Step 6: Create the Amazon IoT policy - Amazon Kinesis Video Streams
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Step 6: Create the Amazon IoT policy

Follow these procedures to create an Amazon IoT policy that will be attached to the device certificate. This gives permissions to Amazon IoT capabilities and allows the assumption of the role alias using the certificate.

With Amazon IoT Core policies, you can control access to the Amazon IoT Core data plane. The Amazon IoT Core data plane consists of operations that you can use to do the following:

  • Connect to the Amazon IoT Core message broker

  • Send and receive MQTT messages

  • Get or update a thing's device shadow

For more information, see Amazon IoT Core policies.

Use Amazon IoT policy editor to create an Amazon IoT policy
  1. Sign in to the Amazon Web Services Management Console and open the Amazon IoT Core console at

  2. On the left navigation, select Security and then choose Policies.

  3. Choose Create policy.

  4. Enter a name for your policy.

    An example of a policy name is KvsEdgeAccessIoTPolicy.

  5. (Optional) Add metadata to the policy by attaching tags as key-value pairs.

    For more information about using tags in IAM, see Tagging your Amazon IoT resources in the Amazon IoT Core Developer Guide.

  6. Choose the JSON tab.

  7. Paste the following JSON policy document:

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect", "iot:Publish", "iot:Subscribe", "iot:Receive" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "iot:AssumeRoleWithCertificate" ], "Resource": "your-role-alias-arn" } ] }

    Replace your-role-alias-arn with the ARN of the role alias that you created in Step 5: Create the Amazon IoT role alias.

  8. Choose Create to save your work.