Connect policy examples - Amazon IoT Core
The Amazon Web Services services or features described in the Amazon Web Services documentation may vary by Region. To see the differences that apply to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

This page is a machine-translated version. If this translation differs from the English original, the English original prevails.

Connect policy examples

The following policy denies client IDs client1 and client2 permission to connect to Amazon IoT Core, and allows a device to connect with a client ID that matches the name of the thing registered in the Amazon IoT Core registry and attached to the principal used to connect:

Note

For registered devices, we recommend that you use thing policy variables for the Connect action and attach the thing to the principal used to connect.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": ["iot:Connect"],
      "Resource": [
        "arn:aws:iot:us-east-1:123456789012:client/client1",
        "arn:aws:iot:us-east-1:123456789012:client/client2"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Connect"],
      "Resource": [
        "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"
      ],
      "Condition": {
        "Bool": {
          "iot:Connection.Thing.IsAttached": "true"
        }
      }
    }
  ]
}

The following policy grants permission to connect to Amazon IoT Core with client ID client1. This policy example is for unregistered devices.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iot:Connect"],
      "Resource": [
        "arn:aws:iot:us-east-1:123456789012:client/client1"
      ]
    }
  ]
}

MQTT persistent session policy examples

connectAttributes lets you specify, in your IAM policies, which attributes the connect message may use, such as PersistentConnect and LastWill. For more information, see Using ConnectAttributes.

The following policy allows connections that use the PersistentConnect feature:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iot:Connect"],
      "Resource": "arn:aws:iot:us-east-1:123456789012:client/client1",
      "Condition": {
        "ForAllValues:StringEquals": {
          "iot:ConnectAttributes": ["PersistentConnect"]
        }
      }
    }
  ]
}

The following policy does not allow PersistentConnect, but allows connections that use other features:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iot:Connect"],
      "Resource": "arn:aws:iot:us-east-1:123456789012:client/client1",
      "Condition": {
        "ForAllValues:StringNotEquals": {
          "iot:ConnectAttributes": ["PersistentConnect"]
        }
      }
    }
  ]
}

The policy above can also be expressed with StringEquals, but then it allows any other feature, including new ones:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iot:Connect"],
      "Resource": "arn:aws:iot:us-east-1:123456789012:client/client1"
    },
    {
      "Effect": "Deny",
      "Action": ["iot:Connect"],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "iot:ConnectAttributes": ["PersistentConnect"]
        }
      }
    }
  ]
}

The following policy allows connections with PersistentConnect and LastWill, but does not allow any other new feature:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iot:Connect"],
      "Resource": "arn:aws:iot:us-east-1:123456789012:client/client1",
      "Condition": {
        "ForAllValues:StringEquals": {
          "iot:ConnectAttributes": ["PersistentConnect", "LastWill"]
        }
      }
    }
  ]
}

The following policy allows clients to connect clean, with or without LastWill, but does not allow other features:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iot:Connect"],
      "Resource": "arn:aws:iot:us-east-1:123456789012:client/client1",
      "Condition": {
        "ForAllValues:StringEquals": {
          "iot:ConnectAttributes": ["LastWill"]
        }
      }
    }
  ]
}

The following policy only allows connecting with the default features:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iot:Connect"],
      "Resource": "arn:aws:iot:us-east-1:123456789012:client/client1",
      "Condition": {
        "ForAllValues:StringEquals": {
          "iot:ConnectAttributes": []
        }
      }
    }
  ]
}

The following policy only allows connecting with PersistentConnect, but permits any new feature as long as the connection uses PersistentConnect:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iot:Connect"],
      "Resource": "arn:aws:iot:us-east-1:123456789012:client/client1",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "iot:ConnectAttributes": ["PersistentConnect"]
        }
      }
    }
  ]
}

The following policy requires the connection to use both PersistentConnect and LastWill, and does not allow new features:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iot:Connect"],
      "Resource": "arn:aws:iot:us-east-1:123456789012:client/client1",
      "Condition": {
        "ForAllValues:StringEquals": {
          "iot:ConnectAttributes": ["PersistentConnect", "LastWill"]
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": ["iot:Connect"],
      "Resource": "*",
      "Condition": {
        "ForAllValues:StringEquals": {
          "iot:ConnectAttributes": ["PersistentConnect"]
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": ["iot:Connect"],
      "Resource": "*",
      "Condition": {
        "ForAllValues:StringEquals": {
          "iot:ConnectAttributes": ["LastWill"]
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": ["iot:Connect"],
      "Resource": "*",
      "Condition": {
        "ForAllValues:StringEquals": {
          "iot:ConnectAttributes": []
        }
      }
    }
  ]
}
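To see why the "both PersistentConnect and LastWill" policy needs three Deny statements on top of the "PersistentConnect and LastWill, no other new feature" policy, the following added example (not AWS code) models the IAM set-operator rules for iot:ConnectAttributes and the explicit-Deny-wins evaluation, then runs both policies from this page against sample attribute sets. It assumes a clean connection presents an empty iot:ConnectAttributes set and only models that condition key.

```python
"""Added example (not AWS code): model how IoT Core decides iot:Connect when a
policy conditions on iot:ConnectAttributes, using the IAM set-operator rules
(ForAllValues / ForAnyValue with StringEquals / StringNotEquals)."""
import fnmatch

CLIENT1 = "arn:aws:iot:us-east-1:123456789012:client/client1"

def _stmt(effect, resource, op, values):
    """One statement in the shape used on this page (iot:ConnectAttributes only)."""
    return {"Effect": effect, "Action": ["iot:Connect"], "Resource": resource,
            "Condition": {op: {"iot:ConnectAttributes": values}}}

# "PersistentConnect and LastWill, no other new feature": a single ForAllValues Allow.
POLICY_SUBSET = {"Version": "2012-10-17", "Statement": [
    _stmt("Allow", CLIENT1, "ForAllValues:StringEquals", ["PersistentConnect", "LastWill"])]}

# "Both PersistentConnect and LastWill required": the same Allow plus three Denies
# that close off the subsets (either one alone, or a clean connect) the Allow accepts.
POLICY_BOTH_REQUIRED = {"Version": "2012-10-17", "Statement": [
    POLICY_SUBSET["Statement"][0],
    _stmt("Deny", "*", "ForAllValues:StringEquals", ["PersistentConnect"]),
    _stmt("Deny", "*", "ForAllValues:StringEquals", ["LastWill"]),
    _stmt("Deny", "*", "ForAllValues:StringEquals", [])]}

def _condition_holds(op, request_values, policy_values):
    """Set-operator semantics for the multi-valued key iot:ConnectAttributes."""
    set_op, str_op = op.split(":", 1)
    equals = str_op == "StringEquals"           # StringNotEquals negates each test
    hits = [(v in policy_values) == equals for v in request_values]
    if set_op == "ForAllValues":
        return all(hits)                        # vacuously true for a clean connect
    if set_op == "ForAnyValue":
        return any(hits)                        # false for a clean connect
    raise ValueError(f"unsupported operator {op}")

def _applies(stmt, client_arn, attrs):
    resources = [stmt["Resource"]] if isinstance(stmt["Resource"], str) else stmt["Resource"]
    if "iot:Connect" not in stmt["Action"] or not any(
            fnmatch.fnmatchcase(client_arn, r) for r in resources):
        return False
    return all(_condition_holds(op, attrs, set(c["iot:ConnectAttributes"]))
               for op, c in stmt.get("Condition", {}).items())

def connect_allowed(policy, client_arn, attrs):
    """attrs: ConnectAttributes present on the CONNECT (empty = clean connect)."""
    attrs = set(attrs)
    matching = [s for s in policy["Statement"] if _applies(s, client_arn, attrs)]
    if any(s["Effect"] == "Deny" for s in matching):
        return False                            # an explicit Deny always wins
    return any(s["Effect"] == "Allow" for s in matching)
```

Running `connect_allowed(POLICY_SUBSET, CLIENT1, set())` returns True because ForAllValues is vacuously satisfied by an empty set, which is exactly the gap the third Deny in POLICY_BOTH_REQUIRED closes.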

The following policy does not allow PersistentConnect, but allows LastWill, and does not allow any other new feature:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": ["iot:Connect"],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "iot:ConnectAttributes": ["PersistentConnect"]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Connect"],
      "Resource": "arn:aws:iot:us-east-1:123456789012:client/client1",
      "Condition": {
        "ForAllValues:StringEquals": {
          "iot:ConnectAttributes": ["LastWill"]
        }
      }
    }
  ]
}

The following policy only allows clients to connect with a LastWill whose topic is "my/lastwill/topicName", and allows any feature to be used together with the LastWill topic:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iot:Connect"],
      "Resource": "arn:aws:iot:us-east-1:123456789012:client/client1",
      "Condition": {
        "ArnEquals": {
          "iot:LastWillTopic": "arn:aws:iot:region:account-id:topic/my/lastwill/topicName"
        }
      }
    }
  ]
}

The following policy only allows clean connections with a specific LastWillTopic, and allows any feature to be used together with the LastWillTopic:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iot:Connect"],
      "Resource": "arn:aws:iot:us-east-1:123456789012:client/client1",
      "Condition": {
        "ArnEquals": {
          "iot:LastWillTopic": "arn:aws:iot:region:account-id:topic/my/lastwill/topicName"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": ["iot:Connect"],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "iot:ConnectAttributes": ["PersistentConnect"]
        }
      }
    }
  ]
}