Basic Amazon IoT Core policy variables
Amazon IoT Core defines the following basic policy variables:

- iot:ClientId: The client ID used to connect to the Amazon IoT Core message broker.
- aws:SourceIp: The IP address of the client connected to the Amazon IoT Core message broker.
The following Amazon IoT Core policy shows a policy that uses policy variables. aws:SourceIp can be used in the Condition element of your policy to allow principals to make API requests only within a specific address range. For examples, see Authorizing users and cloud services to use Amazon IoT Jobs.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iot:Connect"],
      "Resource": ["arn:aws:iot:us-east-1:123456789012:client/clientid1"]
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Publish"],
      "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/my/topic/${iot:ClientId}"],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "123.45.167.89"
        }
      }
    }
  ]
}
In these examples, ${iot:ClientId} is replaced by the ID of the client connected to the Amazon IoT Core message broker when the policy is evaluated.
When you use policy variables like ${iot:ClientId}, you can inadvertently open access to unintended topics. For example, if you use a policy that uses ${iot:ClientId} to specify a topic filter:
{
  "Effect": "Allow",
  "Action": ["iot:Subscribe"],
  "Resource": ["arn:aws:iot:us-east-1:123456789012:topicfilter/my/${iot:ClientId}/topic"]
}
A client can connect using + as the client ID. This would allow the user to subscribe to any topic that matches the topic filter my/+/topic. To protect against such security gaps, use the iot:Connect policy action to control which client IDs can connect. For example, this policy allows only those clients whose client ID is clientid1 to connect:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iot:Connect"],
      "Resource": ["arn:aws:iot:us-east-1:123456789012:client/clientid1"]
    }
  ]
}
Note

Using the policy variable ${iot:ClientId} with iot:Connect is not recommended. There is no check on the value of ClientId, so an attacker with a different client's ID can pass the validation but cause a disconnection. Because any ClientId is allowed, setting a random client ID can bypass thing group policies.
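The following is an added example, not code from the Amazon IoT Core documentation: a small audit script for the pitfall described in this section and in the Note. It substitutes ${iot:ClientId} the way the broker does, shows why a client ID of + turns my/${iot:ClientId}/topic into the wildcard filter my/+/topic, and flags any policy whose Subscribe resource depends on ${iot:ClientId} while no iot:Connect statement pins the client ID to a fixed value (a client/* resource or client/${iot:ClientId}, as in the Note, counts as unpinned). The two sample policies and the helper names are constructed for this example.

```python
# Added example: audit Amazon IoT Core policies for the ${iot:ClientId} wildcard gap.
# Sample policies below are constructed for illustration; they are not from the page.

IOT_CLIENT_ID_VAR = "${iot:ClientId}"
ACCOUNT_ARN = "arn:aws:iot:us-east-1:123456789012"  # account prefix as used on the page


def substitute_client_id(resource: str, client_id: str) -> str:
    """Replace ${iot:ClientId} with the connecting client's ID, as done at evaluation."""
    return resource.replace(IOT_CLIENT_ID_VAR, client_id)


def topic_filter_matches(topic_filter: str, topic: str) -> bool:
    """MQTT topic-filter matching: '+' matches exactly one level, '#' the remainder."""
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    for i, level in enumerate(f_levels):
        if level == "#":
            return True
        if i >= len(t_levels) or (level != "+" and level != t_levels[i]):
            return False
    return len(f_levels) == len(t_levels)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _resource_name(arn: str, resource_type: str):
    """Return the part of an IoT ARN after ':<type>/' (e.g. 'client/'), or None."""
    marker = f":{resource_type}/"
    idx = arn.find(marker)
    return None if idx < 0 else arn[idx + len(marker):]


def _pins_client_id(client_resource: str) -> bool:
    """True when an iot:Connect resource names one fixed client ID."""
    return "*" not in client_resource and IOT_CLIENT_ID_VAR not in client_resource


def audit_policy(policy: dict) -> list:
    """Report Subscribe filters scoped by ${iot:ClientId} when Connect does not pin the ID."""
    connect_ids, variable_filters = [], []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        for arn in _as_list(stmt.get("Resource", [])):
            if "iot:Connect" in actions:
                name = _resource_name(arn, "client")
                if name is not None:
                    connect_ids.append(name)
            if "iot:Subscribe" in actions and IOT_CLIENT_ID_VAR in arn:
                variable_filters.append(arn)

    findings = []
    if not connect_ids:
        findings.append("no iot:Connect statement: this policy does not constrain client IDs")
    for cid in connect_ids:
        if not _pins_client_id(cid):
            findings.append(f"iot:Connect resource 'client/{cid}' accepts any client ID")
    if not connect_ids or not all(_pins_client_id(c) for c in connect_ids):
        for arn in variable_filters:
            widened = substitute_client_id(arn, "+")
            findings.append(f"'{arn}' becomes '{widened}' for a client connecting as '+'")
    return findings


# Constructed: Connect accepts any client ID while Subscribe is scoped by ${iot:ClientId}.
RISKY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iot:Connect"],
         "Resource": [f"{ACCOUNT_ARN}:client/*"]},
        {"Effect": "Allow", "Action": ["iot:Subscribe"],
         "Resource": [f"{ACCOUNT_ARN}:topicfilter/my/{IOT_CLIENT_ID_VAR}/topic"]},
    ],
}

# Constructed: same Subscribe statement, but Connect pins the client ID to clientid1.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iot:Connect"],
         "Resource": [f"{ACCOUNT_ARN}:client/clientid1"]},
        {"Effect": "Allow", "Action": ["iot:Subscribe"],
         "Resource": [f"{ACCOUNT_ARN}:topicfilter/my/{IOT_CLIENT_ID_VAR}/topic"]},
    ],
}

if __name__ == "__main__":
    for label, policy in (("risky", RISKY_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, audit_policy(policy) or ["no findings"])
```

Run it against a policy document exported from your account (for example via `json.load` on the saved policy) to get the same findings list; a hardened policy returns an empty list because every iot:Connect resource names a single client ID, which is exactly the control the section recommends.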