AWS IoT
Developer Guide
Features of AWS services, or features described in the AWS documentation, may vary by region or location. See "Getting Started with Amazon AWS" for the specific differences in the China regions.

IAM IoT Policies

AWS Identity and Access Management (IAM) defines one policy action for each operation that AWS IoT defines, covering both the control plane APIs and the data plane APIs.

AWS IoT API Permissions

The following table lists each AWS IoT API, the IAM permission (policy action) it requires, and the resource the API operates on. A `*` in the resource column means the API is not scoped to a specific resource ARN; where the cell is empty, the page lists no resource for that API.

| API | Required permission (policy action) | Resource |
| --- | --- | --- |
| AcceptCertificateTransfer | iot:AcceptCertificateTransfer | arn:aws:iot:region:account-id:cert/cert-id (Note: the AWS account specified in the ARN must be the account the certificate is being transferred to.) |
| AddLoggingRole | iot:AddLoggingRole | |
| AddThingToThingGroup | iot:AddThingToThingGroup | arn:aws:iot:region:account-id:thinggroup/thing-group-name and arn:aws:iot:region:account-id:thing/thing-name |
| AssociateTargetsWithJob | iot:AssociateTargetsWithJob | |
| AttachPolicy | iot:AttachPolicy | arn:aws:iot:region:account-id:thinggroup/thing-group-name or arn:aws:iot:region:account-id:cert/cert-id |
| AttachPrincipalPolicy | iot:AttachPrincipalPolicy | arn:aws:iot:region:account-id:cert/cert-id |
| AttachThingPrincipal | iot:AttachThingPrincipal | arn:aws:iot:region:account-id:cert/cert-id |
| CancelCertificateTransfer | iot:CancelCertificateTransfer | arn:aws:iot:region:account-id:cert/cert-id (Note: the AWS account specified in the ARN must be the account the certificate is being transferred to.) |
| CancelJob | iot:CancelJob | arn:aws:iot:region:account-id:job/job-id |
| ClearDefaultAuthorizer | iot:ClearDefaultAuthorizer | |
| CreateAuthorizer | iot:CreateAuthorizer | arn:aws:iot:region:account-id:authorizer/authorizer-function-name |
| CreateCertificateFromCsr | iot:CreateCertificateFromCsr | * |
| CreateJob | iot:CreateJob | arn:aws:iot:region:account-id:job/job-id |
| CreateKeysAndCertificate | iot:CreateKeysAndCertificate | * |
| CreateMessageSchema | iot:CreateMessageSchema | |
| CreatePolicy | iot:CreatePolicy | * |
| CreatePolicyVersion | iot:CreatePolicyVersion | arn:aws:iot:region:account-id:policy/policy-name (Note: this must be an AWS IoT policy, not an IAM policy.) |
| CreateRoleAlias | iot:CreateRoleAlias (parameter: roleAlias) | arn:aws:iot:region:account-id:rolealias/role-alias-name |
| CreateThing | iot:CreateThing | arn:aws:iot:region:account-id:thing/thing-name |
| CreateThingGroup | iot:CreateThingGroup | arn:aws:iot:region:account-id:thinggroup/thing-group-name, for the group being created and for the parent group (if one is used) |
| CreateThingType | iot:CreateThingType | arn:aws:iot:region:account-id:thingtype/thing-type-name |
| CreateTopicRule | iot:CreateTopicRule | arn:aws:iot:region:account-id:rule/rule-name |
| DeleteAuthorizer | iot:DeleteAuthorizer | arn:aws:iot:region:account-id:authorizer/authorizer-name |
| DeleteCACertificate | iot:DeleteCACertificate | arn:aws:iot:region:account-id:cacert/cert-id |
| DeleteCertificate | iot:DeleteCertificate | arn:aws:iot:region:account-id:cert/cert-id |
| DeleteLoggingLevel | iot:DeleteLoggingLevel | arn:aws:iot:region:account-id:thinggroup/thing-group-name |
| DeleteLoggingRole | iot:DeleteLoggingRole | |
| DeleteMessageSchema | iot:DeleteMessageSchema | |
| DeletePolicy | iot:DeletePolicy | arn:aws:iot:region:account-id:policy/policy-name |
| DeletePolicyVersion | iot:DeletePolicyVersion | arn:aws:iot:region:account-id:policy/policy-name |
| DeleteRegistrationCode | iot:DeleteRegistrationCode | * |
| DeleteRoleAlias | iot:DeleteRoleAlias | arn:aws:iot:region:account-id:rolealias/role-alias-name |
| DeleteThing | iot:DeleteThing | arn:aws:iot:region:account-id:thing/thing-name |
| DeleteThingGroup | iot:DeleteThingGroup | arn:aws:iot:region:account-id:thinggroup/thing-group-name |
| DeleteThingType | iot:DeleteThingType | arn:aws:iot:region:account-id:thingtype/thing-type-name |
| DeleteTopicRule | iot:DeleteTopicRule | arn:aws:iot:region:account-id:rule/rule-name |
| DeleteV2LoggingLevel | iot:DeleteV2LoggingLevel | arn:aws:iot:region:account-id:thinggroup/thing-group-name |
| DeprecateThingType | iot:DeprecateThingType | arn:aws:iot:region:account-id:thingtype/thing-type-name |
| DescribeAuthorizer | iot:DescribeAuthorizer (parameter: authorizerName) | arn:aws:iot:region:account-id:authorizer/authorizer-function-name |
| DescribeCACertificate | iot:DescribeCACertificate | arn:aws:iot:region:account-id:cacert/cert-id |
| DescribeCertificate | iot:DescribeCertificate | arn:aws:iot:region:account-id:cert/cert-id |
| DescribeDefaultAuthorizer | iot:DescribeDefaultAuthorizer | |
| DescribeEndpoint | iot:DescribeEndpoint | * |
| DescribeEventConfigurations | iot:DescribeEventConfigurations | |
| DescribeIndex | iot:DescribeIndex | arn:aws:iot:region:account-id:index/index-name |
| DescribeJob | iot:DescribeJob | arn:aws:iot:region:account-id:job/job-id |
| DescribeJobExecution | iot:DescribeJobExecution | |
| DescribeRoleAlias | iot:DescribeRoleAlias | arn:aws:iot:region:account-id:rolealias/role-alias-name |
| DescribeThing | iot:DescribeThing | arn:aws:iot:region:account-id:thing/thing-name |
| DescribeThingGroup | iot:DescribeThingGroup | arn:aws:iot:region:account-id:thinggroup/thing-group-name |
| DescribeThingRegistrationTask | iot:DescribeThingRegistrationTask | |
| DescribeThingType | iot:DescribeThingType | arn:aws:iot:region:account-id:thingtype/thing-type-name |
| DetachPolicy | iot:DetachPolicy | arn:aws:iot:region:account-id:cert/cert-id or arn:aws:iot:region:account-id:thinggroup/thing-group-name |
| DetachPrincipalPolicy | iot:DetachPrincipalPolicy | arn:aws:iot:region:account-id:cert/cert-id |
| DetachThingPrincipal | iot:DetachThingPrincipal | arn:aws:iot:region:account-id:cert/cert-id |
| DisableTopicRule | iot:DisableTopicRule | arn:aws:iot:region:account-id:rule/rule-name |
| EnableTopicRule | iot:EnableTopicRule | arn:aws:iot:region:account-id:rule/rule-name |
| GetEffectivePolicies | iot:GetEffectivePolicies | arn:aws:iot:region:account-id:cert/cert-id |
| GetIndexingConfiguration | iot:GetIndexingConfiguration | |
| GetJobDocument | iot:GetJobDocument | arn:aws:iot:region:account-id:job/job-id |
| GetLoggingOptions | iot:GetLoggingOptions | * |
| GetLoggingOptionsV2 | iot:GetLoggingOptionsV2 | |
| GetLoggingRole | iot:GetLoggingRole | |
| GetMessageSchema | iot:GetMessageSchema | |
| GetPolicy | iot:GetPolicy | arn:aws:iot:region:account-id:policy/policy-name |
| GetPolicyVersion | iot:GetPolicyVersion | arn:aws:iot:region:account-id:policy/policy-name |
| GetRegistrationCode | iot:GetRegistrationCode | * |
| GetTopicRule | iot:GetTopicRule | arn:aws:iot:region:account-id:rule/rule-name |
| GetV2LoggingOptions | iot:GetV2LoggingOptions | |
| ListAttachedPolicies | iot:ListAttachedPolicies | arn:aws:iot:region:account-id:thinggroup/thing-group-name or arn:aws:iot:region:account-id:cert/cert-id |
| ListAuthorizers | iot:ListAuthorizers | |
| ListCACertificates | iot:ListCACertificates | * |
| ListCertificates | iot:ListCertificates | * |
| ListCertificatesByCA | iot:ListCertificatesByCA | * |
| ListIndices | iot:ListIndices | |
| ListJobExecutionsForJob | iot:ListJobExecutionsForJob | |
| ListJobExecutionsForThing | iot:ListJobExecutionsForThing | |
| ListJobs | iot:ListJobs | arn:aws:iot:region:account-id:thinggroup/thing-group-name (if the thingGroupName parameter is used) |
| ListLoggingLevels | iot:ListLoggingLevels | |
| ListMessageSchemas | iot:ListMessageSchemas | |
| ListOutgoingCertificates | iot:ListOutgoingCertificates | * |
| ListPolicies | iot:ListPolicies | * |
| ListPolicyPrincipals | iot:ListPolicyPrincipals | arn:aws:iot:region:account-id:policy/policy-name |
| ListPolicyVersions | iot:ListPolicyVersions | arn:aws:iot:region:account-id:policy/policy-name |
| ListPrincipalPolicies | iot:ListPrincipalPolicies | arn:aws:iot:region:account-id:cert/cert-id |
| ListPrincipalThings | iot:ListPrincipalThings | arn:aws:iot:region:account-id:cert/cert-id |
| ListRoleAliases | iot:ListRoleAliases | |
| ListTargetsForPolicy | iot:ListTargetsForPolicy | arn:aws:iot:region:account-id:policy/policy-name |
| ListThingGroups | iot:ListThingGroups | |
| ListThingGroupsForThing | iot:ListThingGroupsForThing | arn:aws:iot:region:account-id:thing/thing-name |
| ListThingPrincipals | iot:ListThingPrincipals | arn:aws:iot:region:account-id:thing/thing-name |
| ListThingRegistrationTaskReports | iot:ListThingRegistrationTaskReports | |
| ListThingRegistrationTasks | iot:ListThingRegistrationTasks | |
| ListThingTypes | iot:ListThingTypes | * |
| ListThings | iot:ListThings | * |
| ListThingsInThingGroup | iot:ListThingsInThingGroup | arn:aws:iot:region:account-id:thinggroup/thing-group-name |
| ListTopicRules | iot:ListTopicRules | * |
| ListV2LoggingLevels | iot:ListV2LoggingLevels | |
| RegisterCACertificate | iot:RegisterCACertificate | * |
| RegisterCertificate | iot:RegisterCertificate | * |
| RegisterThing | iot:RegisterThing | |
| RejectCertificateTransfer | iot:RejectCertificateTransfer | arn:aws:iot:region:account-id:cert/cert-id |
| RemoveThingFromThingGroup | iot:RemoveThingFromThingGroup | arn:aws:iot:region:account-id:thinggroup/thing-group-name and arn:aws:iot:region:account-id:thing/thing-name |
| ReplaceTopicRule | iot:ReplaceTopicRule | arn:aws:iot:region:account-id:rule/rule-name |
| SearchIndex | iot:SearchIndex | arn:aws:iot:region:account-id:index/index-id |
| SetDefaultAuthorizer | iot:SetDefaultAuthorizer | arn:aws:iot:region:account-id:authorizer/authorizer-function-name |
| SetDefaultPolicyVersion | iot:SetDefaultPolicyVersion | arn:aws:iot:region:account-id:policy/policy-name |
| SetLoggingLevel | iot:SetLoggingLevel | |
| SetLoggingOptions | iot:SetLoggingOptions | arn:aws:iot:region:account-id:role/role-name |
| SetLoggingOptionsV2 | iot:SetLoggingOptionsV2 | arn:aws:iot:region:account-id:role/role-name |
| SetV2LoggingLevel | iot:SetV2LoggingLevel | arn:aws:iot:region:account-id:thinggroup/thing-group-name |
| SetV2LoggingOptions | iot:SetV2LoggingOptions | arn:aws:iot:region:account-id:role/role-name |
| StartThingRegistrationTask | iot:StartThingRegistrationTask | |
| StopThingRegistrationTask | iot:StopThingRegistrationTask | |
| TestAuthorization | iot:TestAuthorization | arn:aws:iot:region:account-id:cert/cert-id |
| TestInvokeAuthorizer | iot:TestInvokeAuthorizer | |
| TransferCertificate | iot:TransferCertificate | arn:aws:iot:region:account-id:cert/cert-id |
| UpdateAuthorizer | iot:UpdateAuthorizer | arn:aws:iot:region:account-id:authorizerfunction/authorizer-function-name |
| UpdateCACertificate | iot:UpdateCACertificate | arn:aws:iot:region:account-id:cacert/cert-id |
| UpdateCertificate | iot:UpdateCertificate | arn:aws:iot:region:account-id:cert/cert-id |
| UpdateEventConfigurations | iot:UpdateEventConfigurations | |
| UpdateIndexingConfiguration | iot:UpdateIndexingConfiguration | |
| UpdateMessageSchema | iot:UpdateMessageSchema | |
| UpdateRoleAlias | iot:UpdateRoleAlias | arn:aws:iot:region:account-id:rolealias/role-alias-name |
| UpdateThing | iot:UpdateThing | arn:aws:iot:region:account-id:thing/thing-name |
| UpdateThingGroup | iot:UpdateThingGroup | arn:aws:iot:region:account-id:thinggroup/thing-group-name |
| UpdateThingGroupsForThing | iot:UpdateThingGroupsForThing | arn:aws:iot:region:account-id:thing/thing-name |
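The practical use of the table above is writing IAM policies that grant each iot:* action only on the resource type it actually operates on. The following added example (not AWS code, and not part of the original guide) is a small least-privilege linter that encodes a constructed subset of the table as an action-to-resource-type map and checks an IAM policy document against it. It flags two defects: a resource-scoped action granted on `*` (over-broad), and an action granted on an ARN of a resource type the action never matches (a grant that silently does nothing, which usually hides a copy-paste error). The sample policy, the account ID 123456789012 and the resource names in it are constructed for the example.

```python
"""Lint the iot:* statements of an IAM policy against the API-to-resource table.

Added example, not AWS code. ACTION_RESOURCE_TYPES is a constructed subset of the
table on this page; extend it with further rows as needed.
"""
import re

# Constructed subset of the table above: action -> ARN resource types it accepts.
# An entry of {"*"} means the API is not resource-scoped and only takes "*".
ACTION_RESOURCE_TYPES = {
    "iot:AttachPolicy": {"cert", "thinggroup"},
    "iot:DetachPolicy": {"cert", "thinggroup"},
    "iot:CreatePolicy": {"*"},
    "iot:CreatePolicyVersion": {"policy"},
    "iot:DeletePolicy": {"policy"},
    "iot:GetPolicy": {"policy"},
    "iot:ListPolicies": {"*"},
    "iot:CreateKeysAndCertificate": {"*"},
    "iot:DeleteCertificate": {"cert"},
    "iot:UpdateCertificate": {"cert"},
    "iot:DescribeThing": {"thing"},
    "iot:AddThingToThingGroup": {"thing", "thinggroup"},
    "iot:SetV2LoggingOptions": {"role"},
}

# arn:aws:iot:<region>:<account>:<resource-type>/<resource-id>; region/account may be "*".
IOT_ARN = re.compile(r"^arn:aws:iot:[^:]*:[^:]*:([a-z]+)/.+$")


def _as_list(value):
    """IAM allows a single string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _resource_type(arn):
    """Return the resource type of an AWS IoT ARN, '*' for the wildcard, or None."""
    if arn == "*":
        return "*"
    m = IOT_ARN.match(arn)
    return m.group(1) if m else None


def lint_iot_policy(policy):
    """Return (sid, action, resource, finding) tuples for every defective Allow grant."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt.get("Action", [])):
            allowed = ACTION_RESOURCE_TYPES.get(action)
            if allowed is None:
                continue  # wildcard actions or actions outside the constructed subset
            for resource in _as_list(stmt.get("Resource", [])):
                rtype = _resource_type(resource)
                if rtype is None:
                    findings.append((sid, action, resource, "not an AWS IoT ARN"))
                elif rtype == "*" and allowed != {"*"}:
                    findings.append((sid, action, resource,
                                     "over-broad: resource-scoped action granted on *"))
                elif rtype != "*" and rtype not in allowed:
                    findings.append((sid, action, resource,
                                     f"type mismatch: expected one of {sorted(allowed)}"))
    return findings


# Constructed sample: a deployment role with a mix of careful and careless grants.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Correct: policy attachment scoped to one thing group
            "Sid": "AttachToFleetGroup",
            "Effect": "Allow",
            "Action": ["iot:AttachPolicy", "iot:DetachPolicy"],
            "Resource": "arn:aws:iot:us-east-1:123456789012:thinggroup/fleet-a",
        },
        {   # Over-broad: certificate lifecycle on every certificate in the account
            "Sid": "CertLifecycle",
            "Effect": "Allow",
            "Action": ["iot:UpdateCertificate", "iot:DeleteCertificate"],
            "Resource": "*",
        },
        {   # Mismatch: a cert ARN given to a thing-scoped action (grant never matches)
            "Sid": "ReadThings",
            "Effect": "Allow",
            "Action": "iot:DescribeThing",
            "Resource": "arn:aws:iot:us-east-1:123456789012:cert/abc123",
        },
        {   # Correct: an action that only takes the wildcard resource
            "Sid": "CreateCerts",
            "Effect": "Allow",
            "Action": "iot:CreateKeysAndCertificate",
            "Resource": "*",
        },
    ],
}

if __name__ == "__main__":
    for sid, action, resource, finding in lint_iot_policy(SAMPLE_POLICY):
        print(f"[{sid}] {action} on {resource}: {finding}")
```

Run as a script it reports the two over-broad certificate grants and the mismatched DescribeThing grant; the two correct statements produce no output. The check is deliberately conservative: `iot:*` and actions outside the map are skipped rather than guessed at, so extend ACTION_RESOURCE_TYPES from the table before relying on it for a full review.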

IAM Policy Templates

AWS IoT provides a set of IAM policy templates that you can use as they are or as a starting point for creating your own custom IAM policies. These templates grant access to configuration operations and data operations. Configuration operations let you create things, certificates, policies and rules. Data operations send data over the MQTT or HTTP protocol. The following table describes the templates.

| Policy template | Description |
| --- | --- |
| AWSIotLogging | Allows the associated identity to configure CloudWatch logging. This policy is attached to your CloudWatch logging role. |
| AWSIoTConfigAccess | Allows the associated identity access to all AWS IoT configuration operations. |
| AWSIoTConfigReadOnlyAccess | Allows the associated identity to call read-only configuration operations. |
| AWSIoTDataAccess | Allows the associated identity full access to all AWS IoT data operations. Data operations send data over the MQTT or HTTP protocol. |
| AWSIoTFullAccess | Allows the associated identity full access to all AWS IoT configuration and data operations. |
| AWSIoTRuleActions | Allows the associated identity access to all AWS services supported by AWS IoT rule actions. |