Create the Amazon IoT policy
Follow these procedures to create an Amazon IoT policy that will be attached to the device certificate. The policy grants the certificate permissions to Amazon IoT capabilities and allows the certificate to be used to assume the role alias.
With Amazon IoT Core policies, you can control access to the Amazon IoT Core data plane. The Amazon IoT Core data plane consists of operations that you can use to do the following:
- Connect to the Amazon IoT Core message broker
- Send and receive MQTT messages
- Get or update a thing's device shadow
For more information, see Amazon IoT Core policies.
Use Amazon IoT policy editor to create an Amazon IoT policy
- Sign in to the Amazon Web Services Management Console and open the Amazon IoT Core console at https://console.amazonaws.cn/iot/.
- In the left navigation pane, choose Security, and then choose Policies.
- Choose Create policy.
- Enter a name for your policy. An example of a policy name is KvsEdgeAccessIoTPolicy.
- (Optional) Add metadata to the policy by attaching tags as key-value pairs. For more information about using tags, see Tagging your Amazon IoT resources in the Amazon IoT Core Developer Guide.
- Choose the JSON tab.
- Paste the following JSON policy document:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "iot:Connect",
            "iot:Publish",
            "iot:Subscribe",
            "iot:Receive"
          ],
          "Resource": [
            "*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "iot:AssumeRoleWithCertificate"
          ],
          "Resource": "your-role-alias-arn"
        }
      ]
    }

  Note: Replace your-role-alias-arn with the ARN of the role alias that you created in Create the Amazon IoT role alias.
- Choose Create to save your work.
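To check the policy before pasting it, or to create it from a script rather than the console, here is an added Python example (not code from the Amazon documentation). It reproduces the policy document above, rejects an ARN that still holds the your-role-alias-arn placeholder, and lists which actions the certificate is granted on every resource ("*") so the device's reach is visible before the policy is attached; the policy name, region, account ID and alias name used below are constructed placeholders.

```python
import json
import re

# Role alias ARN shape: arn:<partition>:iot:<region>:<account-id>:rolealias/<name>;
# aws-cn is the partition for the China regions served by console.amazonaws.cn.
ROLE_ALIAS_ARN = re.compile(
    r"^arn:(aws|aws-cn|aws-us-gov):iot:[a-z0-9-]+:\d{12}:rolealias/[\w=,@-]+$"
)


def build_policy(role_alias_arn: str) -> dict:
    """Return the policy document from the procedure with the alias ARN filled in."""
    if not ROLE_ALIAS_ARN.match(role_alias_arn):
        raise ValueError(f"not a role alias ARN: {role_alias_arn!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["iot:Connect", "iot:Publish", "iot:Subscribe", "iot:Receive"],
                "Resource": ["*"],
            },
            {
                "Effect": "Allow",
                "Action": ["iot:AssumeRoleWithCertificate"],
                "Resource": role_alias_arn,
            },
        ],
    }


def wildcard_actions(policy: dict) -> list:
    """List every allowed action whose Resource includes '*', i.e. the broadest grants."""
    found = []
    for stmt in policy["Statement"]:
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        if stmt["Effect"] == "Allow" and "*" in resources:
            found.extend(stmt["Action"])
    return found


def create_policy(name: str, role_alias_arn: str) -> str:
    """Create the policy through the API instead of the console (needs boto3 and credentials)."""
    import boto3  # imported here so the checks above run without the SDK installed
    doc = json.dumps(build_policy(role_alias_arn))
    resp = boto3.client("iot").create_policy(policyName=name, policyDocument=doc)
    return resp["policyArn"]
```

Call create_policy("KvsEdgeAccessIoTPolicy", alias_arn) only once the role alias from the previous step exists, since iot:AssumeRoleWithCertificate is scoped to that ARN.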