Amazon IoT Core policy actions
The following policy actions are defined by Amazon IoT Core:
MQTT Policy Actions
iot:Connect
-
Represents the permission to connect to the Amazon IoT Core message broker. The
iot:Connect
permission is checked every time aCONNECT
request is sent to the broker. The message broker doesn't allow two clients with the same client ID to stay connected at the same time. After the second client connects, the broker closes the existing connection. Use theiot:Connect
permission to ensure only authorized clients using a specific client ID can connect. iot:GetRetainedMessage
-
Represents the permission to get the contents of a single retained message. Retained messages are the messages that were published with the RETAIN flag set and stored by Amazon IoT Core. For permission to get a list of all the account's retained messages, see iot:ListRetainedMessages.
iot:ListRetainedMessages
-
Represents the permission to retrieve summary information about the account's retained messages, but not the contents of the messages. Retained messages are the messages that were published with the RETAIN flag set and stored by Amazon IoT Core. The resource ARN specified for this action must be
*
. For permission to get the contents of a single retained message, see iot:GetRetainedMessage. iot:Publish
-
Represents the permission to publish an MQTT topic. This permission is checked every time a PUBLISH request is sent to the broker. You can use this to allow clients to publish to specific topic patterns.
Note
To grant
iot:Publish
permission, you must also grantiot:Connect
permission. iot:Receive
-
Represents the permission to receive a message from Amazon IoT Core. The
iot:Receive
permission is confirmed every time a message is delivered to a client. Because this permission is checked on every delivery, you can use it to revoke permissions to clients that are currently subscribed to a topic. iot:RetainPublish
-
Represents the permission to publish an MQTT message with the RETAIN flag set.
Note
To grant
iot:RetainPublish
permission, you must also grantiot:Publish
permission. iot:Subscribe
-
Represents the permission to subscribe to a topic filter. This permission is checked every time a SUBSCRIBE request is sent to the broker. Use it to allow clients to subscribe to topics that match specific topic patterns.
Note
To grant
iot:Subscribe
permission, you must also grantiot:Connect
permission.
Device Shadow Policy Actions
iot:DeleteThingShadow
-
Represents the permission to delete a thing's Device Shadow. The
iot:DeleteThingShadow
permission is checked every time a request is made to delete a thing's Device Shadow contents. iot:GetThingShadow
-
Represents the permission to retrieve a thing's Device Shadow. The
iot:GetThingShadow
permission is checked every time a request is made to retrieve a thing's Device Shadow contents. iot:ListNamedShadowsForThing
-
Represents the permission to list a thing's named Shadows. The
iot:ListNamedShadowsForThing
permission is checked every time a request is made to list a thing's named Shadows. iot:UpdateThingShadow
-
Represents the permission to update a device's shadow. The
iot:UpdateThingShadow
permission is checked every time a request is made to update a thing's Device Shadow contents.
Note
The job execution policy actions apply only for the HTTP TLS endpoint. If you use the MQTT endpoint, you must use MQTT policy actions defined in this topic.
For an example of a job execution policy that demonstrates this, see Basic job policy example that works with the MQTT protocol.
Job Executions Amazon IoT Core Policy Actions
iotjobsdata:DescribeJobExecution
-
Represents the permission to retrieve a job execution for a given thing. The
iotjobsdata:DescribeJobExecution
permission is checked every time a request is made to get a job execution. iotjobsdata:GetPendingJobExecutions
-
Represents the permission to retrieve the list of jobs that are not in a terminal status for a thing. The
iotjobsdata:GetPendingJobExecutions
permission is checked every time a request is made to retrieve the list. iotjobsdata:UpdateJobExecution
-
Represents the permission to update a job execution. The
iotjobsdata:UpdateJobExecution
permission is checked every time a request is made to update the state of a job execution. iotjobsdata:StartNextPendingJobExecution
-
Represents the permission to get and start the next pending job execution for a thing. (That is, to update a job execution with status QUEUED to IN_PROGRESS.) The
iotjobsdata:StartNextPendingJobExecution
permission is checked every time a request is made to start the next pending job execution.
Amazon IoT Core Credential Provider Policy Action
iot:AssumeRoleWithCertificate
-
Represents the permission to call Amazon IoT Core credential provider to assume an IAM role with certificate-based authentication. The
iot:AssumeRoleWithCertificate
permission is checked every time a request is made to Amazon IoT Core credential provider to assume a role.