IoT policy to restrict MQTT publish/subscribe by ThingName


We are using AWS IoT provisioning templates and policies to create and connect things by claim, which works fine to register the things. Once claimed, we want to apply an MQTT policy that grants the IoT thing access to certain topics, restricting what it can and cannot access. However, I'm failing to get this part to work. I want it to allow the thing to connect to various topics, restricting it to only those that match the thing name:

v1/connect/<thingname>
v1/update/<thingname>
v1/status/<thingname>

Our policy is:

Allow iot:Connect arn:aws:iot:<reg>:<acc>:client/${iot:Connection.Thing.ThingName}
Allow iot:Publish arn:aws:iot:<reg>:<acc>:topic/v1/+/${iot:Connection.Thing.ThingName}
Allow iot:Subscribe arn:aws:iot:<reg>:<acc>:topic/v1/+/${iot:Connection.Thing.ThingName}
Allow iot:Receive arn:aws:iot:<reg>:<acc>:topic/v1/+/${iot:Connection.Thing.ThingName}

The connect restriction works fine, but the others don't allow me to publish or subscribe. If I replace the `:topic/...` part with `*`, I can of course connect, but that's not securing the topics.

I've followed the AWS Developer Guide as well as I can manage to do this, but I'm failing.

Where am I going wrong?

asked a year ago · 254 views
2 Answers
Accepted Answer

Hi. At least in regards to the Subscribe action, you're using an incorrect resource. It should be topicfilter, not topic:

https://docs.aws.amazon.com/iot/latest/developerguide/iot-action-resources.html

Greg_B (AWS EXPERT)
answered a year ago
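As an added illustration (not code from the answer above or from AWS), here is a small Python evaluator that applies the action-to-resource-type mapping from the linked table to the policy in the question and then to a corrected one. It assumes a constructed region and account ID, treats `*` as the only policy wildcard and `+` as a literal character (which is how AWS IoT Core policies handle MQTT wildcards), and lists the three topics explicitly rather than using `v1/*/<thing>`, since `*` also matches deeper topic levels.

```python
import re

REGION, ACCOUNT = "eu-west-1", "123456789012"   # constructed placeholder values
THING_VAR = "${iot:Connection.Thing.ThingName}"
# Resource type each action is authorised against (AWS IoT action-resources table)
RESOURCE_TYPE = {"iot:Connect": "client", "iot:Publish": "topic",
                 "iot:Receive": "topic", "iot:Subscribe": "topicfilter"}

def resource_matches(pattern, arn):
    """'*' is the only policy wildcard; MQTT '+' and '#' are literal characters."""
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), arn) is not None

def is_allowed(policy, action, name, thing_name):
    """True if an Allow statement covers `action` on client id / topic / filter `name`."""
    target = f"arn:aws:iot:{REGION}:{ACCOUNT}:{RESOURCE_TYPE[action]}/{name}"
    for st in policy["Statement"]:
        acts = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        ress = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if (st["Effect"] == "Allow" and any(a in (action, "iot:*") for a in acts)
                and any(resource_matches(r.replace(THING_VAR, thing_name), target)
                        for r in ress)):
            return True
    return False

def allow(actions, rtype, paths):
    """Build one Allow statement for a resource type and a list of paths."""
    return {"Effect": "Allow", "Action": actions,
            "Resource": [f"arn:aws:iot:{REGION}:{ACCOUNT}:{rtype}/{p}" for p in paths]}

# The question's policy: Subscribe names a topic/ resource (wrong type) and
# relies on '+' as a wildcard, which a policy resource does not honour
ASKED = {"Version": "2012-10-17", "Statement": [
    allow("iot:Connect", "client", [THING_VAR]),
    allow(["iot:Publish", "iot:Receive"], "topic", [f"v1/+/{THING_VAR}"]),
    allow("iot:Subscribe", "topic", [f"v1/+/{THING_VAR}"])]}

# Fixed: Subscribe uses topicfilter/, and the three topics are listed explicitly
# instead of 'v1/*/<thing>', because '*' would also match deeper topics
TOPICS = [f"v1/{t}/{THING_VAR}" for t in ("connect", "update", "status")]
FIXED = {"Version": "2012-10-17", "Statement": [
    allow("iot:Connect", "client", [THING_VAR]),
    allow(["iot:Publish", "iot:Receive"], "topic", TOPICS),
    allow("iot:Subscribe", "topicfilter", TOPICS)]}

def check(policy, thing="0R281"):
    """Outcomes for the thing's own topic and for another thing's topic (sample name)."""
    return {"connect": is_allowed(policy, "iot:Connect", thing, thing),
            "publish_own": is_allowed(policy, "iot:Publish", f"v1/update/{thing}", thing),
            "subscribe_own": is_allowed(policy, "iot:Subscribe", f"v1/update/{thing}", thing),
            "subscribe_other": is_allowed(policy, "iot:Subscribe", "v1/update/other", thing)}
```

`check(ASKED)` allows only the connect, while `check(FIXED)` allows publish and subscribe on the thing's own topics and still denies another thing's topic.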

Good morning, I have a similar problem. I want to apply an MQTT policy that grants the IoT thing access to a certain topic. For example, assuming that the thing name is 0R281, I would like a policy that allows the thing to publish only to a topic with the following name: xgate/0R281/data

I created a policy structured like this:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "iot:Connect", "Resource": "arn:aws:iot:eu-west-1:<acc>:client/${iot:Connection.Thing.ThingName}" },
    { "Effect": "Allow", "Action": "iot:Subscribe", "Resource": "arn:aws:iot:eu-west-1:<acc>:topicfilter/xgate/${iot:Connection.Thing.ThingName}/data" },
    { "Effect": "Allow", "Action": "iot:Publish", "Resource": "arn:aws:iot:eu-west-1:<acc>:topic/xgate/${iot:Connection.Thing.ThingName}/data" }
  ]
}
```

but it does not work. Trying with a policy made like this obviously works:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "iot:*", "Resource": "*" }
  ]
}
```

I don't understand where the mistake is.

answered 4 months ago
  • Try this. It will allow you to publish and subscribe to a topic with the thing name. I never had any luck when adding suffixes after the thing name.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "iot:Connect", "Resource": "arn:aws:iot:eu-west-1:<ACC>:client/${iot:Connection.Thing.ThingName}" },
    { "Effect": "Allow", "Action": "iot:Publish", "Resource": "arn:aws:iot:eu-west-1:<ACC>:topic/xgate/${iot:Connection.Thing.ThingName}" },
    { "Effect": "Allow", "Action": "iot:Subscribe", "Resource": "arn:aws:iot:eu-west-1:<ACC>:topicfilter/xgate/${iot:Connection.Thing.ThingName}" },
    { "Effect": "Allow", "Action": "iot:Receive", "Resource": "arn:aws:iot:eu-west-1:<ACC>:topic/xgate/${iot:Connection.Thing.ThingName}" }
  ]
}
```
