IAM policy with Kinesis Partition Key Conditions Based on IoT Thing Name

0

I am working on an IoT solution in which IoT devices send data to AWS Kinesis streams. Each device is identified by an IoT Thing Name, and we use this name (or its hashed value) as the Kinesis partition key.

To enhance security, I want to enforce a policy restricting each device from writing only to its partition using its specific Thing Name as the partition key. However, I’ve realized that AWS IAM does not support conditions based on the Kinesis partition key (e.g., no condition key like kinesis:PartitionKey). This limitation poses challenges in ensuring that each IoT device cannot write data to another device’s partition.

Given this scenario, could you provide some insight into:

1. Why does AWS not support IAM conditions based on the Kinesis partition key?
2. Are there any plans to introduce such a condition key to better manage access control for IoT solutions?
3. What are the best practices for enforcing security and partition key isolation in a multi-device IoT environment, mainly when using AWS services like IoT Core and Kinesis?

I'm considering creating a Lambda service to protect the source device from partition by updating all devices using its URL, which is a lot cheaper than with/without an API gateway. However, I'm exploring more straightforward options that involve no cost and are easy to update for existing devices in the field. Any guidance or recommendations on alternative approaches to securely enforce partition key usage would be greatly appreciated.

Thank you for your time and assistance.

Best regards, Balu

1 Answer
0

Hi Balu,

For questions 1 and 2 I would recommend contacting your account team and providing feedback. They can ensure that it is passed on to the service team.

As for enforcing partition key isolation, if your devices (things) can support publishing to specific topics, you can derive the thingName (clientId) and use that as the partition key. Assuming you have thing1 and thing2, create an IoT Policy that allows them to publish to unique topics using an Arn such as arn:aws:iot:us-east-1:123456789012:topic/foo/${iot:Connection.Thing.ThingName}. That will allow thing1 to publish only on foo/thing1, and similarly for thing2, etc.

Then create a rule action that triggers on foo/+, and derive the partition key by using the topic function. Something like this:

{
    "topicRulePayload": {
        "sql": "SELECT * FROM 'foo/+'", 
        "ruleDisabled": false, 
        "awsIotSqlVersion": "2016-03-23",
        "actions": [
            {
                "kinesis": {
                    "streamName": "my_kinesis_stream", 
                    "partitionKey": "${topic(2)}",
                    "roleArn": "arn:aws:iam::123456789012:role/aws_iot_kinesis"
                }
            }
        ] 
    }
}

The rule will enforce the second-level namespace as the partition key, and the IoT policy will only allow a thing to publish on the specific topic aligned with its ThingName.

Hope this helps!

AWS
Gavin_A (EXPERT)
answered 3 days ago
reviewed 2 days ago
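The enforcement chain described in the answer, as an added example that is not part of the original post and is not AWS code: a small Python model of the IoT policy (with the ${iot:Connection.Thing.ThingName} variable substituted at evaluation time, the way AWS IoT does), of the rule's FROM 'foo/+' topic filter, and of the topic(2) partition key derivation. The policy document and rule payload are constructed here from the answer's values (thing1, thing2, us-east-1, account 123456789012, stream my_kinesis_stream); the policy evaluation is a simplified model (explicit Deny wins, otherwise any matching Allow), and it assumes, as AWS IoT requires for that variable to resolve, that the MQTT client ID equals the thing name and the device certificate is attached to the thing.

```python
import re

# Constructed IoT policy document, as the answer describes: each thing may
# publish only under foo/<its own thing name>. Region/account from the answer.
ARN_PREFIX = "arn:aws:iot:us-east-1:123456789012:topic/"
IOT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["iot:Publish"],
            "Resource": [ARN_PREFIX + "foo/${iot:Connection.Thing.ThingName}"],
        }
    ],
}

# Constructed topic rule, mirroring the answer's rule payload.
TOPIC_RULE = {
    "sql": "SELECT * FROM 'foo/+'",
    "kinesis": {"streamName": "my_kinesis_stream", "partitionKey": "${topic(2)}"},
}


def resolve_policy_variables(resource: str, thing_name: str) -> str:
    """Substitute the policy variable the way AWS IoT does at evaluation time.
    Assumption: client ID == thing name and the certificate is attached to the thing."""
    return resource.replace("${iot:Connection.Thing.ThingName}", thing_name)


def arn_matches(pattern: str, arn: str) -> bool:
    """IoT policy resource matching: '*' is the only wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, arn) is not None


def thing_may_publish(policy: dict, thing_name: str, topic: str) -> bool:
    """Simplified policy evaluation: an explicit Deny wins, else any matching Allow."""
    target = ARN_PREFIX + topic
    allowed = False
    for stmt in policy["Statement"]:
        if "iot:Publish" not in stmt["Action"]:
            continue
        for resource in stmt["Resource"]:
            if arn_matches(resolve_policy_variables(resource, thing_name), target):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


def topic_filter_matches(topic_filter: str, topic: str) -> bool:
    """MQTT topic filter matching as used by the rule's FROM clause:
    '+' matches exactly one level, '#' matches the rest (and must be last)."""
    f_parts = topic_filter.split("/")
    t_parts = topic.split("/")
    for i, fp in enumerate(f_parts):
        if fp == "#":
            return True
        if i >= len(t_parts) or (fp != "+" and fp != t_parts[i]):
            return False
    return len(f_parts) == len(t_parts)


def topic_function(topic: str, n: int) -> str:
    """AWS IoT SQL topic(n): the n-th topic level, counted from 1."""
    parts = topic.split("/")
    if n < 1 or n > len(parts):
        raise ValueError(f"topic level {n} out of range for '{topic}'")
    return parts[n - 1]


def rule_filter(sql: str) -> str:
    """Pull the topic filter out of the rule's SELECT ... FROM '<filter>' clause."""
    return re.search(r"FROM\s+'([^']+)'", sql).group(1)


def derive_partition_key(rule: dict, topic: str) -> str:
    """Evaluate a partitionKey template of the form ${topic(n)} against the topic."""
    template = rule["kinesis"]["partitionKey"]
    level = int(re.fullmatch(r"\$\{topic\((\d+)\)\}", template).group(1))
    return topic_function(topic, level)


def route_publish(thing_name: str, topic: str) -> tuple:
    """End to end: policy check, rule match, then partition key derivation.
    Returns ("published", key), ("denied", None) or ("unrouted", None)."""
    if not thing_may_publish(IOT_POLICY, thing_name, topic):
        return ("denied", None)
    if not topic_filter_matches(rule_filter(TOPIC_RULE["sql"]), topic):
        return ("unrouted", None)
    return ("published", derive_partition_key(TOPIC_RULE, topic))


if __name__ == "__main__":
    for thing, topic in [("thing1", "foo/thing1"), ("thing1", "foo/thing2"),
                         ("thing2", "foo/thing2"), ("thing1", "bar/thing1")]:
        print(thing, topic, route_publish(thing, topic))
```

The point the model makes visible is that the partition key never comes from the device: the IoT policy pins the topic to the thing name, and the rule copies the topic level into the key, so a device cannot name another device's partition without first publishing on a topic its policy rejects.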
