AWS IoT
开发人员指南
AWS 文档中描述的 AWS 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅中国的 AWS 服务入门

证书策略示例

registered devices (12)unregistered devices (12)
registered devices (12)

对于已在 AWS IoT Registry 中注册的设备,以下策略授予使用与事物名称匹配的客户端 ID 连接到 AWS IoT 和发布到名称等于设备用于身份验证的证书的 certificateId 的主题的权限:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Publish" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/${iot:CertificateId}"] }, { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"] } ] }
unregistered devices (12)

对于未在 AWS IoT Registry 中注册的设备,以下策略授予使用客户端 ID“client1”、“client2”和“client3”连接到 AWS IoT 和发布到名称等于设备用于身份验证的证书的 certificateId 的主题的权限:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Publish" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/${iot:CertificateId}"] }, { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/client1", "arn:aws:iot:us-east-1:123456789012:client/client2", "arn:aws:iot:us-east-1:123456789012:client/client3" ] } ] }
registered devices (13)unregistered devices (13)
registered devices (13)

对于已在 AWS IoT Registry 中注册的设备,以下策略授予使用与事物名称匹配的客户端 ID 连接到 AWS IoT 和发布到名称等于设备用于身份验证的证书的主题公用名字段的主题的权限:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Publish" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/${iot:Certificate.Subject.CommonName}"] }, { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"] } ] }

注意

在此示例中,证书的主题公用名用作主题标识符,并假设主题公用名对于每个已注册的证书都是唯一的。如果证书在多个设备之间共享,则共享此证书的所有设备的主题公用名将相同,因而允许从多个设备向同一主题发布权限(不推荐)。

unregistered devices (13)

对于未在 AWS IoT Registry 中注册的设备,以下策略授予使用客户端 ID“client1”、“client2”和“client3”连接到 AWS IoT 和发布到名称等于设备用于身份验证的证书的主题公用名字段的主题的权限:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Publish" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/${iot:Certificate.Subject.CommonName}"] }, { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/client1", "arn:aws:iot:us-east-1:123456789012:client/client2", "arn:aws:iot:us-east-1:123456789012:client/client3" ] } ] }

注意

在此示例中,证书的主题公用名用作主题标识符,并假设主题公用名对于每个已注册的证书都是唯一的。如果证书在多个设备之间共享,则共享此证书的所有设备的主题公用名将相同,因而允许从多个设备向同一主题发布权限(不推荐)。

registered devices (14)unregistered devices (14)
registered devices (14)

对于已在 AWS IoT Registry 中注册的设备,以下策略授予使用与事物名称匹配的客户端 ID 连接到 AWS IoT 的权限,并授予当用于对设备进行身份验证的证书的 Subject.CommonName.2 字段设置为“Administrator”时发布到名称前缀为“admin/”的主题的权限:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"] }, { "Effect": "Allow", "Action": [ "iot:Publish" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/admin/*"], "Condition": { "StringEquals": { "iot:Certificate.Subject.CommonName.2": "Administrator" } } } ] }
unregistered devices (14)

对于未在 AWS IoT Registry 中注册的设备,以下策略授予使用客户端 ID“client1”、“client2”和“client3”连接到 AWS IoT 的权限,并授予当用于对设备进行身份验证的证书的 Subject.CommonName.2 字段设置为“Administrator”时发布到名称前缀为“admin/”的主题的权限:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/client1", "arn:aws:iot:us-east-1:123456789012:client/client2", "arn:aws:iot:us-east-1:123456789012:client/client3" ] }, { "Effect": "Allow", "Action": [ "iot:Publish" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/admin/*"], "Condition": { "StringEquals": { "iot:Certificate.Subject.CommonName.2": "Administrator" } } } ] }
registered devices (15)unregistered devices (15)
registered devices (15)

对于已在 AWS IoT Registry 中注册的设备,以下策略允许设备在用于对设备进行身份验证的证书的任一 Subject.CommonName 字段设置为“Administrator”时,使用注册到 AWS IoT 的事物名称发布特定主题(依次包含“admin/”和 ThingName):

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"] }, { "Effect": "Allow", "Action": [ "iot:Publish" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/admin/${iot:Connection.Thing.ThingName}"], "Condition": { "ForAnyValue:StringEquals": { "iot:Certificate.Subject.CommonName.List": "Administrator" } } } ] }
unregistered devices (15)

对于未在 AWS IoT Registry 中注册的设备,以下策略授予使用客户端 ID“client1”、“client2”和“client3”连接到 AWS IoT 的权限,并授予当用于对设备进行身份验证的证书的任一 Subject.CommonName 字段设置为“Administrator”时发布到主题“admin”的权限:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/client1", "arn:aws:iot:us-east-1:123456789012:client/client2", "arn:aws:iot:us-east-1:123456789012:client/client3" ] }, { "Effect": "Allow", "Action": [ "iot:Publish" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/admin"], "Condition": { "ForAnyValue:StringEquals": { "iot:Certificate.Subject.CommonName.List": "Administrator" } } } ] }