How to list only the specified GW and Device


Hi.

I am using IoT Core's LoRaWAN.

I want to limit the gateways and devices available to each user. When logging into the console with that user, I want the management list view to show only the gateways and devices available to each user.

I have tried in the policy settings, but I can only set whether all gateways or devices are displayed or not.

When I ask ChatGPT, they say it is possible, but the example provided does not work correctly. :-)

How can I make sure that only the gateways and devices that are visible for each user are listed?

thank you.

1 Answer

Hello,

When using the AWS Management Console to view devices and gateways in IoT Core for LoRaWAN, the Management Console makes the following API calls to retrieve the information:

  • ListWirelessGateways[1] - to list all wireless gateways via the Management Console
  • ListWirelessDevices[2] - to list all wireless devices via the Management Console

As such, the IAM user/role viewing the devices and gateways would require the following permissions to be allowed within the attached IAM policy:

  • iotwireless:ListWirelessGateways
  • iotwireless:ListWirelessDevices

As indicated in the Actions defined for IoT Core for LoRaWAN[3], the actions "ListWirelessGateways" and "ListWirelessDevices" do not have a value specified for the Resource element. As such, the Resource element for the above-mentioned actions would need to be set to "*", meaning that a user can only see either all of the devices and gateways, or none of them, via the AWS Management Console.

Having noted the above, the following 2 approaches can be considered:

  1. You can restrict specific actions that are defined here[3], to be allowed on a specific AWS resource, either by specifying the ARN of the AWS resource as the "Resource" element of the policy, or by using policy condition keys, such as the Global Condition key "aws:ResourceTag"[4], as seen in the example policy here[5]. You would essentially still need to specify "*" as the resource element, for both the "iotwireless:ListWirelessGateways" and "iotwireless:ListWirelessDevices" action.

Although this approach will allow the user to still see all devices/gateways via the Management Console, the user would be able to only obtain specific information regarding their own devices/gateways, as well as being able to manage only their own resources.

  2. You may also consider implementing a multi-account strategy for your environment[6]. Essentially, you would create an AWS Organization, where you would then create member AWS Accounts within the AWS Organization. Doing so will allow you to achieve the following, specifically for the use-case provided:

a. Allows you to isolate visibility of AWS resources to specific users/teams at the account level, especially if users are viewing AWS resources via the AWS Management Console, without the need to use restrictive IAM policies for the IAM users/roles.

References:

[1] ListWirelessGateways - https://docs.aws.amazon.com/iot-wireless/2020-11-22/apireference/API_ListWirelessGateways.html

[2] ListWirelessDevices - https://docs.aws.amazon.com/iot-wireless/2020-11-22/apireference/API_ListWirelessDevices.html

[3] Actions, resources, and condition keys for AWS IoT Core for LoRaWAN - Actions defined by AWS IoT Core for LoRaWAN - https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotcoreforlorawan.html#awsiotcoreforlorawan-actions-as-permissions

[4] AWS global condition context keys - aws:ResourceTag/tag-key - https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag

[5] AWS IoT identity-based policy examples - Viewing AWS IoT resources based on tags - https://docs.aws.amazon.com/iot/latest/developerguide/security_iam_id-based-policy-examples.html#security_iam_id-based-policy-examples-view-thing-tags

[6] https://aws.amazon.com/organizations/getting-started/best-practices/

I sincerely hope the above helps address the query of concern.

AWS
SUPPORT ENGINEER
answered a year ago
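The first approach in the answer above, as an added worked example (not part of the original answer or any AWS code): a single identity-based policy that grants the List* actions on "*" and scopes the per-resource Get/Update actions with aws:ResourceTag, together with a small, simplified simulation of how such a policy evaluates. The simulation is constructed for illustration and is not AWS's authorization engine (it models Allow statements, resource ARN globbing, the StringEquals operator and the ${aws:username} policy variable only, with no Deny). The account ID, region, resource IDs, the tag key "Owner" and the inventory are hypothetical; the ARN formats follow the WirelessDevice/WirelessGateway resource types in reference [3], and the example assumes the Get/Update actions used accept the aws:ResourceTag condition key, which should be confirmed against [3] before deployment.

```python
"""Simplified simulation of the tag-scoped IoT Core for LoRaWAN policy.

Constructed example: a toy evaluator, not the IAM engine. It shows why the
List* calls are all-or-nothing (Resource must be "*") while per-resource
calls can be limited to resources tagged with the caller's own user name.
"""
import fnmatch
import json

# Hypothetical values used throughout the example.
OWNER_TAG = "Owner"
ACCOUNT = "123456789012"
REGION = "eu-west-1"


def device_arn(device_id: str) -> str:
    # ARN format of the WirelessDevice resource type (see reference [3]).
    return f"arn:aws:iotwireless:{REGION}:{ACCOUNT}:WirelessDevice/{device_id}"


def gateway_arn(gateway_id: str) -> str:
    # ARN format of the WirelessGateway resource type (see reference [3]).
    return f"arn:aws:iotwireless:{REGION}:{ACCOUNT}:WirelessGateway/{gateway_id}"


# One policy serves every user: ${aws:username} is substituted at evaluation
# time, so each user may only Get/Update resources tagged Owner=<their name>.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListIsAllOrNothing",
            "Effect": "Allow",
            "Action": ["iotwireless:ListWirelessDevices",
                       "iotwireless:ListWirelessGateways"],
            "Resource": "*",
        },
        {
            "Sid": "OwnResourcesOnly",
            "Effect": "Allow",
            "Action": ["iotwireless:GetWirelessDevice",
                       "iotwireless:UpdateWirelessDevice",
                       "iotwireless:GetWirelessGateway",
                       "iotwireless:UpdateWirelessGateway"],
            "Resource": [f"arn:aws:iotwireless:{REGION}:{ACCOUNT}:WirelessDevice/*",
                         f"arn:aws:iotwireless:{REGION}:{ACCOUNT}:WirelessGateway/*"],
            "Condition": {"StringEquals": {f"aws:ResourceTag/{OWNER_TAG}": "${aws:username}"}},
        },
    ],
}

# Constructed inventory: resource ARN -> tags on that resource.
INVENTORY = {
    device_arn("dev-alice-1"): {OWNER_TAG: "alice"},
    device_arn("dev-bob-1"): {OWNER_TAG: "bob"},
    gateway_arn("gw-alice-1"): {OWNER_TAG: "alice"},
    gateway_arn("gw-untagged"): {},
}


def _matches(pattern_or_list, value: str) -> bool:
    # IAM-style wildcard matching of an Action or Resource element.
    patterns = pattern_or_list if isinstance(pattern_or_list, list) else [pattern_or_list]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policy: dict, username: str, action: str, resource_arn: str) -> bool:
    """Return True if any Allow statement matches action, resource and condition."""
    tags = INVENTORY.get(resource_arn, {})
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not _matches(stmt["Action"], action) or not _matches(stmt["Resource"], resource_arn):
            continue
        condition_ok = True
        for key, expected in stmt.get("Condition", {}).get("StringEquals", {}).items():
            expected = expected.replace("${aws:username}", username)
            if key.startswith("aws:ResourceTag/"):
                tag_key = key[len("aws:ResourceTag/"):]
                # An untagged resource has no value for the key, so StringEquals fails.
                if tags.get(tag_key) != expected:
                    condition_ok = False
        if condition_ok:
            return True
    return False


def can_list_in_console(policy: dict, username: str) -> bool:
    """The console's List call is evaluated against "*": every user sees all or nothing."""
    return is_allowed(policy, username, "iotwireless:ListWirelessDevices", "*")


def manageable_resources(policy: dict, username: str) -> list:
    """ARNs the user may Get individually, i.e. the resources tagged as theirs."""
    result = []
    for arn in INVENTORY:
        action = ("iotwireless:GetWirelessDevice" if "WirelessDevice/" in arn
                  else "iotwireless:GetWirelessGateway")
        if is_allowed(policy, username, action, arn):
            result.append(arn)
    return sorted(result)


if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    for user in ("alice", "bob"):
        print(user, "sees full list:", can_list_in_console(POLICY, user))
        print(user, "can manage:", manageable_resources(POLICY, user))
```

Running the script prints the policy document and then shows that both users pass the List check (the console list remains unfiltered) while each user can only Get the devices and gateways tagged with their own name; the untagged gateway is manageable by nobody, which is the safe default for resources created without the tag.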
