How to deal with IoT policy documents being limited to 2048 bytes


The size limitation on IoT policy documents seems quite small. If we have reasonably fine-grained policy requirements, it blows out easily.

Is there any best practice to deal with this?

Does this basically mean it's necessary to have multiple small policy documents?

Or do we just need to be frugal with our policy rules?

  • Hi, could you please share a sample of the policies you are implementing? Please replace any sensitive information with anonymized data.

majh
asked 2 years ago, 782 views
3 Answers

Hello

If you are not already using policy variables, consider using them, as they will allow you to still have fine-grained access control and to potentially keep the policy within the size limit. This depends on how many policy statements and conditions you have in your policy and how many different topics you want to give the devices access to.

Policy variables: https://docs.aws.amazon.com/iot/latest/developerguide/iot-policy-variables.html

You will need to ensure that your IoT devices connect with a clientId that matches the thing name registered in AWS IoT and that your topic structure allows for it. Using policy variables for connect/publish/subscribe/receive operations should keep the size limit down.

You can also use the thingname policy variable to give access to device shadow topics. Classic shadow access is straightforward, but named shadows might be a bit more complicated if you have multiple named shadows. For multiple named shadows you could just use a wildcard for the named shadow section of the topic.

Policy examples: https://docs.aws.amazon.com/iot/latest/developerguide/pub-sub-policy.html

AWS
SUPPORT ENGINEER
answered 2 years ago
  • Yes, I am using those policy variables, but even on that policy variable page, the first example is already 542 bytes, and this is just a simple example. Obviously the size of production policies will be far bigger; 2048 bytes is only 4 times the size of this simple example policy. Are there any suggestions on how to deal with this size issue?


Hi Massimiliano,

I am running into the same issue. I have devices that require fine-grained policy docs. In my case, I am setting up 7 named device shadow policies for one type of device. The device also needs telemetry, cert rotation, jobs and other policies. Here's a CDK policy for one named device shadow; it already exceeds the 2048 char limit. Note that certificateCondition is 261 chars long. The total size of the policy is 1,693. I "might" be able to squeeze it all within the 10 policies per certificate limit, but I suspect I'm going to need to be a bit creative, which may make the code less clear. Any further thoughts (or increasing of limits ;-)) would be welcome.

Kind regards, Gary

// certificateCondition is defined elsewhere in the poster's CDK code (261 chars, not shown).
const deviceShadowPolicyDocument = {
    Version: '2012-10-17',
    Statement: [
        {
            Effect: 'Allow',
            Action: 'iot:Publish',
            Resource: [
                `arn:aws:iot:${process.env.CDK_DEFAULT_REGION}:${process.env.CDK_DEFAULT_ACCOUNT}:topic/\$aws/things/\${iot:Connection.Thing.ThingName}/shadow/name/deviceInformation/update`,
            ],
            Condition: certificateCondition
        },
        {
            Effect: 'Allow',
            Action: 'iot:Subscribe',
            Resource: [
                `arn:aws:iot:${process.env.CDK_DEFAULT_REGION}:${process.env.CDK_DEFAULT_ACCOUNT}:topicfilter/\$aws/things/\${iot:Connection.Thing.ThingName}/shadow/name/deviceInformation/update/*`,
            ],
            Condition: certificateCondition
        },
        {
            Effect: 'Allow',
            Action: 'iot:Receive',
            Resource: [
                `arn:aws:iot:${process.env.CDK_DEFAULT_REGION}:${process.env.CDK_DEFAULT_ACCOUNT}:topic/\$aws/things/\${iot:Connection.Thing.ThingName}/shadow/name/deviceInformation/update/*`,
            ],
            Condition: certificateCondition
        },
    ],
};
gary
answered 2 years ago
  • I think I'm OK now :-). For device shadows with shared policy statements, I used a naming convention to group them, e.g.

            {
                Effect: 'Allow',
                Action: 'iot:Publish',
                Resource: `arn:aws:iot:${process.env.CDK_DEFAULT_REGION}:${process.env.CDK_DEFAULT_ACCOUNT}:topic/\$aws/things/\${iot:Connection.Thing.ThingName}/shadow/name/group1*/update`,
                Condition: certificateCondition
            },

    Many thanks for airing this subject and giving me ideas to progress.

    Kind regards. Gary


Hi,

One way to address the policy size limitation is to use multiple policies: for example you can use different policies for different actions.

If you have multiple subscription topics, consider that AWS IoT has two actions that control which messages the device receives: iot:Subscribe and iot:Receive. You can keep the resources for one of them specific and the other more generic. Keep in mind that subscribe controls the topics to which the device can subscribe, while receive controls the actual topics that will be sent to the subscriber (see the docs).

To have more manageable control of which policies are attached to which things, consider attaching policies to Thing Groups instead of Certificates. In this way, associating the Thing with one or more thing groups automatically merges all the policies attached to the different groups (you can associate a thing with up to 10 thing groups). Disassociating the thing from the thing groups removes the corresponding thing group policies. There is a limit of 2 policies per Thing Group, but thing groups can be a child of another thing group up to 7 levels deep.

Finally, using shorter topics also reduces the size of the policy, but this can only be applied to your custom topics and not AWS reserved ones ($aws/...).

Regards,

Massimiliano

AWS
EXPERT
answered 2 years ago
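The two techniques from this thread, grouping named shadows under one wildcard pattern (Gary's follow-up) and splitting statements across several policy documents (Massimiliano's answer), as an added example that is not from the thread or from AWS. The region, account id, shadow names and the stand-in for Gary's certificateCondition are constructed placeholders; sizes are measured on the compact JSON serialization, so a document that exceeds 2048 bytes here is certainly over the limit.

```python
import json

# Constructed placeholders, not values from the thread.
REGION, ACCOUNT = "us-east-1", "123456789012"
THING = "${iot:Connection.Thing.ThingName}"  # resolved by AWS IoT at connect time
CERT_COND = {"Bool": {"iot:Connection.Thing.IsAttached": ["true"]}}  # stand-in for certificateCondition
SHADOWS = ["deviceInformation", "network", "firmware", "power", "sensors", "schedule", "diagnostics"]
LIMIT = 2048


def arn(kind, path):
    return f"arn:aws:iot:{REGION}:{ACCOUNT}:{kind}/{path}"


def shadow_statements(name_pattern):
    """Publish/Subscribe/Receive statements for one named-shadow topic pattern (may contain '*')."""
    base = f"$aws/things/{THING}/shadow/name/{name_pattern}/update"
    return [
        {"Effect": "Allow", "Action": "iot:Publish", "Resource": arn("topic", base), "Condition": CERT_COND},
        {"Effect": "Allow", "Action": "iot:Subscribe", "Resource": arn("topicfilter", base + "/*"), "Condition": CERT_COND},
        {"Effect": "Allow", "Action": "iot:Receive", "Resource": arn("topic", base + "/*"), "Condition": CERT_COND},
    ]


def policy_size(statements):
    """Byte length of the compact JSON policy document holding these statements."""
    doc = {"Version": "2012-10-17", "Statement": statements}
    return len(json.dumps(doc, separators=(",", ":")).encode())


def split_policies(statements, limit=LIMIT):
    """Greedily pack statements into consecutive policy documents that each fit under the limit."""
    docs, current = [], []
    for st in statements:
        if policy_size(current + [st]) > limit:
            if not current:
                raise ValueError("a single statement exceeds the policy size limit")
            docs.append(current)
            current = [st]
        else:
            current.append(st)
    if current:
        docs.append(current)
    return [{"Version": "2012-10-17", "Statement": d} for d in docs]


if __name__ == "__main__":
    per_shadow = [st for name in SHADOWS for st in shadow_statements(name)]
    print("one policy, 7 explicit shadows:", policy_size(per_shadow), "bytes")
    print("split across documents:", [policy_size(d["Statement"]) for d in split_policies(per_shadow)])
    print("one wildcard group (group1*):", policy_size(shadow_statements("group1*")), "bytes")
```

The wildcard grouping is the cheaper option but is also coarser: every shadow whose name matches the pattern is granted to the device, so choose the naming convention so that the pattern cannot match a shadow the device should not touch.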
