AWS IoT
Developer Guide
The AWS services or features described in the AWS documentation may vary by region/location. Click Amazon AWS Getting Started to see the specific differences for the China regions.

Publish/Subscribe Policy Examples

The policy you use depends on how you connect to AWS IoT. You can connect to AWS IoT by using an MQTT client, HTTP, or WebSocket. When you connect through an MQTT client, you authenticate with an X.509 certificate. When you connect through the HTTP or WebSocket protocols, you authenticate with Signature Version 4 and Amazon Cognito.

Policies for MQTT Clients

When you specify topic filters in an AWS IoT policy for MQTT clients, the MQTT wildcards "+" and "#" are treated as literal characters. Using them can lead to unexpected behavior. For example, the following policy allows the client to subscribe only to the exact topic filter foo/+/bar:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Connect" ],
      "Resource": [ "*" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Subscribe" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topicfilter/foo/+/bar" ]
    }
  ]
}

Note

The MQTT wildcard "+" is not treated as a wildcard in a policy. Attempting to subscribe to a topic filter that matches the foo/+/bar pattern (such as foo/baz/bar or foo/goo/bar) fails and causes the client to be disconnected.

You can use "*" as a wildcard in the Resource attribute of a policy. For example, the following policy allows the certificate holder to publish messages to all topics and to subscribe to all topic filters in the AWS account:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:*" ],
      "Resource": [ "*" ]
    }
  ]
}

The following policy allows the certificate holder to publish messages to all topics in the AWS account:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Publish", "iot:Connect" ],
      "Resource": [ "*" ]
    }
  ]
}

You can also use the "*" wildcard at the end of a topic filter. For example, the following policy allows the certificate holder to subscribe to topic filters that match the foo/bar/* pattern:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Connect" ],
      "Resource": [ "*" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Subscribe" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topicfilter/foo/bar/*" ]
    }
  ]
}

The following policy allows the certificate holder to publish messages to the foo/bar and foo/baz topics:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Connect" ],
      "Resource": [ "*" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Publish" ],
      "Resource": [
        "arn:aws:iot:us-east-1:123456789012:topic/foo/bar",
        "arn:aws:iot:us-east-1:123456789012:topic/foo/baz"
      ]
    }
  ]
}

The following policy prevents the certificate holder from publishing messages to the foo/bar topic:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Connect" ],
      "Resource": [ "*" ]
    },
    {
      "Effect": "Deny",
      "Action": [ "iot:Publish" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/foo/bar" ]
    }
  ]
}

The following policy allows the certificate holder to publish messages to topic foo, but prevents the certificate holder from publishing messages to topic bar:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Connect" ],
      "Resource": [ "*" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Publish" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/foo" ]
    },
    {
      "Effect": "Deny",
      "Action": [ "iot:Publish" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/bar" ]
    }
  ]
}

The following policy allows the certificate holder to subscribe to the topic filter foo/bar:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Connect" ],
      "Resource": [ "*" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Subscribe" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topicfilter/foo/bar" ]
    }
  ]
}

The following policy allows the certificate holder to publish messages to the topic arn:aws:iot:us-east-1:123456789012:topic/iotmonitor/provisioning/8050373158915119971 and to subscribe to the topic filter arn:aws:iot:us-east-1:123456789012:topicfilter/iotmonitor/provisioning/8050373158915119971:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Connect" ],
      "Resource": [ "*" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Publish", "iot:Receive" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/iotmonitor/provisioning/8050373158915119971" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Subscribe" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topicfilter/iotmonitor/provisioning/8050373158915119971" ]
    }
  ]
}

Policies for HTTP and WebSocket Clients

For the following operations, AWS IoT uses the AWS IoT policies attached to Amazon Cognito identities (through the AttachPolicy API) to scope down the permissions attached to an Amazon Cognito identity pool with authenticated identities. This means an Amazon Cognito identity needs permission from both the IAM role policy attached to the pool and the AWS IoT policy attached to the Amazon Cognito identity through the AWS IoT AttachPolicy API.

  • iot:Connect

  • iot:Publish

  • iot:Subscribe

  • iot:Receive

  • iot:GetThingShadow

  • iot:UpdateThingShadow

  • iot:DeleteThingShadow

Note

For other AWS IoT operations, or for unauthenticated identities, AWS IoT does not scope down the permissions attached to the Amazon Cognito identity pool role. For both authenticated and unauthenticated identities, the following is the most permissive policy we recommend attaching to the Amazon Cognito pool role.

To allow unauthenticated Amazon Cognito identities to publish messages to any topic over HTTP, attach the following policy to the Amazon Cognito identity pool role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Connect",
        "iot:Publish",
        "iot:Subscribe",
        "iot:Receive",
        "iot:GetThingShadow",
        "iot:UpdateThingShadow",
        "iot:DeleteThingShadow"
      ],
      "Resource": [ "*" ]
    }
  ]
}

To allow unauthenticated Amazon Cognito identities to publish MQTT messages over HTTP to any topic in your account, attach the following policy to the Amazon Cognito identity pool role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Publish" ],
      "Resource": [ "*" ]
    }
  ]
}

Note

This example is for illustration only. Unless your service really requires it, we recommend that you use a more restrictive policy, that is, one that does not allow unauthenticated Amazon Cognito identities to publish messages to any topic.

To allow unauthenticated Amazon Cognito identities to publish MQTT messages over HTTP to topic1 in your account, attach the following policy to the Amazon Cognito identity pool role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Publish" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/topic1" ]
    }
  ]
}

To allow authenticated Amazon Cognito identities to publish MQTT messages over HTTP to topic1 in your AWS account, you must specify both of the policies listed here. The first policy must be attached to the Amazon Cognito identity pool role. It allows identities in that pool to make the publish call. The second policy must be attached to the Amazon Cognito user by using the AWS IoT AttachPolicy API. It allows the specified Amazon Cognito user access to the topic1 topic.

Amazon Cognito identity pool policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Publish" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/topic1" ]
    }
  ]
}

Amazon Cognito user policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Publish" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/topic1" ]
    }
  ]
}

Similarly, the following example policies allow an Amazon Cognito user to publish MQTT messages over HTTP to the topic1 and topic2 topics. Two policies are required. The first policy allows the Amazon Cognito identity pool role to make the publish call. The second policy allows the Amazon Cognito user access to the topic1 and topic2 topics.

Amazon Cognito identity pool policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Publish" ],
      "Resource": [ "*" ]
    }
  ]
}

Amazon Cognito user policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Publish" ],
      "Resource": [
        "arn:aws:iot:us-east-1:123456789012:topic/topic1",
        "arn:aws:iot:us-east-1:123456789012:topic/topic2"
      ]
    }
  ]
}

The following policies allow multiple Amazon Cognito users to publish messages to a topic. Two policies are required for each Amazon Cognito identity. The first policy allows the Amazon Cognito identity pool role to make the publish call. The second and third policies allow the Amazon Cognito users access to the topic1 and topic2 topics, respectively.

Amazon Cognito identity pool policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Publish" ],
      "Resource": [ "*" ]
    }
  ]
}

Amazon Cognito user1 policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Publish" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/topic1" ]
    }
  ]
}

Amazon Cognito user2 policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Publish" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/topic2" ]
    }
  ]
}
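The following is an added example, not code from the AWS documentation: a small Python model of the matching rules described in the MQTT client section (literal "+", trailing "*", explicit Deny) and of the two-policy scope-down described in the Amazon Cognito section, so a policy can be checked against the topics a device actually uses before it is attached. It assumes IAM-style evaluation ("*" matches any run of characters, an explicit Deny overrides any Allow, and the default is Deny); the helper names policy(), evaluate() and evaluate_cognito() are hypothetical.

```python
import json
import re

# Added example, not AWS code: a simplified model of AWS IoT policy matching,
# for sanity-checking a policy before it is attached. Assumptions: '*' matches
# any run of characters, '?' one character, any other character (including
# MQTT '+' and '#') is literal, an explicit Deny wins, default is Deny.

def arn_matches(pattern, value):
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None

def as_list(value):
    return value if isinstance(value, list) else [value]

def evaluate(policy_json, action, resource_arn):
    """Return 'Allow' or 'Deny' for one action on one resource ARN."""
    allowed = False
    for stmt in json.loads(policy_json)["Statement"]:
        if not any(arn_matches(a, action) for a in as_list(stmt["Action"])):
            continue
        if not any(arn_matches(r, resource_arn) for r in as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"           # explicit deny is final
        allowed = True
    return "Allow" if allowed else "Deny"

def evaluate_cognito(role_policy_json, iot_policy_json, action, resource_arn):
    """Authenticated Amazon Cognito identity: the identity pool role policy and
    the AWS IoT policy attached with AttachPolicy must both allow the request."""
    verdicts = (evaluate(role_policy_json, action, resource_arn),
                evaluate(iot_policy_json, action, resource_arn))
    return "Allow" if verdicts == ("Allow", "Allow") else "Deny"

ARN = "arn:aws:iot:us-east-1:123456789012:"   # account/region from the page's examples
def policy(*statements):
    """Build a policy document from (effect, actions, resources) tuples."""
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": e, "Action": a, "Resource": r} for e, a, r in statements]})

# Constructed policies with the same shapes as the page's examples.
PLUS_FILTER = policy(("Allow", ["iot:Subscribe"], [ARN + "topicfilter/foo/+/bar"]))
STAR_FILTER = policy(("Allow", ["iot:Subscribe"], [ARN + "topicfilter/foo/bar/*"]))
DENY_FOO_BAR = policy(("Allow", ["iot:*"], ["*"]),
                      ("Deny", ["iot:Publish"], [ARN + "topic/foo/bar"]))
POOL_ROLE = policy(("Allow", ["iot:Publish"], ["*"]))
USER1 = policy(("Allow", ["iot:Publish"], [ARN + "topic/topic1"]))
```

Running evaluate(PLUS_FILTER, "iot:Subscribe", ARN + "topicfilter/foo/baz/bar") returns "Deny", which is the disconnect case the note above describes, while the same call with "topicfilter/foo/+/bar" returns "Allow".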

Receive Policy Examples

The following policy prevents the certificate holder from receiving messages from a topic using any client ID:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [ "iot:Receive" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/foo/restricted" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:*" ],
      "Resource": [ "*" ]
    }
  ]
}

The following policy allows the certificate holder to subscribe to and receive messages from a topic using any client ID:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Connect" ],
      "Resource": [ "*" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Subscribe" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topicfilter/foo/bar" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Receive" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/foo/bar" ]
    }
  ]
}