Amazon IoT Core action resources - Amazon IoT Core
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon IoT Core action resources

To specify a resource for an Amazon IoT Core policy action, use the Amazon Resource Name (ARN) of the resource. All resource ARNs follow the following format:


The following table shows the resource to specify for each action type. The ARN examples are for the account ID 123456789012, in the partition aws, and specific to the region us-east-1. For more information about the formats for ARNs, see Amazon Resource Names (ARNs) from the Amazon Identity and Access Management User Guide.

Action Resource type Resource name ARN example
iot:Connect client

The client's client ID

iot:DeleteThingShadow thing

The thing's name, and the shadow's name, if applicable

arn:aws:iot:us-east-1:123456789012:thing/thingOne arn:aws:iot:us-east-1:123456789012:thing/thingOne/shadowOne
iotjobsdata:DescribeJobExecution thing

The thing's name

iotjobsdata:GetPendingJobExecutions thing

The thing's name

iot:GetRetainedMessage topic

A retained message topic

iot:GetThingShadow thing

The thing's name, and the shadow's name, if applicable

arn:aws:iot:us-east-1:123456789012:thing/thingOne arn:aws:iot:us-east-1:123456789012:thing/thingOne/shadowOne
iot:ListNamedShadowsForThing All All *
iot:ListRetainedMessages All All *
iot:Publish topic

A topic string

iot:Receive topic

A topic string

iot:RetainPublish topic

A topic to publish with the RETAIN flag set

iotjobsdata:StartNextPendingJobExecution thing

The thing's name

iot:Subscribe topicfilter A topic filter string arn:aws:iot:us-east-1:123456789012:topicfilter/myTopicFilter
iotjobsdata:UpdateJobExecution thing

The thing's name

iot:UpdateThingShadow thing

The thing's name, and the shadow's name, if applicable

arn:aws:iot:us-east-1:123456789012:thing/thingOne arn:aws:iot:us-east-1:123456789012:thing/thingOne/shadowOne
iot:AssumeRoleWithCertificate rolealias

A role alias that points to a role ARN
