In AWS IoT, the creation of a Thing is optional. A device can connect to AWS IoT with just a certificate and an attached IoT policy. Because devices can connect without an attached Thing, only the client ID, and not the Thing name, is part of the lifecycle connect/disconnect event.
So to solve your problem you need to restrict, using IoT policies, what clients can use as an MQTT client ID. For example, the following policy only allows a device to connect to AWS IoT if the client ID equals the Thing name:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iot:Connect"
            ],
            "Resource": [
                "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"
            ]
        }
    ]
}
If you add custom information to your device certificates created in AWS IoT using create-certificate-from-csr, you can also use information from the certificate, like the Common Name (CN), to restrict the client ID by leveraging the AWS IoT X.509 policy variables.
At this stage, as you control the client ID value devices set during connection, you can use the clientId in the lifecycle event payload to filter the events.
Hope that helps.
Hi.
From the lifecycle connect/disconnect event (see below), you can extract the principal identifier, which, if you are authenticating with mTLS, is your certificate ID. With the certificate ID, you can build your certificate ARN, and use ListPrincipalThings (https://docs.aws.amazon.com/iot/latest/apireference/API_ListPrincipalThings.html) to get your Thing name.
You can do this in a Lambda function invoked via a rule action, or directly in the select statement of your IoT Rule: https://docs.aws.amazon.com/iot/latest/developerguide/iot-sql-functions.html#iot-func-aws-lambda
{
    "clientId": "xxx",
    "timestamp": xxx,
    "eventType": "connected",
    "sessionIdentifier": "xxx",
    "principalIdentifier": "xxx",
    "ipAddress": "xxx",
    "versionNumber": 0
}
You should ideally keep clientId and thingName aligned, if your solution allows for it.
Hope this helps!
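A worked example of the lookup this answer describes, added here and not the answerer's or AWS's own code: a rule-action Lambda that checks the principalIdentifier is an X.509 certificate ID, builds the certificate ARN, pages through ListPrincipalThings with boto3, and flags a clientId/thingName mismatch. The sample event, the FakeIotClient stand-in, and reading the account ID from the Lambda context ARN are assumptions made so it runs offline.

```python
import re

# Constructed sample lifecycle event (shape from the answer above, placeholder values).
SAMPLE_EVENT = {
    "clientId": "sensor-0001", "eventType": "connected", "versionNumber": 0,
    "principalIdentifier": "ab" * 32,  # 64-hex certificate id (mTLS connections)
    "ipAddress": "192.0.2.10",
}
CERT_ID_RE = re.compile(r"^[0-9a-f]{64}$")


def certificate_arn(region, account_id, principal_identifier):
    """Build the certificate ARN from an mTLS principalIdentifier.
    Custom-authorizer or Cognito principals are not certificate ids; refuse them
    instead of querying ListPrincipalThings with a meaningless ARN.
    """
    if not CERT_ID_RE.match(principal_identifier):
        raise ValueError("principalIdentifier is not an X.509 certificate id")
    return f"arn:aws:iot:{region}:{account_id}:cert/{principal_identifier}"


def resolve_thing(event, iot_client, region, account_id):
    """Look up the Thing attached to the connecting certificate, following pagination.
    thingName is None when no Thing is attached (a device may connect with only a
    certificate and policy); mismatch flags clientId != thingName.
    """
    arn = certificate_arn(region, account_id, event["principalIdentifier"])
    things, kwargs = [], {"principal": arn}
    while True:  # ListPrincipalThings pages with nextToken
        resp = iot_client.list_principal_things(**kwargs)
        things.extend(resp.get("things", []))
        if not resp.get("nextToken"):
            break
        kwargs["nextToken"] = resp["nextToken"]
    thing_name = things[0] if things else None
    return {"clientId": event["clientId"], "eventType": event["eventType"],
            "thingName": thing_name,
            "mismatch": thing_name is not None and thing_name != event["clientId"]}


class FakeIotClient:
    """Constructed offline stand-in for boto3's IoT client; pages indexed by nextToken."""
    def __init__(self, pages):
        self.pages = pages
    def list_principal_things(self, **kwargs):
        return self.pages[int(kwargs.get("nextToken", 0))]


def lambda_handler(event, context):
    """Rule-action entry point; region and account id come from the function's own ARN."""
    import boto3  # imported here so the module imports offline without boto3
    _, _, _, region, account_id, *_ = context.invoked_function_arn.split(":")
    return resolve_thing(event, boto3.client("iot", region_name=region), region, account_id)
```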
I agree, but add that having your client ID and Thing name match is a best practice: https://docs.aws.amazon.com/wellarchitected/latest/iot-lens/identity-and-access-management-iam.html
If you enable fleet indexing, the connectivity status of each Thing is available. So that is a status, instead of an event, but it saves you deriving the status yourself. You can then do searches such as connectivity.connected: True. The connectivity status of each Thing is also available in Fleet Hub.