
IoT Thing Tag - use for access control

0

I'm stuck understanding how I can write an IAM policy that allows a cognito identity with assumed credentials to publish MQTT messages to IoT things. I would like to have an attribute companyId stored on my cognito identity (that works) but also tag the IoT thing with this company Id so that I can enforce access control. The IAM conditional would match the user's companyId to the IoT thing's resource tag: companyId.

My understanding is that currently I cannot tag IoT things. So, how are other people enforcing policies like this? It appears IoT policies do not have conditionals either.

Use case: User A of company 1 can MQTT publish from mobile app to all IoT Things associated with company 1. User A cannot MQTT publish to IoT things of other companies.

I can do this with an IAM policy but can't figure out how to do that for IoT Things, specifically MQTT publishing:

```json
{
    "Condition": {
        "StringLike": {
            "aws:PrincipalTag/companyRoles": [
                "*${aws:ResourceTag/companyId}:admin*",
                "*${aws:ResourceTag/companyId}:member*"
            ]
        }
    },
    "Action": [
        "kinesisvideo:GetMedia",
        "kinesisvideo:GetClip",
        "kinesisvideo:ListFragments",
        "kinesisvideo:GetDataEndpoint",
        "kinesisvideo:DescribeStream",
        "kinesisvideo:GetHLSStreamingSessionUrl",
        "kinesisvideo:GetImages"
    ],
    "Resource": "arn:aws:kinesisvideo:us-east-2:000011112222:stream/*",
    "Effect": "Allow"
}
```
2 Answers
4

AWS IoT does not support tagging IoT Things for access control yet, nor do IoT policies support conditionals. You may consider storing the metadata in Thing Attributes (say, companyId) that can be retrieved during MQTT message handling.

EXPERT
answered 9 months ago
AWS
EXPERT
reviewed 9 months ago
0

Hey,

Hope you're keeping well.

AWS IoT Core doesn’t currently support resource tagging for IoT Things in a way that can be used directly in IAM condition keys like aws:ResourceTag. IoT policies also don’t have conditional logic based on Thing attributes, so you can’t natively enforce this using tags in the same way you might with S3 or Kinesis. A common pattern is to use a naming convention for Thing names or MQTT topics that embeds the companyId, and then scope the IoT policy’s iot:Publish, iot:Subscribe, etc. actions to arn:aws:iot:region:account:topic/companyId/* using ${cognito-identity.amazonaws.com:sub} or custom claims from Cognito in policy variables.

Thanks and regards,
Taz

answered 2 months ago
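The topic-prefix pattern described in the answer above, written out as an added example (not code from the original post): an AWS IoT policy for one company, using the region and account from the question's IAM snippet and an assumed companyId of `acme`. Because IoT policy variables expose the Cognito identity ID (`${cognito-identity.amazonaws.com:sub}`) but not custom claims, the company prefix is fixed in the document and one such policy per company is attached to that company's Cognito identities.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:us-east-2:000011112222:client/${cognito-identity.amazonaws.com:sub}"
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Publish", "iot:Receive"],
      "Resource": "arn:aws:iot:us-east-2:000011112222:topic/acme/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:us-east-2:000011112222:topicfilter/acme/*"
    }
  ]
}
```

Scoping `iot:Connect` to the identity's own client ID stops one user from taking over another's session, and the `topicfilter/acme/*` resource keeps subscriptions inside the same company prefix; the identity's IAM role must also grant the matching `iot:` actions, since both policies are evaluated.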
