Example: Secure access to an Amazon IoT Events alarm model - Amazon IoT Events

End of support notice: On May 20, 2026, Amazon will end support for Amazon IoT Events. After May 20, 2026, you will no longer be able to access the Amazon IoT Events console or Amazon IoT Events resources. For more information, see Amazon IoT Events end of support.

Example: Secure access to an Amazon IoT Events alarm model

This example demonstrates how to create an IAM role trust policy that allows Amazon IoT Events to securely access alarm models. The policy uses conditions to ensure that only the specified Amazon account and the Amazon IoT Events service can assume the role.

In this example, the role can access any alarm model within the specified Amazon account, as indicated by the * wildcard in the alarm model ARN. The aws:SourceAccount and aws:SourceArn conditions work together to prevent the confused deputy problem.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "iotevents.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "account_id"
        },
        "ArnEquals": {
          "aws:SourceArn": "arn:aws:iotevents:region:account_id:alarmModel/*"
        }
      }
    }
  ]
}
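
The following is an added example, not part of the original documentation or of any Amazon tooling: a simplified Python model of how the two conditions in the trust policy above are evaluated, useful for checking which request contexts the policy admits. The account IDs, Region, model names and the function names are constructed for illustration, and the model covers only the two condition operators used on this page.

```python
import re

# Constructed sample values: account ID and Region stand in for account_id / region.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": ["iotevents.amazonaws.com"]},
        "Action": "sts:AssumeRole",
        "Condition": {
            "StringEquals": {"aws:SourceAccount": "111122223333"},
            "ArnEquals": {"aws:SourceArn":
                          "arn:aws:iotevents:us-east-1:111122223333:alarmModel/*"},
        },
    }],
}

def _glob(pattern, value):
    """Match one ARN component; * and ? are the only wildcards."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value) is not None

def arn_equals(pattern, arn):
    """ArnEquals behaves like ArnLike: the six colon-delimited parts are compared separately."""
    p, a = pattern.split(":", 5), arn.split(":", 5)
    return len(p) == len(a) == 6 and all(map(_glob, p, a))

OPERATORS = {"StringEquals": lambda want, got: want == got, "ArnEquals": arn_equals}

def service_may_assume(policy, service, context):
    """True if a statement lets `service` assume the role for this request context.

    Simplified model: single-string Action, list-valued Service principal.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        if service not in stmt["Principal"].get("Service", []):
            continue
        # Every operator and every key must match; a missing context key fails.
        if all(key in context and OPERATORS[op](want, context[key])
               for op, keys in stmt.get("Condition", {}).items()
               for key, want in keys.items()):
            return True
    return False
```

A call made on behalf of an alarm model in another account, or of a resource that is not an alarm model, fails one of the two conditions and is rejected even though the service principal matches.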