I'm trying to configure a generic policy for all my IoT devices. I would like each IoT device to be able to publish, consume and subscribe to its own topic only (including subtopics). For example, client "myclient" is able to consume, publish and subscribe to the following topics: myclient/, myclient/a, myclient/a/b/c, etc. What am I missing?
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:eu-central-1:11111111:client/${iot:Connection.Thing.ThingName}"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": "arn:aws:iot:eu-central-1:11111111:topic/${iot:Connection.Thing.ThingName}/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Receive",
      "Resource": "arn:aws:iot:eu-central-1:11111111:topic/${iot:Connection.Thing.ThingName}/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:eu-central-1:11111111:topicfilter/${iot:Connection.Thing.ThingName}/*"
    }
  ]
}
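A small policy-evaluation simulator for the policy above, added here as an example (not code from the question or from AWS tooling). It assumes IAM-style globbing in resource ARNs ('*' matches any run of characters, slashes included, '?' one character), substitutes ${iot:Connection.Thing.ThingName} before matching, and approximates an unresolvable variable (certificate not attached to a Thing) as an empty name; the region and account id are the placeholders from the question.

```python
import re

# The policy from the question, embedded as constructed sample input.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect",
         "Resource": "arn:aws:iot:eu-central-1:11111111:client/${iot:Connection.Thing.ThingName}"},
        {"Effect": "Allow", "Action": "iot:Publish",
         "Resource": "arn:aws:iot:eu-central-1:11111111:topic/${iot:Connection.Thing.ThingName}/*"},
        {"Effect": "Allow", "Action": "iot:Receive",
         "Resource": "arn:aws:iot:eu-central-1:11111111:topic/${iot:Connection.Thing.ThingName}/*"},
        {"Effect": "Allow", "Action": "iot:Subscribe",
         "Resource": "arn:aws:iot:eu-central-1:11111111:topicfilter/${iot:Connection.Thing.ThingName}/*"},
    ],
}
ARN_PREFIX = "arn:aws:iot:eu-central-1:11111111:"  # placeholder values from the question
THING_VAR = "${iot:Connection.Thing.ThingName}"


def arn_matches(pattern: str, value: str) -> bool:
    """IAM-style glob (assumption): '*' matches any characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, arn: str, thing_name: str) -> bool:
    """Evaluate one request: an explicit Deny wins, otherwise any matching Allow grants it."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(arn_matches(a, action) for a in as_list(stmt["Action"])):
            continue
        # Substitute the policy variable first. An empty thing name (certificate not
        # attached to a Thing) yields resources like "client/" that no real client id matches.
        resources = [r.replace(THING_VAR, thing_name) for r in as_list(stmt["Resource"])]
        if any(arn_matches(r, arn) for r in resources):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def can_connect(client_id: str, thing: str) -> bool:
    return is_allowed(POLICY, "iot:Connect", ARN_PREFIX + "client/" + client_id, thing)


def can_publish(topic: str, thing: str) -> bool:
    return is_allowed(POLICY, "iot:Publish", ARN_PREFIX + "topic/" + topic, thing)


def can_subscribe(topic_filter: str, thing: str) -> bool:
    return is_allowed(POLICY, "iot:Subscribe", ARN_PREFIX + "topicfilter/" + topic_filter, thing)
```

Under this policy the bare topic "myclient" (no trailing slash) is not covered by "myclient/*", and a client id that differs from the Thing name cannot connect at all, which are the first two things to check when a device is unexpectedly rejected.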
From your policy, it seems like you're on the right track. You've set up permissions for your IoT devices to connect, publish, receive, and subscribe to their own topics. However, you might be missing the wildcard at the end of the Resource ARN for the iot:Publish and iot:Receive actions. Here's an example of a policy:
This policy should now correctly restrict each IoT device to only its own topics and subtopics for publishing, receiving, and subscribing. Try to review and test this policy in your environment to ensure it works as expected.
For more information on IoT policies, you may want to check out some resources on:
These resources might provide additional insights for your use case.