基于设备用于身份验证的证书,试图将设备限制为仅位于AWS IOT内部的资源(影子)。
Device1附加到Cert1-我想要一个通用策略,该策略只能让Device1更新设备1的影子,而不更新Device2的影子
但所有这些都是从设备用来进行身份验证的证书触发的。
以下政策似乎无效-有帮助吗?
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iot:Connect",
"Resource": "*",
"Condition": {
"Bool": {
"iot:Connection.Thing.IsAttached": [
"true"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"iot:Publish",
"iot:Receive"
],
"Resource": [
"arn:aws:iot:us-east-1:xxxxxx:topic/${iot:Connection.Thing.ThingTypeName}/${iot:Connection.Thing.ThingName}",
"arn:aws:iot:us-east-1:xxxxxx:topic/${iot:Connection.Thing.ThingTypeName}/${iot:Connection.Thing.ThingName}/*"
]
},
{
"Effect": "Allow",
"Action": [
"iot:Subscribe"
],
"Resource": [
"arn:aws:iot:us-east-1:xxxxxx:topicfilter/${iot:Connection.Thing.ThingTypeName}/${iot:Connection.Thing.ThingName}",
"arn:aws:iot:us-east-1:xxxxxx:topicfilter/${iot:Connection.Thing.ThingTypeName}/${iot:Connection.Thing.ThingName}/*"
]
}
]
}
答案 0 :(得分:1)
这就是我最终使用的,将设备限制为它自己的资源,并且让 ClientID 也是 AWS Thing 的名称
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iot:Connect",
"Resource": "*",
"Condition": {
"Bool": {
"iot:Connection.Thing.IsAttached": [
"true"
]
},
"ForAnyValue:StringEquals": {
"iot:ClientId": [
"${iot:Connection.Thing.ThingName}"
]
}
}
},
{
"Effect": "Allow",
"Action": "iot:Publish",
"Resource": "arn:aws:iot:us-east-1:xxx:topic/$aws/things/${iot:Connection.Thing.ThingName}/*"
},
{
"Effect": "Allow",
"Action": "iot:Subscribe",
"Resource": "arn:aws:iot:us-east-1:xxx:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/*"
},
{
"Effect": "Allow",
"Action": "iot:Receive",
"Resource": "arn:aws:iot:us-east-1:xxx:topic/$aws/things/${iot:Connection.Thing.ThingName}/*"
}
]
}