Basic Amazon IoT Core policy variables - Amazon IoT Core
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Basic Amazon IoT Core policy variables

Amazon IoT Core defines the following basic policy variables:

  • iot:ClientId: The client ID used to connect to the Amazon IoT Core message broker.

  • aws:SourceIp: The IP address of the client connected to the Amazon IoT Core message broker.

The following Amazon IoT Core policy uses both policy variables. aws:SourceIp can be used in the Condition element of your policy to allow principals to make API requests only from a specific address range. For examples, see Authorizing users and cloud services to use Amazon IoT Jobs.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Connect" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/clientid1" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Publish" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/my/topic/${iot:ClientId}" ],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "123.45.167.89"
        }
      }
    }
  ]
}

In this example, ${iot:ClientId} is replaced by the ID of the client connected to the Amazon IoT Core message broker when the policy is evaluated. Policy variables like ${iot:ClientId} can inadvertently open access to unintended topics. For example, consider a policy that uses ${iot:ClientId} in a topic filter:

{
  "Effect": "Allow",
  "Action": [ "iot:Subscribe" ],
  "Resource": [ "arn:aws:iot:us-east-1:123456789012:topicfilter/my/${iot:ClientId}/topic" ]
}

A client can connect using + as its client ID. After substitution the resource becomes the topic filter my/+/topic, and because + is the MQTT single-level wildcard, the client can subscribe to every topic that matches that filter. To close this gap, use the iot:Connect policy action to control which client IDs can connect. For example, this policy allows only a client whose client ID is clientid1 to connect:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Connect" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/clientid1" ]
    }
  ]
}

Note

Using the policy variable ${iot:ClientId} with iot:Connect is not recommended. The client ID value is not checked against anything, so an attacker who connects with another client's ID passes validation and can cause that client to be disconnected. Because any client ID is allowed, connecting with a random client ID can also bypass thing group policies.
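The substitution and the topic-filter gap described above, as an added example that is not part of this documentation: a deliberately simplified evaluator for the three statement shapes on this page (Connect, Subscribe with ${iot:ClientId}, Publish with an aws:SourceIp condition). The account, region, client ID and IP address are the page's sample values; the ARN wildcard handling via fnmatch and the single-condition model are assumptions of this example, not the service's real evaluation engine.

```python
import fnmatch
import ipaddress

ARN = "arn:aws:iot:us-east-1:123456789012:"  # account and region from the page's examples

def expand(resource, client_id):
    """Substitute the basic policy variable, as the broker does when the policy is evaluated."""
    return resource.replace("${iot:ClientId}", client_id)

def condition_holds(condition, source_ip):
    """Only the IpAddress/aws:SourceIp condition used on this page is modelled (assumption)."""
    cidr = condition.get("IpAddress", {}).get("aws:SourceIp")
    return cidr is None or ipaddress.ip_address(source_ip) in ipaddress.ip_network(cidr)

def is_allowed(policy, action, resource, client_id, source_ip="10.0.0.1"):
    """Simplified evaluator: an explicit Deny wins; otherwise any matching Allow grants."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        # '*' in an ARN is a policy wildcard; '+' is not, so it is matched literally
        if not any(fnmatch.fnmatchcase(resource, expand(r, client_id)) for r in resources):
            continue
        if not condition_holds(stmt.get("Condition", {}), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

SUBSCRIBE = {"Effect": "Allow", "Action": ["iot:Subscribe"],
             "Resource": [ARN + "topicfilter/my/${iot:ClientId}/topic"]}
PUBLISH = {"Effect": "Allow", "Action": ["iot:Publish"], "Resource": [ARN + "topic/my/topic/${iot:ClientId}"],
           "Condition": {"IpAddress": {"aws:SourceIp": "123.45.167.89"}}}
# Weak (constructed): Connect is scoped by ${iot:ClientId}, so any client ID, including '+', may connect.
WEAK = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iot:Connect"], "Resource": [ARN + "client/${iot:ClientId}"]},
    SUBSCRIBE, PUBLISH]}
# Hardened: only clientid1 may connect, as in the page's last policy.
HARDENED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iot:Connect"], "Resource": [ARN + "client/clientid1"]},
    SUBSCRIBE, PUBLISH]}

def can_subscribe(policy, client_id, topic_filter):
    """A subscription needs both a permitted Connect and a permitted Subscribe for that client ID."""
    return (is_allowed(policy, "iot:Connect", ARN + "client/" + client_id, client_id)
            and is_allowed(policy, "iot:Subscribe", ARN + "topicfilter/" + topic_filter, client_id))
```

With WEAK, a client ID of + reaches the topic filter my/+/topic; with HARDENED the same client never gets past iot:Connect.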