1 Answer
Hello.
As far as I can see from the document below, I don't think it is possible to restrict the display based on the user who created the resource.
https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiot.html
This is because the "Resource types" listed in the document for "iot:ListThings" and "iot:ListCertificates" are blank, so nothing can be displayed unless the resource is set to "*".
Therefore, I think it will not work unless the IAM policy is set as follows.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:CreateKeysAndCertificate",
        "iot:DescribeCertificate",
        "iot:UpdateCertificate",
        "iot:CreateThing",
        "iot:DescribeThing",
        "iot:UpdateThing",
        "iot:DeleteThing",
        "iot:AttachThingPrincipal",
        "iot:DetachThingPrincipal",
        "iot:ListThingGroupsForThing"
      ],
      "Resource": [
        "arn:aws:iot:<region>:<account ID>:thing/${aws:username}_*",
        "arn:aws:iot:<region>:<account ID>:thinggroup/*",
        "arn:aws:iot:<region>:<account ID>:cert/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:CreateKeysAndCertificate",
        "iot:RegisterThing",
        "iot:ListThingPrincipals",
        "iot:ListThings",
        "iot:ListCertificates"
      ],
      "Resource": "*"
    }
  ]
}
```
Then the IAM user will have access to all the things and certificates found in the root user, isn't there a way I can limit the access to only the certificates and things created by him?
You can display the list, but since "iot:DescribeThing" can be restricted to "thing*", you should not be able to display details. In other words, I think it can be restricted by ARN.
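As an added illustration of the point made in this thread (not code from the answer above or from AWS), here is a small offline evaluator for the Action/Resource/`${aws:username}` part of an identity policy. It is not the real IAM engine (no conditions, NotAction, NotResource or resource policies), but it is enough to show why `iot:ListThings` only works with `Resource: "*"` while `iot:DescribeThing` can be scoped to the user's own thing ARNs. The region, account ID and thing names are constructed placeholders.

```python
import fnmatch

# Constructed policy, condensed from the one in the answer above: per-user
# actions scoped to "thing/${aws:username}_*", list actions on "*".
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["iot:DescribeThing", "iot:UpdateThing", "iot:DeleteThing"],
            "Resource": ["arn:aws:iot:us-east-1:123456789012:thing/${aws:username}_*"],
        },
        {
            "Effect": "Allow",
            "Action": ["iot:ListThings", "iot:ListCertificates"],
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    # IAM allows a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def is_allowed(policy, username, action, resource):
    """Simplified IAM evaluation: explicit Deny wins, otherwise any matching Allow.

    Actions match case-insensitively, resource ARNs case-sensitively, and
    ${aws:username} is substituted before wildcard matching. Actions that have
    no resource type (e.g. iot:ListThings) are evaluated against resource "*".
    """
    decision = False
    for stmt in policy["Statement"]:
        actions = [a.lower() for a in _as_list(stmt["Action"])]
        resources = [r.replace("${aws:username}", username)
                     for r in _as_list(stmt["Resource"])]
        if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision
```

Dropping the second statement makes `iot:ListThings` fail for the request resource `*`, which is the behaviour the answer describes: the thing ARN pattern never matches a list call, so the list must be granted on `*` and per-user scoping is done on the Describe/Update/Delete actions instead.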