Connect policy examples - Amazon IoT Core
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Connect policy examples

The following policy grants permission to connect to Amazon IoT Core with client ID client1:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/client1" ] } ] }

The following policy denies permission to client IDs client1 and client2 to connect to Amazon IoT Core, while allowing devices to connect using a client ID that matches the name of a thing registered in the Amazon IoT Core registry:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": [ "iot:Connect" ], "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/client1", "arn:aws:iot:us-east-1:123456789012:client/client2" ] }, { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}" ] } ] }

MQTT persistent sessions policy examples

connectAttributes allow you to specify what attributes you want to use in your connect message in your IAM policies such as PersistentConnect and LastWill. For more information, see Using connectAttributes

The following policy allows connect with PersistentConnect feature:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": "*", "Condition": { "ForAllValues:StringEquals": { "iot:ConnectAttributes": [ "PersistentConnect" ] } } } ] }

The following policy disallows PersistentConnect, other features are allowed:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": "*", "Condition": { "ForAllValues:StringNotEquals": { "iot:ConnectAttributes": [ "PersistentConnect" ] } } } ]

The above policy can also be expressed using StringEquals, any other feature including new feature is allowed:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": "*" }, { "Effect": "Deny", "Action": [ "iot:Connect" ], "Resource": "*", "Condition": { "ForAnyValue:StringEquals": { "iot:ConnectAttributes": [ "PersistentConnect" ] } } } ] }

The following policy allows connect by both PersistentConnect and LastWill, any other new feature is not allowed:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": "*", "Condition": { "ForAllValues:StringEquals": { "iot:ConnectAttributes": [ "PersistentConnect", "LastWill" ] } } } ] }

The following policy allows clean connect by clients with or without LastWill, no other features will be allowed:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": "*", "Condition": { "ForAllValues:StringEquals": { "iot:ConnectAttributes": [ "LastWill" ] } } } ] }

The following policy only allows connect using default features:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": "*", "Condition": { "ForAllValues:StringEquals": { "iot:ConnectAttributes": [ ] } } } ] }

The following policy allows connect only with PersistentConnect, any new feature is allowed as long as the connection uses PersistentConnect:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": "*", "Condition": { "ForAnyValue:StringEquals": { "iot:ConnectAttributes": [ "PersistentConnect" ] } } } ] }

The following policy states the connect must have both PersistentConnect and LastWill usage, no new feature is allowed:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": "*", "Condition": { "ForAllValues:StringEquals": { "iot:ConnectAttributes": [ "PersistentConnect", "LastWill" ] } } }, { "Effect": "Deny", "Action": [ "iot:Connect" ], "Resource": "*", "Condition": { "ForAllValues:StringEquals": { "iot:ConnectAttributes": [ "PersistentConnect" ] } } }, { "Effect": "Deny", "Action": [ "iot:Connect" ], "Resource": "*", "Condition": { "ForAllValues:StringEquals": { "iot:ConnectAttributes": [ "LastWill" ] } } }, { "Effect": "Deny", "Action": [ "iot:Connect" ], "Resource": "*", "Condition": { "ForAllValues:StringEquals": { "iot:ConnectAttributes": [ ] } } } ] }

The following policy must not have PersistentConnect but can have LastWill, any other new feature is not allowed:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": [ "iot:Connect" ], "Resource": "*", "Condition": { "ForAnyValue:StringEquals": { "iot:ConnectAttributes": [ "PersistentConnect" ] } } }, { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": "*", "Condition": { "ForAllValues:StringEquals": { "iot:ConnectAttributes": [ "LastWill" ] } } } ] }

The following policy allows connect only by clients that have a LastWill with topic "my/lastwill/topicName", any feature is allowed as long as it uses the LastWill topic:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": "*", "Condition": { "ArnEquals": { "iot:LastWillTopic": "arn:aws:iot:*region*:*account-id*:topic/*my/lastwill/topicName*" } } } ] }

The following policy only allows clean connect using a specific LastWillTopic, any feature is allowed as long as it uses the LastWillTopic:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": "*", "Condition": { "ArnEquals": { "iot:LastWillTopic": "arn:aws:iot:*region*:*account-id*:topic/*my/lastwill/topicName*" } } }, { "Effect": "Deny", "Action": [ "iot:Connect" ], "Resource": "*", "Condition": { "ForAnyValue:StringEquals": { "iot:ConnectAttributes": [ "PersistentConnect" ] } } } ] }
Registered devices (3)

The following policy grants permission for a device to connect using its thing name as the client ID and to subscribe to the topic filter my/topic/filter. The device must be registered with Amazon IoT Core. When the device connects to Amazon IoT Core, it must provide the certificate associated with the IoT thing in the Amazon IoT Core registry:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}" ] }, { "Effect": "Allow", "Action": [ "iot:Subscribe" ], "Resource": [ "arn:aws:iot:us-east-1:123456789012:topicfilter/my/topic/filter" ] } ] }
Unregistered devices (3)

For devices not registered as things in the Amazon IoT Core registry, the following policy grants permission to connect using client ID client1 and to subscribe to topic filter my/topic:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/client1" ] }, { "Effect": "Allow", "Action": [ "iot:Subscribe" ], "Resource": [ "arn:aws:iot:us-east-1:123456789012:topicfilter/my/topic" ] } ] }