Restrict IOT publish topic policy

0

I'm using flutter/dart (mqtt_client / https://pub.dev/packages/mqtt_client) to send AWS IoT MQTT messages over websockets, and I'd like to restrict an IAM user to specific topics, so that a user is allowed to Publish messages only to their specific topic. I've attempted to add some restricted policies, but the application fails with little information on the client side. Also, in CloudWatch, I don't see any specific errors.

Here's some example topics:

arn:aws:iot:us-east-2:1234567890:topic/action_request/ASDF1234

arn:aws:iot:us-east-2:1234567890:topic/action_request/ASDF5678

So, I want to attach the proper JSON policy to the IAM user so that they only have access to ASDF1234.

All of my publish topics are patterned like the above. For now, I'm focusing on restricting the Publish endpoints and then working others like Subscribe.

I've tried numerous different policies like the one below, also with some wildcards added, with no success on the client side. They look right, but I'm not sure if there are other publish topics used internally within MQTT that are indirectly causing the failures, or if it's just my syntax.

Another thought is to add a condition that would allow only the above endpoint and no others: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iot:Receive",
                "iot:ListNamedShadowsForThing",
                "iot:Subscribe",
                "iot:Connect",
                "iot:GetThingShadow",
                "iot:DeleteThingShadow",
                "iot:UpdateThingShadow"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "iot:Publish",
            "Resource": "arn:aws:iot:us-east-2:1234567890:topic/*/ASDF1234*"
        }
    ]
}
Asked 2 years ago, viewed 535 times
1 answer
0

Let's try to take it step by step. First, the policy you are required to use for your Thing is an IoT Policy, not an IAM policy, which is for IAM identities (users, user groups, and roles). The policy should be attached to a certificate. The certificate should be attached to a Thing. I'd suggest starting by enabling logging in the 'Settings' page of the AWS IoT Console, and using an overly permissive IoT Policy (1) until you make it work. Once you succeed in connecting and subscribing/publishing, modify the IoT policy to include what you need.

(1) Not for production

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:*"
      ],
      "Resource": "*"
    }
  ]
}
AWS
Answered 2 years ago
  • Thanks for the reply. We originally were using associated certificates for policy association. However, to get past security requirements for the Android app store, we had to use MQTT over websockets and Signature Version 4 authentication. It then just uses the https/wss protocol instead. That eliminates the certificate need at the mobile app, thus eliminating some security requirements. We also did enable the logging on the AWS IoT console. We have seen some really generic failures coming in, but nothing to help build out a proper Resource ARN to lock things down. Thanks for the advice.
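Since the app authenticates with SigV4 over websockets, the policy being scoped is the one on the IAM identity, and its Resource patterns can be checked offline before attaching it. The evaluator below is an added example, not code from the question, the answer, or AWS: it models Allow/Deny statements with IAM's `*`/`?` wildcards only (no Condition, NotAction or NotResource), and runs the question's policy and a tighter variant against the two topic ARNs from the question plus a constructed near-miss id; the per-action resource types (client/ for Connect, topic/ for Publish and Receive, topicfilter/ for Subscribe) are the ones AWS IoT uses, and the client id and the "app-device" name are assumptions because the page does not give them.

```python
import re
# Region/account prefix reused from the question's example ARNs.
ARN = "arn:aws:iot:us-east-2:1234567890"

# The question's policy, trimmed to the actions checked here.
QUESTION_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["iot:Receive", "iot:Subscribe", "iot:Connect"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iot:Publish", "Resource": f"{ARN}:topic/*/ASDF1234*"},
]}

# Tighter variant using the resource type AWS IoT expects per action (client/ for Connect,
# topic/ for Publish and Receive, topicfilter/ for Subscribe). Client id assumed: client/*.
SCOPED_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "iot:Connect", "Resource": f"{ARN}:client/*"},
    {"Effect": "Allow", "Action": "iot:Publish", "Resource": f"{ARN}:topic/action_request/ASDF1234"},
    {"Effect": "Allow", "Action": "iot:Subscribe", "Resource": f"{ARN}:topicfilter/action_request/ASDF1234"},
    {"Effect": "Allow", "Action": "iot:Receive", "Resource": f"{ARN}:topic/action_request/ASDF1234"},
]}

def _matches(glob: str, value: str, ignore_case: bool = False) -> bool:
    # IAM wildcards: '*' matches any run of characters ('/' included), '?' exactly one.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in glob)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified IAM logic: explicit Deny wins, else any matching Allow grants, else deny."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_matches(a, action, ignore_case=True) for a in _as_list(stmt["Action"]))
        resource_hit = any(_matches(r, resource) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def audit(policy: dict) -> dict:
    """The question's two topics, a constructed near-miss id, plus Subscribe and Connect."""
    t = f"{ARN}:topic/action_request/"
    return {
        "publish_own": is_allowed(policy, "iot:Publish", t + "ASDF1234"),
        "publish_other": is_allowed(policy, "iot:Publish", t + "ASDF5678"),
        "publish_near_miss": is_allowed(policy, "iot:Publish", t + "ASDF12340"),
        "subscribe_other": is_allowed(policy, "iot:Subscribe", f"{ARN}:topicfilter/action_request/ASDF5678"),
        "connect": is_allowed(policy, "iot:Connect", f"{ARN}:client/app-device"),
    }
```

Calling audit(QUESTION_POLICY) shows the question's Publish pattern already denies ASDF5678 but, because of the trailing `*`, still admits the constructed ASDF12340 and leaves Subscribe open on every topic; audit(SCOPED_POLICY) closes both.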
