Granting Amazon IoT the required access - Amazon IoT SiteWise

Granting Amazon IoT the required access

You use IAM roles to control the Amazon resources to which each rule has access. Before you create a rule, you must create an IAM role with a policy that allows the rule to perform actions on the required Amazon resource. Amazon IoT assumes this role when running a rule.

If you create the rule action in the Amazon IoT console, you can choose a root asset to create a role that has access to a selected asset hierarchy. For more information about how to manually define a role for a rule, see Granting Amazon IoT the required access and Pass role permissions in the Amazon IoT Developer Guide.

For the Amazon IoT SiteWise rule action, you must define a role that allows iotsitewise:BatchPutAssetPropertyValue access to the asset properties to which the rule sends data. To improve security, you can specify an Amazon IoT SiteWise asset hierarchy path in the Condition property.

The following example permissions policy allows access to a specific asset and its children.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iotsitewise:BatchPutAssetPropertyValue",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "iotsitewise:assetHierarchyPath": [
            "/root node asset ID",
            "/root node asset ID/*"
          ]
        }
      }
    }
  ]
}

Remove the Condition from the policy to allow access to all of your assets. The following example permissions policy allows access to all of your assets in the current Region.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iotsitewise:BatchPutAssetPropertyValue",
      "Resource": "*"
    }
  ]
}
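
The following added example (not from the AWS documentation) is a small review script for role policies like the two above: it flags Allow statements that grant iotsitewise:BatchPutAssetPropertyValue without an iotsitewise:assetHierarchyPath condition, and shows which hierarchy paths the scoped policy admits. The asset IDs are constructed stand-ins for the "root node asset ID" placeholder, the function names are hypothetical, and the matcher is a simplified model (Allow statements and the StringLike operator only), not IAM's full evaluation logic.

```python
import re

ACTION = "iotsitewise:BatchPutAssetPropertyValue"
KEY = "iotsitewise:assetHierarchyPath"

def string_like(pattern, value):
    """IAM StringLike: case-sensitive, '*' = any run of characters, '?' = one character."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.DOTALL) is not None

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _grants_action(stmt):
    # Action names are case-insensitive and may use wildcards ("iotsitewise:*").
    return stmt.get("Effect") == "Allow" and any(
        string_like(a.lower(), ACTION.lower()) for a in _as_list(stmt.get("Action", [])))

def _path_patterns(stmt):
    """Patterns from the statement's StringLike condition on KEY, or None if absent."""
    cond = stmt.get("Condition", {}).get("StringLike", {})
    hits = [v for k, v in cond.items() if k.lower() == KEY.lower()]  # key names: any case
    return _as_list(hits[0]) if hits else None

def unscoped_statements(policy):
    """Indexes of Allow statements granting the action with no hierarchy-path condition."""
    return [i for i, s in enumerate(_as_list(policy["Statement"]))
            if _grants_action(s) and _path_patterns(s) is None]

def path_allowed(policy, hierarchy_path):
    """Simplified check: does any Allow statement admit this asset hierarchy path?"""
    for s in _as_list(policy["Statement"]):
        pats = _path_patterns(s)
        if _grants_action(s) and (pats is None or any(string_like(p, hierarchy_path) for p in pats)):
            return True
    return False

# Constructed asset IDs standing in for the page's "root node asset ID" placeholder.
ROOT, CHILD, OTHER = "a1b2c3d4-0001", "a1b2c3d4-0002", "ffff0000-0009"
scoped = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ACTION, "Resource": "*",
    "Condition": {"StringLike": {KEY: [f"/{ROOT}", f"/{ROOT}/*"]}}}]}
open_policy = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ACTION, "Resource": "*"}]}

if __name__ == "__main__":
    for name, pol in (("scoped", scoped), ("open", open_policy)):
        print(name, unscoped_statements(pol),
              [path_allowed(pol, p) for p in (f"/{ROOT}", f"/{ROOT}/{CHILD}", f"/{OTHER}")])
```

The policy lists both "/root node asset ID" and "/root node asset ID/*" because the second pattern alone does not match the root asset itself.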