Clarification on Resource-Level Permissions and Tag-Based Access Control for ListWirelessDevices in AWS IoT Wireless

0

Hello AWS Community,

I am currently working with AWS IoT Wireless and I am looking to implement fine-grained access control for the ListWirelessDevices action using IAM policies. My goal is to allow users to list only those wireless devices that have a specific tag (GroupName = test_user_group).

I have attempted to use the aws:ResourceTag condition in my IAM policy, but I am facing challenges in getting it to work as expected. When I include the aws:ResourceTag condition, users are unable to list any devices, leading me to suspect that the ListWirelessDevices action might not support resource-level permissions or tag-based filtering.

I would like to seek clarification on the following points:

1. Does the ListWirelessDevices action in AWS IoT Wireless support resource-level permissions?
2. Can I use the aws:ResourceTag condition in IAM policies to filter ListWirelessDevices based on the tags of the wireless devices?
3. If tag-based access control is not supported for ListWirelessDevices, what are the recommended best practices for implementing access control based on device tags?

Any insights, documentation references, or examples of policy configurations that align with this use case would be greatly appreciated.

2 Answers
1

Hello,

As indicated in the Actions defined for IoT Wireless documentation [1], the action "ListWirelessDevices" does not have a value specified for the Resource element or a condition key. As such, the Resource element for the above-mentioned action would need to be set to "*", and it does not support any condition key, meaning that it is only possible for a user to see either all of the devices or none of the devices via the AWS Management Console.

[1] https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotwireless.html#awsiotwireless-actions-as-permissions

[2] https://docs.aws.amazon.com/iot-wireless/latest/developerguide/security_iam_id-based-policy-examples.html#security_iam_id-based-policy-examples-iot-wireless-resources

You cannot limit the "ListWirelessDevices" action on the basis of tags as it does not support any condition key. However, you can limit other actions listed in documentation [1] according to the supported condition keys and resources for each action.

AWS
answered 3 months ago
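As an added illustration of the answer above (not part of the original post or of AWS documentation), the policy below shows the shape that follows from reference [1]: the list call is granted on `"*"` with no Condition (a tag condition there denies everything, which is the symptom described in the question), and the `aws:ResourceTag/GroupName` check is moved to `iotwireless:GetWirelessDevice`, which does take a WirelessDevice resource ARN. The region `us-east-1` and account `111122223333` are placeholders; confirm in reference [1] which further actions support the tag condition before adding them to the second statement.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListIsAllOrNothingNoConditionPossible",
      "Effect": "Allow",
      "Action": "iotwireless:ListWirelessDevices",
      "Resource": "*"
    },
    {
      "Sid": "ReadOnlyDevicesTaggedForTestUserGroup",
      "Effect": "Allow",
      "Action": "iotwireless:GetWirelessDevice",
      "Resource": "arn:aws:iotwireless:us-east-1:111122223333:WirelessDevice/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/GroupName": "test_user_group"
        }
      }
    }
  ]
}
```

With this policy a console user still sees every device in the list view, but opening a device that lacks the `GroupName = test_user_group` tag is denied; the tag only restricts the per-device actions, never the listing itself.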
0

Hello, and thank you for your response.

I came across an alternative solution in another forum post with a similar question: How to list only the specified GW and Device. The suggestion there involves implementing a multi-account strategy within an AWS Organization. This approach would entail creating member AWS Accounts under the AWS Organization, allowing isolation of AWS resource visibility at the account level. This seems particularly useful for scenarios where users access AWS resources via the AWS Management Console, and where restrictive IAM policies might not provide the desired level of granularity.

Based on this, I have a follow-up question regarding the integration of AWS IoT Core for LoRaWAN gateways and devices across multiple accounts within the same AWS Organization:

If the gateways associated with AWS IoT Core for LoRaWAN are created and managed in one AWS account, and the devices are created and managed in another member account within the same AWS Organization, how is the device data handled? Specifically, is the device data received by the gateways routed to the member account that manages these devices, does it remain within the account that manages the gateways, or do the devices not connect at all?

Any insights or clarifications on this architecture and data flow would be greatly appreciated.

Thank you!

Netbits
answered 3 months ago
