Identity-based policy examples for Amazon IoT Greengrass - Amazon IoT Greengrass
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Amazon IoT Greengrass Version 1 no longer receives feature updates, and will receive only security patches and bug fixes until June 30, 2023. For more information, see the Amazon IoT Greengrass V1 maintenance policy. We strongly recommend that you migrate to Amazon IoT Greengrass Version 2, which adds significant new features and support for additional platforms.

Identity-based policy examples for Amazon IoT Greengrass

By default, IAM users and roles don't have permission to create or modify Amazon IoT Greengrass resources. They also can't perform tasks using the Amazon Web Services Management Console, Amazon CLI, or Amazon API. An IAM administrator must create IAM policies that grant users and roles permission to perform specific API operations on the specified resources they need. The administrator must then attach those policies to the IAM users or groups that require those permissions.

Policy best practices

Identity-based policies are very powerful. They determine whether someone can create, access, or delete Amazon IoT Greengrass resources in your account. These actions can incur costs for your Amazon Web Services account. When you create or edit identity-based policies, follow these guidelines and recommendations:

  • Get started using Amazon managed policies – To start using Amazon IoT Greengrass quickly, use Amazon managed policies to give your employees the permissions they need. These policies are already available in your account and are maintained and updated by Amazon. For more information, see Get started using permissions with Amazon managed policies in the IAM User Guide.

  • Grant least privilege – When you create custom policies, grant only the permissions required to perform a task. Start with a minimum set of permissions and grant additional permissions as necessary. Doing so is more secure than starting with permissions that are too lenient and then trying to tighten them later. For more information, see Grant least privilege in the IAM User Guide.

  • Enable MFA for sensitive operations – For extra security, require IAM users to use multi-factor authentication (MFA) to access sensitive resources or API operations. For more information, see Using multi-factor authentication (MFA) in Amazon in the IAM User Guide.

  • Use policy conditions for extra security – To the extent that it's practical, define the conditions under which your identity-based policies allow access to a resource. For example, you can write conditions to specify a range of allowable IP addresses that a request must come from. You can also write conditions to allow requests only within a specified date or time range, or to require the use of SSL or MFA. For more information, see IAM JSON policy elements: Condition in the IAM User Guide.

Amazon managed policies for Amazon IoT Greengrass

Amazon IoT Greengrass maintains the following Amazon managed policies that you can use to grant permissions to IAM users and roles.

Policy

Description

AWSGreengrassFullAccess

Allows all Amazon IoT Greengrass actions for all of your Amazon resources. This policy is recommended for Amazon IoT Greengrass service administrators or testing purposes.

AWSGreengrassReadOnlyAccess

Allows List and Get Amazon IoT Greengrass actions for all of your Amazon resources.

AWSGreengrassResourceAccessRolePolicy

Allows access to resources from Amazon services including Amazon Lambda and Amazon IoT Device Shadow. This is the default policy used for the Greengrass service role. This policy is designed to provide general ease of access. You can define a custom policy that is more restrictive.

GreengrassOTAUpdateArtifactAccess

Allows read-only access to over-the-air (OTA) update artifacts for the Amazon IoT Greengrass Core software in all Amazon Web Services Regions.

Policy examples

The following example customer-defined policies grant permissions for common scenarios.

To learn how to create an IAM identity-based policy using these example JSON policy documents, see Creating policies on the JSON tab in the IAM User Guide.

Allow users to view their own permissions

This example shows how you might create a policy that allows IAM users to view the inline and managed policies that are attached to their user identity. This policy includes permissions to complete this action on the console or programmatically using the Amazon CLI or Amazon API.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "ViewOwnUserInfo", "Effect": "Allow", "Action": [ "iam:GetUserPolicy", "iam:ListGroupsForUser", "iam:ListAttachedUserPolicies", "iam:ListUserPolicies", "iam:GetUser" ], "Resource": ["arn:aws-cn:iam::*:user/${aws:username}"] }, { "Sid": "NavigateInConsole", "Effect": "Allow", "Action": [ "iam:GetGroupPolicy", "iam:GetPolicyVersion", "iam:GetPolicy", "iam:ListAttachedGroupPolicies", "iam:ListGroupPolicies", "iam:ListPolicyVersions", "iam:ListPolicies", "iam:ListUsers" ], "Resource": "*" } ] }