What are the required resource strings for iot:CreateCertificateFromCsr, iot:AttachThingPrincipal, and iot:DetachThingPrincipal


What are the required resource strings for iot:CreateCertificateFromCsr, iot:AttachThingPrincipal, and iot:DetachThingPrincipal when configuring permissions for a lambda? When I try to follow THIS DOCUMENT it tells me that there are none, but you have to specify something or it fails. I could just specify ["*"] and for creating the CSR that sort of makes sense but for attach and detach shouldn't I specify something like:

`arn:aws:iot:*:${props?.env?.account}:thing/*`;

Instead of resource: ["*"] can I at least specify arn:aws:iot:*:${props?.env?.account}:* (somehow)?

wz2b
asked 6 months ago · 166 views
1 Answer
Accepted Answer

As described in the documentation, both AttachThingPrincipal and DetachThingPrincipal accept only the wildcard * as resource.

You can verify the same by creating a new Policy in the IAM console including the above mentioned actions.

However, you can restrict the policy to a specific region using the aws:RequestedRegion condition key. This workshop explains how to use it in a policy: https://www.wellarchitectedlabs.com/cost/200_labs/200_2_cost_and_usage_governance/2_ec2_restrict_region/

Similarly, you can restrict access to only resources in an account by using the aws:ResourceAccount global condition key.

AWS EXPERT
answered 6 months ago
reviewed 6 months ago
Greg_B (AWS EXPERT) reviewed 6 months ago
  • Thank you, I didn't know about aws:ResourceAccount
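The shape the accepted answer describes, as an added example that is not part of the original thread: a Lambda execution-role policy for the three IoT actions with `Resource` set to `*` (the only value those actions accept) and the region and account limits moved into a `Condition` block using `aws:RequestedRegion` and `aws:ResourceAccount`. The account ID and region are constructed sample values; `request_allowed` is a deliberately small evaluator for this one policy shape (Allow statements, `Resource` `*`, `StringEquals` conditions) written to show what the conditions do, and is not a substitute for the IAM policy simulator.

```python
import json

# Constructed sample values: the account the Lambda runs in and the
# region(s) the IoT calls are allowed to target.
ACCOUNT_ID = "111122223333"
ALLOWED_REGIONS = ["us-east-1"]

IOT_ACTIONS = [
    "iot:CreateCertificateFromCsr",
    "iot:AttachThingPrincipal",
    "iot:DetachThingPrincipal",
]


def build_policy(account_id: str, regions: list[str]) -> dict:
    """Return an IAM identity policy document for the three IoT actions.

    These actions only accept Resource "*", so instead of an ARN pattern the
    blast radius is limited with global condition keys: aws:RequestedRegion
    (the region the API call is sent to) and aws:ResourceAccount (the account
    that owns the thing/certificate being touched).
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "IotCertAndThingPrincipalScoped",
                "Effect": "Allow",
                "Action": IOT_ACTIONS,
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "aws:RequestedRegion": regions,
                        "aws:ResourceAccount": account_id,
                    }
                },
            }
        ],
    }


def policy_json(account_id: str = ACCOUNT_ID, regions: list[str] = ALLOWED_REGIONS) -> str:
    """Serialized form, e.g. for a PolicyDocument in CloudFormation or the CLI."""
    return json.dumps(build_policy(account_id, regions), indent=2)


def request_allowed(policy: dict, action: str, requested_region: str, resource_account: str) -> bool:
    """Toy evaluator for the policy shape produced by build_policy.

    Handles only Allow statements with Resource "*" and StringEquals
    conditions on the two global keys above; Deny statements, action
    wildcards and other operators are out of scope. It exists to make the
    effect of the conditions visible, not to emulate IAM.
    """
    context = {
        "aws:RequestedRegion": requested_region,
        "aws:ResourceAccount": resource_account,
    }
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Resource"] != "*":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions:
            continue
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        for key, expected in conditions.items():
            allowed = expected if isinstance(expected, list) else [expected]
            if context.get(key) not in allowed:
                break  # condition failed; try the next statement
        else:
            return True  # every condition on this statement matched
    return False


if __name__ == "__main__":
    print(policy_json())
```

The two conditions answer the question's two concerns separately: `aws:ResourceAccount` keeps the wildcard resource from reaching things or certificates owned by another account, and `aws:RequestedRegion` keeps it from being used against IoT endpoints in regions the Lambda should never talk to.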
