Device Defender says "Policy allows broad access to IoT data plane actions"


I turned on Device Defender in IoT services. I chose the standard/default configuration.

The report says I passed all the tests except "IoT policy overly permissive". The detail says "Policy allows broad access to IoT data plane actions".

I don't understand the issue. The policy I created allows iot:Connect, iot:Publish, iot:Subscribe and iot:Receive, and nothing else. I need all of these functions. Why does it think I'm being overly permissive?

1 Answer

Hi Frank. I would guess the Resource fields are wildcards. In general, you should try to use policy variables to make least privilege Resource definitions. Some guidance here: https://docs.aws.amazon.com/iot/latest/developerguide/audit-chk-iot-policy-permissive.html#audit-chk-iot-policy-permissive-how-to-fix

Greg_B (AWS, EXPERT), answered 8 months ago
  • Yes, the resource ends in a wildcard but I don't know why it would not. Perhaps I am not understanding what 'resources' the wildcard is selecting in this context. I can't think of any resource related to IoT that my devices should not be able to access.

  • The policy resource for each item says arn:aws:iot:us-east-1:[number]:*

  • Please check the examples in the link. You need to make resource specifiers that are more specific than what you currently have.
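As an added example (not from the post or from AWS), the broad policy shape the thread describes beside a least-privilege rewrite that uses the thing-name policy variable, plus a small check that flags the bare-wildcard statements the audit complains about; the account id and the `devices/<thing>/...` topic layout are constructed assumptions.

```python
import fnmatch

ACCOUNT = "arn:aws:iot:us-east-1:123456789012"  # constructed placeholder account id

# The shape the question describes: every Resource is the bare account prefix
# plus ":*", so any client id, topic or topic filter in the account is allowed.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["iot:Connect", "iot:Publish", "iot:Subscribe", "iot:Receive"],
        "Resource": f"{ACCOUNT}:*",
    }],
}

# Least-privilege rewrite: the thing-name policy variable ties a connection
# to its own client id and to topics under a per-device prefix (the
# "devices/<thing>/..." layout is a constructed assumption).
THING = "${iot:Connection.Thing.ThingName}"
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect",
         "Resource": f"{ACCOUNT}:client/{THING}"},
        {"Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"],
         "Resource": f"{ACCOUNT}:topic/devices/{THING}/*"},
        {"Effect": "Allow", "Action": "iot:Subscribe",
         "Resource": f"{ACCOUNT}:topicfilter/devices/{THING}/*"},
    ],
}

DATA_PLANE = ("iot:Connect", "iot:Publish", "iot:Subscribe", "iot:Receive")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def broad_statements(policy):
    """Indexes of Allow statements granting a data plane action on a Resource
    that is '*' or ends in ':*' (a simplified version of the audit check)."""
    hits = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if not any(fnmatch.fnmatchcase(d, a) for a in actions for d in DATA_PLANE):
            continue
        if any(r == "*" or r.endswith(":*") for r in resources):
            hits.append(i)
    return hits
```

Running the check over the two documents flags statement 0 of the broad policy and nothing in the scoped one, which is the difference the audit report is pointing at.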
