What are the required resource strings for iot:CreateCertificateFromCsr, iot:AttachThingPrincipal, and iot:DetachThingPrincipal

0

What are the required resource strings for iot:CreateCertificateFromCsr, iot:AttachThingPrincipal, and iot:DetachThingPrincipal when configuring permissions for a lambda? When I try to follow THIS DOCUMENT it tells me that there are none, but you have to specify something or it fails. I could just specify ["*"] and for creating the CSR that sort of makes sense but for attach and detach shouldn't I specify something like:

`arn:aws:iot:*:${props?.env?.account}:thing/*`;

Instead of resource: ["*"] can I at least specify arn:aws:iot:*:${props?.env?.account}:* (somehow)?

wz2b
Asked 8 months ago, 206 views
1 Answer
1
Accepted Answer

As described in the documentation, both AttachThingPrincipal and DetachThingPrincipal accept only the wildcard * as resource.

You can verify the same by creating a new Policy in the IAM console including the above mentioned actions.

However, you can restrict the policy to a specific region using the aws:RequestedRegion condition key. This workshop explains how to use it in a policy: https://www.wellarchitectedlabs.com/cost/200_labs/200_2_cost_and_usage_governance/2_ec2_restrict_region/

Similarly, you can restrict access to only resources in an account by using the aws:ResourceAccount global condition key.

AWS EXPERT
Answered 8 months ago
AWS EXPERT
Reviewed 8 months ago
Greg_B, AWS EXPERT
Reviewed 8 months ago
  • Thank you, I didn't know about aws:ResourceAccount
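The policy shape the accepted answer describes, as an added example that is not part of the question, the answer, or any AWS sample: the three IoT actions are granted on Resource "*" and scoped instead with the aws:RequestedRegion and aws:ResourceAccount condition keys. The account id and region values are constructed placeholders, and the `unscopedWildcardStatements` helper is a hypothetical review check, not an AWS API.

```typescript
// Added example: IAM policy document for actions that do not support
// resource-level permissions, scoped by condition keys instead of ARNs.

type Statement = {
  Effect: "Allow" | "Deny";
  Action: string[];
  Resource: string[];
  Condition?: Record<string, Record<string, string | string[]>>;
};
type PolicyDocument = { Version: "2012-10-17"; Statement: Statement[] };

// Build the statement for the Lambda's execution role. Callers pass the
// account id and allowed regions; the sample values below are placeholders.
function buildIotPolicy(accountId: string, regions: string[]): PolicyDocument {
  return {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Action: [
          "iot:CreateCertificateFromCsr",
          "iot:AttachThingPrincipal",
          "iot:DetachThingPrincipal",
        ],
        // These actions accept only "*" as the resource (see the answer).
        Resource: ["*"],
        Condition: {
          StringEquals: {
            "aws:RequestedRegion": regions,   // limit to the chosen region(s)
            "aws:ResourceAccount": accountId, // limit to resources in this account
          },
        },
      },
    ],
  };
}

// Hypothetical review check: flag any Allow statement on "*" that carries
// neither scoping key, i.e. one that is effectively cross-account and
// cross-region.
function unscopedWildcardStatements(doc: PolicyDocument): Statement[] {
  const scopeKeys = ["aws:RequestedRegion", "aws:ResourceAccount"];
  return doc.Statement.filter((s) => {
    if (s.Effect !== "Allow" || !s.Resource.includes("*")) return false;
    const keys = Object.values(s.Condition ?? {}).flatMap((m) => Object.keys(m));
    return !scopeKeys.some((k) => keys.includes(k));
  });
}
```

Whether a given condition key is present in the request context for a particular action is documented per service in the IAM "Actions, resources, and condition keys" reference, so confirm it there before relying on the condition for a deny-by-default effect.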
