Amazon IoT Core policies
Amazon IoT Core policies are JSON documents. They follow the same conventions as IAM policies. Amazon IoT Core supports named policies so many identities can reference the same policy document. Named policies are versioned so they can be easily rolled back.
Amazon IoT Core policies allow you to control access to the Amazon IoT Core data plane. The Amazon IoT Core data plane consists of operations that allow you to connect to the Amazon IoT Core message broker, send and receive MQTT messages, and get or update a thing's Device Shadow.
An Amazon IoT Core policy is a JSON document that contains one or more policy statements. Each statement contains:
- Effect, which specifies whether the action is allowed or denied.
- Action, which specifies the action the policy is allowing or denying.
- Resource, which specifies the resource or resources on which the action is allowed or denied.
Changes made to a policy can take anywhere between 6 and 8 minutes to become effective because of how Amazon IoT caches the policy documents. That is, it may take a few minutes to access a resource that has recently been granted access, and a resource may be accessible for several minutes after its access has been revoked.
Amazon IoT Core policies can be attached to X.509 certificates, Amazon Cognito identities, and thing groups. The policies attached to a thing group apply to any thing within that group. For the policy to take effect, the clientId and the thing name must match.
Amazon IoT Core policies follow the same policy evaluation logic as IAM policies. By default, all policies are implicitly denied. An explicit allow in any identity-based or resource-based policy overrides the default behavior. An explicit deny in any policy overrides any allows. For more information, see Policy evaluation logic in the Amazon Identity and Access Management User Guide.
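The following is an added example, not taken from the Amazon IoT Core documentation: a constructed policy document in the Effect/Action/Resource form described above, scoped to the connecting thing with the ${iot:Connection.Thing.ThingName} policy variable, plus a deliberately simplified model of the evaluation logic (implicit deny, explicit allow, explicit deny wins). The ARN prefix is a placeholder, the model resolves only that one variable, matches actions exactly and treats only `*` and `?` as wildcards, so it is an illustration of the rules, not a replacement for the real evaluator.

```python
import fnmatch
import json

# Placeholder prefix: substitute your own partition, region and account id.
ARN_PREFIX = "arn:aws:iot:REGION:ACCOUNT_ID"

# Constructed example policy: each thing may connect only with a client id equal
# to its thing name and may use only its own topic subtree; a Deny statement
# blocks publishing to any device's ".../admin" topic regardless of the allows.
POLICY_DOCUMENT = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect",
         "Resource": f"{ARN_PREFIX}:client/${{iot:Connection.Thing.ThingName}}"},
        {"Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"],
         "Resource": f"{ARN_PREFIX}:topic/devices/${{iot:Connection.Thing.ThingName}}/*"},
        {"Effect": "Allow", "Action": "iot:Subscribe",
         "Resource": f"{ARN_PREFIX}:topicfilter/devices/${{iot:Connection.Thing.ThingName}}/*"},
        {"Effect": "Deny", "Action": "iot:Publish",
         "Resource": f"{ARN_PREFIX}:topic/devices/*/admin"},
    ],
})


def _as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def is_allowed(policy_json, action, resource, thing_name):
    """Simplified model of the page's evaluation logic (an assumption, not the
    service's implementation): the result is False unless some matching
    statement says Allow, and any matching Deny overrides every Allow.
    Only ${iot:Connection.Thing.ThingName} is resolved; '*' and '?' are the
    policy wildcards here (the MQTT '+' and '#' have no special meaning)."""
    allowed = False
    for stmt in json.loads(policy_json)["Statement"]:
        if action not in _as_list(stmt["Action"]):
            continue
        for pattern in _as_list(stmt["Resource"]):
            pattern = pattern.replace("${iot:Connection.Thing.ThingName}", thing_name)
            if fnmatch.fnmatchcase(resource, pattern):
                if stmt["Effect"] == "Deny":
                    return False  # explicit deny overrides any allow
                allowed = True
    return allowed  # implicit deny when nothing matched
```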