Add necessary IAM role for network analyzer - Amazon IoT Core
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Add necessary IAM role for network analyzer

When you use network analyzer, you must grant a user permission to use the API operations UpdateNetworkAnalyzerConfiguration and GetNetworkAnalyzerConfiguration to access network analyzer resources. The following shows the IAM policies that you use to grant permissions.

IAM policies for network analyzer

Use either of the following:

  • Full access wireless policy

    Grant full access to Amazon IoT Core for LoRaWAN by attaching the managed policy AWSIoTWirelessFullAccess to your role. For more information, see AWSIoTWirelessFullAccess policy summary.

  • Scoped IAM policy for Get and Update API

    Create the following IAM policy by going to the Create policy page of the IAM console, and on the Visual editor tab:

    1. Choose IoTWireless for Service.

    2. Under Access level, expand Read and choose GetNetworkAnalyzerConfiguration, and then expand Write and choose UpdateNetworkAnalyzerConfiguration.

    3. Choose Next:Tags, and enter a Name for the policy, such as IoTWirelessNetworkAnalyzerPolicy. Choose Create policy.

    The following shows the policy IoTWirelessNetworkAnalyzerPolicy that you created. For more information about creating a policy, see Create IAM policies.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "iotwireless:GetNetworkAnalyzerConfiguration",
                    "iotwireless:UpdateNetworkAnalyzerConfiguration"
                ],
                "Resource": "*"
            }
        ]
    }

Scoped policy to access specific resources

To configure more fine-grained access control, add the wireless gateways, wireless devices, and any multicast groups to the Resource field. The following policy uses wildcard ARNs to grant access to all gateways, devices, and multicast groups in the account. To restrict access to specific gateways, devices, or multicast groups, replace the trailing wildcard with the WirelessGatewayId, WirelessDeviceId, or MulticastGroupId of each resource.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iotwireless:GetNetworkAnalyzerConfiguration",
                "iotwireless:UpdateNetworkAnalyzerConfiguration"
            ],
            "Resource": [
                "arn:aws:iotwireless:*:{accountId}:WirelessDevice/*",
                "arn:aws:iotwireless:*:{accountId}:WirelessGateway/*",
                "arn:aws:iotwireless:*:{accountId}:MulticastGroup/*",
                "arn:aws:iotwireless:*:{accountId}:NetworkAnalyzerConfiguration/*"
            ]
        }
    ]
}

To grant a user permission to use network analyzer but not to use any wireless resources or multicast groups, use the following policy. Unless specified, permissions to use the resources are implicitly denied.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iotwireless:GetNetworkAnalyzerConfiguration",
                "iotwireless:UpdateNetworkAnalyzerConfiguration"
            ],
            "Resource": [
                "arn:aws:iotwireless:*:{accountId}:NetworkAnalyzerConfiguration/*"
            ]
        }
    ]
}
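The two scoped policies above differ only in which ARNs appear under Resource. The following Python script is an added example (not code from the Amazon IoT Core documentation or from any AWS SDK) that builds a network analyzer policy from explicit WirelessDeviceId, WirelessGatewayId, and MulticastGroupId values, and then reports which Resource entries still carry a wildcard, so you can confirm a policy is as narrow as you intended before attaching it. The helper names, the account ID 123456789012, and the device and gateway IDs are all constructed for the example; only the actions and the ARN resource types come from this page.

```python
import json

# Actions named on this page; constructed from the page, not taken from an AWS SDK.
NETWORK_ANALYZER_ACTIONS = [
    "iotwireless:GetNetworkAnalyzerConfiguration",
    "iotwireless:UpdateNetworkAnalyzerConfiguration",
]

# Resource types that appear in the page's ARNs.
RESOURCE_TYPES = (
    "WirelessDevice",
    "WirelessGateway",
    "MulticastGroup",
    "NetworkAnalyzerConfiguration",
)


def resource_arn(account_id, resource_type, resource_id="*", region="*"):
    """Build an iotwireless ARN in the same form the page's policies use."""
    if resource_type not in RESOURCE_TYPES:
        raise ValueError(f"unknown iotwireless resource type: {resource_type}")
    return f"arn:aws:iotwireless:{region}:{account_id}:{resource_type}/{resource_id}"


def build_network_analyzer_policy(account_id, device_ids=(), gateway_ids=(),
                                  multicast_group_ids=(), config_ids=("*",), region="*"):
    """Return a policy document allowing the two network analyzer actions on the listed resources.

    Hypothetical helper: access to NetworkAnalyzerConfiguration is always included, because
    both API operations act on it; devices, gateways, and multicast groups are added only
    when explicit IDs are passed, so omitting them leaves those resources implicitly denied.
    """
    resources = [resource_arn(account_id, "NetworkAnalyzerConfiguration", c, region) for c in config_ids]
    resources += [resource_arn(account_id, "WirelessDevice", d, region) for d in device_ids]
    resources += [resource_arn(account_id, "WirelessGateway", g, region) for g in gateway_ids]
    resources += [resource_arn(account_id, "MulticastGroup", m, region) for m in multicast_group_ids]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": list(NETWORK_ANALYZER_ACTIONS),
                "Resource": resources,
            }
        ],
    }


def wildcard_resources(policy):
    """List every Resource entry of an Allow statement that is a bare '*' or ends in '/*'.

    A scoped policy that names specific devices and gateways should report only the
    NetworkAnalyzerConfiguration wildcard (or nothing, if a configuration ID was given).
    """
    findings = []
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        resources = statement.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        findings.extend(r for r in resources if r == "*" or r.endswith("/*"))
    return findings


if __name__ == "__main__":
    # Constructed sample: placeholder account ID and made-up device and gateway IDs.
    policy = build_network_analyzer_policy(
        "123456789012",
        device_ids=["device-id-1"],
        gateway_ids=["gateway-id-1"],
    )
    print(json.dumps(policy, indent=4))
    print("wildcard resources:", wildcard_resources(policy))
```

Running the script prints a policy that allows the two actions on one device, one gateway, and all network analyzer configurations, and the check reports only the NetworkAnalyzerConfiguration/* entry. Running wildcard_resources over the first policy on this page (Resource set to "*") reports the bare wildcard, which is the signal that a reviewer would expect to see removed before the policy is scoped.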

Next steps

Now that you've created the policy, you can add resources to your network analyzer configuration and receive trace messaging information for those resources. For more information, see Create a network analyzer configuration and add resources.