Amazon managed policies for Amazon IoT - Amazon IoT Core
The Amazon Web Services services or features described in the Amazon Web Services documentation might vary by Region. To see the differences that apply to the China Regions, see Getting Started with Amazon Web Services in China.

Amazon managed policies for Amazon IoT

To add permissions to users, groups, and roles, it is easier to use Amazon managed policies than to write policies yourself. It takes time and expertise to create IAM customer managed policies that provide your team with only the permissions they need. To get started quickly, you can use our Amazon managed policies. These policies cover common use cases and are available in your Amazon Web Services account. For more information about Amazon managed policies, see Amazon managed policies in the IAM User Guide.

Amazon services maintain and update Amazon managed policies. You can't change the permissions in Amazon managed policies. Services occasionally add additional permissions to an Amazon managed policy to support new features. This type of update affects all identities (users, groups, and roles) to which the policy is attached. Services are most likely to update an Amazon managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an Amazon managed policy, so policy updates won't break your existing permissions.

Additionally, Amazon supports managed policies for job functions that span multiple services. For example, the ReadOnlyAccess Amazon managed policy provides read-only access to all Amazon services and resources. When a service launches a new feature, Amazon adds read-only permissions for the new operations and resources. For a list and descriptions of job function policies, see Amazon managed policies for job functions in the IAM User Guide.

Note

Amazon IoT works with both Amazon IoT policies and IAM policies. This topic discusses only IAM policies, which define policy actions for control plane and data plane API operations. See also Amazon IoT Core policies.

Amazon managed policy: AWSIoTConfigAccess

You can attach the AWSIoTConfigAccess policy to your IAM identities.

This policy grants the associated identity permissions that allow access to all Amazon IoT configuration operations. This policy can affect data processing and storage. To view this policy in the Amazon Web Services Management Console, see AWSIoTConfigAccess.

Permissions details

This policy includes the following permissions.

  • iot – Retrieve Amazon IoT data and perform IoT configuration operations.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iot:AcceptCertificateTransfer",
                "iot:AddThingToThingGroup",
                "iot:AssociateTargetsWithJob",
                "iot:AttachPolicy",
                "iot:AttachPrincipalPolicy",
                "iot:AttachThingPrincipal",
                "iot:CancelCertificateTransfer",
                "iot:CancelJob",
                "iot:CancelJobExecution",
                "iot:ClearDefaultAuthorizer",
                "iot:CreateAuthorizer",
                "iot:CreateCertificateFromCsr",
                "iot:CreateJob",
                "iot:CreateKeysAndCertificate",
                "iot:CreateOTAUpdate",
                "iot:CreatePolicy",
                "iot:CreatePolicyVersion",
                "iot:CreateRoleAlias",
                "iot:CreateStream",
                "iot:CreateThing",
                "iot:CreateThingGroup",
                "iot:CreateThingType",
                "iot:CreateTopicRule",
                "iot:DeleteAuthorizer",
                "iot:DeleteCACertificate",
                "iot:DeleteCertificate",
                "iot:DeleteJob",
                "iot:DeleteJobExecution",
                "iot:DeleteOTAUpdate",
                "iot:DeletePolicy",
                "iot:DeletePolicyVersion",
                "iot:DeleteRegistrationCode",
                "iot:DeleteRoleAlias",
                "iot:DeleteStream",
                "iot:DeleteThing",
                "iot:DeleteThingGroup",
                "iot:DeleteThingType",
                "iot:DeleteTopicRule",
                "iot:DeleteV2LoggingLevel",
                "iot:DeprecateThingType",
                "iot:DescribeAuthorizer",
                "iot:DescribeCACertificate",
                "iot:DescribeCertificate",
                "iot:DescribeDefaultAuthorizer",
                "iot:DescribeEndpoint",
                "iot:DescribeEventConfigurations",
                "iot:DescribeIndex",
                "iot:DescribeJob",
                "iot:DescribeJobExecution",
                "iot:DescribeRoleAlias",
                "iot:DescribeStream",
                "iot:DescribeThing",
                "iot:DescribeThingGroup",
                "iot:DescribeThingRegistrationTask",
                "iot:DescribeThingType",
                "iot:DetachPolicy",
                "iot:DetachPrincipalPolicy",
                "iot:DetachThingPrincipal",
                "iot:DisableTopicRule",
                "iot:EnableTopicRule",
                "iot:GetEffectivePolicies",
                "iot:GetIndexingConfiguration",
                "iot:GetJobDocument",
                "iot:GetLoggingOptions",
                "iot:GetOTAUpdate",
                "iot:GetPolicy",
                "iot:GetPolicyVersion",
                "iot:GetRegistrationCode",
                "iot:GetTopicRule",
                "iot:GetV2LoggingOptions",
                "iot:ListAttachedPolicies",
                "iot:ListAuthorizers",
                "iot:ListCACertificates",
                "iot:ListCertificates",
                "iot:ListCertificatesByCA",
                "iot:ListIndices",
                "iot:ListJobExecutionsForJob",
                "iot:ListJobExecutionsForThing",
                "iot:ListJobs",
                "iot:ListOTAUpdates",
                "iot:ListOutgoingCertificates",
                "iot:ListPolicies",
                "iot:ListPolicyPrincipals",
                "iot:ListPolicyVersions",
                "iot:ListPrincipalPolicies",
                "iot:ListPrincipalThings",
                "iot:ListRoleAliases",
                "iot:ListStreams",
                "iot:ListTargetsForPolicy",
                "iot:ListThingGroups",
                "iot:ListThingGroupsForThing",
                "iot:ListThingPrincipals",
                "iot:ListThingRegistrationTaskReports",
                "iot:ListThingRegistrationTasks",
                "iot:ListThings",
                "iot:ListThingsInThingGroup",
                "iot:ListThingTypes",
                "iot:ListTopicRules",
                "iot:ListV2LoggingLevels",
                "iot:RegisterCACertificate",
                "iot:RegisterCertificate",
                "iot:RegisterThing",
                "iot:RejectCertificateTransfer",
                "iot:RemoveThingFromThingGroup",
                "iot:ReplaceTopicRule",
                "iot:SearchIndex",
                "iot:SetDefaultAuthorizer",
                "iot:SetDefaultPolicyVersion",
                "iot:SetLoggingOptions",
                "iot:SetV2LoggingLevel",
                "iot:SetV2LoggingOptions",
                "iot:StartThingRegistrationTask",
                "iot:StopThingRegistrationTask",
                "iot:TestAuthorization",
                "iot:TestInvokeAuthorizer",
                "iot:TransferCertificate",
                "iot:UpdateAuthorizer",
                "iot:UpdateCACertificate",
                "iot:UpdateCertificate",
                "iot:UpdateEventConfigurations",
                "iot:UpdateIndexingConfiguration",
                "iot:UpdateRoleAlias",
                "iot:UpdateStream",
                "iot:UpdateThing",
                "iot:UpdateThingGroup",
                "iot:UpdateThingGroupsForThing",
                "iot:UpdateAccountAuditConfiguration",
                "iot:DescribeAccountAuditConfiguration",
                "iot:DeleteAccountAuditConfiguration",
                "iot:StartOnDemandAuditTask",
                "iot:CancelAuditTask",
                "iot:DescribeAuditTask",
                "iot:ListAuditTasks",
                "iot:CreateScheduledAudit",
                "iot:UpdateScheduledAudit",
                "iot:DeleteScheduledAudit",
                "iot:DescribeScheduledAudit",
                "iot:ListScheduledAudits",
                "iot:ListAuditFindings",
                "iot:CreateSecurityProfile",
                "iot:DescribeSecurityProfile",
                "iot:UpdateSecurityProfile",
                "iot:DeleteSecurityProfile",
                "iot:AttachSecurityProfile",
                "iot:DetachSecurityProfile",
                "iot:ListSecurityProfiles",
                "iot:ListSecurityProfilesForTarget",
                "iot:ListTargetsForSecurityProfile",
                "iot:ListActiveViolations",
                "iot:ListViolationEvents",
                "iot:ValidateSecurityProfileBehaviors"
            ],
            "Resource": "*"
        }
    ]
}

Amazon managed policy: AWSIoTConfigReadOnlyAccess

You can attach the AWSIoTConfigReadOnlyAccess policy to your IAM identities.

This policy grants the associated identity permissions that allow read-only access to all Amazon IoT configuration operations. To view this policy in the Amazon Web Services Management Console, see AWSIoTConfigReadOnlyAccess.

Permissions details

This policy includes the following permissions.

  • iot – Perform read-only operations on IoT configuration operations.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iot:DescribeAuthorizer",
                "iot:DescribeCACertificate",
                "iot:DescribeCertificate",
                "iot:DescribeDefaultAuthorizer",
                "iot:DescribeEndpoint",
                "iot:DescribeEventConfigurations",
                "iot:DescribeIndex",
                "iot:DescribeJob",
                "iot:DescribeJobExecution",
                "iot:DescribeRoleAlias",
                "iot:DescribeStream",
                "iot:DescribeThing",
                "iot:DescribeThingGroup",
                "iot:DescribeThingRegistrationTask",
                "iot:DescribeThingType",
                "iot:GetEffectivePolicies",
                "iot:GetIndexingConfiguration",
                "iot:GetJobDocument",
                "iot:GetLoggingOptions",
                "iot:GetOTAUpdate",
                "iot:GetPolicy",
                "iot:GetPolicyVersion",
                "iot:GetRegistrationCode",
                "iot:GetTopicRule",
                "iot:GetV2LoggingOptions",
                "iot:ListAttachedPolicies",
                "iot:ListAuthorizers",
                "iot:ListCACertificates",
                "iot:ListCertificates",
                "iot:ListCertificatesByCA",
                "iot:ListIndices",
                "iot:ListJobExecutionsForJob",
                "iot:ListJobExecutionsForThing",
                "iot:ListJobs",
                "iot:ListOTAUpdates",
                "iot:ListOutgoingCertificates",
                "iot:ListPolicies",
                "iot:ListPolicyPrincipals",
                "iot:ListPolicyVersions",
                "iot:ListPrincipalPolicies",
                "iot:ListPrincipalThings",
                "iot:ListRoleAliases",
                "iot:ListStreams",
                "iot:ListTargetsForPolicy",
                "iot:ListThingGroups",
                "iot:ListThingGroupsForThing",
                "iot:ListThingPrincipals",
                "iot:ListThingRegistrationTaskReports",
                "iot:ListThingRegistrationTasks",
                "iot:ListThings",
                "iot:ListThingsInThingGroup",
                "iot:ListThingTypes",
                "iot:ListTopicRules",
                "iot:ListV2LoggingLevels",
                "iot:SearchIndex",
                "iot:TestAuthorization",
                "iot:TestInvokeAuthorizer",
                "iot:DescribeAccountAuditConfiguration",
                "iot:DescribeAuditTask",
                "iot:ListAuditTasks",
                "iot:DescribeScheduledAudit",
                "iot:ListScheduledAudits",
                "iot:ListAuditFindings",
                "iot:DescribeSecurityProfile",
                "iot:ListSecurityProfiles",
                "iot:ListSecurityProfilesForTarget",
                "iot:ListTargetsForSecurityProfile",
                "iot:ListActiveViolations",
                "iot:ListViolationEvents",
                "iot:ValidateSecurityProfileBehaviors"
            ],
            "Resource": "*"
        }
    ]
}

Amazon managed policy: AWSIoTDataAccess

You can attach the AWSIoTDataAccess policy to your IAM identities.

This policy grants the associated identity permissions that allow access to all Amazon IoT data operations. Data operations send data over the MQTT or HTTP protocols. To view this policy in the Amazon Web Services Management Console, see AWSIoTDataAccess.

Permissions details

This policy includes the following permissions.

  • iot – Retrieve Amazon IoT data and allow full access to Amazon IoT messaging operations.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iot:Connect",
                "iot:Publish",
                "iot:Subscribe",
                "iot:Receive",
                "iot:GetThingShadow",
                "iot:UpdateThingShadow",
                "iot:DeleteThingShadow",
                "iot:ListNamedShadowsForThing"
            ],
            "Resource": "*"
        }
    ]
}

Amazon managed policy: AWSIoTFullAccess

You can attach the AWSIoTFullAccess policy to your IAM identities.

This policy grants the associated identity permissions that allow access to all Amazon IoT configuration and messaging operations. To view this policy in the Amazon Web Services Management Console, see AWSIoTFullAccess.

Permissions details

This policy includes the following permissions.

  • iot – Retrieve Amazon IoT data and allow full access to Amazon IoT configuration and messaging operations.

  • iotjobsdata – Retrieve Amazon IoT Jobs data and allow full access to the Amazon IoT Jobs data plane API operations.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iot:*",
                "iotjobsdata:*"
            ],
            "Resource": "*"
        }
    ]
}

Amazon managed policy: AWSIoTLogging

You can attach the AWSIoTLogging policy to your IAM identities.

This policy grants the associated identity permissions that allow creating Amazon CloudWatch Logs groups and streaming logs to those groups. This policy is attached to your CloudWatch logging role. To view this policy in the Amazon Web Services Management Console, see AWSIoTLogging.

Permissions details

This policy includes the following permissions.

  • logs – Retrieve CloudWatch logs. Also allow creating CloudWatch Logs groups and streaming logs to those groups.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "logs:PutMetricFilter",
                "logs:PutRetentionPolicy",
                "logs:GetLogEvents",
                "logs:DeleteLogStream"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Amazon managed policy: AWSIoTOTAUpdate

You can attach the AWSIoTOTAUpdate policy to your IAM identities.

This policy grants the associated identity permissions that allow creating Amazon IoT jobs and Amazon IoT code-signing jobs, and describing Amazon Signer jobs. To view this policy in the Amazon Web Services Management Console, see AWSIoTOTAUpdate.

Permissions details

This policy includes the following permissions.

  • iot – Create Amazon IoT jobs and code-signing jobs.

  • signer – Perform operations to create Amazon Signer jobs.

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": [
            "iot:CreateJob",
            "signer:DescribeSigningJob"
        ],
        "Resource": "*"
    }
}

Amazon managed policy: AWSIoTRuleActions

You can attach the AWSIoTRuleActions policy to your IAM identities.

This policy grants the associated identity permissions that allow access to all the Amazon Web Services supported in Amazon IoT rule actions. To view this policy in the Amazon Web Services Management Console, see AWSIoTRuleActions.

Permissions details

This policy includes the following permissions.

  • iot - Perform operations to publish rule action messages.

  • dynamodb - Insert messages into a DynamoDB table, or split a message into multiple columns of a DynamoDB table.

  • s3 - Store objects in an Amazon S3 bucket.

  • kinesis - Send messages to an Amazon Kinesis stream object.

  • firehose - Insert records into a Kinesis Data Firehose stream object.

  • cloudwatch - Change a CloudWatch alarm state, or send message data to a CloudWatch metric.

  • sns - Perform operations to publish notifications using Amazon SNS. This action is scoped to Amazon IoT SNS topics.

  • sqs - Insert messages to be added to an SQS queue.

  • es - Send messages to the OpenSearch Service.

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": [
            "dynamodb:PutItem",
            "kinesis:PutRecord",
            "iot:Publish",
            "s3:PutObject",
            "sns:Publish",
            "sqs:SendMessage*",
            "cloudwatch:SetAlarmState",
            "cloudwatch:PutMetricData",
            "es:ESHttpPut",
            "firehose:PutRecord"
        ],
        "Resource": "*"
    }
}

Amazon managed policy: AWSIoTThingsRegistration

You can attach the AWSIoTThingsRegistration policy to your IAM identities.

This policy grants the associated identity permissions that allow registering things in bulk using the StartThingRegistrationTask API. This policy can affect data processing and storage. To view this policy in the Amazon Web Services Management Console, see AWSIoTThingsRegistration.

Permissions details

This policy includes the following permissions.

  • iot - Perform operations to create things and attach policies and certificates during bulk registration.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iot:AddThingToThingGroup",
                "iot:AttachPolicy",
                "iot:AttachPrincipalPolicy",
                "iot:AttachThingPrincipal",
                "iot:CreateCertificateFromCsr",
                "iot:CreatePolicy",
                "iot:CreateThing",
                "iot:DescribeCertificate",
                "iot:DescribeThing",
                "iot:DescribeThingGroup",
                "iot:DescribeThingType",
                "iot:DetachPolicy",
                "iot:DetachThingPrincipal",
                "iot:GetPolicy",
                "iot:ListAttachedPolicies",
                "iot:ListPolicyPrincipals",
                "iot:ListPrincipalPolicies",
                "iot:ListPrincipalThings",
                "iot:ListTargetsForPolicy",
                "iot:ListThingGroupsForThing",
                "iot:ListThingPrincipals",
                "iot:RegisterCertificate",
                "iot:RegisterThing",
                "iot:RemoveThingFromThingGroup",
                "iot:UpdateCertificate",
                "iot:UpdateThing",
                "iot:UpdateThingGroupsForThing",
                "iot:AddThingToBillingGroup",
                "iot:DescribeBillingGroup",
                "iot:RemoveThingFromBillingGroup"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
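Every policy on this page grants on "Resource": "*", two of them (AWSIoTOTAUpdate and AWSIoTRuleActions) write "Statement" as a single object rather than a list, and two rely on wildcards in the Action element ("iot:*" and "iotjobsdata:*" in AWSIoTFullAccess, "sqs:SendMessage*" in AWSIoTRuleActions). The script below is an added example, not code from the Amazon documentation or the Amazon IoT service: it evaluates whether a named action is allowed by such a policy document, tolerating both the list and the single-object shapes, applies the "*" and "?" action wildcards case-insensitively, and lists the non-read-only actions a policy grants (by API verb prefix, a heuristic I chose, not an Amazon classification). The three policy dictionaries embedded in it are copies of AWSIoTDataAccess, AWSIoTFullAccess and AWSIoTRuleActions as shown on this page; the variable and function names are mine. Condition, NotAction and resource ARN matching are deliberately not modelled.

```python
import re

# Inline copies of three short managed policies from this page (action lists as shown
# on the page; the Python names are the example's own). AWSIOT_RULE_ACTIONS keeps the
# single-object "Statement" shape exactly as the page prints it.
AWSIOT_DATA_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["iot:Connect", "iot:Publish", "iot:Subscribe", "iot:Receive",
                              "iot:GetThingShadow", "iot:UpdateThingShadow",
                              "iot:DeleteThingShadow", "iot:ListNamedShadowsForThing"],
                   "Resource": "*"}],
}
AWSIOT_FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["iot:*", "iotjobsdata:*"], "Resource": "*"}],
}
AWSIOT_RULE_ACTIONS = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow",
                  "Action": ["dynamodb:PutItem", "kinesis:PutRecord", "iot:Publish",
                             "s3:PutObject", "sns:Publish", "sqs:SendMessage*",
                             "cloudwatch:SetAlarmState", "cloudwatch:PutMetricData",
                             "es:ESHttpPut", "firehose:PutRecord"],
                  "Resource": "*"},
}


def _as_list(value):
    """IAM lets Statement, Action and Resource be either a single value or a list."""
    return value if isinstance(value, list) else [value]


def _action_regex(pattern):
    """Translate an IAM action pattern ('*' and '?' wildcards, matched case-insensitively)
    into an anchored regular expression. Everything else is matched literally."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(f"^{body}$", re.IGNORECASE)


def matching_statements(policy, action):
    """All statements whose Action element matches the given action."""
    return [s for s in _as_list(policy["Statement"])
            if any(_action_regex(p).match(action) for p in _as_list(s.get("Action", [])))]


def is_allowed(policy, action):
    """IAM evaluation for the Action element only: an explicit Deny wins over any Allow,
    and an action no statement matches is implicitly denied. Resource and Condition
    are not evaluated (every policy on this page uses "Resource": "*")."""
    matched = matching_statements(policy, action)
    if any(s["Effect"] == "Deny" for s in matched):
        return False
    return any(s["Effect"] == "Allow" for s in matched)


# Heuristic: API verbs that only read state. Chosen for this example, not an Amazon list.
READ_ONLY_VERBS = ("Describe", "Get", "List", "Search", "Test", "Validate")


def mutating_actions(policy):
    """Actions in Allow statements whose verb is not read-only. Wildcard actions such as
    'iot:*' are reported as-is because they cover mutating APIs as well."""
    found = set()
    for s in _as_list(policy["Statement"]):
        if s["Effect"] != "Allow":
            continue
        for a in _as_list(s.get("Action", [])):
            verb = a.split(":", 1)[1] if ":" in a else a
            if "*" in a or "?" in a or not verb.startswith(READ_ONLY_VERBS):
                found.add(a)
    return sorted(found)


def star_resource_statements(policy):
    """Statements that grant on every resource ("Resource": "*"): the first thing to narrow
    when deriving a customer managed policy from one of these managed policies."""
    return [s for s in _as_list(policy["Statement"]) if "*" in _as_list(s.get("Resource", []))]


if __name__ == "__main__":
    print(is_allowed(AWSIOT_FULL_ACCESS, "iot:CreatePolicy"))       # True, via iot:*
    print(is_allowed(AWSIOT_RULE_ACTIONS, "sqs:SendMessageBatch"))  # True, via sqs:SendMessage*
    print(is_allowed(AWSIOT_DATA_ACCESS, "iot:CreatePolicy"))       # False, data plane only
    print(mutating_actions(AWSIOT_DATA_ACCESS))
    print(len(star_resource_statements(AWSIOT_RULE_ACTIONS)))
```

Running it against the AWSIoTConfigAccess and AWSIoTConfigReadOnlyAccess documents above (paste them into a dictionary the same way) shows the practical difference between the two: mutating_actions returns an empty list for the read-only policy and the full set of Create/Delete/Update/Set/Attach actions for the other, which is the list to review before attaching AWSIoTConfigAccess to a role that only needs to inspect the registry.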

Amazon IoT updates to Amazon managed policies

View details about updates to Amazon managed policies for Amazon IoT since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Amazon IoT Document history page.

Change: AWSIoTFullAccess – Update to an existing policy
Description: Amazon IoT added new permissions to allow users to access the Amazon IoT Jobs data plane API operations over the HTTP protocol. A new IAM policy prefix, iotjobsdata:, gives you a more fine-grained access control mechanism for the Amazon IoT Jobs data plane endpoints. For control plane API operations, you still use the iot: prefix. For more information, see Amazon IoT Core policies for the HTTPS protocol.
Date: May 11, 2022

Change: Amazon IoT started tracking changes
Description: Amazon IoT started tracking changes for its Amazon managed policies.
Date: May 11, 2022