连接策略示例 - Amazon IoT Core
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅中国的 Amazon Web Services 服务入门

连接策略示例

以下策略授予权限以使用客户端 ID Amazon IoT Core 连接到 client1

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/client1" ] } ] }

以下策略拒绝使用客户端 ID client1client2 连接到 Amazon IoT Core 的权限,同时允许设备使用与已在 Amazon IoT Core 注册表中注册的事物名称匹配的客户端 ID 进行连接:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": [ "iot:Connect" ], "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/client1", "arn:aws:iot:us-east-1:123456789012:client/client2" ] }, { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}" ] } ] }

MQTT 持久性会话策略示例

connectAttributes 允许您在 IAM 策略中指定要在连接消息中使用的属性,如 PersistentConnectLastWill。有关更多信息,请参阅 使用 ConnectAttributes

以下策略允许连接 PersistentConnect 功能:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": "*", "Condition": { "ForAllValues:StringEquals": { "iot:ConnectAttributes": [ "PersistentConnect" ] } } } ] }

以下策略不允许 PersistentConnect,但允许使用其他功能:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": "*", "Condition": { "ForAllValues:StringNotEquals": { "iot:ConnectAttributes": [ "PersistentConnect" ] } } } ]

上述策略也可以使用 StringEquals 表达,但允许使用包括新功能在内的任何其他功能:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": "*" }, { "Effect": "Deny", "Action": [ "iot:Connect" ], "Resource": "*", "Condition": { "ForAnyValue:StringEquals": { "iot:ConnectAttributes": [ "PersistentConnect" ] } } } ] }

以下策略允许通过 PersistentConnectLastWill 连接,但不允许使用任何其他新功能:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": "*", "Condition": { "ForAllValues:StringEquals": { "iot:ConnectAttributes": [ "PersistentConnect", "LastWill" ] } } } ] }

以下策略允许客户端进行干净连接,无论是否具有 LastWill,但不允许使用其他功能:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": "*", "Condition": { "ForAllValues:StringEquals": { "iot:ConnectAttributes": [ "LastWill" ] } } } ] }

以下策略仅允许使用默认功能进行连接:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": "*", "Condition": { "ForAllValues:StringEquals": { "iot:ConnectAttributes": [ ] } } } ] }

以下策略仅允许使用 PersistentConnect 连接,但只要连接使用 PersistentConnect,则允许使用任何新功能:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": "*", "Condition": { "ForAnyValue:StringEquals": { "iot:ConnectAttributes": [ "PersistentConnect" ] } } } ] }

以下策略规定连接必须同时使用 PersistentConnectLastWill,而不允许使用新功能:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": "*", "Condition": { "ForAllValues:StringEquals": { "iot:ConnectAttributes": [ "PersistentConnect", "LastWill" ] } } }, { "Effect": "Deny", "Action": [ "iot:Connect" ], "Resource": "*", "Condition": { "ForAllValues:StringEquals": { "iot:ConnectAttributes": [ "PersistentConnect" ] } } }, { "Effect": "Deny", "Action": [ "iot:Connect" ], "Resource": "*", "Condition": { "ForAllValues:StringEquals": { "iot:ConnectAttributes": [ "LastWill" ] } } }, { "Effect": "Deny", "Action": [ "iot:Connect" ], "Resource": "*", "Condition": { "ForAllValues:StringEquals": { "iot:ConnectAttributes": [ ] } } } ] }

以下策略不能拥有 PersistentConnect,但可以有 LastWill,不允许使用任何其他新功能:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": [ "iot:Connect" ], "Resource": "*", "Condition": { "ForAnyValue:StringEquals": { "iot:ConnectAttributes": [ "PersistentConnect" ] } } }, { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": "*", "Condition": { "ForAllValues:StringEquals": { "iot:ConnectAttributes": [ "LastWill" ] } } } ] }

以下策略仅允许包括带有主题 "my/lastwill/topicName"LastWill 客户端连接,同时允许任何使用 LastWill 主题的功能:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": "*", "Condition": { "ArnEquals": { "iot:LastWillTopic": "arn:aws:iot:*region*:*account-id*:topic/*my/lastwill/topicName*" } } } ] }

以下策略仅允许使用特定 LastWillTopic 的干净连接,同时允许任何使用 LastWillTopic 的功能:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": "*", "Condition": { "ArnEquals": { "iot:LastWillTopic": "arn:aws:iot:*region*:*account-id*:topic/*my/lastwill/topicName*" } } }, { "Effect": "Deny", "Action": [ "iot:Connect" ], "Resource": "*", "Condition": { "ForAnyValue:StringEquals": { "iot:ConnectAttributes": [ "PersistentConnect" ] } } } ] }
Registered devices (3)

以下策略授予设备使用其事物名称作为客户端 ID 进行连接和订阅主题筛选条件 my/topic/filter 的权限。设备必须注册到 Amazon IoT Core 。当设备连接到 Amazon IoT Core 时,它必须提供与 Amazon IoT Core 注册表中的 IoT 事物关联的证书:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}" ] }, { "Effect": "Allow", "Action": [ "iot:Subscribe" ], "Resource": [ "arn:aws:iot:us-east-1:123456789012:topicfilter/my/topic/filter" ] } ] }
Unregistered devices (3)

对于未在 Amazon IoT Core 注册表中注册为事物的设备,以下策略授予权限以使用客户端 ID client1 进行连接以及订阅主题筛选条件 my/topic

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/client1" ] }, { "Effect": "Allow", "Action": [ "iot:Subscribe" ], "Resource": [ "arn:aws:iot:us-east-1:123456789012:topicfilter/my/topic" ] } ] }