

# Securing users and devices with Amazon IoT Jobs
<a name="iot-jobs-security"></a>

To authorize users to use Amazon IoT Jobs with their devices, you must grant them permissions by using IAM policies. The devices must then be authorized by using Amazon IoT Core policies to connect securely to Amazon IoT, receive job executions, and update the execution status.

## Required policy type for Amazon IoT Jobs
<a name="jobs-required-policy"></a>

The following table shows the different types of policies that you must use for authorization. For more information about the required policy to use, see [Authorization](iot-authorization.md).


**Required policy type**  

| Use case | Protocol | Authentication | Control plane/data plane | Identity type | Required policy type | 
| --- | --- | --- | --- | --- | --- | 
| Authorize an administrator, operator, or cloud service to work securely with Jobs | HTTPS | Amazon Signature Version 4 authentication (port 443) | Both control plane and data plane | Amazon Cognito Identity, IAM, or federated user | IAM policy | 
| Authorize your IoT device to work securely with Jobs | MQTT/HTTPS | TCP or TLS mutual authentication (port 8883 or 443) | Data plane | X.509 certificates | Amazon IoT Core policy | 

To authorize Amazon IoT Jobs operations that can be performed both on the control plane and data plane, you must use IAM policies. The identities, which must be [Amazon Cognito identities](cognito-identities.md) or [IAM users, groups, and roles](iam-users-groups-roles.md), must have been authenticated with Amazon IoT to perform these operations. For more information about authentication, see [Authentication](authentication.md).

The devices must then be authorized on the data plane by using Amazon IoT Core policies to connect securely to the device gateway. The device gateway enables devices to securely communicate with Amazon IoT, receive job executions, and update the job execution status. Device communication is secured by using the secure [MQTT](mqtt.md) or [HTTPS publish](http.md) communication protocols. These protocols use [X.509 client certificates](x509-client-certs.md) that are provided by Amazon IoT to authenticate the device connections.
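
As an added example (not code from this documentation), the following Python sketch checks whether an Amazon IoT Core policy limits a device to its own client ID and its own reserved job topics. The ARN prefix, the thing names, and both policies are constructed, and it assumes the device certificate is attached to a registered thing so that the `${iot:Connection.Thing.ThingName}` policy variable resolves.

```python
import re

THING_VAR = "${iot:Connection.Thing.ThingName}"  # IoT Core policy variable
ARN = "arn:aws:iot:us-east-1:123456789012"       # constructed placeholder region/account

# Constructed policy: any certificate holding it can use every thing's job topics.
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iot:Connect", "Resource": f"{ARN}:client/*"},
    {"Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"],
     "Resource": f"{ARN}:topic/$aws/things/*/jobs/*"},
]}

# Constructed policy: every resource is tied to the connecting thing's name.
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iot:Connect", "Resource": f"{ARN}:client/{THING_VAR}"},
    {"Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"],
     "Resource": f"{ARN}:topic/$aws/things/{THING_VAR}/jobs/*"},
    {"Effect": "Allow", "Action": "iot:Subscribe",
     "Resource": f"{ARN}:topicfilter/$aws/things/{THING_VAR}/jobs/*"},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, value):
    # Policy resources use * and ? as wildcards; everything else is literal.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value) is not None

def cross_thing_grants(policy, thing, other="some-other-thing"):
    """Return (action, resource) pairs that also cover a different thing.

    Simplified check: evaluates Allow statements only; ignores Deny and Condition.
    """
    probes = [f"{ARN}:client/{other}",
              f"{ARN}:topic/$aws/things/{other}/jobs/get",
              f"{ARN}:topicfilter/$aws/things/{other}/jobs/notify"]
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for resource in _as_list(stmt["Resource"]):
            pattern = resource.replace(THING_VAR, thing)  # resolve as the connecting thing
            if any(_matches(pattern, probe) for probe in probes):
                findings.extend((a, resource) for a in _as_list(stmt["Action"]))
    return findings

if __name__ == "__main__":
    for name, policy in (("BROAD", BROAD), ("SCOPED", SCOPED)):
        print(name, cross_thing_grants(policy, "thing-1"))
```

An empty result means that, for the probed resources, the policy grants nothing beyond the connecting thing; any finding names the action and the resource pattern that should be narrowed.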

The following topics show how you authorize your users, cloud services, and devices to use Amazon IoT Jobs. For information about control plane and data plane API operations, see [Amazon IoT jobs API operations](jobs-api.md).

**Topics**
+ [Required policy type for Amazon IoT Jobs](#jobs-required-policy)
+ [Authorizing users and cloud services to use Amazon IoT Jobs](iam-policy-users-jobs.md)
+ [Authorizing your devices to securely use Amazon IoT Jobs on the data plane](iot-data-plane-jobs.md)