Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions,
see Getting Started with Amazon Web Services in China
(PDF).
Thing policy examples
The following policy allows a device to connect if the certificate used to
authenticate with Amazon IoT Core is attached to the thing for which the policy is
being evaluated:
- JSON
-
-
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Action":["iot:Connect"],
"Resource":[ "*" ],
"Condition": {
"Bool": {
"iot:Connection.Thing.IsAttached": ["true"]
}
}
}
]
}
The following policy allows a device to publish if the certificate is attached
to a thing with a particular thing type and if the thing has an attribute of
attributeName with value attributeValue. For more
information about thing policy variables, see Thing policy variables.
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iot:Publish"
],
"Resource": "arn:aws:iot:us-east-1:123456789012:topic/device/stats",
"Condition": {
"StringEquals": {
"iot:Connection.Thing.Attributes[attributeName]": "attributeValue",
"iot:Connection.Thing.ThingTypeName": "Thing_Type_Name"
},
"Bool": {
"iot:Connection.Thing.IsAttached": "true"
}
}
}
]
}
The following policy allows a device to publish to a topic that starts with an
attribute of the thing. If the device certificate is not associated with the
thing, this variable won't be resolved and will result in an access denied
error. For more information about thing policy variables, see Thing policy variables.
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iot:Publish"
],
"Resource": "arn:aws:iot:us-east-1:123456789012:topic/${iot:Connection.Thing.Attributes[attributeName]}/*"
}
]
}