AWS IoT
Developer Guide
The AWS services or features described in the AWS documentation may vary by Region. To see the differences that apply to the China Regions, see Getting Started with AWS Services in China.

IAM IoT policies

AWS Identity and Access Management defines one policy action for every operation defined for AWS IoT, covering both the control-plane API and the data-plane API.

AWS IoT API permissions

The following table lists the AWS IoT APIs, the IAM permission (policy action) each one requires, and the resource the API acts on. A resource of * means the action does not support resource-level permissions: the Resource element of an IAM statement that allows it must be *, because a statement that names a specific ARN for such an action never matches and the call is denied.

(Resources are listed as ARN patterns; where several are listed, a statement can name any of them. An empty Resource cell means the page lists no resource for that API.)

API | Required permission (policy action) | Resource
AcceptCertificateTransfer | iot:AcceptCertificateTransfer | arn:aws:iot:region:account-id:cert/cert-id
    Note: the AWS account specified in the ARN must be the account the certificate is being transferred to.
AddThingToThingGroup | iot:AddThingToThingGroup | arn:aws:iot:region:account-id:thinggroup/thing-group-name; arn:aws:iot:region:account-id:thing/thing-name
AssociateTargetsWithJob | iot:AssociateTargetsWithJob |
AttachPolicy | iot:AttachPolicy | arn:aws:iot:region:account-id:thinggroup/thing-group-name; arn:aws:iot:region:account-id:cert/cert-id
AttachPrincipalPolicy | iot:AttachPrincipalPolicy | arn:aws:iot:region:account-id:cert/cert-id
AttachThingPrincipal | iot:AttachThingPrincipal | arn:aws:iot:region:account-id:cert/cert-id
CancelCertificateTransfer | iot:CancelCertificateTransfer | arn:aws:iot:region:account-id:cert/cert-id
    Note: the AWS account specified in the ARN must be the account the certificate is being transferred to.
CancelJob | iot:CancelJob | arn:aws:iot:region:account-id:job/job-id
CancelJobExecution | iot:CancelJobExecution | arn:aws:iot:region:account-id:job/job-id; arn:aws:iot:region:account-id:thing/thing-name
ClearDefaultAuthorizer | iot:ClearDefaultAuthorizer |
CreateAuthorizer | iot:CreateAuthorizer | arn:aws:iot:region:account-id:authorizer/authorizer-function-name
CreateCertificateFromCsr | iot:CreateCertificateFromCsr | *
CreateJob | iot:CreateJob | arn:aws:iot:region:account-id:job/job-id
CreateKeysAndCertificate | iot:CreateKeysAndCertificate | *
CreatePolicy | iot:CreatePolicy | *
CreatePolicyVersion | iot:CreatePolicyVersion | arn:aws:iot:region:account-id:policy/policy-name
    Note: this must be an AWS IoT policy, not an IAM policy.
CreateRoleAlias (parameter: roleAlias) | iot:CreateRoleAlias | arn:aws:iot:region:account-id:rolealias/role-alias-name
CreateThing | iot:CreateThing | arn:aws:iot:region:account-id:thing/thing-name
CreateThingGroup | iot:CreateThingGroup | arn:aws:iot:region:account-id:thinggroup/thing-group-name
    For the group being created and, if one is used, its parent group.
CreateThingType | iot:CreateThingType | arn:aws:iot:region:account-id:thingtype/thing-type-name
CreateTopicRule | iot:CreateTopicRule | arn:aws:iot:region:account-id:rule/rule-name
DeleteAuthorizer | iot:DeleteAuthorizer | arn:aws:iot:region:account-id:authorizer/authorizer-name
DeleteCACertificate | iot:DeleteCACertificate | arn:aws:iot:region:account-id:cacert/cert-id
DeleteCertificate | iot:DeleteCertificate | arn:aws:iot:region:account-id:cert/cert-id
DeleteJob | iot:DeleteJob | arn:aws:iot:region:account-id:job/job-id
DeleteJobExecution | iot:DeleteJobExecution | arn:aws:iot:region:account-id:job/job-id; arn:aws:iot:region:account-id:thing/thing-name
DeletePolicy | iot:DeletePolicy | arn:aws:iot:region:account-id:policy/policy-name
DeletePolicyVersion | iot:DeletePolicyVersion | arn:aws:iot:region:account-id:policy/policy-name
DeleteRegistrationCode | iot:DeleteRegistrationCode | *
DeleteRoleAlias | iot:DeleteRoleAlias | arn:aws:iot:region:account-id:rolealias/role-alias-name
DeleteThing | iot:DeleteThing | arn:aws:iot:region:account-id:thing/thing-name
DeleteThingGroup | iot:DeleteThingGroup | arn:aws:iot:region:account-id:thinggroup/thing-group-name
DeleteThingType | iot:DeleteThingType | arn:aws:iot:region:account-id:thingtype/thing-type-name
DeleteTopicRule | iot:DeleteTopicRule | arn:aws:iot:region:account-id:rule/rule-name
DeleteV2LoggingLevel | iot:DeleteV2LoggingLevel | arn:aws:iot:region:account-id:thinggroup/thing-group-name
DeprecateThingType | iot:DeprecateThingType | arn:aws:iot:region:account-id:thingtype/thing-type-name
DescribeAuthorizer (parameter: authorizerName) | iot:DescribeAuthorizer | arn:aws:iot:region:account-id:authorizer/authorizer-function-name
DescribeCACertificate | iot:DescribeCACertificate | arn:aws:iot:region:account-id:cacert/cert-id
DescribeCertificate | iot:DescribeCertificate | arn:aws:iot:region:account-id:cert/cert-id
DescribeDefaultAuthorizer | iot:DescribeDefaultAuthorizer |
DescribeEndpoint | iot:DescribeEndpoint | *
DescribeEventConfigurations | iot:DescribeEventConfigurations |
DescribeIndex | iot:DescribeIndex | arn:aws:iot:region:account-id:index/index-name
DescribeJob | iot:DescribeJob | arn:aws:iot:region:account-id:job/job-id
DescribeJobExecution | iot:DescribeJobExecution |
DescribeRoleAlias | iot:DescribeRoleAlias | arn:aws:iot:region:account-id:rolealias/role-alias-name
DescribeThing | iot:DescribeThing | arn:aws:iot:region:account-id:thing/thing-name
DescribeThingGroup | iot:DescribeThingGroup | arn:aws:iot:region:account-id:thinggroup/thing-group-name
DescribeThingRegistrationTask | iot:DescribeThingRegistrationTask |
DescribeThingType | iot:DescribeThingType | arn:aws:iot:region:account-id:thingtype/thing-type-name
DetachPolicy | iot:DetachPolicy | arn:aws:iot:region:account-id:cert/cert-id; arn:aws:iot:region:account-id:thinggroup/thing-group-name
DetachPrincipalPolicy | iot:DetachPrincipalPolicy | arn:aws:iot:region:account-id:cert/cert-id
DetachThingPrincipal | iot:DetachThingPrincipal | arn:aws:iot:region:account-id:cert/cert-id
DisableTopicRule | iot:DisableTopicRule | arn:aws:iot:region:account-id:rule/rule-name
EnableTopicRule | iot:EnableTopicRule | arn:aws:iot:region:account-id:rule/rule-name
GetEffectivePolicies | iot:GetEffectivePolicies | arn:aws:iot:region:account-id:cert/cert-id
GetIndexingConfiguration | iot:GetIndexingConfiguration |
GetJobDocument | iot:GetJobDocument | arn:aws:iot:region:account-id:job/job-id
GetLoggingOptions | iot:GetLoggingOptions | *
GetPolicy | iot:GetPolicy | arn:aws:iot:region:account-id:policy/policy-name
GetPolicyVersion | iot:GetPolicyVersion | arn:aws:iot:region:account-id:policy/policy-name
GetRegistrationCode | iot:GetRegistrationCode | *
GetTopicRule | iot:GetTopicRule | arn:aws:iot:region:account-id:rule/rule-name
ListAttachedPolicies | iot:ListAttachedPolicies | arn:aws:iot:region:account-id:thinggroup/thing-group-name; arn:aws:iot:region:account-id:cert/cert-id
ListAuthorizers | iot:ListAuthorizers |
ListCACertificates | iot:ListCACertificates | *
ListCertificates | iot:ListCertificates | *
ListCertificatesByCA | iot:ListCertificatesByCA | *
ListIndices | iot:ListIndices |
ListJobExecutionsForJob | iot:ListJobExecutionsForJob |
ListJobExecutionsForThing | iot:ListJobExecutionsForThing |
ListJobs | iot:ListJobs | arn:aws:iot:region:account-id:thinggroup/thing-group-name
    Applies when the thingGroupName parameter is used.
ListOutgoingCertificates | iot:ListOutgoingCertificates | *
ListPolicies | iot:ListPolicies | *
ListPolicyPrincipals | iot:ListPolicyPrincipals | arn:aws:iot:region:account-id:policy/policy-name
ListPolicyVersions | iot:ListPolicyVersions | arn:aws:iot:region:account-id:policy/policy-name
ListPrincipalPolicies | iot:ListPrincipalPolicies | arn:aws:iot:region:account-id:cert/cert-id
ListPrincipalThings | iot:ListPrincipalThings | arn:aws:iot:region:account-id:cert/cert-id
ListRoleAliases | iot:ListRoleAliases |
ListTargetsForPolicy | iot:ListTargetsForPolicy | arn:aws:iot:region:account-id:policy/policy-name
ListThingGroups | iot:ListThingGroups |
ListThingGroupsForThing | iot:ListThingGroupsForThing | arn:aws:iot:region:account-id:thing/thing-name
ListThingPrincipals | iot:ListThingPrincipals | arn:aws:iot:region:account-id:thing/thing-name
ListThingRegistrationTaskReports | iot:ListThingRegistrationTaskReports |
ListThingRegistrationTasks | iot:ListThingRegistrationTasks |
ListThingTypes | iot:ListThingTypes | *
ListThings | iot:ListThings | *
ListThingsInThingGroup | iot:ListThingsInThingGroup | arn:aws:iot:region:account-id:thinggroup/thing-group-name
ListTopicRules | iot:ListTopicRules | *
ListV2LoggingLevels | iot:ListV2LoggingLevels |
RegisterCACertificate | iot:RegisterCACertificate | *
RegisterCertificate | iot:RegisterCertificate | *
RegisterThing | iot:RegisterThing |
RejectCertificateTransfer | iot:RejectCertificateTransfer | arn:aws:iot:region:account-id:cert/cert-id
RemoveThingFromThingGroup | iot:RemoveThingFromThingGroup | arn:aws:iot:region:account-id:thinggroup/thing-group-name; arn:aws:iot:region:account-id:thing/thing-name
ReplaceTopicRule | iot:ReplaceTopicRule | arn:aws:iot:region:account-id:rule/rule-name
SearchIndex | iot:SearchIndex | arn:aws:iot:region:account-id:index/index-id
SetDefaultAuthorizer | iot:SetDefaultAuthorizer | arn:aws:iot:region:account-id:authorizer/authorizer-function-name
SetDefaultPolicyVersion | iot:SetDefaultPolicyVersion | arn:aws:iot:region:account-id:policy/policy-name
SetLoggingOptions | iot:SetLoggingOptions | arn:aws:iam::account-id:role/role-name
    The resource is the IAM role that AWS IoT assumes to write logs, so its ARN is in the iam namespace; the caller also needs iam:PassRole on that role.
SetV2LoggingLevel | iot:SetV2LoggingLevel | arn:aws:iot:region:account-id:thinggroup/thing-group-name
SetV2LoggingOptions | iot:SetV2LoggingOptions | arn:aws:iam::account-id:role/role-name
    As for SetLoggingOptions: an IAM role ARN, and iam:PassRole on that role is required.
StartThingRegistrationTask | iot:StartThingRegistrationTask |
StopThingRegistrationTask | iot:StopThingRegistrationTask |
TestAuthorization | iot:TestAuthorization | arn:aws:iot:region:account-id:cert/cert-id
TestInvokeAuthorizer | iot:TestInvokeAuthorizer |
TransferCertificate | iot:TransferCertificate | arn:aws:iot:region:account-id:cert/cert-id
UpdateAuthorizer | iot:UpdateAuthorizer | arn:aws:iot:region:account-id:authorizer/authorizer-function-name
UpdateCACertificate | iot:UpdateCACertificate | arn:aws:iot:region:account-id:cacert/cert-id
UpdateCertificate | iot:UpdateCertificate | arn:aws:iot:region:account-id:cert/cert-id
UpdateEventConfigurations | iot:UpdateEventConfigurations |
UpdateIndexingConfiguration | iot:UpdateIndexingConfiguration |
UpdateRoleAlias | iot:UpdateRoleAlias | arn:aws:iot:region:account-id:rolealias/role-alias-name
UpdateThing | iot:UpdateThing | arn:aws:iot:region:account-id:thing/thing-name
UpdateThingGroup | iot:UpdateThingGroup | arn:aws:iot:region:account-id:thinggroup/thing-group-name
UpdateThingGroupsForThing | iot:UpdateThingGroupsForThing | arn:aws:iot:region:account-id:thing/thing-name
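The table is only useful if policies are actually written against it, so here is an added example (not code from the AWS documentation) of a small lint pass over IAM Allow statements for AWS IoT actions. It flags the three mistakes the table exists to prevent: an action listed with * scoped to a specific ARN (IAM never matches it, so the call is denied), an action that supports resource ARNs granted on *, and an ARN whose resource type the action never acts on (a dead grant). ACTION_RESOURCES is a hand-transcribed subset of the table above; the two sample policies, the account ID 123456789012 and the job name prefix firmware- are constructed for illustration. The same function can be run over a managed policy document fetched with aws iam get-policy-version to see where it relies on *.

```python
"""Lint IAM policy statements for AWS IoT actions against the resource table.

Added example; ACTION_RESOURCES is a hand-transcribed subset of the table and
the sample policies below are constructed (fictitious account 123456789012).
"""
import json

# action -> IoT resource types it can be scoped to, or None when the table
# lists "*" because the action has no resource-level permissions.
ACTION_RESOURCES = {
    "iot:CreateKeysAndCertificate": None,
    "iot:CreateCertificateFromCsr": None,
    "iot:RegisterCACertificate": None,
    "iot:DescribeEndpoint": None,
    "iot:ListThings": None,
    "iot:AttachPolicy": {"cert", "thinggroup"},
    "iot:AttachThingPrincipal": {"cert"},
    "iot:CreatePolicyVersion": {"policy"},
    "iot:CreateJob": {"job"},
    "iot:CancelJobExecution": {"job", "thing"},
    "iot:DeleteCertificate": {"cert"},
    "iot:TransferCertificate": {"cert"},
    "iot:UpdateCertificate": {"cert"},
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def resource_type(arn):
    """IoT resource type of an ARN ('cert' for ...:cert/abc); '*' when the
    resource segment is a wildcard; None for non-IoT or malformed ARNs."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[2] != "iot":
        return None
    return parts[5].split("/", 1)[0]


def lint_policy(policy):
    """Return (statement_index, action, message) for Allow statements whose
    Resource element does not fit the action's resource model."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt["Action"]):
            if action not in ACTION_RESOURCES:
                continue                      # not in the transcribed subset
            allowed = ACTION_RESOURCES[action]
            if allowed is None:
                # Table says "*": a specific ARN never matches -> AccessDenied.
                if "*" not in resources:
                    findings.append((idx, action, 'no resource-level permissions; use Resource "*"'))
                continue
            if "*" in resources:
                findings.append((idx, action, 'granted on "*" but can be scoped to ' + "/".join(sorted(allowed))))
                continue
            for arn in resources:
                rtype = resource_type(arn)
                if rtype not in ("*", None) and rtype not in allowed:
                    # e.g. iot:CreateJob on a cert/ ARN matches nothing: dead grant.
                    findings.append((idx, action, f"resource type {rtype!r} is not valid for this action"))
    return findings


# Constructed "provisioning operator" policy carrying all three mistakes.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:CreateKeysAndCertificate",
         "Resource": "arn:aws:iot:us-east-1:123456789012:cert/*"},
        {"Effect": "Allow", "Action": ["iot:AttachPolicy", "iot:TransferCertificate"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "iot:CreateJob",
         "Resource": "arn:aws:iot:us-east-1:123456789012:cert/*"},
    ],
}

# Same intent written to the table: "*" only where the table says so, every
# other grant pinned to a Region, account and the resource type the action uses.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:CreateKeysAndCertificate", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iot:AttachPolicy", "iot:AttachThingPrincipal"],
         "Resource": "arn:aws:iot:us-east-1:123456789012:cert/*"},
        {"Effect": "Allow", "Action": "iot:CreateJob",
         "Resource": "arn:aws:iot:us-east-1:123456789012:job/firmware-*"},
    ],
}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, json.dumps(lint_policy(pol), indent=1))
```

The lint deliberately treats an unknown action as out of scope rather than as a finding, so extending it means adding rows from the table to ACTION_RESOURCES, not relaxing the checks. Note that the first finding is a functional bug as much as a security one: the weak policy's certificate-creation grant does not work at all.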

IAM managed policies

AWS IoT provides IAM policy templates that you can use as they are or as a starting point for custom IAM policies. The templates grant access to configuration actions and to data actions. Configuration actions create things, certificates, policies and rules; data actions send data over the MQTT or HTTP protocol. The following table describes the templates. The *Access templates grant their actions on every resource; they suit interactive operator roles, while automation and device-provisioning principals are better served by resource-scoped statements built from the API table above.

Policy template | Description
AWSIoTConfigAccess | Allows the associated identity access to all AWS IoT configuration actions. This policy may affect data processing and storage.
AWSIoTConfigReadOnlyAccess | Allows the associated identity to call read-only configuration actions.
AWSIoTDataAccess | Allows the associated identity full access to all AWS IoT data actions. Data actions send data over the MQTT or HTTP protocol.
AWSIoTFullAccess | Allows the associated identity full access to all AWS IoT configuration and messaging actions.
AWSIoTLogging | Allows the associated identity to configure CloudWatch logging: create Amazon CloudWatch Logs groups and stream logs to them. This policy is attached to your CloudWatch logging role.
AWSIoTOTAUpdate | Allows the associated identity to create AWS IoT jobs and AWS IoT code-signing jobs.
AWSIoTRuleActions | Allows the associated identity access to all AWS services supported in AWS IoT rule actions.
AWSIoTThingsRegistration | Allows the associated identity to register things in bulk using the StartThingRegistrationTask API. This policy may affect data processing and storage.