Connect policy examples - Amazon IoT Core
MQTT persistent sessions policy examples
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Connect policy examples

The following policy denies permission to client IDs client1 and client2 to connect to Amazon IoT Core, while allowing devices to connect using a client ID. The client ID matches the name of a thing that's registered in the Amazon IoT Core registry and attached to the principal that's used for connection:

Note

For registered devices, we recommend that you use thing policy variables for Connect actions and attach the thing to the principal that's used for the connection.

JSON
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Deny",
			"Action": [
				"iot:Connect"
			],
			"Resource": [
				"arn:aws:iot:us-east-1:123456789012:client/client1",
				"arn:aws:iot:us-east-1:123456789012:client/client2"
			]
		},
		{
			"Effect": "Allow",
			"Action": [
				"iot:Connect"
			],
			"Resource": [
				"arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"
			],
			"Condition": {
				"Bool": {
					"iot:Connection.Thing.IsAttached": "true"
				}
			}
		}
	]
}

The following policy grants permission to connect to Amazon IoT Core with client ID client1. This policy example is for unregistered devices.

JSON
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"iot:Connect"
			],
			"Resource": [
				"arn:aws:iot:us-east-1:123456789012:client/client1"
			]
		}
	]
}

MQTT persistent sessions policy examples

connectAttributes allow you to specify what attributes you want to use in your connect message in your IAM policies such as PersistentConnect and LastWill. For more information, see Using connectAttributes.

The following policy allows connect with PersistentConnect feature:

JSON
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"iot:Connect"
			],
			"Resource": "arn:aws:iot:us-east-1:123456789012:client/client1",
			"Condition": {
				"ForAllValues:StringEquals": {
					"iot:ConnectAttributes": [
						"PersistentConnect"
					]
				}
			}
		}
	]
}

The following policy disallows PersistentConnect, other features are allowed:

JSON
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"iot:Connect"
			],
			"Resource": "arn:aws:iot:us-east-1:123456789012:client/client1",
			"Condition": {
				"ForAllValues:StringNotEquals": {
					"iot:ConnectAttributes": [
						"PersistentConnect"
					]
				}
			}
		}
	]
}

The above policy can also be expressed using StringEquals, any other feature including new feature is allowed:

JSON
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iot:Connect"
            ],
            "Resource": "arn:aws:iot:us-east-1:123456789012:client/client1"
        },
        {
            "Effect": "Deny",
            "Action": [
                "iot:Connect"
            ],
            "Resource": "*",
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "iot:ConnectAttributes": [
                        "PersistentConnect"
                    ]
                }
            }
        }
    ]
}

The following policy allows connect by both PersistentConnect and LastWill, any other new feature is not allowed:

JSON
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"iot:Connect"
			],
			"Resource": "arn:aws:iot:us-east-1:123456789012:client/client1",
			"Condition": {
				"ForAllValues:StringEquals": {
					"iot:ConnectAttributes": [
						"PersistentConnect",
						"LastWill"
					]
				}
			}
		}
	]
}

The following policy allows clean connect by clients with or without LastWill, no other features will be allowed:

JSON
{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "iot:Connect"
        ],
        "Resource": "arn:aws:iot:us-east-1:123456789012:client/client1",
        "Condition": {
            "StringEquals": {
                "iot:ConnectAttributes": "LastWill"
            }
        }
    }]
}

The following policy only allows connect using default features:

JSON
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"iot:Connect"
			],
			"Resource": "arn:aws:iot:us-east-1:123456789012:client/client1",
			"Condition": {
				"ForAllValues:StringEquals": {
					"iot:ConnectAttributes": []
				}
			}
		}
	]
}

The following policy allows connect only with PersistentConnect, any new feature is allowed as long as the connection uses PersistentConnect:

JSON
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iot:Connect"
            ],
            "Resource": "arn:aws:iot:us-east-1:123456789012:client/client1",
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "iot:ConnectAttributes": [
                        "PersistentConnect"
                    ]
                }
            }
        }
    ]
}

The following policy states the connect must have both PersistentConnect and LastWill usage, no new feature is allowed:

JSON
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"iot:Connect"
			],
			"Resource": "arn:aws:iot:us-east-1:123456789012:client/client1",
			"Condition": {
				"ForAllValues:StringEquals": {
					"iot:ConnectAttributes": [
						"PersistentConnect",
						"LastWill"
					]
				}
			}
		},
		{
			"Effect": "Deny",
			"Action": [
				"iot:Connect"
			],
			"Resource": "*",
			"Condition": {
				"ForAllValues:StringEquals": {
					"iot:ConnectAttributes": [
						"PersistentConnect"
					]
				}
			}
		},
		{
			"Effect": "Deny",
			"Action": [
				"iot:Connect"
			],
			"Resource": "*",
			"Condition": {
				"ForAllValues:StringEquals": {
					"iot:ConnectAttributes": [
						"LastWill"
					]
				}
			}
		},
		{
			"Effect": "Deny",
			"Action": [
				"iot:Connect"
			],
			"Resource": "*",
			"Condition": {
				"ForAllValues:StringEquals": {
					"iot:ConnectAttributes": []
				}
			}
		}
	]
}

The following policy must not have PersistentConnect but can have LastWill, any other new feature is not allowed:

JSON
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "iot:Connect"
            ],
            "Resource": "*",
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "iot:ConnectAttributes": [
                        "PersistentConnect"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iot:Connect"
            ],
            "Resource": "arn:aws:iot:us-east-1:123456789012:client/client1",
            "Condition": {
                "ForAllValues:StringEquals": {
                    "iot:ConnectAttributes": [
                        "LastWill"
                    ]
                }
            }
        }
    ]
}

The following policy allows connect only by clients that have a LastWill with topic "my/lastwill/topicName", any feature is allowed as long as it uses the LastWill topic:

JSON
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iot:Connect"
            ],
            "Resource": "arn:aws:iot:us-east-1:123456789012:client/client1",
            "Condition": {
                "ArnEquals": {
                "iot:LastWillTopic": "arn:aws:iot:us-east-1:123456789012:topic/my/lastwill/topicName"
                }
            }
        }
    ]
}

The following policy only allows clean connect using a specific LastWillTopic, any feature is allowed as long as it uses the LastWillTopic:

JSON
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iot:Connect"
            ],
            "Resource": "arn:aws:iot:us-east-1:123456789012:client/client1",
            "Condition": {
                "ArnEquals": {
                "iot:LastWillTopic": "arn:aws:iot:us-east-1:123456789012:topic/my/lastwill/topicName"
                }
            }
        },
        {
            "Effect": "Deny",
            "Action": [
                "iot:Connect"
            ],
            "Resource": "*",
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "iot:ConnectAttributes": [
                        "PersistentConnect"
                    ]
                }
            }
        }
    ]
}