Step 1: Creating an Amazon IoT policy - Amazon IoT SiteWise
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Step 1: Creating an Amazon IoT policy

In this procedure, you create an Amazon IoT policy that allows your Amazon IoT things to connect and to use the device shadow topics this tutorial relies on. The policy is deliberately scoped to a thing-name prefix and to per-thing shadow topics, so a device can act only on its own shadow.

To create an Amazon IoT policy
  1. Sign in to the Amazon Web Services Management Console.

  2. Review the Amazon Regions where Amazon IoT SiteWise is supported. Switch to one of these supported Regions, if necessary.

  3. Navigate to the Amazon IoT console. If a Connect device button appears, choose it.

  4. In the left navigation pane, choose Security and then choose Policies.

  5. Choose Create.

  6. Enter a name for the Amazon IoT policy (for example, SiteWiseTutorialDevicePolicy).

  7. Under Policy document, choose JSON to enter the following policy in JSON form. Replace region and account-id with your Region and account ID, such as us-east-1 and 123456789012.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "iot:Connect",
          "Resource": "arn:aws:iot:region:account-id:client/SiteWiseTutorialDevice*"
        },
        {
          "Effect": "Allow",
          "Action": "iot:Publish",
          "Resource": [
            "arn:aws:iot:region:account-id:topic/$aws/things/${iot:Connection.Thing.ThingName}/shadow/update",
            "arn:aws:iot:region:account-id:topic/$aws/things/${iot:Connection.Thing.ThingName}/shadow/delete",
            "arn:aws:iot:region:account-id:topic/$aws/things/${iot:Connection.Thing.ThingName}/shadow/get"
          ]
        },
        {
          "Effect": "Allow",
          "Action": "iot:Receive",
          "Resource": [
            "arn:aws:iot:region:account-id:topic/$aws/things/${iot:Connection.Thing.ThingName}/shadow/update/accepted",
            "arn:aws:iot:region:account-id:topic/$aws/things/${iot:Connection.Thing.ThingName}/shadow/delete/accepted",
            "arn:aws:iot:region:account-id:topic/$aws/things/${iot:Connection.Thing.ThingName}/shadow/get/accepted",
            "arn:aws:iot:region:account-id:topic/$aws/things/${iot:Connection.Thing.ThingName}/shadow/update/rejected",
            "arn:aws:iot:region:account-id:topic/$aws/things/${iot:Connection.Thing.ThingName}/shadow/delete/rejected"
          ]
        },
        {
          "Effect": "Allow",
          "Action": "iot:Subscribe",
          "Resource": [
            "arn:aws:iot:region:account-id:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/shadow/update/accepted",
            "arn:aws:iot:region:account-id:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/shadow/delete/accepted",
            "arn:aws:iot:region:account-id:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/shadow/get/accepted",
            "arn:aws:iot:region:account-id:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/shadow/update/rejected",
            "arn:aws:iot:region:account-id:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/shadow/delete/rejected"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "iot:GetThingShadow",
            "iot:UpdateThingShadow",
            "iot:DeleteThingShadow"
          ],
          "Resource": "arn:aws:iot:region:account-id:thing/SiteWiseTutorialDevice*"
        }
      ]
    }

    This policy lets your Amazon IoT devices connect and exchange MQTT messages with their device shadows. For more information about MQTT messages, see What is MQTT?. To interact with device shadows, your Amazon IoT things publish and receive MQTT messages on topics that start with $aws/things/thing-name/shadow/. The policy uses the thing policy variable ${iot:Connection.Thing.ThingName}, which Amazon IoT replaces with the name of the connected thing in each topic ARN, so every device is confined to its own shadow topics rather than to a shared wildcard. The thing name is taken from the MQTT client ID presented at connect time, and the variable resolves only when the certificate used to connect is attached to that thing. Because the iot:Connect statement permits only client IDs that start with SiteWiseTutorialDevice, the variable can only ever substitute thing names with that prefix, and the last statement limits the shadow API actions to things with the same prefix.

    For more information, see Thing policy variables in the Amazon IoT Developer Guide.

    Note

    This policy applies to things whose names start with SiteWiseTutorialDevice. To use a different name for your things, you must update the policy accordingly.

  8. Choose Create.
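    The console steps above build the policy by hand. As an added example (not from the Amazon IoT SiteWise documentation), the following Python script generates the same policy document for a given Region and account, lints it for the scoping properties the tutorial relies on (no wildcard resources, every ARN bound to your Region and account, shadow topics confined to the per-thing ${iot:Connection.Thing.ThingName} namespace, client IDs and thing ARNs restricted to the SiteWiseTutorialDevice prefix), and only then creates it with boto3. The lint function, its finding messages, the partition parameter (ARNs in the China Regions use the aws-cn partition rather than aws) and the sample Region and account ID are assumptions of this example; the boto3 call is the standard iot create_policy API.

```python
"""Build, lint, and create the SiteWise tutorial's Amazon IoT policy.

Added example; not part of the Amazon IoT SiteWise documentation.
"""
import json
import re
from typing import Any, Dict, List

# Thing policy variable that Amazon IoT substitutes with the connected thing's name.
THING_VAR = "${iot:Connection.Thing.ThingName}"
# Every topic/topicfilter resource in the policy must live under this namespace.
SHADOW_PREFIX = f"$aws/things/{THING_VAR}/shadow/"


def build_policy(region: str, account_id: str,
                 prefix: str = "SiteWiseTutorialDevice",
                 partition: str = "aws") -> Dict[str, Any]:
    """Return the tutorial policy with Region and account filled in.

    partition defaults to "aws" as on the page; China Regions use "aws-cn"
    (assumption: the caller passes the partition matching the Region).
    """
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("account_id must be a 12-digit account ID")

    def arn(kind: str, path: str) -> str:
        return f"arn:{partition}:iot:{region}:{account_id}:{kind}/{path}"

    shadow = f"$aws/things/{THING_VAR}/shadow"
    responses = ["update/accepted", "delete/accepted", "get/accepted",
                 "update/rejected", "delete/rejected"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "iot:Connect",
             "Resource": arn("client", f"{prefix}*")},
            {"Effect": "Allow", "Action": "iot:Publish",
             "Resource": [arn("topic", f"{shadow}/{op}") for op in ("update", "delete", "get")]},
            {"Effect": "Allow", "Action": "iot:Receive",
             "Resource": [arn("topic", f"{shadow}/{r}") for r in responses]},
            {"Effect": "Allow", "Action": "iot:Subscribe",
             "Resource": [arn("topicfilter", f"{shadow}/{r}") for r in responses]},
            {"Effect": "Allow",
             "Action": ["iot:GetThingShadow", "iot:UpdateThingShadow", "iot:DeleteThingShadow"],
             "Resource": arn("thing", f"{prefix}*")},
        ],
    }


def lint_policy(policy: Dict[str, Any], region: str, account_id: str,
                prefix: str = "SiteWiseTutorialDevice") -> List[str]:
    """Return findings that violate the tutorial's scoping; an empty list means the policy passes."""
    findings: List[str] = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        for action in actions:
            if action.endswith("*"):
                findings.append(f"statement {i}: wildcard action {action}")
        for res in resources:
            if res == "*":
                findings.append(f"statement {i}: Resource '*' grants every client, topic and thing")
                continue
            # Region and account cannot contain ':'; the path may (the policy variable does).
            m = re.fullmatch(r"arn:[^:]+:iot:([^:]*):([^:]*):([^/]+)/(.*)", res)
            if not m:
                findings.append(f"statement {i}: unparseable resource {res}")
                continue
            res_region, res_account, kind, path = m.groups()
            if res_region != region or res_account != account_id:
                findings.append(f"statement {i}: {res} is not scoped to {region}/{account_id}")
            if kind in ("topic", "topicfilter") and not path.startswith(SHADOW_PREFIX):
                findings.append(f"statement {i}: {kind} {path} is outside the per-thing shadow namespace")
            if kind in ("client", "thing") and (path == "*" or not path.startswith(prefix)):
                findings.append(f"statement {i}: {kind} {path} is not restricted to the {prefix} prefix")
    return findings


def create_policy(policy_name: str, policy: Dict[str, Any], region: str, account_id: str):
    """Lint, then create the policy with boto3 (needs credentials; refuses an over-broad policy)."""
    problems = lint_policy(policy, region, account_id)
    if problems:
        raise ValueError("refusing to create policy:\n" + "\n".join(problems))
    import boto3  # imported here so the rest of the module runs offline
    client = boto3.client("iot", region_name=region)
    return client.create_policy(policyName=policy_name, policyDocument=json.dumps(policy))


if __name__ == "__main__":
    region, account = "us-east-1", "123456789012"  # constructed placeholder values
    good = build_policy(region, account)
    print(json.dumps(good, indent=2))
    print("findings:", lint_policy(good, region, account))
    # Constructed over-broad variant that a reviewer should reject before creating it.
    broad = json.loads(json.dumps(good))
    broad["Statement"][1]["Resource"] = "*"
    print("findings:", lint_policy(broad, region, account))
```

    Run it once without credentials to inspect the generated document and the lint output, then call create_policy("SiteWiseTutorialDevicePolicy", good, region, account) from an environment with Amazon IoT permissions. Running the lint against a policy whose ARNs name a different account, or whose Publish resource has been widened to "*", produces findings and create_policy refuses to proceed.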