Assigning more than 10 IoT policies to an identity

0

We are using AWS IoT things to represent our IoT devices. Our users get temporary credentials through an AWS Cognito Identity Pool. We mapped the group ID claim from the ID token to the principal, and we need a way to connect this group ID to the things in that group in the IoT policy. In the current solution, one thing has one certificate, and the IoT policy is attached to the certificate and to the identity. With this, the thing and the identity are connected, but there is no way to check that in the IoT policy. This solution suggests a thing prefix with the group ID, or a custom policy manager that has permissions for multiple things. Is there any other way to do this?

1 answer
0

I recommend using AWS IoT custom authorizer to manage more complex and dynamic authorization schemas.

The authorizer Lambda function can receive the JWT, extract the necessary claims, and craft an on-demand policy whose resource names depend on those claims.

You can refer to this repo for an example on how to implement a custom authorizer to validate JWT tokens.

AWS
Expert
answered a year ago
  • Thank you, but with this solution the limits of 10 policies per identity and 2048 characters per policy still apply.

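The following is an added example of the custom authorizer the answer describes; it is not code from the thread or from the repository the answer refers to. It verifies the JWT, reads a group claim, and returns one IoT policy document per group whose ARNs embed the group ID, so the identity-to-thing link lives in the policy rather than in a prefix convention. Assumptions: the token is passed in the `token` field of the authorizer event, the group claim is named `cognito:groups`, and the signature is HS256 with a shared secret as a stand-in for Cognito's RS256 verification against the user pool's JWKS (a real deployment would use a JWT library for that). The region, account ID, group ID charset, and the limits of 10 policy documents of at most 2048 characters each are hypothetical values or caveats chosen for the example.

```python
import base64
import hashlib
import hmac
import json
import re
import time
from typing import Any, Dict, Optional

# Hypothetical settings for the example; replace them with your own.
HMAC_SECRET = b"example-shared-secret"   # stand-in for Cognito's RS256 public key
REGION = "us-east-1"
ACCOUNT_ID = "123456789012"
GROUP_CLAIM = "cognito:groups"           # assumed claim carrying the group ID(s)
MAX_POLICY_DOCS = 10                     # assumed authorizer response limits
MAX_POLICY_CHARS = 2048
GROUP_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")  # no '/', '*', '+' or '#' in ARNs


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def make_token(claims: Dict[str, Any], ttl: int = 600) -> str:
    """Constructs an HS256 test token (Cognito would issue RS256 tokens)."""
    body = dict(claims)
    body.setdefault("exp", int(time.time()) + ttl)
    head = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(body).encode())
    sig = hmac.new(HMAC_SECRET, f"{head}.{payload}".encode(), hashlib.sha256).digest()
    return f"{head}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str) -> Optional[Dict[str, Any]]:
    """Returns the claims if signature and expiry check out, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(head_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # covers bad base64, bad JSON and bad UTF-8
        return None
    # Pin the algorithm; never let the token choose it.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(HMAC_SECRET, f"{head_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= time.time():
        return None
    return claims


def build_policy(group: str) -> Dict[str, Any]:
    """One IoT policy document scoped to the things/topics of a single group."""
    arn = f"arn:aws:iot:{REGION}:{ACCOUNT_ID}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "iot:Connect",
             "Resource": f"{arn}:client/{group}-*"},
            {"Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"],
             "Resource": f"{arn}:topic/{group}/*"},
            {"Effect": "Allow", "Action": "iot:Subscribe",
             "Resource": f"{arn}:topicfilter/{group}/*"},
        ],
    }


def handler(event: Dict[str, Any], context: Any = None) -> Dict[str, Any]:
    """AWS IoT custom authorizer entry point; the JWT is assumed in event['token']."""
    claims = verify_token(event.get("token", ""))
    if claims is None:
        return {"isAuthenticated": False}
    groups = claims.get(GROUP_CLAIM, [])
    if isinstance(groups, str):
        groups = [groups]
    # A malformed group ID could inject wildcards or path segments into the ARNs.
    if (not groups or len(groups) > MAX_POLICY_DOCS
            or not all(isinstance(g, str) and GROUP_ID_RE.match(g) for g in groups)):
        return {"isAuthenticated": False}
    docs = [build_policy(g) for g in groups]
    # Enforce the per-document size limit before returning the policy.
    if any(len(json.dumps(d, separators=(",", ":"))) > MAX_POLICY_CHARS for d in docs):
        return {"isAuthenticated": False}
    return {
        "isAuthenticated": True,
        "principalId": claims.get("sub", "unknown"),
        "disconnectAfterInSeconds": 3600,
        "refreshAfterInSeconds": 300,
        "policyDocuments": docs,
    }
```

Because the authorizer builds the policy per connection, the 10-policy limit becomes a limit on the number of groups a single identity can belong to at once, and each group's document must stay under the character limit; both are checked explicitly here so an over-limit identity is denied rather than silently given a truncated policy.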