Actions, Resources, and Condition Keys for AWS IoT
AWS IoT (service prefix: iot) provides the following service-specific resources, actions, and condition context
keys for use in IAM permission policies.
References:
-
Learn how to configure this service.
-
View a list of the API operations available for this service.
-
Learn how to protect this service and its resources by using IAM permission policies.
Actions Defined by AWS IoT
You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform
an operation in AWS. When you use an action in a policy, you usually allow or
deny access to the API operation or CLI command with the same name. However,
in some cases, a single action controls access to more than one operation. Alternatively,
some operations require several different actions.
The Resource column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the
Resource element of your policy statement. If the column includes a resource type, then
you can specify an ARN of that type in a statement with that action. Required
resources are indicated in the table with an asterisk (*). If you specify a resource-level
permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not
indicated as required), then you can choose to use one but not the other.
For details about the columns in the following table, see The Actions Table.
| Actions | Description | Access Level | Resource Types (*required) | Condition Keys | Dependent Actions |
|---|---|---|---|---|---|
| AcceptCertificateTransfer | Accepts a pending certificate transfer. | Write | |||
| AddThingToBillingGroup | Adds a thing to the specified billing group. | Write | |||
| AddThingToThingGroup | Adds a thing to the specified thing group. | Write | |||
| AssociateTargetsWithJob | Associates a group with a continuous job. | Write | |||
| AttachPolicy | Attaches a policy to the specified target. | Permissions management | |||
| AttachPrincipalPolicy | Attaches the specified policy to the specified principal (certificate or other credential). | Permissions management | |||
| AttachSecurityProfile | Associates a Device Defender security profile with a thing group or with this account. | Write | |||
| AttachThingPrincipal | Attaches the specified principal to the specified thing. | Write | |||
| CancelAuditTask | Cancels an audit that is in progress. The audit can be either scheduled or on-demand. | Write | |||
| CancelCertificateTransfer | Cancels a pending transfer for the specified certificate. | Write | |||
| CancelJob | Cancels a job. | Write | |||
| CancelJobExecution | Cancels a job execution on a particular device. | Write | |||
| ClearDefaultAuthorizer | Clears the default authorizer. | Write | |||
| Connect | Connect as the specified client | Write | |||
| CreateAuthorizer | Creates an authorizer. | Write | |||
| CreateBillingGroup | Creates a billing group. | Tagging | |||
| CreateCertificateFromCsr | Creates an X.509 certificate using the specified certificate signing request. | Write | |||
| CreateDynamicThingGroup | Creates a Dynamic Thing Group | Tagging | |||
| CreateJob | Creates a job. | Write | |||
| CreateKeysAndCertificate | Creates a 2048 bit RSA key pair and issues an X.509 certificate using the issued public key. | Write | |||
| CreateOTAUpdate | Creates an OTA update job. | Write | |||
| CreatePolicy | Creates an AWS IoT policy. | Write | |||
| CreatePolicyVersion | Creates a new version of the specified AWS IoT policy. | Write | |||
| CreateRoleAlias | Creates a role alias. | Write | |||
| CreateScheduledAudit | Creates a scheduled audit that is run at a specified time interval. | Tagging | |||
| CreateSecurityProfile | Creates a Device Defender security profile. | Tagging | |||
| CreateStream | Creates a new AWS IoT stream | Write | |||
| CreateThing | Creates a thing in the thing registry. | Write | |||
| CreateThingGroup | Creates a thing group. | Tagging | |||
| CreateThingType | Creates a new thing type. | Tagging | |||
| CreateTopicRule | Creates a rule. | Write | |||
| DeleteAccountAuditConfiguration | Deletes the audit configuration associated with the account. | Write | |||
| DeleteAuthorizer | Deletes the specified authorizer. | Write | |||
| DeleteBillingGroup | Deletes the specified billing group. | Tagging | |||
| DeleteCACertificate | Deletes a registered CA certificate. | Write | |||
| DeleteCertificate | Deletes the specified certificate. | Write | |||
| DeleteDynamicThingGroup | Deletes the specified Dynamic Thing Group | Write | |||
| DeleteJob | Deletes a job and its related job executions. | Write | |||
| DeleteJobExecution | Deletes a job execution. | Write | |||
| DeleteOTAUpdate | Deletes an OTA update job. | Write | |||
| DeletePolicy | Deletes the specified policy. | Write | |||
| DeletePolicyVersion | Deletes the specified version of the specified policy. | Write | |||
| DeleteRegistrationCode | Deletes a CA certificate registration code. | Write | |||
| DeleteRoleAlias | Deletes the specified role alias. | Write | |||
| DeleteScheduledAudit | Deletes a scheduled audit. | Write | |||
| DeleteSecurityProfile | Deletes a Device Defender security profile. | Write | |||
| DeleteStream | Deletes a specified stream. | Write | |||
| DeleteThing | Deletes the specified thing. | Write | |||
| DeleteThingGroup | Deletes the specified thing group. | Tagging | |||
| DeleteThingShadow | Deletes the specified thing shadow. | Write | |||
| DeleteThingType | Deletes the specified thing type. | Tagging | |||
| DeleteTopicRule | Deletes the specified rule. | Write | |||
| DeleteV2LoggingLevel | Deletes the specified v2 logging level. | Write | |||
| DeprecateThingType | Deprecates the specified thing type. | Write | |||
