Certificate policy examples
For devices registered in Amazon IoT Core registry, the following policy grants
permission to connect to Amazon IoT Core with a client ID that matches a thing name,
and to publish to a topic whose name is equal to the certificateId
of the certificate the device used to authenticate itself:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Publish" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/${iot:CertificateId}"] }, { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"] } ] }
For devices not registered in the Amazon IoT Core registry, the following policy
grants permission to connect to Amazon IoT Core with client IDs, client1,
client2, and client3 and to publish to a topic
whose name is equal to the certificateId of the certificate the
device used to authenticate itself:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Publish" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/${iot:CertificateId}"] }, { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/client1", "arn:aws:iot:us-east-1:123456789012:client/client2", "arn:aws:iot:us-east-1:123456789012:client/client3" ] } ] }
For devices registered in Amazon IoT Core registry, the following policy grants
permission to connect to Amazon IoT Core with a client ID that matches the thing name,
and to publish to a topic whose name is equal to the subject's
CommonName field of the certificate the device used to
authenticate itself:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Publish" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/${iot:Certificate.Subject.CommonName}"] }, { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"] } ] }
Note
In this example, the certificate's subject common name is used as the topic identifier, with the assumption that the subject common name is unique for each registered certificate. If the certificates are shared across multiple devices, the subject common name is the same for all the devices that share this certificate, thereby allowing publish privileges to the same topic from multiple devices (not recommended).
For devices not registered in Amazon IoT Core registry, the following policy grants
permission to connect to Amazon IoT Core with client IDs, client1,
client2, and client3 and to publish to a topic
whose name is equal to the subject's CommonName field of the
certificate the device used to authenticate itself:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Publish" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/${iot:Certificate.Subject.CommonName}"] }, { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/client1", "arn:aws:iot:us-east-1:123456789012:client/client2", "arn:aws:iot:us-east-1:123456789012:client/client3" ] } ] }
Note
In this example, the certificate's subject common name is used as the topic identifier, with the assumption that the subject common name is unique for each registered certificate. If the certificates are shared across multiple devices, the subject common name is the same for all the devices that share this certificate, thereby allowing publish privileges to the same topic from multiple devices (not recommended).
For devices registered in the Amazon IoT Core registry, the following policy grants
permission to connect to Amazon IoT Core with a client ID that matches the thing name,
and to publish to a topic whose name is prefixed with admin/ when
the certificate used to authenticate the device has its
Subject.CommonName.2 field set to
Administrator:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"] }, { "Effect": "Allow", "Action": [ "iot:Publish" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/admin/*"], "Condition": { "StringEquals": { "iot:Certificate.Subject.CommonName.2": "Administrator" } } } ] }
For devices not registered in Amazon IoT Core registry, the following policy grants
permission to connect to Amazon IoT Core with client IDs client1,
client2, and client3 and to publish to a topic
whose name is prefixed with admin/ when the certificate used to
authenticate the device has its Subject.CommonName.2 field set to
Administrator:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/client1", "arn:aws:iot:us-east-1:123456789012:client/client2", "arn:aws:iot:us-east-1:123456789012:client/client3" ] }, { "Effect": "Allow", "Action": [ "iot:Publish" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/admin/*"], "Condition": { "StringEquals": { "iot:Certificate.Subject.CommonName.2": "Administrator" } } } ] }
For devices registered in Amazon IoT Core registry, the following policy allows a
device to use its thing name to publish on a specific topic that consists of
admin/ followed by the ThingName when the
certificate used to authenticate the device has any one of its
Subject.CommonName fields set to
Administrator:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"] }, { "Effect": "Allow", "Action": [ "iot:Publish" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/admin/${iot:Connection.Thing.ThingName}"], "Condition": { "ForAnyValue:StringEquals": { "iot:Certificate.Subject.CommonName.List": "Administrator" } } } ] }
For devices not registered in Amazon IoT Core registry, the following policy grants
permission to connect to Amazon IoT Core with client IDs client1,
client2, and client3 and to publish to the topic
admin when the certificate used to authenticate the device has
any one of its Subject.CommonName fields set to
Administrator:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/client1", "arn:aws:iot:us-east-1:123456789012:client/client2", "arn:aws:iot:us-east-1:123456789012:client/client3" ] }, { "Effect": "Allow", "Action": [ "iot:Publish" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/admin"], "Condition": { "ForAnyValue:StringEquals": { "iot:Certificate.Subject.CommonName.List": "Administrator" } } } ] }