The Amazon Web Services services or features described in the Amazon Web Services documentation may vary by region. To see the differences that apply to the China regions, see Getting Started with Amazon Web Services in China (PDF).
Certificate policy examples
For devices registered in the Amazon IoT Core registry, the following policy grants permission to connect to Amazon IoT Core with a client ID that matches the thing name, and to publish to a topic whose name equals the certificateId of the certificate the device used to authenticate itself:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish"
      ],
      "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/${iot:CertificateId}"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Connect"
      ],
      "Resource": ["arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"]
    }
  ]
}
```
For devices not registered in the Amazon IoT Core registry, the following policy grants permission to connect to Amazon IoT Core using the client IDs client1, client2 and client3, and to publish to a topic whose name equals the certificateId of the certificate the device used to authenticate itself:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish"
      ],
      "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/${iot:CertificateId}"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Connect"
      ],
      "Resource": [
        "arn:aws:iot:us-east-1:123456789012:client/client1",
        "arn:aws:iot:us-east-1:123456789012:client/client2",
        "arn:aws:iot:us-east-1:123456789012:client/client3"
      ]
    }
  ]
}
```
For devices registered in the Amazon IoT Core registry, the following policy grants permission to connect to Amazon IoT Core with a client ID that matches the thing name, and to publish to a topic whose name equals the subject CommonName field of the certificate the device used to authenticate itself:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish"
      ],
      "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/${iot:Certificate.Subject.CommonName}"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Connect"
      ],
      "Resource": ["arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"]
    }
  ]
}
```
In this example, the certificate's subject common name is used as the topic identifier, on the assumption that the subject common name is unique for each registered certificate. If a certificate is shared between multiple devices, every device sharing it has the same subject common name, so all of them are allowed to publish to the same topic (not recommended).
For devices not registered in the Amazon IoT Core registry, the following policy grants permission to connect to Amazon IoT Core using the client IDs client1, client2 and client3, and to publish to a topic whose name equals the subject CommonName field of the certificate the device used to authenticate itself:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish"
      ],
      "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/${iot:Certificate.Subject.CommonName}"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Connect"
      ],
      "Resource": [
        "arn:aws:iot:us-east-1:123456789012:client/client1",
        "arn:aws:iot:us-east-1:123456789012:client/client2",
        "arn:aws:iot:us-east-1:123456789012:client/client3"
      ]
    }
  ]
}
```
In this example, the certificate's subject common name is used as the topic identifier, on the assumption that the subject common name is unique for each registered certificate. If a certificate is shared between multiple devices, every device sharing it has the same subject common name, so all of them are allowed to publish to the same topic (not recommended).
For devices registered in the Amazon IoT Core registry, the following policy grants permission to connect to Amazon IoT Core with a client ID that matches the thing name, and to publish to topics whose names are prefixed with admin/ when the certificate used to authenticate the device has its Subject.CommonName.2 field set to Administrator:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Connect"
      ],
      "Resource": ["arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish"
      ],
      "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/admin/*"],
      "Condition": {
        "StringEquals": {
          "iot:Certificate.Subject.CommonName.2": "Administrator"
        }
      }
    }
  ]
}
```
For devices not registered in the Amazon IoT Core registry, the following policy grants permission to connect to Amazon IoT Core using the client IDs client1, client2 and client3, and to publish to topics whose names are prefixed with admin/ when the certificate used to authenticate the device has its Subject.CommonName.2 field set to Administrator:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Connect"
      ],
      "Resource": [
        "arn:aws:iot:us-east-1:123456789012:client/client1",
        "arn:aws:iot:us-east-1:123456789012:client/client2",
        "arn:aws:iot:us-east-1:123456789012:client/client3"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish"
      ],
      "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/admin/*"],
      "Condition": {
        "StringEquals": {
          "iot:Certificate.Subject.CommonName.2": "Administrator"
        }
      }
    }
  ]
}
```
For devices registered in the Amazon IoT Core registry, the following policy allows the device to connect with a client ID that matches its thing name, and to publish on the specific topic admin/ followed by its thing name, when any of the Subject.CommonName fields of the certificate used to authenticate the device is set to Administrator:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Connect"
      ],
      "Resource": ["arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish"
      ],
      "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/admin/${iot:Connection.Thing.ThingName}"],
      "Condition": {
        "ForAnyValue:StringEquals": {
          "iot:Certificate.Subject.CommonName.List": "Administrator"
        }
      }
    }
  ]
}
```
For devices not registered in the Amazon IoT Core registry, the following policy grants permission to connect to Amazon IoT Core using the client IDs client1, client2 and client3, and to publish to the topic admin when any of the Subject.CommonName fields of the certificate used to authenticate the device is set to Administrator:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Connect"
      ],
      "Resource": [
        "arn:aws:iot:us-east-1:123456789012:client/client1",
        "arn:aws:iot:us-east-1:123456789012:client/client2",
        "arn:aws:iot:us-east-1:123456789012:client/client3"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish"
      ],
      "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/admin"],
      "Condition": {
        "ForAnyValue:StringEquals": {
          "iot:Certificate.Subject.CommonName.List": "Administrator"
        }
      }
    }
  ]
}
```
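To check how policies like these behave for a given connection before deploying them, here is a small evaluator written for this page (an added example, not Amazon IoT Core's own policy engine): it substitutes the `${iot:...}` policy variables, applies the StringEquals and ForAnyValue:StringEquals conditions used in the admin/ examples, and reproduces the shared-certificate overlap the Subject.CommonName examples warn about. The context keys, the two embedded policies and all sample values are constructed for the illustration.

```python
import fnmatch
import re

# Added illustration, not Amazon IoT Core code. Models only what the examples above use:
# ${iot:...} policy variables, '*' wildcards, StringEquals and ForAnyValue:StringEquals.
ARN = "arn:aws:iot:us-east-1:123456789012:"

def substitute(resource, ctx):
    # A thing absent from the registry has no ThingName, so ${iot:Connection.Thing.ThingName} stays
    # unresolved and the ARN never matches ("\0" stands in for it); hence the client-ID lists above.
    return re.sub(r"\$\{iot:([^}]+)\}", lambda m: str(ctx.get(m.group(1), "\0")), resource)

def condition_ok(cond, ctx):
    # Context keys are the policy variable names without their "iot:" prefix.
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key[len("iot:"):])
            if op == "StringEquals" and have != want:
                return False
            if op == "ForAnyValue:StringEquals" and want not in (have or []):
                return False
    return True

def is_allowed(policy, action, resource, ctx):
    # Only Allow statements are modelled, as in the examples; an explicit Deny is not handled.
    for st in policy["Statement"]:
        if st["Effect"] != "Allow" or action not in st["Action"]:
            continue
        if not condition_ok(st.get("Condition", {}), ctx):
            continue
        if any(fnmatch.fnmatchcase(resource, substitute(r, ctx)) for r in st["Resource"]):
            return True
    return False

# Constructed policy in the shape of the admin/* example above.
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iot:Connect"],
     "Resource": [ARN + "client/${iot:Connection.Thing.ThingName}"]},
    {"Effect": "Allow", "Action": ["iot:Publish"], "Resource": [ARN + "topic/admin/*"],
     "Condition": {"StringEquals": {"iot:Certificate.Subject.CommonName.2": "Administrator"}}}]}

# Constructed policy in the shape of the Subject.CommonName topic example above.
CN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iot:Publish"],
     "Resource": [ARN + "topic/${iot:Certificate.Subject.CommonName}"]}]}

def shared_cert_overlap(cn, things):
    # Every thing presenting one shared certificate with common name `cn` lands on topic/<cn>.
    return [t for t in things if is_allowed(CN_POLICY, "iot:Publish", ARN + "topic/" + cn,
            {"Certificate.Subject.CommonName": cn, "Connection.Thing.ThingName": t})]
```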