Authorizing your devices to securely use Amazon IoT Jobs on the data plane
To authorize your devices to interact securely with Amazon IoT Jobs on the data plane, you must use Amazon IoT Core policies. Amazon IoT Core policies for jobs are JSON documents containing policy statements. These policies also use Effect, Action, and Resource elements, and follow a similar convention to IAM policies. For more information about the elements, see IAM JSON Policy Elements Reference in the IAM user Guide.
The policies can be used with both MQTT and HTTPS protocols and must use TCP or TLS mutual authentication to authenticate the devices. The following shows how to use these policies across the different communication protocols.
Warning
We recommend that you don't use wildcard permissions, such as "Action":
["iot:*"] in your IAM policies or Amazon IoT Core policies. Using wildcard
permissions is not a recommended security best practice. For more information, see
Amazon IoT
policy overly permissive.
Amazon IoT Core policies for MQTT protocol
Amazon IoT Core policies for MQTT protocol grant you permissions to use the jobs device MQTT API actions. The MQTT API operations are used to work with MQTT topics that are reserved for jobs commands. For more information about these API operations, see Jobs device MQTT API operations.
MQTT policies use policy actions such as iot:Connect,
iot:Publish, iot:Subscribe, and
iot:Receieve to work with the jobs topics. These policies allow you
to connect to the message broker, subscribe to the jobs MQTT topics, and send and
receive MQTT messages between your devices and the cloud. For more information about
these actions, see Amazon IoT Core policy actions.
For information about topics for Amazon IoT Jobs, see Job topics.
The following example shows how you can use iot:Publish and
iot:Subscribe to publish and subscribe to jobs and job
executions.
In the example, replace:
-
regionwith your Amazon Web Services Region, such asus-east-1. -
account-idwith your Amazon Web Services account number, such as57EXAMPLE833. -
thing-namewith the name of your IoT thing for which you're targeting jobs, such asMyIoTThing.
{ "Statement": [ { "Effect": "Allow", "Action": [ "iot:Publish", "iot:Subscribe" ], "Resource": [ "arn:aws:iot:region:account-id:topic/$aws/events/job/*", "arn:aws:iot:region:account-id:topic/$aws/events/jobExecution/*", "arn:aws:iot:region:account-id:topic/$aws/things/thing-name/jobs/*" ] } ], "Version": "2012-10-17" }
Amazon IoT Core policies for HTTPS protocol
Amazon IoT Core policies on the data plane can also use the HTTPS protocol with the TLS
authentication mechanism to authorize your devices. On the data plane, policies use
the iotjobsdata: prefix to authorize jobs API operations that your
devices can perform. For example, the iotjobsdata:DescribeJobExecution
policy action grants the user permission to use the DescribeJobExecution API.
Note
The data plane policy actions must use the iotjobsdata: prefix.
On the control plane, the actions must use the iot: prefix. For an
example IAM policy when both control plane and data plane policy actions are
used, see IAM policy example for both control
plane and data plane.
The following table shows a list of Amazon IoT Core policy actions and permissions for authorizing devices to use the API actions. For a list of API operations that you can perform in the data plane, see Jobs device HTTP API.
Note
These job execution policy actions apply only to the HTTP TLS endpoint. If you use the MQTT endpoint, you must use the MQTT policy actions defined previously.
Amazon IoT Core policy actions on data plane | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Policy action | API operation | Resource types | Description | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
iotjobsdata:DescribeJobExecution |
DescribeJobExecution |
|
Represents the permission to retrieve a job execution.
The iotjobsdata:DescribeJobExecution permission
is checked every time a request is made to retrieve a job
execution. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
iotjobsdata:GetPendingJobExecutions |
GetPendingJobExecutions |
thing | Represents the permission to retrieve the list of jobs
that are not in a terminal status for a thing. The
iotjobsdata:GetPendingJobExecutions
permission is checked every time a request is made to
retrieve the list. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
iotjobsdata:StartNextPendingJobExecution |
StartNextPendingJobExecution |
thing | Represents the permission to get and start the next
pending job execution for a thing. That is, to update a job
execution with status QUEUED to IN_PROGRESS.
The iot:StartNextPendingJobExecution permission
is checked every time a request is made to start the next
pending job execution. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
iotjobsdata:UpdateJobExecution |
UpdateJobExecution |
thing | Represents the permission to update a job execution. The
iot:UpdateJobExecution permission is checked every
time a request is made to update the state of a job execution. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
The following shows an example of an Amazon IoT Core policy that grants permission to perform the actions on the data plane API operations for any resource. You can scope your policy to a specific resource, such as an IoT thing. In your example, replace:
-
regionwith your Amazon Web Services Region such asus-east-1. -
account-idwith your Amazon Web Services account number, such as57EXAMPLE833. -
thing-namewith the name of the IoT thing, such asMyIoTthing.
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "iotjobsdata:GetPendingJobExecutions", "iotjobsdata:StartNextPendingJobExecution", "iotjobsdata:DescribeJobExecution", "iotjobsdata:UpdateJobExecution" ], "Effect": "Allow", "Resource": "arn:aws:iot:region:account-id:thing/thing-name" } ] }
An example of when you must use these policies can be when your IoT devices use an
Amazon IoT Core policy to access one of these API operations, such as the following example
of the DescribeJobExecution API:
GET /things/thingName/jobs/jobId?executionNumber=executionNumber&includeJobDocument=includeJobDocument&namespaceId=namespaceId HTTP/1.1