So my understanding is that when an IoT device publishes and/or subscribes to the MQTT topics related to its shadow that AWS will ensure that the certificate on the device is allowed to access that particular shadow/topics. Furthermore, the shadow topics have the name of the device embedded in the topics ($aws/things/ <thingName> /shadow/delete).
With these two things, and assuming the device's private key hasn't been compromised, this ensures that the only device able to pub/sub on those topics is the one assigned the certificate and also proves the device's identity to the system.
My question is if there is any similar functionality available for non-shadow MQTT topics. For example, say I want to publish messages to /mySensor/ <thingName> /temperature, is there any way to 1) automatically include the thingName 2) enforce that the thingName is only accessible by the thing that possess the proper certificate?
An alternative would be to publish to a topic not specific to a device (ex: /sensors/temperature) but have the system inject the device identities in the message that ends up on the topic.