What are the required resource strings for iot:CreateCertificateFromCsr, iot:AttachThingPrincipal, and iot:DetachThingPrincipal


What are the required resource strings for iot:CreateCertificateFromCsr, iot:AttachThingPrincipal, and iot:DetachThingPrincipal when configuring permissions for a Lambda? When I try to follow THIS DOCUMENT it tells me that there are none, but you have to specify something or it fails. I could just specify ["*"], and for creating the CSR that sort of makes sense, but for attach and detach shouldn't I specify something like:

`arn:aws:iot:*:${props?.env?.account}:thing/*`;

Instead of resource: ["*"] can I at least specify arn:aws:iot:*:${props?.env?.account}:* (somehow)?

wz2b
asked 8 months ago, 204 views
1 answer
Accepted answer

As described in the documentation, both AttachThingPrincipal and DetachThingPrincipal accept only the wildcard * as resource.

You can verify the same by creating a new policy in the IAM console including the above-mentioned actions.

However, you can restrict the policy to a specific region using the aws:RequestedRegion condition key. This workshop explains how to use it in a policy: https://www.wellarchitectedlabs.com/cost/200_labs/200_2_cost_and_usage_governance/2_ec2_restrict_region/

Similarly, you can restrict access to only resources in an account by using the aws:ResourceAccount global condition key.

AWS EXPERT, answered 8 months ago
AWS EXPERT, reviewed 8 months ago
Greg_B, AWS EXPERT, reviewed 8 months ago
  • Thank you, I didn't know about aws:ResourceAccount
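Putting the accepted answer into a concrete policy document, as an added example that is not code from the post, from AWS or from the linked workshop: the single statement keeps `Resource: "*"` (the only value IAM accepts for the two principal actions) and fences it with `aws:RequestedRegion` and `aws:ResourceAccount`. The account id and region list are constructed placeholders, and `auditPolicy` is a hypothetical helper that flags the two mistakes a reviewer would look for: an ARN-shaped resource on these actions (which IAM rejects) or a bare wildcard with no region/account condition.

```javascript
// Added example (not from the original post). Builds the IAM policy for a
// Lambda that creates certificates from CSRs and attaches/detaches them to
// things, using the pattern from the accepted answer.

const PRINCIPAL_ACTIONS = new Set([
  "iot:AttachThingPrincipal",
  "iot:DetachThingPrincipal",
]);
// Condition keys that keep Resource "*" from reaching other accounts/regions.
const REQUIRED_CONDITION_KEYS = ["aws:RequestedRegion", "aws:ResourceAccount"];

// accountId and regions are caller-supplied assumptions, e.g. the CDK
// props.env.account and the regions the Lambda is deployed to.
function iotCertificatePolicy(accountId, regions) {
  if (!/^\d{12}$/.test(accountId)) {
    throw new Error("accountId must be a 12-digit AWS account id");
  }
  if (!Array.isArray(regions) || regions.length === 0) {
    throw new Error("at least one region is required");
  }
  return {
    Version: "2012-10-17",
    Statement: [
      {
        Sid: "IotCertificateLifecycle",
        Effect: "Allow",
        Action: [
          "iot:CreateCertificateFromCsr",
          "iot:AttachThingPrincipal",
          "iot:DetachThingPrincipal",
        ],
        // Attach/DetachThingPrincipal only accept "*"; the conditions below
        // are what actually scope the grant.
        Resource: "*",
        Condition: {
          StringEquals: {
            "aws:RequestedRegion": regions,
            "aws:ResourceAccount": accountId,
          },
        },
      },
    ],
  };
}

// Hypothetical lint: returns a list of problems (empty when the policy is
// acceptable). Checks every Allow statement that grants either principal
// action: its Resource must be exactly "*", and every required condition key
// must appear somewhere in its Condition block.
function auditPolicy(policy) {
  const problems = [];
  const statements = [].concat(policy.Statement || []);
  for (const st of statements) {
    if (st.Effect !== "Allow") continue;
    const actions = [].concat(st.Action || []);
    if (!actions.some((a) => PRINCIPAL_ACTIONS.has(a))) continue;
    const sid = st.Sid || "(no Sid)";

    const resources = [].concat(st.Resource || []);
    if (!(resources.length === 1 && resources[0] === "*")) {
      problems.push(`${sid}: Attach/DetachThingPrincipal require Resource "*"`);
    }

    const presentKeys = new Set();
    for (const operatorBlock of Object.values(st.Condition || {})) {
      for (const key of Object.keys(operatorBlock)) presentKeys.add(key);
    }
    for (const key of REQUIRED_CONDITION_KEYS) {
      if (!presentKeys.has(key)) {
        problems.push(`${sid}: wildcard resource is not fenced by ${key}`);
      }
    }
  }
  return problems;
}

// Stand-alone demo with constructed values.
const demoPolicy = iotCertificatePolicy("123456789012", ["eu-west-1"]);
console.log(JSON.stringify(demoPolicy, null, 2));
console.log("audit:", auditPolicy(demoPolicy));
```

If a call is denied after adding the `aws:ResourceAccount` condition, check the IoT entry in the Service Authorization Reference for that action: `StringEquals` evaluates to false when the key is absent from the request context, so a key the action does not populate should not be put in a plain `StringEquals` block.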
