Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon managed policies for Amazon IoT SiteWise

Simplify adding permissions to users, groups, and roles by using Amazon managed policies rather than writing policies yourself. It takes time and expertise to create IAM customer managed policies that provide your team precise permissions. For a faster setup, consider using our Amazon managed policies for common use cases. Find Amazon managed policies in your Amazon Web Services account. For more information about Amazon managed policies, see Amazon managed policies in the IAM User Guide.

Amazon services take care of updating and maintaining Amazon managed policies, meaning you cannot modify these policies' permissions. Occasionally, Amazon IoT SiteWise may add permissions to accommodate new features, impacting all identities with the policy attached. Such updates are common with the introduction of new services or features. However, permissions are never removed, ensuring your setups remain intact.

Additionally, Amazon supports managed policies for job functions that span multiple services. For example, the ReadOnlyAccess Amazon managed policy provides read-only access to all Amazon services and resources. When a service launches a new feature, Amazon adds read-only permissions for new operations and resources. For a list with descriptions of job function policies, see Amazon managed policies for job functions in the IAM User Guide.

Amazon managed policy: AWSIoTSiteWiseReadOnlyAccess

Use the AWSIoTSiteWiseReadOnlyAccess Amazon managed policy to allow read-only access to Amazon IoT SiteWise.

You can attach the AWSIoTSiteWiseReadOnlyAccess policy to your IAM identities.

Service-level permissions

This policy provides read-only access to Amazon IoT SiteWise. No other service permissions are included in this policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iotsitewise:Describe*",
                "iotsitewise:List*",
                "iotsitewise:BatchGet*",
                "iotsitewise:Get*"
            ],
            "Resource": "*"
        }
    ]
}
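Because Amazon can add permissions to a managed policy, it is useful to diff the policy document between versions and check what the wildcard prefixes actually match. The following is an added example, not code from the Amazon documentation. The "previous" document is constructed from this page's change history, the function names are hypothetical, and the check looks only at Allow/Action patterns (it ignores Resource, Condition, Deny, and NotAction).

```python
import fnmatch
import json

# AWSIoTSiteWiseReadOnlyAccess as shown on this page.
CURRENT = json.loads("""
{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": [
  "iotsitewise:Describe*", "iotsitewise:List*",
  "iotsitewise:BatchGet*", "iotsitewise:Get*"], "Resource": "*"}]}
""")

# Constructed for this example: the same document without BatchGet*, which the
# change history says was added on September 16, 2022. Not an official copy.
PREVIOUS = json.loads(json.dumps(CURRENT))
PREVIOUS["Statement"][0]["Action"].remove("iotsitewise:BatchGet*")


def allow_patterns(policy):
    """Map lowercased action pattern -> original spelling for Allow statements."""
    statements = policy["Statement"]
    if isinstance(statements, dict):  # IAM accepts a single statement object
        statements = [statements]
    found = {}
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue  # Deny and NotAction statements are out of scope here
        actions = stmt["Action"]
        for action in [actions] if isinstance(actions, str) else actions:
            found[action.lower()] = action
    return found


def added_patterns(old, new):
    """Action patterns that `new` allows and `old` did not list."""
    old_p, new_p = allow_patterns(old), allow_patterns(new)
    return sorted(new_p[k] for k in new_p.keys() - old_p.keys())


def is_allowed(policy, action):
    """True if an Allow pattern matches `action` (IAM matching ignores case)."""
    return any(fnmatch.fnmatchcase(action.lower(), p) for p in allow_patterns(policy))


if __name__ == "__main__":
    print("added:", added_patterns(PREVIOUS, CURRENT))
    for name in ("iotsitewise:BatchGetAssetPropertyValue",
                 "iotsitewise:BatchPutAssetPropertyValue"):
        print(name, is_allowed(PREVIOUS, name), "->", is_allowed(CURRENT, name))
```

The diff compares pattern strings literally, so a new pattern that is already covered by a broader existing one is still reported as added.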

Amazon managed policy: AWSServiceRoleForIoTSiteWise

The AWSServiceRoleForIoTSiteWise role uses the AWSServiceRoleForIoTSiteWise policy with the following permissions. This policy:

  • Allows Amazon IoT SiteWise to deploy SiteWise Edge gateways (which run on Amazon IoT Greengrass).

  • Allows Amazon IoT SiteWise to perform logging.

  • Allows Amazon IoT SiteWise to run a metadata search query against the Amazon IoT TwinMaker database.

If you are using Amazon IoT SiteWise with a single user account, the AWSServiceRoleForIoTSiteWise role creates the AWSServiceRoleForIoTSiteWise policy in your IAM account, and attaches it to the AWSServiceRoleForIoTSiteWise service-linked roles for Amazon IoT SiteWise.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowSiteWiseReadGreenGrass",
            "Effect": "Allow",
            "Action": [
                "greengrass:GetAssociatedRole",
                "greengrass:GetCoreDefinition",
                "greengrass:GetCoreDefinitionVersion",
                "greengrass:GetGroup",
                "greengrass:GetGroupVersion"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowSiteWiseAccessLogGroup",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:DescribeLogGroups"
            ],
            "Resource": "arn:aws-cn:logs:*:*:log-group:/aws/iotsitewise*"
        },
        {
            "Sid": "AllowSiteWiseAccessLog",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:DescribeLogStreams",
                "logs:PutLogEvents"
            ],
            "Resource": "arn:aws-cn:logs:*:*:log-group:/aws/iotsitewise*:log-stream:*"
        },
        {
            "Sid": "AllowSiteWiseAccessSiteWiseManagedWorkspaceInTwinMaker",
            "Effect": "Allow",
            "Action": [
                "iottwinmaker:GetWorkspace",
                "iottwinmaker:ExecuteQuery"
            ],
            "Resource": "arn:aws-cn:iottwinmaker:*:*:workspace/*",
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "iottwinmaker:linkedServices": [
                        "IOTSITEWISE"
                    ]
                }
            }
        }
    ]
}

Amazon IoT SiteWise updates to Amazon managed policies

You can view details about updates to Amazon managed policies for Amazon IoT SiteWise, beginning from when this service began tracking the changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Amazon IoT SiteWise Document history page.

| Change | Description | Date |
| --- | --- | --- |
| AWSServiceRoleForIoTSiteWise – Update to an existing policy | Amazon IoT SiteWise can now run a metadata search query against the Amazon IoT TwinMaker database. | November 6, 2023 |
| AWSIoTSiteWiseReadOnlyAccess – Update to an existing policy | Amazon IoT SiteWise added a new policy prefix, BatchGet*, that enables you to do batch read operations. | September 16, 2022 |
| AWSIoTSiteWiseReadOnlyAccess – New policy | Amazon IoT SiteWise added a new policy to grant read-only access to Amazon IoT SiteWise. | November 24, 2021 |
| Amazon IoT SiteWise started tracking changes | Amazon IoT SiteWise started tracking changes for its Amazon managed policies. | November 24, 2021 |