What are the required resource strings for iot:CreateCertificateFromCsr, iot:AttachThingPrincipal, and iot:DetachThingPrincipal

0

What are the required resource strings for iot:CreateCertificateFromCsr, iot:AttachThingPrincipal, and iot:DetachThingPrincipal when configuring permissions for a lambda? When I try to follow THIS DOCUMENT it tells me that there are none, but you have to specify something or it fails. I could just specify ["*"] and for creating the CSR that sort of makes sense but for attach and detach shouldn't I specify something like:

`arn:aws:iot:*:${props?.env?.account}:thing/*`;

Instead of resource: ["*"] can I at least specify arn:aws:iot:*:${props?.env?.account}:* (somehow)?

profile picture
wz2b
질문됨 8달 전208회 조회
1개 답변
1
수락된 답변

As described in the documentation both AttachThingPrincipal and DetachThingPricipal accept only the wildcard * as resource.

You can verify the same by creating an new Policy in the IAM console including the above mentioned actions.

However, you can restrict the policy to a specific region using the aws;RequestedRegion condition key. This workshop explains how to use it in a policy: https://www.wellarchitectedlabs.com/cost/200_labs/200_2_cost_and_usage_governance/2_ec2_restrict_region/

Similarly you can restrict access to only resources in an account by using aws:ResourceAccount global condition key

AWS
전문가
답변함 8달 전
profile pictureAWS
전문가
검토됨 8달 전
profile pictureAWS
전문가
Greg_B
검토됨 8달 전
  • Thank you, I didn't know about aws:ResourceAccount

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인

관련 콘텐츠