We want to set up a policy so that only a device's "owner" can access the device shadow ("iot:UpdateThingShadow", "iot:GetThingShadow").
According to this document (https://docs.aws.amazon.com/iot/latest/developerguide/security_iam_id-based-policy-examples.html#security_iam_id-based-policy-examples-view-thing-tags), it should be possible to define a tag on the thing and compare it with the IAM user name. Like this:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ConnectToThings",
            "Effect": "Allow",
            "Action": [
                "iot:Connect"
            ],
            "Resource": "arn:aws:iot:*:*:thing/*"
        },
        {
            "Sid": "ViewThingsIfOwner",
            "Effect": "Allow",
            "Action": [
                "iot:GetThingShadow",
                "iot:UpdateThingShadow"
            ],
            "Resource": "arn:aws:iot:*:*:thing/*",
            "Condition": {
                "StringEquals": {"iot:ResourceTag/Owner": "${aws:username}"}
            }
        }
    ]
}
We tried the following configuration without luck:
IoT thing -> "thing00", tagged with "Owner = user00"
IAM users -> "user00" and "user01", both with the IAM policy above.
Neither "user00" nor "user01" can access the shadow service of "thing00". Are we missing something?
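As an added example (not part of the question and not AWS code), the following Python is a simplified offline model of how the "ViewThingsIfOwner" statement is meant to evaluate: the `${aws:username}` variable is substituted from the caller's context and then compared against the thing's `Owner` tag with an exact, case-sensitive `StringEquals`. It is useful for checking that the tag value on the thing really equals the IAM user name byte for byte (no stray spaces, no case differences); the evaluation rules modelled here are an assumption of this example, not the real IAM engine.

```python
import json

# Constructed input: the "ViewThingsIfOwner" statement from the question above.
STATEMENT = json.loads("""
{
  "Sid": "ViewThingsIfOwner",
  "Effect": "Allow",
  "Action": ["iot:GetThingShadow", "iot:UpdateThingShadow"],
  "Resource": "arn:aws:iot:*:*:thing/*",
  "Condition": {
    "StringEquals": {"iot:ResourceTag/Owner": "${aws:username}"}
  }
}
""")

TAG_KEY_PREFIX = "iot:ResourceTag/"


def substitute_variables(value, request_context):
    # Replace policy variables such as ${aws:username} with values from the request context.
    for ctx_key, ctx_value in request_context.items():
        value = value.replace("${" + ctx_key + "}", ctx_value)
    return value


def condition_matches(condition, request_context, thing_tags):
    # Only StringEquals on iot:ResourceTag/<key> is modelled: exact, case-sensitive comparison.
    for cond_key, expected in condition.get("StringEquals", {}).items():
        if not cond_key.startswith(TAG_KEY_PREFIX):
            return False  # unsupported key in this model: treat as no match
        tag_value = thing_tags.get(cond_key[len(TAG_KEY_PREFIX):])
        if tag_value is None:
            return False  # a missing tag never satisfies StringEquals
        if tag_value != substitute_variables(expected, request_context):
            return False
    return True


def is_allowed(statement, action, username, thing_tags):
    # Returns True only if the Allow statement covers the action and its condition holds.
    actions = statement["Action"]
    if isinstance(actions, str):
        actions = [actions]
    if statement["Effect"] != "Allow" or action not in actions:
        return False
    context = {"aws:username": username}
    return condition_matches(statement.get("Condition", {}), context, thing_tags)
```

Run it with the thing's actual tag dictionary (for example from `describe_thing`/`list_tags_for_resource` output) to see whether the comparison can ever succeed for the user in question.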