By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Including thing identity in messages published to message broker

0

So my understanding is that when an IoT device publishes and/or subscribes to the MQTT topics related to its shadow that AWS will ensure that the certificate on the device is allowed to access that particular shadow/topics. Furthermore, the shadow topics have the name of the device embedded in the topics ($aws/things/ <thingName> /shadow/delete).

With these two things, and assuming the device's private key hasn't been compromised, this ensures that the only device able to pub/sub on those topics is the one assigned the certificate and also proves the device's identity to the system.

My question is if there is any similar functionality available for non-shadow MQTT topics. For example, say I want to publish messages to /mySensor/ <thingName> /temperature, is there any way to 1) automatically include the thingName 2) enforce that the thingName is only accessible by the thing that possess the proper certificate?

An alternative would be to publish to a topic not specific to a device (ex: /sensors/temperature) but have the system inject the device identities in the message that ends up on the topic.

Topics
Security, Identity, & Compliance
Tags
AWS Certificate Manager
Language
English
nak
asked 6 years ago285 views
1 Answer
0

Of course 10 minutes after posting I find the answer on my own but figured I'd post it here for anyone else looking:

It turns out the IoT thing IAM policies can leverage variables to enforce the described functionality. See https://docs.aws.amazon.com/iot/latest/developerguide/thing-policy-variables.html

nak
answered 6 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content