Setting up permissions for Amazon IoT Events alarms
When you use an Amazon IoT Events alarm model to monitor an Amazon IoT SiteWise asset property, you must have the following IAM permissions:
-
An Amazon IoT Events service role that allows Amazon IoT Events to send data to Amazon IoT SiteWise. For more information, see Identity and access management for Amazon IoT Events in the Amazon IoT Events Developer Guide.
-
You must have the following Amazon IoT SiteWise action permissions:
iotsitewise:DescribeAssetModelandiotsitewise:UpdateAssetModelPropertyRouting. These permissions allow Amazon IoT SiteWise to send asset property values to Amazon IoT Events alarm models.
For more information, see Resource-based policies in the IAM User Guide.
Required action permissions
Administrators can use Amazon JSON policies to specify who has access to what. That is, which principal
can perform actions on what resources, and under what conditions.
The Action element of a JSON policy describes the actions that you can use to allow or deny access in a policy.
Before you define an Amazon IoT Events alarm model, you must grant the following permissions that allow Amazon IoT SiteWise to send asset property values to the alarm model.
-
iotsitewise:DescribeAssetModel– Allows Amazon IoT Events to check if an asset property exists. -
iotsitewise:UpdateAssetModelPropertyRouting– Allows Amazon IoT SiteWise to automatically create subscriptions that enable Amazon IoT SiteWise to send data to Amazon IoT Events.
For more information about Amazon IoT SiteWise supported actions, see Actions defined by Amazon IoT SiteWise in the Service Authorization Reference.
Example permissions policy 1
The following policy allows Amazon IoT SiteWise to send asset property values to any Amazon IoT Events alarm models.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iotevents:CreateAlarmModel", "iotevents:UpdateAlarmModel" ], "Resource": "arn:aws:iotevents:us-east-1:123456789012:alarmModel/*" }, { "Effect": "Allow", "Action": [ "iotsitewise:DescribeAssetModel", "iotsitewise:UpdateAssetModelPropertyRouting" ], "Resource": "arn:aws:iotsitewise:us-east-1:123456789012:asset-model/*" } ] }
Example permissions policy 2
The following policy allows Amazon IoT SiteWise to send values of a specified asset property to a specified Amazon IoT Events alarm model.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iotevents:CreateAlarmModel", "iotevents:UpdateAlarmModel" ], "Resource": "arn:aws:iotevents:us-east-1:123456789012:alarmModel/*" }, { "Effect": "Allow", "Action": [ "iotsitewise:DescribeAssetModel" ], "Resource": "arn:aws:iotsitewise:us-east-1:123456789012:asset-model/*" }, { "Effect": "Allow", "Action": [ "iotsitewise:UpdateAssetModelPropertyRouting" ], "Resource": [ "arn:aws:iotsitewise:us-east-1:123456789012:asset-model/12345678-90ab-cdef-1234-567890abcdef" ], "Condition": { "StringLike": { "iotsitewise:propertyId": "abcdef12-3456-7890-abcd-ef1234567890", "iotevents:alarmModelArn": "arn:aws:iotevents:us-east-1:123456789012:alarmModel/MyAlarmModel" } } } ] }
(Optional) ListInputRoutings permission
When you update or delete an asset model, Amazon IoT SiteWise can check if an alarm model in Amazon IoT Events
is monitoring an asset property associated with this asset model. This prevents you from deleting an asset property
that an Amazon IoT Events alarm is currently using. To enable this feature in Amazon IoT SiteWise, you must have the iotevents:ListInputRoutings permission.
This permission allows Amazon IoT SiteWise to make calls to the ListInputRoutings API operation supported by Amazon IoT Events.
Note
We strongly recommend that you add the ListInputRoutings permission.
Example permissions policy
The following policy allows you to update and delete asset models, and use the ListInputRoutings API in Amazon IoT SiteWise.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iotsitewise:UpdateAssetModel", "iotsitewise:DeleteAssetModel", "iotevents:ListInputRoutings" ], "Resource": "arn:aws:iotsitewise:us-east-1:123456789012:asset-model/*" } ] }
Required permissions for SiteWise Monitor
If you want to use the alarms feature in SiteWise Monitor portals, you must update the SiteWise Monitor service role with the following policy:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iotsitewise:DescribePortal", "iotsitewise:CreateProject", "iotsitewise:DescribeProject", "iotsitewise:UpdateProject", "iotsitewise:DeleteProject", "iotsitewise:ListProjects", "iotsitewise:BatchAssociateProjectAssets", "iotsitewise:BatchDisassociateProjectAssets", "iotsitewise:ListProjectAssets", "iotsitewise:CreateDashboard", "iotsitewise:DescribeDashboard", "iotsitewise:UpdateDashboard", "iotsitewise:DeleteDashboard", "iotsitewise:ListDashboards", "iotsitewise:CreateAccessPolicy", "iotsitewise:DescribeAccessPolicy", "iotsitewise:UpdateAccessPolicy", "iotsitewise:DeleteAccessPolicy", "iotsitewise:ListAccessPolicies", "iotsitewise:DescribeAsset", "iotsitewise:ListAssets", "iotsitewise:ListAssociatedAssets", "iotsitewise:DescribeAssetProperty", "iotsitewise:GetAssetPropertyValue", "iotsitewise:GetAssetPropertyValueHistory", "iotsitewise:GetAssetPropertyAggregates", "iotsitewise:BatchPutAssetPropertyValue", "iotsitewise:ListAssetRelationships", "iotsitewise:DescribeAssetModel", "iotsitewise:ListAssetModels", "iotsitewise:UpdateAssetModel", "iotsitewise:UpdateAssetModelPropertyRouting", "sso-directory:DescribeUsers", "sso-directory:DescribeUser", "iotevents:DescribeAlarmModel", "iotevents:ListTagsForResource" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "iotevents:BatchAcknowledgeAlarm", "iotevents:BatchSnoozeAlarm", "iotevents:BatchEnableAlarm", "iotevents:BatchDisableAlarm" ], "Resource": "*", "Condition": { "Null": { "iotevents:keyValue": "false" } } }, { "Effect": "Allow", "Action": [ "iotevents:CreateAlarmModel", "iotevents:TagResource" ], "Resource": "*", "Condition": { "Null": { "aws:RequestTag/iotsitewisemonitor": "false" } } }, { "Effect": "Allow", "Action": [ "iotevents:UpdateAlarmModel", "iotevents:DeleteAlarmModel" ], "Resource": "*", "Condition": { "Null": { "aws:ResourceTag/iotsitewisemonitor": "false" } } }, { "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "*", "Condition": { "StringEquals": { "iam:PassedToService": [ "iotevents.amazonaws.com" ] } } } ] }