IAM User Permissions


I am trying to create an IAM user where I can restrict each account to be able to create a thing and a certificate and register them, but whenever I want to list the available things and certificates, I want to list only his own generated certificates and things. How is this possible? The rule template below that I have generated allows me to create a thing and a certificate and to register them, but when it comes to listing things and certificates it tells me that permission is denied and it cannot do the following action unless I add "iot:ListThings" and "iot:ListCertificates" under the list of actions having full access on resources ("*"), but in this case it lists all the things and certificates available on my root account.

IAM Rule:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iot:CreateKeysAndCertificate",
                "iot:DescribeCertificate",
                "iot:UpdateCertificate",
                "iot:CreateThing",
                "iot:DescribeThing",
                "iot:UpdateThing",
                "iot:DeleteThing",
                "iot:ListThings",
                "iot:AttachThingPrincipal",
                "iot:DetachThingPrincipal",
                "iot:ListThingGroupsForThing",
                "iot:ListCertificates"
            ],
            "Resource": [
                "arn:aws:iot:<region>:<account ID>:thing/${aws:username}_*",
                "arn:aws:iot:<region>:<account ID>:thinggroup/*",
                "arn:aws:iot:<region>:<account ID>:cert/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iot:CreateKeysAndCertificate",
                "iot:RegisterThing",
                "iot:ListThingPrincipals"
            ],
            "Resource": "*"
        }
    ]
}

1 Answer

Hello.

As far as I can see from the document below, I don't think it is possible to restrict the display based on the user who created the resource.
https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiot.html

This is because the "Resource types" listed in the document for "iot:ListThings" and "iot:ListCertificates" are blank, so nothing can be displayed unless the resource is set to "*".
Therefore, I think it will not work unless the IAM policy is set as follows.

{ 
    "Version": "2012-10-17", 
    "Statement": [ 
        { 
            "Effect": "Allow", 
            "Action": [ 
                "iot:CreateKeysAndCertificate", 
                "iot:DescribeCertificate", 
                "iot:UpdateCertificate", 
                "iot:CreateThing", 
                "iot:DescribeThing", 
                "iot:UpdateThing", 
                "iot:DeleteThing", 
                "iot:AttachThingPrincipal", 
                "iot:DetachThingPrincipal", 
                "iot:ListThingGroupsForThing"
            ], 
            "Resource": [ 
                "arn:aws:iot:<region>:<account ID>:thing/${aws:username}_*", 
                "arn:aws:iot:<region>:<account ID>:thinggroup/*", 
                "arn:aws:iot:<region>:<account ID>:cert/*" 
            ] 
        }, 
        { 
            "Effect": "Allow", 
            "Action": [ 
                "iot:CreateKeysAndCertificate", 
                "iot:RegisterThing", 
                "iot:ListThingPrincipals",
                "iot:ListThings",
                "iot:ListCertificates"
            ], 
            "Resource": "*" 
        }
    ] 
}
EXPERT
answered 3 months ago
EXPERT
reviewed 3 months ago
  • Then the IAM user will have access to all the things and certificates found in the root user. Isn't there a way I can limit the access to only the certificates and things created by him?

  • You can display the list, but since "iot:DescribeThing" can be restricted to "thing*", you should not be able to display details. In other words, I think it can be restricted by ARN.
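The following is an added example, not code from the question or the answer above. It is a small, simplified model of IAM policy evaluation (policy-variable substitution for ${aws:username}, "*"/"?" wildcards in Action and Resource, explicit Deny over Allow, implicit Deny otherwise; no Condition, NotAction, resource policies or SCPs) that reproduces the two behaviours discussed in the thread: iot:ListThings has no resource type, so IAM evaluates it against the resource "*" and the ARN-scoped statement never matches it (the questioner's "permission denied"), while iot:DescribeThing stays scoped to thing/<username>_* even after the list actions are granted on "*" (the last comment). The region, account ID, user name and thing names are made-up placeholders.

```python
"""Simplified IAM evaluator for the AWS IoT policy discussed above.

Added example, not part of the original question or answer.  It models only
the parts of IAM evaluation that matter here; it is not the real IAM engine.
Region, account ID, user and thing names are constructed placeholders.
"""
import re
from typing import Optional

REGION = "us-east-1"        # placeholder
ACCOUNT = "123456789012"    # placeholder account ID

SCOPED_ACTIONS = [
    "iot:CreateKeysAndCertificate", "iot:DescribeCertificate",
    "iot:UpdateCertificate", "iot:CreateThing", "iot:DescribeThing",
    "iot:UpdateThing", "iot:DeleteThing", "iot:AttachThingPrincipal",
    "iot:DetachThingPrincipal", "iot:ListThingGroupsForThing",
]
STAR_ACTIONS = ["iot:CreateKeysAndCertificate", "iot:RegisterThing",
                "iot:ListThingPrincipals"]
LIST_ACTIONS = ["iot:ListThings", "iot:ListCertificates"]


def build_policy(list_on_star: bool) -> dict:
    """The policy from the thread.  list_on_star=False is the questioner's
    version (List* inside the ARN-scoped statement); True is the answer's
    version (List* moved to the statement whose Resource is "*")."""
    scoped = SCOPED_ACTIONS + ([] if list_on_star else LIST_ACTIONS)
    star = STAR_ACTIONS + (LIST_ACTIONS if list_on_star else [])
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": scoped, "Resource": [
                f"arn:aws:iot:{REGION}:{ACCOUNT}:thing/${{aws:username}}_*",
                f"arn:aws:iot:{REGION}:{ACCOUNT}:thinggroup/*",
                f"arn:aws:iot:{REGION}:{ACCOUNT}:cert/*",
            ]},
            {"Effect": "Allow", "Action": star, "Resource": "*"},
        ],
    }


def _glob(pattern: str, flags: int = 0):
    """IAM-style wildcard: '*' matches any run, '?' one char, rest literal."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + escaped + "$", flags)


def _substitute(pattern: str, ctx: dict) -> Optional[str]:
    """Replace ${key} policy variables (IAM user names cannot contain '*',
    so the substituted value is taken literally).  An unresolved variable
    makes the pattern unmatchable, as IAM does."""
    missing = False

    def repl(m):
        nonlocal missing
        if m.group(1) in ctx:
            return ctx[m.group(1)]
        missing = True
        return ""

    out = re.sub(r"\$\{([^}]+)\}", repl, pattern)
    return None if missing else out


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str, ctx: dict) -> bool:
    """Evaluate one request the IAM way: a matching Deny wins outright,
    otherwise at least one matching Allow is needed, else implicit deny.
    Action names are matched case-insensitively, resources case-sensitively."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_glob(a, re.IGNORECASE).match(action)
                   for a in _as_list(stmt["Action"])):
            continue
        resources = (_substitute(r, ctx) for r in _as_list(stmt["Resource"]))
        if not any(r is not None and _glob(r).match(resource) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def thing_arn(name: str) -> str:
    return f"arn:aws:iot:{REGION}:{ACCOUNT}:thing/{name}"


if __name__ == "__main__":
    alice = {"aws:username": "alice"}
    q, a = build_policy(False), build_policy(True)
    # ListThings has no resource type: IAM evaluates it against "*", which the
    # thing/thinggroup/cert ARNs never match -> the questioner's denial.
    print("question policy, ListThings:", is_allowed(q, "iot:ListThings", "*", alice))  # False
    print("answer policy,   ListThings:", is_allowed(a, "iot:ListThings", "*", alice))  # True
    # The list is account-wide, but Describe stays scoped to alice_* things.
    print(is_allowed(a, "iot:DescribeThing", thing_arn("alice_sensor1"), alice))  # True
    print(is_allowed(a, "iot:DescribeThing", thing_arn("bob_sensor1"), alice))    # False
```

For the authoritative answer on a real account, run the same requests through IAM's own simulator, e.g. `aws iam simulate-custom-policy` with the policy document, the action names, the resource ARNs and a context entry for aws:username; the model above only explains why the result comes out the way it does.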
