Amazon IoT Core policy actions - Amazon IoT Core
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon IoT Core policy actions

The following policy actions are defined by Amazon IoT Core:

MQTT Policy Actions
iot:Connect

Represents the permission to connect to the Amazon IoT Core message broker. The iot:Connect permission is checked every time a CONNECT request is sent to the broker. The message broker doesn't allow two clients with the same client ID to stay connected at the same time. After the second client connects, the broker closes the existing connection. Use the iot:Connect permission to ensure only authorized clients using a specific client ID can connect.

iot:GetRetainedMessage

Represents the permission to get the contents of a single retained message. Retained messages are the messages that were published with the RETAIN flag set and stored by Amazon IoT Core. For permission to get a list of all the account's retained messages, see iot:ListRetainedMessages.

iot:ListRetainedMessages

Represents the permission to retrieve summary information about the account's retained messages, but not the contents of the messages. Retained messages are the messages that were published with the RETAIN flag set and stored by Amazon IoT Core. The resource ARN specified for this action must be *. For permission to get the contents of a single retained message, see iot:GetRetainedMessage.

iot:Publish

Represents the permission to publish an MQTT topic. This permission is checked every time a PUBLISH request is sent to the broker. You can use this to allow clients to publish to specific topic patterns.

Note

To grant iot:Publish permission, you must also grant iot:Connect permission.

iot:Receive

Represents the permission to receive a message from Amazon IoT Core. The iot:Receive permission is confirmed every time a message is delivered to a client. Because this permission is checked on every delivery, you can use it to revoke permissions to clients that are currently subscribed to a topic.

iot:RetainPublish

Represents the permission to publish an MQTT message with the RETAIN flag set.

Note

To grant iot:RetainPublish permission, you must also grant iot:Publish permission.

iot:Subscribe

Represents the permission to subscribe to a topic filter. This permission is checked every time a SUBSCRIBE request is sent to the broker. Use it to allow clients to subscribe to topics that match specific topic patterns.

Note

To grant iot:Subscribe permission, you must also grant iot:Connect permission.

Device Shadow Policy Actions
iot:DeleteThingShadow

Represents the permission to delete a thing's Device Shadow. The iot:DeleteThingShadow permission is checked every time a request is made to delete a thing's Device Shadow contents.

iot:GetThingShadow

Represents the permission to retrieve a thing's Device Shadow. The iot:GetThingShadow permission is checked every time a request is made to retrieve a thing's Device Shadow contents.

iot:ListNamedShadowsForThing

Represents the permission to list a thing's named Shadows. The iot:ListNamedShadowsForThing permission is checked every time a request is made to list a thing's named Shadows.

iot:UpdateThingShadow

Represents the permission to update a device's shadow. The iot:UpdateThingShadow permission is checked every time a request is made to update a thing's Device Shadow contents.

Note

The job execution policy actions apply only for the HTTP TLS endpoint. If you use the MQTT endpoint, you must use MQTT policy actions defined in this topic.

For an example of a job execution policy that demonstrates this, see Basic job policy example that works with the MQTT protocol.

Job Executions Amazon IoT Core Policy Actions
iotjobsdata:DescribeJobExecution

Represents the permission to retrieve a job execution for a given thing. The iotjobsdata:DescribeJobExecution permission is checked every time a request is made to get a job execution.

iotjobsdata:GetPendingJobExecutions

Represents the permission to retrieve the list of jobs that are not in a terminal status for a thing. The iotjobsdata:GetPendingJobExecutions permission is checked every time a request is made to retrieve the list.

iotjobsdata:UpdateJobExecution

Represents the permission to update a job execution. The iotjobsdata:UpdateJobExecution permission is checked every time a request is made to update the state of a job execution.

iotjobsdata:StartNextPendingJobExecution

Represents the permission to get and start the next pending job execution for a thing. (That is, to update a job execution with status QUEUED to IN_PROGRESS.) The iotjobsdata:StartNextPendingJobExecution permission is checked every time a request is made to start the next pending job execution.

Amazon IoT Core Credential Provider Policy Action
iot:AssumeRoleWithCertificate

Represents the permission to call Amazon IoT Core credential provider to assume an IAM role with certificate-based authentication. The iot:AssumeRoleWithCertificate permission is checked every time a request is made to Amazon IoT Core credential provider to assume a role.