I am trying to write an AWS IoT policy for a Cognito identity so that it can communicate with AWS IoT things. However, according to the AWS IoT audit check, the policy is too permissive: "The policy allows broad access to IoT data plane actions: [iot:Subscribe, iot:Connect, iot:Publish]." How do I fix this?
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iot:Connect",
            "Resource": "arn:aws:iot:us-east-1:<aws account id>:client/${iot:ClientId}"
        },
        {
            "Effect": "Allow",
            "Action": "iot:Publish",
            "Resource": "arn:aws:iot:us-east-1:<aws account id>:topic/$aws/things/*/shadow/get"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iot:Subscribe"
            ],
            "Resource": [
                "arn:aws:iot:us-east-1:<aws account id>:topicfilter/$aws/events/presence/connected/*",
                "arn:aws:iot:us-east-1:<aws account id>:topicfilter/$aws/events/presence/disconnected/*",
                "arn:aws:iot:us-east-1:<aws account id>:topicfilter/$aws/things/*/shadow/update/accepted",
                "arn:aws:iot:us-east-1:<aws account id>:topicfilter/$aws/things/*/shadow/get/accepted"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iot:Receive"
            ],
            "Resource": "arn:aws:iot:us-east-1:<aws account id>:topic/$aws/things/*"
        }
    ]
}
Answer 0 (score: 0)
This means you are trying to use an over-exposed policy. Since you did not mention the exact use case, I assume the policy is already the least-privileged one; if that is not the case and the use case allows your policy to be more restrictive, please restrict your policy from:
arn:aws:iot:region:account-id:client/* to arn:aws:iot:region:account-id:client/${iot:ClientId}
where iot:ClientId is a policy variable that refers to the clientId of the MQTT connection. Also refer to
https://docs.aws.amazon.com/iot/latest/developerguide/audit-chk-iot-policy-permissive.html
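As an added illustration (not part of the question or the answer above, and not AWS code), the following Python script applies the same rule the audit check is enforcing to the posted policy: for every Allow on a data-plane action, it flags resource ARNs whose path still contains a `*` wildcard. It then shows a tightened variant of the same policy in which the wildcards are replaced by the `${iot:ClientId}` policy variable, which is a real AWS IoT policy variable; the account id `123456789012` is a constructed placeholder, and the tightened policy assumes that each client only needs the shadow of the thing whose name equals its own MQTT client ID, which is an assumption about the deployment rather than something the question states.

```python
import json

# AWS IoT data-plane actions covered by the "permissive policy" audit check.
DATA_PLANE_ACTIONS = {"iot:Connect", "iot:Publish", "iot:Subscribe", "iot:Receive"}

# Constructed placeholder account id; replace with your own.
ARN = "arn:aws:iot:us-east-1:123456789012:"

# The policy from the question, with the placeholder account id.
POSTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect",
         "Resource": ARN + "client/${iot:ClientId}"},
        {"Effect": "Allow", "Action": "iot:Publish",
         "Resource": ARN + "topic/$aws/things/*/shadow/get"},
        {"Effect": "Allow", "Action": ["iot:Subscribe"],
         "Resource": [ARN + "topicfilter/$aws/events/presence/connected/*",
                      ARN + "topicfilter/$aws/events/presence/disconnected/*",
                      ARN + "topicfilter/$aws/things/*/shadow/update/accepted",
                      ARN + "topicfilter/$aws/things/*/shadow/get/accepted"]},
        {"Effect": "Allow", "Action": ["iot:Receive"],
         "Resource": ARN + "topic/$aws/things/*"},
    ],
}

# Tightened variant: every wildcard path segment is bound to the connecting
# client's ID via the ${iot:ClientId} policy variable. This assumes (our
# assumption, not the question's) that thing name == MQTT client ID.
TIGHTENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect",
         "Resource": ARN + "client/${iot:ClientId}"},
        {"Effect": "Allow", "Action": "iot:Publish",
         "Resource": ARN + "topic/$aws/things/${iot:ClientId}/shadow/get"},
        {"Effect": "Allow", "Action": ["iot:Subscribe"],
         "Resource": [ARN + "topicfilter/$aws/events/presence/connected/${iot:ClientId}",
                      ARN + "topicfilter/$aws/events/presence/disconnected/${iot:ClientId}",
                      ARN + "topicfilter/$aws/things/${iot:ClientId}/shadow/update/accepted",
                      ARN + "topicfilter/$aws/things/${iot:ClientId}/shadow/get/accepted"]},
        {"Effect": "Allow", "Action": ["iot:Receive"],
         "Resource": [ARN + "topic/$aws/things/${iot:ClientId}/shadow/update/accepted",
                      ARN + "topic/$aws/things/${iot:ClientId}/shadow/get/accepted"]},
    ],
}


def _as_list(value):
    """IAM-style documents allow either a string or a list in Action/Resource."""
    return value if isinstance(value, list) else [value]


def resource_path(arn):
    """Return the resource part of an IoT ARN (e.g. 'topic/$aws/things/*').

    An ARN has six colon-separated fields; a bare '*' is returned unchanged.
    """
    parts = arn.split(":", 5)
    return parts[5] if len(parts) == 6 else arn


def find_permissive_grants(policy):
    """Return (action, resource) pairs where an Allow on a data-plane action
    names a resource whose path contains a '*' wildcard."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            broad = action in ("iot:*", "*")
            if action not in DATA_PLANE_ACTIONS and not broad:
                continue
            for resource in _as_list(stmt.get("Resource", [])):
                if "*" in resource_path(resource):
                    findings.append((action, resource))
    return findings


if __name__ == "__main__":
    for name, policy in (("posted", POSTED_POLICY), ("tightened", TIGHTENED_POLICY)):
        findings = find_permissive_grants(policy)
        print(f"{name}: {len(findings)} wildcard grant(s)")
        for action, resource in findings:
            print(f"  {action:<14} {resource}")
    print(json.dumps(TIGHTENED_POLICY, indent=2))
```

Running the script reports six wildcard grants in the posted policy (one Publish, four Subscribe, one Receive) and none in the tightened one; the `iot:Connect` statement is already scoped to `${iot:ClientId}`, which is the change the answer describes. If a client genuinely needs the shadows of several things, list those thing names explicitly rather than reintroducing `things/*`.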