Connect policy examples
The following policy grants permission to connect to Amazon IoT Core with client ID
client1:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/client1" ] } ] }
The following policy denies permission to client IDs client1 and
client2 to connect to Amazon IoT Core, while allowing devices to
connect using a client ID that matches the name of a thing registered in the
Amazon IoT Core registry:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": [ "iot:Connect" ], "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/client1", "arn:aws:iot:us-east-1:123456789012:client/client2" ] }, { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}" ] } ] }
MQTT persistent sessions policy examples
connectAttributes allow you to specify what attributes you
want to use in your connect message in your IAM policies such as
PersistentConnect and LastWill. For more
information, see Using connectAttributes
The following policy allows connect with PersistentConnect
feature:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": "*", "Condition": { "ForAllValues:StringEquals": { "iot:ConnectAttributes": [ "PersistentConnect" ] } } } ] }
The following policy disallows PersistentConnect, other
features are allowed:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": "*", "Condition": { "ForAllValues:StringNotEquals": { "iot:ConnectAttributes": [ "PersistentConnect" ] } } } ]
The above policy can also be expressed using StringEquals,
any other feature including new feature is allowed:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": "*" }, { "Effect": "Deny", "Action": [ "iot:Connect" ], "Resource": "*", "Condition": { "ForAnyValue:StringEquals": { "iot:ConnectAttributes": [ "PersistentConnect" ] } } } ] }
The following policy allows connect by both PersistentConnect
and LastWill, any other new feature is not allowed:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": "*", "Condition": { "ForAllValues:StringEquals": { "iot:ConnectAttributes": [ "PersistentConnect", "LastWill" ] } } } ] }
The following policy allows clean connect by clients with or without
LastWill, no other features will be allowed:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": "*", "Condition": { "ForAllValues:StringEquals": { "iot:ConnectAttributes": [ "LastWill" ] } } } ] }
The following policy only allows connect using default features:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": "*", "Condition": { "ForAllValues:StringEquals": { "iot:ConnectAttributes": [ ] } } } ] }
The following policy allows connect only with
PersistentConnect, any new feature is allowed as long as
the connection uses PersistentConnect:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": "*", "Condition": { "ForAnyValue:StringEquals": { "iot:ConnectAttributes": [ "PersistentConnect" ] } } } ] }
The following policy states the connect must have both
PersistentConnect and LastWill usage, no new
feature is allowed:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": "*", "Condition": { "ForAllValues:StringEquals": { "iot:ConnectAttributes": [ "PersistentConnect", "LastWill" ] } } }, { "Effect": "Deny", "Action": [ "iot:Connect" ], "Resource": "*", "Condition": { "ForAllValues:StringEquals": { "iot:ConnectAttributes": [ "PersistentConnect" ] } } }, { "Effect": "Deny", "Action": [ "iot:Connect" ], "Resource": "*", "Condition": { "ForAllValues:StringEquals": { "iot:ConnectAttributes": [ "LastWill" ] } } }, { "Effect": "Deny", "Action": [ "iot:Connect" ], "Resource": "*", "Condition": { "ForAllValues:StringEquals": { "iot:ConnectAttributes": [ ] } } } ] }
The following policy must not have PersistentConnect but can
have LastWill, any other new feature is not allowed:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": [ "iot:Connect" ], "Resource": "*", "Condition": { "ForAnyValue:StringEquals": { "iot:ConnectAttributes": [ "PersistentConnect" ] } } }, { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": "*", "Condition": { "ForAllValues:StringEquals": { "iot:ConnectAttributes": [ "LastWill" ] } } } ] }
The following policy allows connect only by clients that have a
LastWill with topic "my/lastwill/topicName",
any feature is allowed as long as it uses the LastWill
topic:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": "*", "Condition": { "ArnEquals": { "iot:LastWillTopic": "arn:aws:iot:*region*:*account-id*:topic/*my/lastwill/topicName*" } } } ] }
The following policy only allows clean connect using a specific
LastWillTopic, any feature is allowed as long as it uses
the LastWillTopic:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": "*", "Condition": { "ArnEquals": { "iot:LastWillTopic": "arn:aws:iot:*region*:*account-id*:topic/*my/lastwill/topicName*" } } }, { "Effect": "Deny", "Action": [ "iot:Connect" ], "Resource": "*", "Condition": { "ForAnyValue:StringEquals": { "iot:ConnectAttributes": [ "PersistentConnect" ] } } } ] }