Step 1: Creating an Amazon IoT policy
In this procedure, create an Amazon IoT policy that allows your Amazon IoT things to access the resources used in this tutorial.
To create an Amazon IoT policy

- Sign in to the Amazon Web Services Management Console.
- Review the Amazon Regions where Amazon IoT SiteWise is supported. Switch to one of these supported Regions, if necessary.
- Navigate to the Amazon IoT console. If a Connect device button appears, choose it.
- In the left navigation pane, choose Security and then choose Policies.
- Choose Create.
- Enter a name for the Amazon IoT policy (for example, SiteWiseTutorialDevicePolicy).
- Under Policy document, choose JSON to enter the following policy in JSON form. Replace region and account-id with your Region and account ID, such as us-east-1 and 123456789012.
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "iot:Connect",
        "Resource": "arn:aws:iot:region:account-id:client/SiteWiseTutorialDevice*"
      },
      {
        "Effect": "Allow",
        "Action": "iot:Publish",
        "Resource": [
          "arn:aws:iot:region:account-id:topic/$aws/things/${iot:Connection.Thing.ThingName}/shadow/update",
          "arn:aws:iot:region:account-id:topic/$aws/things/${iot:Connection.Thing.ThingName}/shadow/delete",
          "arn:aws:iot:region:account-id:topic/$aws/things/${iot:Connection.Thing.ThingName}/shadow/get"
        ]
      },
      {
        "Effect": "Allow",
        "Action": "iot:Receive",
        "Resource": [
          "arn:aws:iot:region:account-id:topic/$aws/things/${iot:Connection.Thing.ThingName}/shadow/update/accepted",
          "arn:aws:iot:region:account-id:topic/$aws/things/${iot:Connection.Thing.ThingName}/shadow/delete/accepted",
          "arn:aws:iot:region:account-id:topic/$aws/things/${iot:Connection.Thing.ThingName}/shadow/get/accepted",
          "arn:aws:iot:region:account-id:topic/$aws/things/${iot:Connection.Thing.ThingName}/shadow/update/rejected",
          "arn:aws:iot:region:account-id:topic/$aws/things/${iot:Connection.Thing.ThingName}/shadow/delete/rejected"
        ]
      },
      {
        "Effect": "Allow",
        "Action": "iot:Subscribe",
        "Resource": [
          "arn:aws:iot:region:account-id:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/shadow/update/accepted",
          "arn:aws:iot:region:account-id:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/shadow/delete/accepted",
          "arn:aws:iot:region:account-id:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/shadow/get/accepted",
          "arn:aws:iot:region:account-id:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/shadow/update/rejected",
          "arn:aws:iot:region:account-id:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/shadow/delete/rejected"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "iot:GetThingShadow",
          "iot:UpdateThingShadow",
          "iot:DeleteThingShadow"
        ],
        "Resource": "arn:aws:iot:region:account-id:thing/SiteWiseTutorialDevice*"
      }
    ]
  }

  This policy enables your Amazon IoT devices to establish connections and communicate with device shadows using MQTT messages. For more information about MQTT messages, see What is MQTT?. To interact with device shadows, your Amazon IoT things publish and receive MQTT messages on topics that start with $aws/things/thing-name/shadow/. This policy incorporates a thing policy variable, ${iot:Connection.Thing.ThingName}, which substitutes the connected thing's name in each topic. The iot:Connect statement limits which client IDs can establish connections, ensuring that the thing policy variable can only substitute names starting with SiteWiseTutorialDevice. For more information, see Thing policy variables in the Amazon IoT Developer Guide.
  Note

  This policy applies to things whose names start with SiteWiseTutorialDevice. To use a different name for your things, you must update the policy accordingly.

- Choose Create.
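The following Python script is an added example; it is not part of the tutorial and not Amazon's own tooling. It builds the policy above for a given Region and account ID (so the region and account-id placeholders are filled in programmatically) and includes a deliberately simplified evaluator that substitutes ${iot:Connection.Thing.ThingName} and matches trailing * wildcards. The evaluator is an assumption for illustration, not IoT Core's real policy engine; it lets you check, before deploying, that a thing can reach only its own shadow topics and that a thing with a different name prefix cannot connect at all. The Region us-east-1, the account ID 123456789012 and the thing names are constructed sample values.

```python
"""Generate the tutorial's AWS IoT policy and sanity-check its scope offline.

Added example (not from the tutorial). The evaluator models only what this
policy uses: Allow statements, the ${iot:Connection.Thing.ThingName} thing
policy variable, and '*' wildcards in resource ARNs. It assumes the connecting
client ID equals the thing name, as the tutorial's devices do. It is NOT a
substitute for IoT Core's real policy evaluation.
"""
import json
import re

THING_VAR = "${iot:Connection.Thing.ThingName}"


def build_policy(region, account_id):
    """Return the tutorial policy as a dict with region and account-id filled in."""

    def arn(resource):
        return f"arn:aws:iot:{region}:{account_id}:{resource}"

    def shadow(kind, suffixes):
        # Shadow topics for the connected thing only, via the thing policy variable.
        return [arn(f"{kind}/$aws/things/{THING_VAR}/shadow/{s}") for s in suffixes]

    responses = ["update/accepted", "delete/accepted", "get/accepted",
                 "update/rejected", "delete/rejected"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            # Only client IDs with the tutorial prefix may connect at all.
            {"Effect": "Allow", "Action": "iot:Connect",
             "Resource": arn("client/SiteWiseTutorialDevice*")},
            {"Effect": "Allow", "Action": "iot:Publish",
             "Resource": shadow("topic", ["update", "delete", "get"])},
            {"Effect": "Allow", "Action": "iot:Receive",
             "Resource": shadow("topic", responses)},
            {"Effect": "Allow", "Action": "iot:Subscribe",
             "Resource": shadow("topicfilter", responses)},
            {"Effect": "Allow",
             "Action": ["iot:GetThingShadow", "iot:UpdateThingShadow",
                        "iot:DeleteThingShadow"],
             "Resource": arn("thing/SiteWiseTutorialDevice*")},
        ],
    }


def policy_json(region, account_id):
    """Pretty-printed JSON ready to paste into the Policy document editor."""
    return json.dumps(build_policy(region, account_id), indent=2)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _arn_match(pattern, resource):
    # Only '*' is a wildcard; every other character must match literally.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, resource) is not None


def is_allowed(policy, thing_name, action, resource):
    """Simplified check: True if any Allow statement covers action+resource
    after substituting the connected thing's name into the policy."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in _as_list(stmt["Action"]):
            continue
        for pattern in _as_list(stmt["Resource"]):
            if _arn_match(pattern.replace(THING_VAR, thing_name), resource):
                return True
    return False  # IoT policies are deny-by-default


if __name__ == "__main__":
    pol = build_policy("us-east-1", "123456789012")  # constructed sample values
    base = "arn:aws:iot:us-east-1:123456789012:"
    own = base + "topic/$aws/things/SiteWiseTutorialDevice1/shadow/update"
    other = base + "topic/$aws/things/SiteWiseTutorialDevice2/shadow/update"
    print("connect as SiteWiseTutorialDevice1:",
          is_allowed(pol, "SiteWiseTutorialDevice1", "iot:Connect",
                     base + "client/SiteWiseTutorialDevice1"))
    print("connect as OtherDevice:",
          is_allowed(pol, "OtherDevice", "iot:Connect", base + "client/OtherDevice"))
    print("publish to own shadow:", is_allowed(pol, "SiteWiseTutorialDevice1", "iot:Publish", own))
    print("publish to another thing's shadow:",
          is_allowed(pol, "SiteWiseTutorialDevice1", "iot:Publish", other))
```

The checks in the main block show the two properties that make this policy least-privilege: the iot:Connect resource confines which client IDs can connect, and every topic and topicfilter ARN is pinned to the connected thing's own name, so a device cannot publish to or subscribe on another thing's shadow even though all devices share one policy. In a real deployment the variable resolves only when the certificate the client presents is attached to a thing whose name matches the client ID; the script simply takes that name as input.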