AWS IoT
Developer Guide
The AWS services or features described in the AWS documentation may vary by Region. To see the differences that apply to the China Regions, see Getting Started with AWS services in China.

Publish/subscribe policy examples

The policy you use depends on how you connect to AWS IoT. You can connect to AWS IoT by using an MQTT client, HTTP, or WebSocket. When you connect with an MQTT client, you authenticate with an X.509 certificate. When you connect over HTTP or the WebSocket protocol, you authenticate with Signature Version 4 and Amazon Cognito.

Policies for MQTT clients

When you specify topic filters in AWS IoT policies for MQTT clients, the MQTT wildcards "+" and "#" are treated as literal characters. Using them might result in unexpected behavior.

Registered devices

For devices registered as things in the AWS IoT registry, the following policy grants permission to connect to AWS IoT with a client ID that matches the thing name and to subscribe only to the topic filter some/+/topic:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [ "iot:Connect" ],
            "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}" ]
        },
        {
            "Effect": "Allow",
            "Action": [ "iot:Subscribe" ],
            "Resource": [ "arn:aws:iot:us-east-1:123456789012:topicfilter/some/+/topic" ]
        }
    ]
}

Unregistered devices

For devices not registered as things in the AWS IoT registry, the following policy grants permission to connect to AWS IoT with the client ID client1 and to subscribe only to the topic filter some/+/topic:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [ "iot:Connect" ],
            "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/client1" ]
        },
        {
            "Effect": "Allow",
            "Action": [ "iot:Subscribe" ],
            "Resource": [ "arn:aws:iot:us-east-1:123456789012:topicfilter/some/+/topic" ]
        }
    ]
}

Note

In the policy, the MQTT wildcard "+" is treated as a literal character, not as a wildcard. An attempt to subscribe to a topic filter that matches the pattern some/+/topic fails and causes the client to disconnect.

You can use "*" as a wildcard in the Resource attribute of a policy. For example, if every device in your account must publish to a unique topic reserved for it alone, use the following policy:

Registered devices

For devices registered as things in the AWS IoT registry, the following policy grants permission to connect to AWS IoT with a client ID that matches the thing name and to publish to any topic prefixed with the thing name:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [ "iot:Connect" ],
            "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}" ]
        },
        {
            "Effect": "Allow",
            "Action": [ "iot:Publish" ],
            "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/${iot:Connection.Thing.ThingName}/*" ]
        }
    ]
}

Unregistered devices

For devices not registered as things in the AWS IoT registry, the following policy grants permission to connect to AWS IoT with the client ID client1, client2, or client3 and to publish to any topic prefixed with the client ID:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [ "iot:Connect" ],
            "Resource": [
                "arn:aws:iot:us-east-1:123456789012:client/client1",
                "arn:aws:iot:us-east-1:123456789012:client/client2",
                "arn:aws:iot:us-east-1:123456789012:client/client3"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [ "iot:Publish" ],
            "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/${iot:ClientId}/*" ]
        }
    ]
}

You can also use the "*" wildcard at the end of a topic filter. Using wildcards can grant unintended permissions, so use them with care. Wildcards can be useful when a device must subscribe to messages on many different topics (for example, when a device must subscribe to reports from temperature sensors in multiple locations).

Registered devices

For devices registered as things in the AWS IoT registry, the following policy grants permission to connect to AWS IoT with the device's thing name as the client ID and to subscribe to topics prefixed with the thing name followed by room and any string. (These topics are expected to be thing1/room1, thing1/room2, and so on):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [ "iot:Connect" ],
            "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}" ]
        },
        {
            "Effect": "Allow",
            "Action": [ "iot:Subscribe" ],
            "Resource": [ "arn:aws:iot:us-east-1:123456789012:topicfilter/${iot:Connection.Thing.ThingName}/room*" ]
        }
    ]
}

Unregistered devices

For devices not registered as things in the AWS IoT registry, the following policy grants permission to connect to AWS IoT with the client ID client1, client2, or client3 and to subscribe to topics prefixed with the client ID followed by room and any string. (These topics are expected to be client1/room1, client1/room2, and so on):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [ "iot:Connect" ],
            "Resource": [
                "arn:aws:iot:us-east-1:123456789012:client/client1",
                "arn:aws:iot:us-east-1:123456789012:client/client2",
                "arn:aws:iot:us-east-1:123456789012:client/client3"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [ "iot:Subscribe" ],
            "Resource": [ "arn:aws:iot:us-east-1:123456789012:topicfilter/${iot:ClientId}/room*" ]
        }
    ]
}

Registered devices

For devices registered as things in the AWS IoT registry, the following policy grants permission to connect to AWS IoT with the device's thing name as the client ID and to subscribe to the topics my/topic and my/othertopic:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [ "iot:Connect" ],
            "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}" ]
        },
        {
            "Effect": "Allow",
            "Action": [ "iot:Subscribe" ],
            "Resource": [
                "arn:aws:iot:us-east-1:123456789012:topicfilter/my/topic",
                "arn:aws:iot:us-east-1:123456789012:topicfilter/my/othertopic"
            ]
        }
    ]
}

Unregistered devices

For devices not registered as things in the AWS IoT registry, the following policy grants permission to connect to AWS IoT with the client ID client1 and to subscribe to the topics my/topic and my/othertopic:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [ "iot:Connect" ],
            "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/client1" ]
        },
        {
            "Effect": "Allow",
            "Action": [ "iot:Subscribe" ],
            "Resource": [
                "arn:aws:iot:us-east-1:123456789012:topicfilter/my/topic",
                "arn:aws:iot:us-east-1:123456789012:topicfilter/my/othertopic"
            ]
        }
    ]
}

Registered devices

For devices registered as things in the AWS IoT registry, the following policy grants permission to connect to AWS IoT with the device's thing name as the client ID and to publish to a topic unique to that thing name/client ID:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [ "iot:Connect" ],
            "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}" ]
        },
        {
            "Effect": "Allow",
            "Action": [ "iot:Publish" ],
            "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/my/topic/${iot:Thing.ThingName}" ]
        }
    ]
}

Unregistered devices

For devices not registered as things in the AWS IoT registry, the following policy grants permission to connect to AWS IoT with the client ID client1 and to publish to a topic unique to that client ID:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [ "iot:Connect" ],
            "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/client1" ]
        },
        {
            "Effect": "Allow",
            "Action": [ "iot:Publish" ],
            "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/my/topic/${iot:ClientId}" ]
        }
    ]
}

Registered devices

For devices registered as things in the AWS IoT registry, the following policy grants permission to connect to AWS IoT with the device's thing name as the client ID and to publish to any topic prefixed with that thing name/client ID, except topics ending in bar:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [ "iot:Connect" ],
            "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}" ]
        },
        {
            "Effect": "Allow",
            "Action": [ "iot:Publish" ],
            "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/${iot:Thing.ThingName}/*" ]
        },
        {
            "Effect": "Deny",
            "Action": [ "iot:Publish" ],
            "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/${iot:Thing.ThingName}/bar" ]
        }
    ]
}

Unregistered devices

For devices not registered as things in the AWS IoT registry, the following policy grants permission to connect to AWS IoT with the client ID client1 or client2 and to publish to any topic prefixed with the client ID used to connect, except topics ending in bar:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [ "iot:Connect" ],
            "Resource": [
                "arn:aws:iot:us-east-1:123456789012:client/client1",
                "arn:aws:iot:us-east-1:123456789012:client/client2"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [ "iot:Publish" ],
            "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/${iot:ClientId}/*" ]
        },
        {
            "Effect": "Deny",
            "Action": [ "iot:Publish" ],
            "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/${iot:ClientId}/bar" ]
        }
    ]
}

Registered devices

For devices registered as things in the AWS IoT registry, the following policy grants permission to connect to AWS IoT with the device's thing name as the client ID and to subscribe to the topic my/topic:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [ "iot:Connect" ],
            "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}" ]
        },
        {
            "Effect": "Allow",
            "Action": [ "iot:Subscribe" ],
            "Resource": [ "arn:aws:iot:us-east-1:123456789012:topicfilter/my/topic" ]
        },
        {
            "Effect": "Deny",
            "Action": [ "iot:Publish" ],
            "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/${iot:Thing.ThingName}/bar" ]
        }
    ]
}

Unregistered devices

For devices not registered as things in the AWS IoT registry, the following policy grants permission to connect to AWS IoT with the client ID client1 and to subscribe to the topic my/topic:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [ "iot:Connect" ],
            "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/client1" ]
        },
        {
            "Effect": "Allow",
            "Action": [ "iot:Subscribe" ],
            "Resource": [ "arn:aws:iot:us-east-1:123456789012:topicfilter/my/topic" ]
        }
    ]
}

Thing policy variables are also substituted when a certificate or an authenticated Amazon Cognito identity is attached to a thing. The following policy grants permission to connect to AWS IoT with the client ID client1 and to publish to and subscribe to the topic iotmonitor/provisioning/987654321098. It also allows the certificate holder to subscribe to this same topic.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [ "iot:Connect" ],
            "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/client1" ]
        },
        {
            "Effect": "Allow",
            "Action": [ "iot:Publish", "iot:Receive" ],
            "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/iotmonitor/provisioning/987654321098" ]
        },
        {
            "Effect": "Allow",
            "Action": [ "iot:Subscribe" ],
            "Resource": [ "arn:aws:iot:us-east-1:123456789012:topicfilter/iotmonitor/provisioning/987654321098" ]
        }
    ]
}

Policies for HTTP and WebSocket clients

For the following operations, AWS IoT uses the policy attached to the Amazon Cognito identity through the AWS IoT AttachPolicy API to scope down the permissions attached to the Amazon Cognito identity pool for authenticated identities. This means that an Amazon Cognito identity needs permission from both the IAM role policy attached to the pool and the policy attached to the identity through the AWS IoT AttachPolicy API.

  • iot:Connect

  • iot:Publish

  • iot:Subscribe

  • iot:Receive

  • iot:GetThingShadow

  • iot:UpdateThingShadow

  • iot:DeleteThingShadow

Note

For other AWS IoT operations, or for unauthenticated identities, AWS IoT does not scope down the permissions attached to the Amazon Cognito identity pool role. For both authenticated and unauthenticated identities, this is the most permissive policy that we recommend attaching to the Amazon Cognito pool role.

HTTP

To allow unauthenticated Amazon Cognito identities to publish messages over HTTP to a topic specific to the Amazon Cognito identity, attach the following policy to the Amazon Cognito identity pool role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [ "iot:Publish" ],
            "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/${cognito-identity.amazonaws.com:sub}" ]
        }
    ]
}

To allow authenticated users to do this, attach the preceding policy to both the Amazon Cognito identity pool role and the Amazon Cognito identity by using the AWS IoT AttachPrincipalPolicy API.

Note

When authorizing an Amazon Cognito identity, AWS IoT considers both policies and grants the least privilege specified. Both policies must allow the requested operation; if either policy does not allow the operation, it is not authorized.

MQTT

To allow unauthenticated Amazon Cognito identities to publish MQTT messages over WebSocket to a topic specific to the Amazon Cognito identity in your account, attach the following policy to the Amazon Cognito identity pool role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [ "iot:Publish" ],
            "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/${cognito-identity.amazonaws.com:sub}" ]
        },
        {
            "Effect": "Allow",
            "Action": [ "iot:Connect" ],
            "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/${cognito-identity.amazonaws.com:sub}" ]
        }
    ]
}

To allow authenticated users to do this, attach the preceding policy to both the Amazon Cognito identity pool role and the Amazon Cognito identity by using the AWS IoT AttachPrincipalPolicy API.

Note

When authorizing an Amazon Cognito identity, AWS IoT considers both policies and grants the least privilege specified. Both policies must allow the requested operation; if either policy does not allow the operation, it is not authorized.
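The rules that the MQTT examples above and the two Amazon Cognito notes rely on (policy variables such as ${iot:Connection.Thing.ThingName} and ${iot:ClientId}, "*" as the only wildcard in a Resource, "+" and "#" compared literally, an explicit Deny overriding an Allow, and both policies having to allow a request from an authenticated Amazon Cognito identity) can be checked offline before a policy is deployed. The following Python evaluator is an added example, not AWS's authorization engine and not code from this guide; it is a simplified model that ignores Condition blocks and other IAM features, and PUBLISH_POLICY is adapted from the registered-device publish/deny example above, using the ${iot:Connection.Thing.ThingName} variable throughout.

```python
import re

ARN = "arn:aws:iot:us-east-1:123456789012:"  # Region/account prefix used by the page's examples

def _match(pattern: str, value: str) -> bool:
    """'*' in a policy Action or Resource matches any run of characters (including '/');
    everything else, including the MQTT wildcards '+' and '#', is compared literally."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def _substitute(resource: str, ctx: dict) -> str:
    """Replace policy variables such as ${iot:ClientId} with values from the connection."""
    for name, value in ctx.items():
        resource = resource.replace("${" + name + "}", value)
    return resource

def evaluate(policy: dict, action: str, resource: str, ctx: dict) -> bool:
    """Simplified IAM-style evaluation: a matching Deny always wins, otherwise a
    matching Allow is required, and a request that no statement matches is denied."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(_match(a, action) for a in actions):
            continue
        if not any(_match(_substitute(r, ctx), resource) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def cognito_allowed(role_policy, iot_policy, action, resource, ctx) -> bool:
    """An authenticated Cognito identity needs BOTH the identity pool role policy and the
    policy attached through AttachPolicy to allow the request (the 'least privilege' rule)."""
    return evaluate(role_policy, action, resource, ctx) and evaluate(iot_policy, action, resource, ctx)

# Adapted from the page's registered-device example: publish anywhere under the thing
# name except <thing name>/bar, which an explicit Deny blocks even though '*' matches it.
PUBLISH_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iot:Connect"],
         "Resource": [ARN + "client/${iot:Connection.Thing.ThingName}"]},
        {"Effect": "Allow", "Action": ["iot:Publish"],
         "Resource": [ARN + "topic/${iot:Connection.Thing.ThingName}/*"]},
        {"Effect": "Deny", "Action": ["iot:Publish"],
         "Resource": [ARN + "topic/${iot:Connection.Thing.ThingName}/bar"]},
    ],
}
```

Run the same evaluator over a proposed policy with the thing names and topics your fleet actually uses; a Subscribe request must be checked against a topicfilter ARN and a Receive or Publish request against a topic ARN, as in the examples on this page.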

Receive policy examples

Registered devices

For devices registered in the AWS IoT registry, the following policy grants permission to connect to AWS IoT with a client ID that matches the thing name and to subscribe to and receive messages on one topic:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [ "iot:Connect" ],
            "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}" ]
        },
        {
            "Effect": "Allow",
            "Action": [ "iot:Subscribe" ],
            "Resource": [ "arn:aws:iot:us-east-1:123456789012:topicfilter/my/topic" ]
        },
        {
            "Effect": "Allow",
            "Action": [ "iot:Receive" ],
            "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/my/topic" ]
        }
    ]
}

Unregistered devices

For devices not registered in the AWS IoT registry, the following policy grants permission to connect to AWS IoT with the client ID client1 and to subscribe to and receive messages on one topic:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [ "iot:Connect" ],
            "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/client1" ]
        },
        {
            "Effect": "Allow",
            "Action": [ "iot:Subscribe" ],
            "Resource": [ "arn:aws:iot:us-east-1:123456789012:topicfilter/my/topic" ]
        },
        {
            "Effect": "Allow",
            "Action": [ "iot:Receive" ],
            "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/my/topic" ]
        }
    ]
}