Accessing cross-account resources using Amazon IoT rules
You can configure Amazon IoT rules for cross-account access so that data ingested on MQTT topics of one account can be routed into the Amazon services, such as Amazon SQS and Lambda, of another account. The following explains how to set up Amazon IoT rules for cross-account data ingestion, from an MQTT topic in one account, to a destination in another account.
Cross-account rules can be configured using resource-based permissions.

Note
For the supported destinations, except for Amazon SQS, you must define the rule in the same Amazon Web Services Region as the other service's resource so that the rule action can interact with that resource. For more information about Amazon IoT rule actions, see Amazon IoT rule actions. For more information about the rule's SQS action, see SQS.
Prerequisites
- Familiarity with Amazon IoT rules
- An understanding of IAM users, roles, and resource-based permissions
- Having the Amazon CLI installed
Cross-account setup for Amazon SQS
Scenario: Account A sends data from an MQTT message to account B's Amazon SQS queue.

Amazon Web Services account | Account referred to as | Description
---|---|---
1111-1111-1111 | Account A | Rule action: sqs:SendMessage
2222-2222-2222 | Account B | Amazon SQS queue

Note
Your destination Amazon SQS queue doesn't have to be in the same Amazon Web Services Region as your Amazon IoT rule.
Do the Account A tasks

Note
To run the following commands, your IAM user should have permissions to the iot:CreateTopicRule action with the rule's Amazon Resource Name (ARN) as the resource, and permissions to the iam:PassRole action with the role's ARN as the resource.

- Configure the Amazon CLI using account A's IAM user.
- Create an IAM role that trusts the Amazon IoT rules engine and attach a policy that allows access to account B's Amazon SQS queue. See example commands and policy documents in Granting Amazon IoT the required access.
- To create a rule that is attached to a topic, run the create-topic-rule command:

    aws iot create-topic-rule --rule-name myRule --topic-rule-payload file://./my-rule.json

  The following is an example payload file with a rule that inserts all messages sent to the iot/test topic into the specified Amazon SQS queue. The SQL statement filters the messages, and the role ARN grants Amazon IoT permission to add the message to the Amazon SQS queue.

    {
        "sql": "SELECT * FROM 'iot/test'",
        "ruleDisabled": false,
        "awsIotSqlVersion": "2016-03-23",
        "actions": [
            {
                "sqs": {
                    "queueUrl": "https://sqs.region.amazonaws.com/2222-2222-2222/ExampleQueue",
                    "roleArn": "arn:aws:iam::1111-1111-1111:role/my-iot-role",
                    "useBase64": false
                }
            }
        ]
    }

  For more information about how to define an Amazon SQS action in an Amazon IoT rule, see Amazon IoT rule actions - Amazon SQS.
Do the Account B tasks
- Configure the Amazon CLI using account B's IAM user.
- To give account A permission on the Amazon SQS queue resource, run the add-permission command:

    aws sqs add-permission \
        --queue-url https://sqs.region.amazonaws.com/2222-2222-2222/ExampleQueue \
        --label SendMessagesToMyQueue \
        --aws-account-ids 1111-1111-1111 \
        --actions SendMessage
Cross-account setup for Amazon SNS
Scenario: Account A sends data from an MQTT message to an Amazon SNS topic of account B.

Amazon Web Services account | Account referred to as | Description
---|---|---
1111-1111-1111 | Account A | Rule action: sns:Publish
2222-2222-2222 | Account B | Amazon SNS topic ARN: arn:aws:sns:region:2222-2222-2222:ExampleTopic
Do the Account A tasks

Note
To run the following commands, your IAM user should have permissions to the iot:CreateTopicRule action with the rule ARN as the resource, and permissions to the iam:PassRole action with the role ARN as the resource.

- Configure the Amazon CLI using account A's IAM user.
- Create an IAM role that trusts the Amazon IoT rules engine and attach a policy that allows access to account B's Amazon SNS topic. For example commands and policy documents, see Granting Amazon IoT the required access.
- To create a rule that is attached to a topic, run the create-topic-rule command:

    aws iot create-topic-rule --rule-name myRule --topic-rule-payload file://./my-rule.json

  The following is an example payload file with a rule that inserts all messages sent to the iot/test topic into the specified Amazon SNS topic. The SQL statement filters the messages, and the role ARN grants Amazon IoT permission to send the message to the Amazon SNS topic.

    {
        "sql": "SELECT * FROM 'iot/test'",
        "ruleDisabled": false,
        "awsIotSqlVersion": "2016-03-23",
        "actions": [
            {
                "sns": {
                    "targetArn": "arn:aws:sns:region:2222-2222-2222:ExampleTopic",
                    "roleArn": "arn:aws:iam::1111-1111-1111:role/my-iot-role"
                }
            }
        ]
    }

  For more information about how to define an Amazon SNS action in an Amazon IoT rule, see Amazon IoT rule actions - Amazon SNS.
Do the Account B tasks
- Configure the Amazon CLI using account B's IAM user.
- To give account A permission on the Amazon SNS topic resource, run the add-permission command:

    aws sns add-permission \
        --topic-arn arn:aws:sns:region:2222-2222-2222:ExampleTopic \
        --label Publish-Permission \
        --aws-account-id 1111-1111-1111 \
        --action-name Publish
Cross-account setup for Amazon S3
Scenario: Account A sends data from an MQTT message to an Amazon S3 bucket of account B.

Amazon Web Services account | Account referred to as | Description
---|---|---
1111-1111-1111 | Account A | Rule action: s3:PutObject
2222-2222-2222 | Account B | Amazon S3 bucket ARN: arn:aws:s3:::amzn-s3-demo-bucket
Do the Account A tasks

Note
To run the following commands, your IAM user should have permissions to the iot:CreateTopicRule action with the rule ARN as the resource, and permissions to the iam:PassRole action with the role ARN as the resource.

- Configure the Amazon CLI using account A's IAM user.
- Create an IAM role that trusts the Amazon IoT rules engine and attach a policy that allows access to account B's Amazon S3 bucket. For example commands and policy documents, see Granting Amazon IoT the required access.
- To create a rule that is attached to your target S3 bucket, run the create-topic-rule command:

    aws iot create-topic-rule --rule-name my-rule --topic-rule-payload file://./my-rule.json

  The following is an example payload file with a rule that inserts all messages sent to the iot/test topic into the specified Amazon S3 bucket. The SQL statement filters the messages, and the role ARN grants Amazon IoT permission to add the message to the Amazon S3 bucket.

    {
        "sql": "SELECT * FROM 'iot/test'",
        "ruleDisabled": false,
        "awsIotSqlVersion": "2016-03-23",
        "actions": [
            {
                "s3": {
                    "bucketName": "amzn-s3-demo-bucket",
                    "key": "${topic()}/${timestamp()}",
                    "roleArn": "arn:aws:iam::1111-1111-1111:role/my-iot-role"
                }
            }
        ]
    }

  For more information about how to define an Amazon S3 action in an Amazon IoT rule, see Amazon IoT rule actions - Amazon S3.
Do the Account B tasks
- Configure the Amazon CLI using account B's IAM user.
- Create a bucket policy that trusts account A's principal. The following is an example policy file that defines a bucket policy trusting the principal of another account.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AddCannedAcl",
                "Effect": "Allow",
                "Principal": {
                    "AWS": [
                        "arn:aws:iam::1111-1111-1111:root"
                    ]
                },
                "Action": "s3:PutObject",
                "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*"
            }
        ]
    }

  For more information, see bucket policy examples.
- To attach the bucket policy to the specified bucket, run the put-bucket-policy command:

    aws s3api put-bucket-policy --bucket amzn-s3-demo-bucket --policy file://./amzn-s3-demo-bucket-policy.json

- To make the cross-account access work, make sure you have the correct Block all public access settings. For more information, see Security Best Practices for Amazon S3.
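The SQS, SNS and S3 procedures above all follow the same pattern: the rule in account A names a destination and a role, and account B's resource-based policy must grant exactly that account, exactly the action the rule needs, on exactly that resource. The following Python script is an added example, not code from the AWS documentation: it reads a rule payload and the destination's resource policy and reports mismatches (no matching grant, a destination that is not actually cross-account, or a statement that is open to Principal "*" where it should be limited to account A). The queue policy with Principal "*" is a constructed bad example; the other documents are copies of the values on this page, and the region placeholder "region" is kept as-is.

```python
# Added example (not from the AWS documentation): cross-check an Amazon IoT
# rule payload against the destination account's resource-based policy for
# the SQS, SNS and S3 scenarios. Sample documents are constructed from the
# values used on this page.
import json
import re

# Action the destination policy must grant for each rule-action type.
REQUIRED_ACTION = {"sqs": "sqs:sendmessage", "sns": "sns:publish", "s3": "s3:putobject"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def account_from_arn(arn):
    # arn:partition:service:region:account-id:resource -> account-id
    return arn.split(":")[4]


def destination_of(action):
    """Return (kind, destination ARN, destination account or None) for one rule action."""
    if "sqs" in action:
        m = re.fullmatch(r"https://sqs\.([^.]+)\.amazonaws\.com/([^/]+)/([^/]+)",
                         action["sqs"]["queueUrl"])
        if m is None:
            raise ValueError("unrecognised queue URL: " + action["sqs"]["queueUrl"])
        region, acct, name = m.groups()
        return "sqs", f"arn:aws:sqs:{region}:{acct}:{name}", acct
    if "sns" in action:
        arn = action["sns"]["targetArn"]
        return "sns", arn, account_from_arn(arn)
    if "s3" in action:
        # Bucket ARNs carry no account id, so the owner cannot be read from the payload.
        return "s3", f"arn:aws:s3:::{action['s3']['bucketName']}/*", None
    raise ValueError("unsupported rule action: " + ", ".join(action))


def principal_accounts(statement):
    """Account ids (or '*') named by an IAM-style Principal element."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return {"*"}
    accounts = set()
    for entry in _as_list(principal.get("AWS", [])):
        accounts.add(account_from_arn(entry) if entry.startswith("arn:") else entry)
    return accounts


def resource_matches(pattern, arn):
    # IAM resource patterns use '*' as a wildcard; everything else is literal.
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), arn) is not None


def grants(statement, account, needed, dest_arn):
    """True if this Allow statement gives `account` the `needed` action on `dest_arn`."""
    if statement.get("Effect") != "Allow":
        return False
    accounts = principal_accounts(statement)
    if account not in accounts and "*" not in accounts:
        return False
    actions = {a.lower() for a in _as_list(statement.get("Action", []))}
    if not actions & {needed, "*", needed.split(":")[0] + ":*"}:
        return False
    return any(resource_matches(r, dest_arn) for r in _as_list(statement.get("Resource", [])))


def check_rule_against_policy(rule_payload, resource_policy):
    """Return a list of findings; an empty list means the grant is consistent and scoped."""
    rule, policy = json.loads(rule_payload), json.loads(resource_policy)
    statements = _as_list(policy["Statement"])
    findings = []
    for action in rule["actions"]:
        kind, dest_arn, dest_acct = destination_of(action)
        rule_acct = account_from_arn(action[kind]["roleArn"])
        if dest_acct is not None and dest_acct == rule_acct:
            findings.append(f"{kind}: destination is in the rule's own account; no cross-account grant is needed")
        for st in statements:
            if st.get("Effect") == "Allow" and "*" in principal_accounts(st):
                findings.append(f"{kind}: statement {st.get('Sid', '<no Sid>')} allows Principal '*'; restrict it to account {rule_acct}")
        if not any(grants(st, rule_acct, REQUIRED_ACTION[kind], dest_arn) for st in statements):
            findings.append(f"{kind}: no Allow statement grants {REQUIRED_ACTION[kind]} on {dest_arn} to account {rule_acct}")
    return findings


# Constructed sample: the S3 rule payload and bucket policy from this page.
S3_RULE = json.dumps({
    "sql": "SELECT * FROM 'iot/test'", "ruleDisabled": False, "awsIotSqlVersion": "2016-03-23",
    "actions": [{"s3": {"bucketName": "amzn-s3-demo-bucket", "key": "${topic()}/${timestamp()}",
                        "roleArn": "arn:aws:iam::1111-1111-1111:role/my-iot-role"}}]})
S3_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AddCannedAcl", "Effect": "Allow",
                   "Principal": {"AWS": ["arn:aws:iam::1111-1111-1111:root"]},
                   "Action": "s3:PutObject", "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*"}]})

# Constructed sample: the SQS rule payload from this page and a queue policy
# that is too broad (Principal "*" lets anyone send to the queue).
SQS_RULE = json.dumps({
    "sql": "SELECT * FROM 'iot/test'", "ruleDisabled": False, "awsIotSqlVersion": "2016-03-23",
    "actions": [{"sqs": {"queueUrl": "https://sqs.region.amazonaws.com/2222-2222-2222/ExampleQueue",
                         "roleArn": "arn:aws:iam::1111-1111-1111:role/my-iot-role", "useBase64": False}}]})
SQS_OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Open", "Effect": "Allow", "Principal": "*",
                   "Action": "SQS:SendMessage", "Resource": "arn:aws:sqs:region:2222-2222-2222:ExampleQueue"}]})

if __name__ == "__main__":
    print(check_rule_against_policy(S3_RULE, S3_BUCKET_POLICY))   # [] (consistent)
    print(check_rule_against_policy(SQS_RULE, SQS_OPEN_POLICY))   # one "Principal '*'" finding
```

Run it against the documents you are about to apply (the `file://` payload and the policy `add-permission` or `put-bucket-policy` will install) before running the CLI commands; the account id is taken from the rule's `roleArn`, which is the identity account B actually has to trust. The check is deliberately conservative: it only recognises the exact action, the service wildcard and `*`, and treats a `*` principal as a finding even when it would technically satisfy the grant.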
Cross-account setup for Amazon Lambda
Scenario: Account A invokes an Amazon Lambda function of account B, passing in an MQTT message.

Amazon Web Services account | Account referred to as | Description
---|---|---
1111-1111-1111 | Account A | Rule action: lambda:InvokeFunction
2222-2222-2222 | Account B | Lambda function ARN: arn:aws:lambda:region:2222-2222-2222:function:example-function
Do the Account A tasks

Note
To run the following commands, your IAM user should have permissions to the iot:CreateTopicRule action with the rule ARN as the resource, and permissions to the iam:PassRole action with the role ARN as the resource.

- Configure the Amazon CLI using account A's IAM user.
- Run the create-topic-rule command to create a rule that defines cross-account access to account B's Lambda function:

    aws iot create-topic-rule --rule-name my-rule --topic-rule-payload file://./my-rule.json

  The following is an example payload file with a rule that passes all messages sent to the iot/test topic to the specified Lambda function. The SQL statement filters the messages; the Lambda action carries no role ARN, because permission to invoke the function is granted to Amazon IoT by the function's resource-based policy in account B.

    {
        "sql": "SELECT * FROM 'iot/test'",
        "ruleDisabled": false,
        "awsIotSqlVersion": "2016-03-23",
        "actions": [
            {
                "lambda": {
                    "functionArn": "arn:aws:lambda:region:2222-2222-2222:function:example-function"
                }
            }
        ]
    }

  For more information about how to define an Amazon Lambda action in an Amazon IoT rule, see Amazon IoT rule actions - Lambda.
Do the Account B tasks
- Configure the Amazon CLI using account B's IAM user.
- Run Lambda's add-permission command to give Amazon IoT rules permission to invoke the Lambda function. To run the following command, your IAM user should have permission to the lambda:AddPermission action.

    aws lambda add-permission \
        --function-name example-function \
        --region us-east-1 \
        --principal iot.amazonaws.com \
        --source-arn arn:aws:iot:region:1111-1111-1111:rule/example-rule \
        --source-account 1111-1111-1111 \
        --statement-id "unique_id" \
        --action "lambda:InvokeFunction"

  Options:

  --principal
  This field gives permission to Amazon IoT (represented by iot.amazonaws.com) to call the Lambda function.

  --source-arn
  This field confirms that only arn:aws:iot:region:1111-1111-1111:rule/example-rule in Amazon IoT triggers this Lambda function, and that no other rule in the same or a different account can activate it.

  --source-account
  This field confirms that Amazon IoT activates this Lambda function only on behalf of the 1111-1111-1111 account.

Note
If you see the error message "The rule could not be found" in your Amazon Lambda function's console under Configuration, ignore it and proceed to test the connection.
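The Lambda grant differs from the SQS, SNS and S3 grants: the principal is the iot.amazonaws.com service rather than account A, so the --source-arn and --source-account options are what keep a rule in some other account (or another rule in account A) from invoking the function through the same service principal. The following Python script is an added example, not code from the AWS documentation: it inspects the statement that add-permission writes into the function's policy and reports a grant that lacks those conditions, or whose conditions do not match the rule that account A actually created. The policy documents are constructed samples in the shape Lambda generates for the command above (statement id unique_id, AWS:SourceArn under ArnLike, AWS:SourceAccount under StringEquals). Note that the page's rule is created as my-rule while the --source-arn names example-rule; the script flags exactly that kind of mismatch, since the ARN must name the rule that exists.

```python
# Added example (not from the AWS documentation): verify that the statement
# `aws lambda add-permission` added to account B's function policy is scoped
# to the Amazon IoT rule that account A created. Policies below are
# constructed samples in the shape Lambda generates.
import fnmatch
import json


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_values(statement, key):
    """Values for a condition key (matched case-insensitively) across all operators."""
    for operator_values in statement.get("Condition", {}).values():
        for k, v in operator_values.items():
            if k.lower() == key.lower():
                return _as_list(v)
    return []


def rule_arn(account, region, name):
    return f"arn:aws:iot:{region}:{account}:rule/{name}"


def check_lambda_grant(policy_json, rule_arn, function_arn):
    """Findings for the IoT invoke grant; an empty list means it is scoped to this rule."""
    rule_account = rule_arn.split(":")[4]
    findings, matched = [], False
    for st in _as_list(json.loads(policy_json)["Statement"]):
        if st.get("Effect") != "Allow" or st.get("Resource") != function_arn:
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if not actions & {"lambda:invokefunction", "lambda:*", "*"}:
            continue
        principal = st.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if "iot.amazonaws.com" not in services:
            continue
        matched = True
        sid = st.get("Sid", "<no Sid>")
        source_arns = _condition_values(st, "AWS:SourceArn")
        source_accounts = _condition_values(st, "AWS:SourceAccount")
        if not source_arns:
            findings.append(f"{sid}: no aws:SourceArn condition; any IoT rule in any account could invoke this function")
        elif not any(fnmatch.fnmatchcase(rule_arn, p) for p in source_arns):
            findings.append(f"{sid}: aws:SourceArn {source_arns} does not name the rule that was created ({rule_arn})")
        if not source_accounts:
            findings.append(f"{sid}: no aws:SourceAccount condition; the grant is not tied to account {rule_account}")
        elif rule_account not in source_accounts:
            findings.append(f"{sid}: aws:SourceAccount {source_accounts} is not the rule's account {rule_account}")
    if not matched:
        findings.append("no Allow statement lets iot.amazonaws.com invoke " + function_arn)
    return findings


FUNCTION_ARN = "arn:aws:lambda:region:2222-2222-2222:function:example-function"

# Constructed: the statement the add-permission command on this page produces.
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "unique_id", "Effect": "Allow",
    "Principal": {"Service": "iot.amazonaws.com"},
    "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN,
    "Condition": {"StringEquals": {"AWS:SourceAccount": "1111-1111-1111"},
                  "ArnLike": {"AWS:SourceArn": "arn:aws:iot:region:1111-1111-1111:rule/example-rule"}}}]})

# Constructed: the same grant issued without --source-arn and --source-account.
UNSCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "unique_id", "Effect": "Allow",
    "Principal": {"Service": "iot.amazonaws.com"},
    "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN}]})

if __name__ == "__main__":
    created = rule_arn("1111-1111-1111", "region", "example-rule")
    print(check_lambda_grant(SCOPED_POLICY, created, FUNCTION_ARN))                    # []
    print(check_lambda_grant(SCOPED_POLICY, rule_arn("1111-1111-1111", "region", "my-rule"), FUNCTION_ARN))  # SourceArn mismatch
    print(check_lambda_grant(UNSCOPED_POLICY, created, FUNCTION_ARN))                  # two missing-condition findings
```

Feed it the output of `aws lambda get-policy` (the `Policy` field is the JSON document) together with the ARN of the rule you created with create-topic-rule; a clean result means the function can only be invoked by that rule in that account.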