AWS IoT
Developer Guide
The AWS services or capabilities described in the AWS documentation might vary by Region. To see the differences that apply to the China Regions, see Getting Started with AWS services in China.

Publish/Subscribe policy examples

The policy you use depends on how you connect to AWS IoT. You can connect to AWS IoT by using an MQTT client, HTTP, or WebSocket. When you connect with an MQTT client, you authenticate with an X.509 certificate. When you connect over HTTP or the WebSocket protocol, you authenticate with Signature Version 4 and Amazon Cognito.

Policies for MQTT clients

When you specify topic filters in AWS IoT policies for MQTT clients, the MQTT wildcard characters "+" and "#" are treated as literal characters. Using them might lead to unexpected behavior.

Registered devices

For devices registered as things in the AWS IoT Registry, the following policy grants permission to connect to AWS IoT with a client ID that matches the thing name, and to subscribe only to the topic filter foo/+/bar:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iot:Connect"],
      "Resource": ["arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"]
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Subscribe"],
      "Resource": ["arn:aws:iot:us-east-1:123456789012:topicfilter/foo/+/bar"]
    }
  ]
}

Unregistered devices

For devices not registered as things in the AWS IoT Registry, the following policy grants permission to connect to AWS IoT with client ID "client1", and to subscribe only to the topic filter foo/+/bar:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iot:Connect"],
      "Resource": ["arn:aws:iot:us-east-1:123456789012:client/client1"]
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Subscribe"],
      "Resource": ["arn:aws:iot:us-east-1:123456789012:topicfilter/foo/+/bar"]
    }
  ]
}

Note

The MQTT wildcard "+" is not treated as a wildcard in the policy. An attempt to subscribe to a topic filter that matches the pattern foo/+/bar (such as foo/baz/bar or foo/goo/bar) fails and causes the client to be disconnected; only a subscription to the literal filter foo/+/bar is allowed.

You can use "*" as a wildcard in the Resource attribute of a policy. For example, if every device in your account must publish to a unique topic reserved for that device, use the following policy:

Registered devices

For devices registered as things in the AWS IoT Registry, the following policy grants permission to connect to AWS IoT with a client ID that matches the thing name, and to publish to any topic prefixed with the thing name:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iot:Connect"],
      "Resource": ["arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"]
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Publish"],
      "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/${iot:Connection.Thing.ThingName}/*"]
    }
  ]
}

Unregistered devices

For devices not registered as things in the AWS IoT Registry, the following policy grants permission to connect to AWS IoT with client ID "client1", "client2", or "client3", and to publish to any topic prefixed with the client ID:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iot:Connect"],
      "Resource": [
        "arn:aws:iot:us-east-1:123456789012:client/client1",
        "arn:aws:iot:us-east-1:123456789012:client/client2",
        "arn:aws:iot:us-east-1:123456789012:client/client3"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Publish"],
      "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/${iot:ClientId}/*"]
    }
  ]
}

You can also use the "*" wildcard at the end of a topic filter. Wildcards can grant permissions you did not intend, so use them only after careful consideration. One case where they are useful is when a device must subscribe to messages on many different topics, for example when a device must subscribe to reports from temperature sensors in multiple locations.

Registered devices

For devices registered as things in the AWS IoT Registry, the following policy grants permission to connect to AWS IoT using the device's thing name as the client ID, and to subscribe to topics prefixed with the thing name followed by "room" and any string. (These topics are expected to be "thing1/room1", "thing1/room2", and so on.)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iot:Connect"],
      "Resource": ["arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"]
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Subscribe"],
      "Resource": ["arn:aws:iot:us-east-1:123456789012:topicfilter/${iot:Connection.Thing.ThingName}/room*"]
    }
  ]
}

Unregistered devices

For devices not registered as things in the AWS IoT Registry, the following policy grants permission to connect to AWS IoT with client ID "client1", "client2", or "client3", and to subscribe to topics prefixed with the client ID followed by "room" and any string. (These topics are expected to be "client1/room1", "client1/room2", and so on.)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iot:Connect"],
      "Resource": [
        "arn:aws:iot:us-east-1:123456789012:client/client1",
        "arn:aws:iot:us-east-1:123456789012:client/client2",
        "arn:aws:iot:us-east-1:123456789012:client/client3"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Subscribe"],
      "Resource": ["arn:aws:iot:us-east-1:123456789012:topicfilter/${iot:ClientId}/room*"]
    }
  ]
}
Registered devices

For devices registered as things in the AWS IoT Registry, the following policy grants permission to connect to AWS IoT using the device's thing name as the client ID, and to subscribe to the topics "foo/bar" and "foo/baz":

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iot:Connect"],
      "Resource": ["arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"]
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Subscribe"],
      "Resource": [
        "arn:aws:iot:us-east-1:123456789012:topicfilter/foo/bar",
        "arn:aws:iot:us-east-1:123456789012:topicfilter/foo/baz"
      ]
    }
  ]
}

Unregistered devices

For devices not registered as things in the AWS IoT Registry, the following policy grants permission to connect to AWS IoT with client ID "client1", and to subscribe to the topics "foo/bar" and "foo/baz":

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iot:Connect"],
      "Resource": ["arn:aws:iot:us-east-1:123456789012:client/client1"]
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Subscribe"],
      "Resource": [
        "arn:aws:iot:us-east-1:123456789012:topicfilter/foo/bar",
        "arn:aws:iot:us-east-1:123456789012:topicfilter/foo/baz"
      ]
    }
  ]
}
Registered devices

For devices registered as things in the AWS IoT Registry, the following policy grants permission to connect to AWS IoT using the device's thing name as the client ID, and to publish to a topic that is unique to that thing name/client ID:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iot:Connect"],
      "Resource": ["arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"]
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Publish"],
      "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/foo/bar/${iot:Connection.Thing.ThingName}"]
    }
  ]
}

Unregistered devices

For devices not registered as things in the AWS IoT Registry, the following policy grants permission to connect to AWS IoT with client ID "client1", and to publish to a topic that is unique to that client ID:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iot:Connect"],
      "Resource": ["arn:aws:iot:us-east-1:123456789012:client/client1"]
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Publish"],
      "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/foo/bar/${iot:ClientId}"]
    }
  ]
}
Registered devices

For devices registered as things in the AWS IoT Registry, the following policy grants permission to connect to AWS IoT using the device's thing name as the client ID, and to publish to any topic prefixed with that thing name/client ID, except the topic ending in "bar":

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iot:Connect"],
      "Resource": ["arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"]
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Publish"],
      "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/${iot:Connection.Thing.ThingName}/*"]
    },
    {
      "Effect": "Deny",
      "Action": ["iot:Publish"],
      "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/${iot:Connection.Thing.ThingName}/bar"]
    }
  ]
}

Unregistered devices

For devices not registered as things in the AWS IoT Registry, the following policy grants permission to connect to AWS IoT with client ID "client1" or "client2", and to publish to any topic prefixed with the client ID used to connect, except the topic ending in "bar":

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iot:Connect"],
      "Resource": [
        "arn:aws:iot:us-east-1:123456789012:client/client1",
        "arn:aws:iot:us-east-1:123456789012:client/client2"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Publish"],
      "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/${iot:ClientId}/*"]
    },
    {
      "Effect": "Deny",
      "Action": ["iot:Publish"],
      "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/${iot:ClientId}/bar"]
    }
  ]
}
Registered devices

For devices registered as things in the AWS IoT Registry, the following policy grants permission to connect to AWS IoT using the device's thing name as the client ID, and to subscribe to the topic "foo/bar":

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iot:Connect"],
      "Resource": ["arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"]
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Subscribe"],
      "Resource": ["arn:aws:iot:us-east-1:123456789012:topicfilter/foo/bar"]
    }
  ]
}

Unregistered devices

For devices not registered as things in the AWS IoT Registry, the following policy grants permission to connect to AWS IoT with client ID "client1", and to subscribe to the topic "foo/bar":

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iot:Connect"],
      "Resource": ["arn:aws:iot:us-east-1:123456789012:client/client1"]
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Subscribe"],
      "Resource": ["arn:aws:iot:us-east-1:123456789012:topicfilter/foo/bar"]
    }
  ]
}

Thing policy variables are also substituted when a certificate or an authenticated Amazon Cognito identity is attached to a thing. The following policy grants permission to connect to AWS IoT with client ID "client1" and to publish, subscribe, and receive on the topic "iotmonitor/provisioning/987654321098". It also allows the certificate holder to subscribe to this same topic.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iot:Connect"],
      "Resource": ["arn:aws:iot:us-east-1:123456789012:client/client1"]
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Publish", "iot:Receive"],
      "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/iotmonitor/provisioning/987654321098"]
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Subscribe"],
      "Resource": ["arn:aws:iot:us-east-1:123456789012:topicfilter/iotmonitor/provisioning/987654321098"]
    }
  ]
}
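The MQTT policy examples above all rely on the same three rules: policy variables are filled in from the connection, "*" in a Resource is a wildcard while "+" and "#" are literal, and an explicit Deny wins over any Allow. The following evaluator is an added example, not code from the AWS IoT documentation and not the service's real authorizer; it implements those stated rules so that you can check a candidate policy offline before deploying it. The two embedded policies are copied from the examples above; the connection contexts are constructed for the example.

```python
"""Added example: a minimal evaluator for AWS IoT policy Resource matching,
following the rules stated in the guide (not the service's own authorizer):
  * ${...} policy variables are filled in from the connection; a variable
    with no value (an unregistered device has no thing name) never matches;
  * '*' in a Resource matches any run of characters;
  * the MQTT wildcards '+' and '#' are ordinary literal characters;
  * an explicit Deny overrides any Allow; no matching statement is an
    implicit deny.
"""
import json
import re

# Region and account taken from the page's examples.
ARN_PREFIX = "arn:aws:iot:us-east-1:123456789012:"

# Policy from the "registered devices" example for the topic filter foo/+/bar.
SUBSCRIBE_PLUS_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["iot:Connect"],
     "Resource": ["arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"]},
    {"Effect": "Allow", "Action": ["iot:Subscribe"],
     "Resource": ["arn:aws:iot:us-east-1:123456789012:topicfilter/foo/+/bar"]}
  ]
}""")

# Policy from the "unregistered devices" example with a Deny on <clientId>/bar.
PUBLISH_DENY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["iot:Connect"],
     "Resource": ["arn:aws:iot:us-east-1:123456789012:client/client1",
                  "arn:aws:iot:us-east-1:123456789012:client/client2"]},
    {"Effect": "Allow", "Action": ["iot:Publish"],
     "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/${iot:ClientId}/*"]},
    {"Effect": "Deny", "Action": ["iot:Publish"],
     "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/${iot:ClientId}/bar"]}
  ]
}""")

_VAR = re.compile(r"\$\{([^}]+)\}")


def substitute(resource, ctx):
    """Fill in ${...} policy variables from the connection context.
    Returns None when a variable has no value, so the statement cannot match."""
    try:
        return _VAR.sub(lambda m: ctx[m.group(1)], resource)
    except KeyError:
        return None


def resource_matches(pattern, requested):
    """'*' is the only wildcard; '+', '#' and everything else are literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, requested) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policy, action, requested, ctx):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if action not in _as_list(stmt["Action"]):
            continue
        for res in _as_list(stmt["Resource"]):
            pattern = substitute(res, ctx)
            if pattern is not None and resource_matches(pattern, requested):
                if stmt["Effect"] == "Deny":
                    return "Deny"  # an explicit deny ends the evaluation
                decision = "Allow"
                break
    return decision


def is_allowed(policy, action, requested, ctx):
    return evaluate(policy, action, requested, ctx) == "Allow"


if __name__ == "__main__":
    # Constructed connection contexts: a registered thing and a bare client ID.
    thing = {"iot:ClientId": "thing1", "iot:Connection.Thing.ThingName": "thing1"}
    for filt in ("foo/+/bar", "foo/baz/bar"):
        print(filt, evaluate(SUBSCRIBE_PLUS_POLICY, "iot:Subscribe",
                             ARN_PREFIX + "topicfilter/" + filt, thing))
    client1 = {"iot:ClientId": "client1"}
    for topic in ("client1/foo", "client1/bar", "client2/foo"):
        print(topic, evaluate(PUBLISH_DENY_POLICY, "iot:Publish",
                              ARN_PREFIX + "topic/" + topic, client1))
```

Running the script shows the behaviour the note above describes: a subscription to the literal filter foo/+/bar is allowed, a subscription to foo/baz/bar is an implicit deny, and a publish to client1/bar is an explicit Deny even though client1/* allows everything else under that prefix. The same function also shows why a registered-device policy is useless for an unregistered device: ${iot:Connection.Thing.ThingName} has no value, so the Connect statement never matches.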

Policies for HTTP and WebSocket clients

For the following operations, AWS IoT uses the policy attached to the Amazon Cognito identity (through the AWS IoT AttachPolicy API) to scope down the permissions attached to an Amazon Cognito identity pool with authenticated identities. This means that an Amazon Cognito identity needs permission from both the IAM role policy attached to the pool and the AWS IoT policy attached to the identity through the AWS IoT AttachPolicy API.

  • iot:Connect

  • iot:Publish

  • iot:Subscribe

  • iot:Receive

  • iot:GetThingShadow

  • iot:UpdateThingShadow

  • iot:DeleteThingShadow

Note

For other AWS IoT operations, or for unauthenticated identities, AWS IoT does not scope down the permissions attached to the Amazon Cognito identity pool role. For both authenticated and unauthenticated identities, this is the most permissive policy that we recommend you attach to the Amazon Cognito pool role.

HTTP

To allow unauthenticated Amazon Cognito identities to publish messages over HTTP to a topic specific to the Cognito identity, attach the following policy to the Amazon Cognito identity pool role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iot:Publish"],
      "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/${cognito-identity.amazonaws.com:sub}"]
    }
  ]
}

To allow authenticated users to perform this operation, use the AWS IoT AttachPrincipalPolicy API to attach the preceding policy to both the Amazon Cognito identity pool role and the Cognito identity.

Note

When authorizing a Cognito identity, AWS IoT considers both policies and grants the least privilege specified. An operation is allowed only if both policies allow it; if either policy does not allow the operation, the operation is unauthorized.

MQTT

To allow unauthenticated Amazon Cognito identities to publish MQTT messages over WebSockets to a topic specific to the Cognito identity in your account, attach the following policy to the Amazon Cognito identity pool role. The Connect statement uses a client/ resource, since an MQTT connection is authorized on the client ID rather than on a topic:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iot:Publish"],
      "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/${cognito-identity.amazonaws.com:sub}"]
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Connect"],
      "Resource": ["arn:aws:iot:us-east-1:123456789012:client/${cognito-identity.amazonaws.com:sub}"]
    }
  ]
}

To allow authenticated users to perform this operation, use the AWS IoT AttachPrincipalPolicy API to attach the preceding policy to both the Amazon Cognito identity pool role and the Cognito identity.

Note

When authorizing a Cognito identity, AWS IoT considers both policies and grants the least privilege specified. An operation is allowed only if both policies allow it; if either policy does not allow the operation, the operation is unauthorized.

Receive policy examples

Registered devices

For devices registered in the AWS IoT Registry, the following policy grants permission to connect to AWS IoT with a client ID that matches the thing name, and to subscribe to and receive messages on a topic:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iot:Connect"],
      "Resource": ["arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"]
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Subscribe"],
      "Resource": ["arn:aws:iot:us-east-1:123456789012:topicfilter/foo/bar"]
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Receive"],
      "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/foo/bar"]
    }
  ]
}

Unregistered devices

For devices not registered in the AWS IoT Registry, the following policy grants permission to connect to AWS IoT with client ID "client1", and to subscribe to and receive messages on a topic:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iot:Connect"],
      "Resource": ["arn:aws:iot:us-east-1:123456789012:client/client1"]
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Subscribe"],
      "Resource": ["arn:aws:iot:us-east-1:123456789012:topicfilter/foo/bar"]
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Receive"],
      "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/foo/bar"]
    }
  ]
}
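Every example on this page pairs an action with a specific resource type: iot:Connect with client/, iot:Subscribe with topicfilter/, and iot:Publish and iot:Receive with topic/. Mixing these up (a Subscribe on a topic/ ARN, a Connect on a topic/ ARN) produces a policy that parses fine but never matches, and a policy that grants Subscribe without Receive lets a device subscribe without ever being delivered a message. The linter below is an added example, not code from the AWS IoT documentation, that checks those pairings and catches JSON syntax errors such as a trailing comma. The pairing table is taken from this page's examples; the three sample policies are constructed for the example.

```python
"""Added example: a linter for AWS IoT policy documents that flags the
action/resource-type mismatches most often made in policies like the ones
on this page, plus a missing iot:Receive.  Not AWS code; the expected
pairings are taken from the page's examples.
"""
import json
import re

# Resource type each action expects, as used throughout the page's examples.
EXPECTED_RESOURCE_TYPE = {
    "iot:Connect": "client",
    "iot:Subscribe": "topicfilter",
    "iot:Publish": "topic",
    "iot:Receive": "topic",
}

# arn:aws:iot:<region>:<account>:<type>/<name>; <name> may itself contain ':'
# (policy variables such as ${iot:ClientId} do).
_ARN = re.compile(r"^arn:aws:iot:[^:]*:[^:]*:([a-z]+)/(.+)$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy_text):
    """Return a list of findings (strings); an empty list means nothing found."""
    findings = []
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as err:
        # Trailing commas and missing commas between statements land here.
        return [f"invalid JSON: {err.msg} (line {err.lineno}, column {err.colno})"]
    actions_seen = set()
    for idx, stmt in enumerate(policy.get("Statement", [])):
        for action in _as_list(stmt.get("Action", [])):
            actions_seen.add(action)
            expected = EXPECTED_RESOURCE_TYPE.get(action)
            if expected is None:
                continue
            for res in _as_list(stmt.get("Resource", [])):
                if res == "*":
                    findings.append(f"statement {idx}: {action} on '*' covers every resource; narrow it")
                    continue
                match = _ARN.match(res)
                if match is None:
                    findings.append(f"statement {idx}: {res!r} is not an AWS IoT resource ARN")
                elif match.group(1) != expected:
                    findings.append(f"statement {idx}: {action} needs a '{expected}/' resource, "
                                    f"got '{match.group(1)}/{match.group(2)}'")
    if "iot:Subscribe" in actions_seen and "iot:Receive" not in actions_seen:
        findings.append("iot:Subscribe is granted without any iot:Receive; "
                        "the device can subscribe but will not be delivered messages")
    return findings


# Constructed sample 1: the unregistered-device Receive example above (clean).
GOOD_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["iot:Connect"],
     "Resource": ["arn:aws:iot:us-east-1:123456789012:client/client1"]},
    {"Effect": "Allow", "Action": ["iot:Subscribe"],
     "Resource": ["arn:aws:iot:us-east-1:123456789012:topicfilter/foo/bar"]},
    {"Effect": "Allow", "Action": ["iot:Receive"],
     "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/foo/bar"]}
  ]
}"""

# Constructed sample 2: Connect and Subscribe on topic/ ARNs, and no Receive.
BAD_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["iot:Connect"],
     "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/client1"]},
    {"Effect": "Allow", "Action": ["iot:Subscribe"],
     "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/foo/bar"]}
  ]
}"""

# Constructed sample 3: a trailing comma after the last Action entry.
BROKEN_JSON = """
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Publish", ],
  "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/foo"] } ] }"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_POLICY), ("bad", BAD_POLICY), ("broken", BROKEN_JSON)):
        print(name, lint_policy(text) or "no findings")
```

Run the linter over a policy document before calling the AWS IoT API to attach it; a non-empty list is worth reading before the device ever connects, because a mis-typed resource fails closed and shows up only as a disconnected client.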