最终使用的,将设备限制为它自己的资源,并且让 ClientID 也是 AWS Thing 的名称
{
"Version": "2012-10-17","Statement": [
{
"Effect": "Allow","Action": "iot:Connect","Resource": "*","Condition": {
"Bool": {
"iot:Connection.Thing.IsAttached": [
"true"
]
},"ForAnyValue:StringEquals": {
"iot:ClientId": [
"${iot:Connection.Thing.ThingName}"
]
}
}
},{
"Effect": "Allow","Action": "iot:Publish","Resource": "arn:aws:iot:us-east-1:xxx:topic/$aws/things/${iot:Connection.Thing.ThingName}/*"
},"Action": "iot:Subscribe","Resource": "arn:aws:iot:us-east-1:xxx:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/*"
},"Action": "iot:Receive","Resource": "arn:aws:iot:us-east-1:xxx:topic/$aws/things/${iot:Connection.Thing.ThingName}/*"
}
]
}