What are the required resource strings for iot:CreateCertificateFromCsr, iot:AttachThingPrincipal, and iot:DetachThingPrincipal


What are the required resource strings for iot:CreateCertificateFromCsr, iot:AttachThingPrincipal, and iot:DetachThingPrincipal when configuring permissions for a lambda? When I try to follow THIS DOCUMENT it tells me that there are none, but you have to specify something or it fails. I could just specify ["*"] and for creating the CSR that sort of makes sense but for attach and detach shouldn't I specify something like:

`arn:aws:iot:*:${props?.env?.account}:thing/*`;

Instead of resource: ["*"] can I at least specify arn:aws:iot:*:${props?.env?.account}:* (somehow)?

wz2b
asked 8 months ago, 207 views
1 Answer
Accepted Answer

As described in the documentation both AttachThingPrincipal and DetachThingPrincipal accept only the wildcard * as resource.

You can verify the same by creating a new policy in the IAM console including the above mentioned actions.

However, you can restrict the policy to a specific region using the aws:RequestedRegion condition key. This workshop explains how to use it in a policy: https://www.wellarchitectedlabs.com/cost/200_labs/200_2_cost_and_usage_governance/2_ec2_restrict_region/

Similarly, you can restrict access to only resources in an account by using the aws:ResourceAccount global condition key.

AWS
EXPERT
answered 8 months ago
verified 8 months ago by AWS EXPERT
verified 8 months ago by Greg_B, AWS EXPERT
  • Thank you, I didn't know about aws:ResourceAccount
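As an added example (not part of this thread or of any AWS tooling), a small policy check that encodes the accepted answer's point: since these three actions cannot be narrowed through Resource, any Allow statement granting them with "*" should carry an aws:RequestedRegion or aws:ResourceAccount condition, and the check flags statements that do not. The two embedded policies, the Sid values and the account id 111122223333 are constructed sample input; treating `iot:*` and `*` as matching actions is my assumption.

```python
"""Flag IAM statements that grant wildcard-only IoT actions without a compensating condition."""
import json

# Actions the thread identifies as accepting only Resource "*"; only condition keys can narrow them.
WILDCARD_ONLY_ACTIONS = {
    "iot:CreateCertificateFromCsr", "iot:AttachThingPrincipal", "iot:DetachThingPrincipal",
}
# Global condition keys the accepted answer suggests as compensating controls.
COMPENSATING_KEYS = ("aws:RequestedRegion", "aws:ResourceAccount")

def _as_list(value):
    # IAM allows a bare string or a list in Statement, Action and Resource.
    return value if isinstance(value, list) else [value]

def find_unscoped_statements(policy: dict) -> list:
    """Return one finding per Allow statement that grants a wildcard-only IoT action
    without an aws:RequestedRegion or aws:ResourceAccount condition (keys compared case-insensitively)."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a for a in _as_list(stmt.get("Action", []))
                   if a in WILDCARD_ONLY_ACTIONS or a in ("iot:*", "*")}  # assumption: wildcards count
        if not actions:
            continue
        present = {key.lower() for operator in stmt.get("Condition", {}).values() for key in operator}
        missing = [k for k in COMPENSATING_KEYS if k.lower() not in present]
        if missing:
            findings.append({"index": idx, "sid": stmt.get("Sid"),
                             "actions": sorted(actions), "missing": missing})
    return findings

# Constructed sample policies: the bare "*" grant beside the version scoped by condition keys.
WEAK_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Sid": "IotWildcardOnly", "Effect": "Allow",
  "Action": ["iot:CreateCertificateFromCsr", "iot:AttachThingPrincipal", "iot:DetachThingPrincipal"],
  "Resource": "*"}]}""")

HARDENED_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Sid": "IotWildcardScoped", "Effect": "Allow",
  "Action": ["iot:CreateCertificateFromCsr", "iot:AttachThingPrincipal", "iot:DetachThingPrincipal"],
  "Resource": "*",
  "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1",
                                 "aws:ResourceAccount": "111122223333"}}}]}""")

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, find_unscoped_statements(policy))
```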
