Setting up Amazon IoT Events - Amazon IoT Events
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Setting up Amazon IoT Events

If you do not have an Amazon Web Services account, use the following procedure to create one.

To sign up for Amazon Web Services
  1. Open http://www.amazonaws.cn/ and choose Sign Up.

  2. Follow the on-screen instructions.

Setting up permissions for Amazon IoT Events

This section describes the roles and permissions that are required to use some features of Amazon IoT Events. You can use Amazon CLI commands or the Amazon Identity and Access Management (IAM) console to create roles and associated permission policies to access resources or perform certain functions in Amazon IoT Events.

The IAM User Guide has more detailed information about securely controlling permissions to access Amazon resources. For information specific to Amazon IoT Events, see Actions, resources, and condition keys for Amazon IoT Events.

To use the IAM console to create and manage roles and permissions, see IAM tutorial: Delegate access across Amazon accounts using IAM roles.

Note

Keys can be 1-128 characters and can include:

  • uppercase or lowercase letters a-z

  • numbers 0-9

  • special characters -, _, or :.

Action permissions

Amazon IoT Events enables you to trigger actions that use other Amazon services. To do so, you must grant Amazon IoT Events permission to perform these actions on your behalf. This section lists the actions and gives an example policy that grants permission to perform all of them on your resources. Change the region and account-id references as required. Wherever possible, also replace the wildcards (*) with the specific resources that will be accessed; a wildcard such as topic/* lets the detector publish to every MQTT topic in the account, not only the one your model uses. You can use the IAM console to grant Amazon IoT Events permission to send an Amazon SNS alert that you have defined.

Amazon IoT Events supports the following built-in actions that let you use a timer or set a variable. They operate inside the detector and need no additional IAM permissions:

  • setTimer to create a timer.

  • clearTimer to delete a timer.

  • resetTimer to reset a timer.

  • setVariable to create or update a variable.

Amazon IoT Events supports the following actions that let you work with Amazon services:

  • iotTopicPublish to publish a message on an MQTT topic.

  • iotEvents to send data to Amazon IoT Events as an input value.

  • iotSiteWise to send data to an asset property in Amazon IoT SiteWise.

  • dynamoDB to send data to an Amazon DynamoDB table, writing the whole payload into a single column.

  • dynamoDBv2 to send data to an Amazon DynamoDB table, writing each payload attribute to its own column.

  • firehose to send data to an Amazon Data Firehose stream.

  • lambda to invoke an Amazon Lambda function.

  • sns to send data as a push notification.

  • sqs to send data to an Amazon SQS queue.

Example Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": "arn:aws-cn:iot:<region>:<account_id>:topic/*"
    },
    {
      "Effect": "Allow",
      "Action": "iotevents:BatchPutMessage",
      "Resource": "arn:aws-cn:iotevents:<region>:<account_id>:input/*"
    },
    {
      "Effect": "Allow",
      "Action": "iotsitewise:BatchPutAssetPropertyValue",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "dynamodb:PutItem",
      "Resource": "arn:aws-cn:dynamodb:<region>:<account_id>:table/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "firehose:PutRecord",
        "firehose:PutRecordBatch"
      ],
      "Resource": "arn:aws-cn:firehose:<region>:<account_id>:deliverystream/*"
    },
    {
      "Effect": "Allow",
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws-cn:lambda:<region>:<account_id>:function:*"
    },
    {
      "Effect": "Allow",
      "Action": "sns:Publish",
      "Resource": "arn:aws-cn:sns:<region>:<account_id>:*"
    },
    {
      "Effect": "Allow",
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws-cn:sqs:<region>:<account_id>:*"
    }
  ]
}
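The advice above to replace wildcards with specific resources is easy to state and easy to forget. The following script is an added example, not code from the Amazon IoT Events documentation: it audits a policy document like the one above, reports every Allow statement whose Resource is a bare "*" or ends in a wildcard, flags ARNs that are not in the aws-cn partition (a common mistake when copying policies written for the global partition), and rewrites the wildcard resources to ARNs you supply. The sample policy, the cn-north-1 region, the account ID 123456789012 and the asset and topic ARNs are constructed for the example; scoping iotsitewise:BatchPutAssetPropertyValue to an asset ARN is an assumption about your resources, not something the page states.

```python
"""Audit an IoT Events action-permission policy for over-broad resources."""
import copy
import json

# Constructed copy of the documented example policy with placeholders filled in.
# The SNS statement deliberately uses the global "aws" partition to show the check.
EXAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Publish",
         "Resource": "arn:aws-cn:iot:cn-north-1:123456789012:topic/*"},
        {"Effect": "Allow", "Action": "iotevents:BatchPutMessage",
         "Resource": "arn:aws-cn:iotevents:cn-north-1:123456789012:input/*"},
        {"Effect": "Allow", "Action": "iotsitewise:BatchPutAssetPropertyValue",
         "Resource": "*"},
        {"Effect": "Allow", "Action": "lambda:InvokeFunction",
         "Resource": "arn:aws-cn:lambda:cn-north-1:123456789012:function:*"},
        {"Effect": "Allow", "Action": "sns:Publish",
         "Resource": "arn:aws:sns:us-east-1:123456789012:*"},
    ],
}


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_wildcard(resource):
    return resource == "*" or resource.endswith("*")


def find_wildcard_resources(policy):
    """Return (action, resource) pairs from Allow statements whose resource is
    a bare "*" or ends in "*"."""
    hits = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            for resource in _as_list(stmt.get("Resource", [])):
                if _is_wildcard(resource):
                    hits.append((action, resource))
    return hits


def find_wrong_partition(policy, partition="aws-cn"):
    """Return ARNs whose partition field (arn:<partition>:...) is not `partition`.
    A bare "*" has no partition and is reported by find_wildcard_resources instead."""
    bad = []
    for stmt in policy["Statement"]:
        for resource in _as_list(stmt.get("Resource", [])):
            if resource.startswith("arn:") and resource.split(":")[1] != partition:
                bad.append(resource)
    return bad


def scope_policy(policy, specific):
    """Return a copy of `policy` in which every statement with a wildcard
    resource is narrowed to the ARNs listed in `specific` for its actions.
    `specific` maps an action name to a list of ARNs; statements whose actions
    have no entry are left untouched so nothing is silently widened or dropped."""
    scoped = copy.deepcopy(policy)
    for stmt in scoped["Statement"]:
        arns = []
        for action in _as_list(stmt.get("Action", [])):
            for arn in specific.get(action, []):
                if arn not in arns:
                    arns.append(arn)
        if arns and any(_is_wildcard(r) for r in _as_list(stmt.get("Resource", []))):
            stmt["Resource"] = arns[0] if len(arns) == 1 else arns
    return scoped


if __name__ == "__main__":
    for action, resource in find_wildcard_resources(EXAMPLE_POLICY):
        print(f"wildcard resource: {action} -> {resource}")
    for arn in find_wrong_partition(EXAMPLE_POLICY):
        print(f"wrong partition:   {arn}")
    narrowed = scope_policy(EXAMPLE_POLICY, {
        "iotsitewise:BatchPutAssetPropertyValue":
            ["arn:aws-cn:iotsitewise:cn-north-1:123456789012:asset/a1b2c3d4"],
        "sns:Publish": ["arn:aws-cn:sns:cn-north-1:123456789012:alerts"],
    })
    print(json.dumps(narrowed, indent=2))
```

Run it against the policy you intend to attach to the IoT Events role before you create the role; the first two reports should be empty for anything that reaches production, and any action you cannot map to a concrete ARN is a candidate for a condition key or a separate, narrower role.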

Securing input data

Consider carefully who can route input data into a detector model. A detector model only receives data from an input once routing for that input has been updated, so iotevents:UpdateInputRouting is the permission that ties a model to the inputs it consumes. If you have a user or entity whose overall permissions you want to restrict, but that is permitted to create or update a detector model, you must also grant that user or entity permission to update input routing: in addition to iotevents:CreateDetectorModel and iotevents:UpdateDetectorModel, grant iotevents:UpdateInputRouting. Because this permission can be scoped to individual inputs, it is also the control that limits which inputs' data such a user can consume.

Example

The following policy adds permission for iotevents:UpdateInputRouting.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "updateRoutingPolicy",
      "Effect": "Allow",
      "Action": [
        "iotevents:UpdateInputRouting"
      ],
      "Resource": "*"
    }
  ]
}

You can specify a list of input Amazon Resource Names (ARNs) instead of the wildcard "*" for the "Resource" to limit this permission to specific inputs. This enables you to restrict access to the input data that is consumed by detector models created or updated by the user or entity.
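Two things a practitioner wants here: a way to catch a policy that grants detector-model authoring without iotevents:UpdateInputRouting (the model author will be blocked at routing time, and the usual fix of adding "iotevents:*" is far too broad), and a generator for a policy that grants authoring while restricting routing to named inputs. The following is an added example, not code from the Amazon IoT Events documentation. The region cn-north-1, the account ID 123456789012, the input names and the sample policies are constructed; scoping the authoring actions to a detectorModel/* ARN is an assumption about how narrowly you want to grant them. The lint only reads Allow statements and understands literal action names plus the "iotevents:*" and "*" wildcards; it does not evaluate Deny statements, conditions or partial patterns such as "iotevents:Update*".

```python
"""Lint and generate IAM policies for detector-model authors."""
import json

AUTHOR_ACTIONS = ("iotevents:CreateDetectorModel", "iotevents:UpdateDetectorModel")

# Constructed sample: the documented routing-only policy.
ROUTING_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "updateRoutingPolicy", "Effect": "Allow",
         "Action": ["iotevents:UpdateInputRouting"], "Resource": "*"},
    ],
}

# Constructed sample: authoring granted, routing forgotten (the gap the text warns about).
AUTHOR_WITHOUT_ROUTING = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": list(AUTHOR_ACTIONS), "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allowed_actions(policy):
    """Set of action strings granted by Allow statements (wildcards kept verbatim)."""
    actions = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            actions.update(_as_list(stmt.get("Action", [])))
    return actions


def _grants(actions, action):
    """True if `action` is allowed literally or via a service-wide or global wildcard."""
    service = action.split(":", 1)[0]
    return action in actions or f"{service}:*" in actions or "*" in actions


def missing_input_routing(policy):
    """True when the policy lets the principal create or update detector models
    but never allows iotevents:UpdateInputRouting."""
    actions = allowed_actions(policy)
    can_author = any(_grants(actions, a) for a in AUTHOR_ACTIONS)
    return can_author and not _grants(actions, "iotevents:UpdateInputRouting")


def author_policy(region, account_id, inputs, partition="aws-cn"):
    """Policy for a detector-model author that may route data only from `inputs`.
    Each input name becomes an input/<name> ARN on the UpdateInputRouting statement."""
    base = f"arn:{partition}:iotevents:{region}:{account_id}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "authorDetectorModels",
                "Effect": "Allow",
                "Action": list(AUTHOR_ACTIONS),
                "Resource": f"{base}:detectorModel/*",  # assumption: any model name
            },
            {
                "Sid": "updateRoutingPolicy",
                "Effect": "Allow",
                "Action": ["iotevents:UpdateInputRouting"],
                "Resource": [f"{base}:input/{name}" for name in inputs],
            },
        ],
    }


if __name__ == "__main__":
    for name, policy in (("routing-only", ROUTING_ONLY),
                         ("author-without-routing", AUTHOR_WITHOUT_ROUTING)):
        print(f"{name}: missing UpdateInputRouting = {missing_input_routing(policy)}")
    print(json.dumps(author_policy("cn-north-1", "123456789012",
                                   ["TemperatureInput", "PressureInput"]), indent=2))
```

The generated policy is the least-privilege shape the text describes: the author can build models, but routing (and therefore the data a model sees) is confined to TemperatureInput and PressureInput. Run the lint over any existing author policy before handing it out.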

Amazon CloudWatch logging role policy

The following policy documents provide the role policy and trust policy that allow Amazon IoT Events to submit logs to CloudWatch on your behalf.

Role policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:PutMetricFilter",
        "logs:PutRetentionPolicy",
        "logs:GetLogEvents",
        "logs:DeleteLogStream"
      ],
      "Resource": [
        "arn:aws-cn:logs:*:*:*"
      ]
    }
  ]
}

Trust policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "iotevents.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

You also need an IAM permissions policy attached to the user that allows the user to pass roles, as follows. For more information, see Granting a user permissions to pass a role to an Amazon service in the IAM User Guide.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
        "iam:PassRole"
      ],
      "Resource": "arn:aws-cn:iam::<account-id>:role/Role_To_Pass"
    }
  ]
}

You can use the following command to put the resource policy for CloudWatch logs. This allows Amazon IoT Events to put log events into CloudWatch streams.

aws logs put-resource-policy \
  --policy-name ioteventsLoggingPolicy \
  --policy-document '{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "IoTEventsToCloudWatchLogs",
        "Effect": "Allow",
        "Principal": { "Service": [ "iotevents.amazonaws.com" ] },
        "Action": "logs:PutLogEvents",
        "Resource": "*"
      }
    ]
  }'

Use the following command to put logging options. Replace the roleArn with the logging role that you created.

aws iotevents put-logging-options \
  --cli-input-json '{
    "loggingOptions": {
      "roleArn": "arn:aws-cn:iam::123456789012:role/testLoggingRole",
      "level": "INFO",
      "enabled": true
    }
  }'
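The four pieces above (trust policy, role policy, CloudWatch resource policy, logging options) plus the PassRole grant for the caller are one procedure, and they are easy to apply in the wrong order or with mismatched role names. The following script is an added example, not code from the Amazon IoT Events documentation: it builds every document as a Python dict so the shapes can be checked offline, then applies them with boto3 in the order that works (role first, because put-logging-options validates that the role can be passed). The role name IoTEventsLoggingRole, the policy name ioteventsCloudWatchLogs, the region cn-north-1 and the account ID 123456789012 are assumptions. One deliberate departure from the documented role policy: the Resource is narrowed from arn:aws-cn:logs:*:*:* to the account and region you pass in.

```python
"""Provision the CloudWatch logging role for Amazon IoT Events end to end."""
import json

LOG_ACTIONS = [
    "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
    "logs:PutMetricFilter", "logs:PutRetentionPolicy", "logs:GetLogEvents",
    "logs:DeleteLogStream",
]


def trust_policy():
    """Who may assume the role: only the IoT Events service principal."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": ["iotevents.amazonaws.com"]},
            "Action": "sts:AssumeRole",
        }],
    }


def role_policy(region, account_id, partition="aws-cn"):
    """What the role may do once assumed. Same actions as the documented policy;
    the resource is narrowed to this account and region (an assumption here)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": LOG_ACTIONS,
            "Resource": f"arn:{partition}:logs:{region}:{account_id}:*",
        }],
    }


def logs_resource_policy():
    """CloudWatch Logs resource policy allowing the service to write log events."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "IoTEventsToCloudWatchLogs",
            "Effect": "Allow",
            "Principal": {"Service": ["iotevents.amazonaws.com"]},
            "Action": "logs:PutLogEvents",
            "Resource": "*",
        }],
    }


def pass_role_policy(account_id, role_name, partition="aws-cn"):
    """Identity policy for the caller of put-logging-options: PassRole on this role only."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["iam:GetRole", "iam:PassRole"],
            "Resource": f"arn:{partition}:iam::{account_id}:role/{role_name}",
        }],
    }


def logging_options(account_id, role_name, level="INFO", partition="aws-cn"):
    """Argument for put-logging-options; level is ERROR, INFO or DEBUG."""
    return {
        "roleArn": f"arn:{partition}:iam::{account_id}:role/{role_name}",
        "level": level,
        "enabled": True,
    }


def apply(account_id, region, role_name="IoTEventsLoggingRole", partition="aws-cn"):
    """Create the role, attach the inline policy, set the CloudWatch resource
    policy and enable logging. Needs boto3 and credentials with IAM, Logs and
    IoT Events rights; the caller must already hold the PassRole grant above."""
    import boto3  # imported here so the document builders stay usable offline
    iam = boto3.client("iam", region_name=region)
    try:
        iam.create_role(RoleName=role_name,
                        AssumeRolePolicyDocument=json.dumps(trust_policy()))
    except iam.exceptions.EntityAlreadyExistsException:
        pass  # re-running the script is safe; the policies below are idempotent
    iam.put_role_policy(RoleName=role_name, PolicyName="ioteventsCloudWatchLogs",
                        PolicyDocument=json.dumps(role_policy(region, account_id, partition)))
    boto3.client("logs", region_name=region).put_resource_policy(
        policyName="ioteventsLoggingPolicy",
        policyDocument=json.dumps(logs_resource_policy()))
    boto3.client("iotevents", region_name=region).put_logging_options(
        loggingOptions=logging_options(account_id, role_name, partition=partition))


if __name__ == "__main__":
    print(json.dumps(role_policy("cn-north-1", "123456789012"), indent=2))
    # apply("123456789012", "cn-north-1")  # uncomment to provision for real
```

If put-logging-options fails with an access-denied error while the role exists, the missing piece is almost always the caller's iam:PassRole grant rather than the role's own policy.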

Amazon SNS messaging role policy

The following policy documents provide the role policy and trust policy that allow Amazon IoT Events to send SNS messages. Publishing to a topic requires only sns:Publish, so grant that action rather than sns:*, and scope the resource to the topic the detector model uses. Replace the region and account placeholders with your own values.

Role policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "sns:Publish"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws-cn:sns:<region>:<account_id>:testAction"
    }
  ]
}

Trust policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "iotevents.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}