| DescribeAccountAuditConfiguration | Gets information about audit configurations for the account. | Read | |||
| DescribeAuditTask | Gets information about a Device Defender audit. | Read | |||
| DescribeAuthorizer | Describes an authorizer. | Read | |||
| DescribeBillingGroup | Gets information about the specified billing group. | Read | |||
| DescribeCACertificate | Describes a registered CA certificate. | Read | |||
| DescribeCertificate | Gets information about the specified certificate. | Read | |||
| DescribeDefaultAuthorizer | Describes the default authorizer. | Read | |||
| DescribeEndpoint | Returns a unique endpoint specific to the AWS account making the call. | Read | |||
| DescribeEventConfigurations | Returns account event configurations. | Read | |||
| DescribeIndex | Gets information about the specified index. | Read | |||
| DescribeJob | Describes a job. | Read | |||
| DescribeJobExecution | Describes a job execution. | Read | |||
| DescribeRoleAlias | Describes a role alias. | Read | |||
| DescribeScheduledAudit | Gets information about a scheduled audit. | Read | |||
| DescribeSecurityProfile | Gets information about a Device Defender security profile. | Read | |||
| DescribeStream | Gets information about the specified stream. | Read | |||
| DescribeThing | Gets information about the specified thing. | Read | |||
| DescribeThingGroup | Gets information about the specified thing group. | Read | |||
| DescribeThingRegistrationTask | Gets information about the bulk thing registration task. | Read | |||
| DescribeThingType | Gets information about the specified thing type. | Read | |||
| DetachPolicy | Detaches a policy from the specified target. | Permissions management | |||
| DetachPrincipalPolicy | Removes the specified policy from the specified certificate. | Permissions management | |||
| DetachSecurityProfile | Disassociates a Device Defender security profile from a thing group or from this account. | Write | |||
| DetachThingPrincipal | Detaches the specified principal from the specified thing. | Write | |||
| DisableTopicRule | Disables the specified rule. | Write | |||
| EnableTopicRule | Enables the specified rule. | Write | |||
| GetEffectivePolicies | Gets effective policies. | Read | |||
| GetIndexingConfiguration | Gets current fleet indexing configuration | Read | |||
| GetJobDocument | Gets a job document. | Read | |||
| GetLoggingOptions | Gets the logging options. | Read | |||
| GetOTAUpdate | Gets the information about the OTA update job. | Read | |||
| GetPendingJobExecutions | Gets the list of all jobs for a thing that are not in a terminal state. | Read | |||
| GetPolicy | Gets information about the specified policy with the policy document of the default version. | Read | |||
| GetPolicyVersion | Gets information about the specified policy version. | Read | |||
| GetRegistrationCode | Gets a registration code used to register a CA certificate with AWS IoT. | Read | |||
| GetStatistics | Get statistics for IoT fleet index | Read | |||
| GetThingShadow | Gets the thing shadow. | Read | |||
| GetTopicRule | Gets information about the specified rule. | Read | |||
| GetV2LoggingOptions | Gets v2 logging options. | Read | |||
| ListActiveViolations | Lists the active violations for a given Device Defender security profile or Thing. | List | |||
| ListAttachedPolicies | Lists the policies attached to the specified thing group. | List | |||
| ListAuditFindings | Lists the findings (results) of a Device Defender audit or of the audits performed during a specified time period. | List | |||
| ListAuditTasks | Lists the Device Defender audits that have been performed during a given time period. | List | |||
| ListAuthorizers | Lists the authorizers registered in your account. | List | |||
| ListBillingGroups | Lists all billing groups. | List | |||
| ListCACertificates | Lists the CA certificates registered for your AWS account. | List | |||
| ListCertificates | Lists your certificates. | List | |||
| ListCertificatesByCA | List the device certificates signed by the specified CA certificate. | List | |||
| ListIndices | Lists all indices for fleet index | List | |||
| ListJobExecutionsForJob | Lists the job executions for a job. | List | |||
| ListJobExecutionsForThing | Lists the job executions for the specified thing. | List | |||
| ListJobs | Lists jobs. | List | |||
| ListOTAUpdates | Lists OTA update jobs in the account. | List | |||
| ListOutgoingCertificates | Lists certificates that are being transfered but not yet accepted. | List | |||
| ListPolicies | Lists your policies. | List | |||
| ListPolicyPrincipals | Lists the principals associated with the specified policy. | List | |||
| ListPolicyVersions | Lists the versions of the specified policy, and identifies the default version. | List | |||
| ListPrincipalPolicies | Lists the policies attached to the specified principal. If you use an Amazon Cognito identity, the ID needs to be in Amazon Cognito Identity format. | List | |||
| ListPrincipalThings | Lists the things associated with the specified principal. | List | |||
| ListRoleAliases | Lists role aliases. | List | |||
| ListScheduledAudits | Lists all of your scheduled audits. | List | |||
| ListSecurityProfiles | Lists the Device Defender security profiles you have created. | List | |||
| ListSecurityProfilesForTarget | Lists the Device Defender security profiles attached to a target. | List | |||
| ListStreams | Lists the streams in your account. | List | |||
| ListTagsForResource | Lists all tags for a given resource. | List | |||
| ListTargetsForPolicy | List targets for the specified policy. | List | |||
| ListTargetsForSecurityProfile | Lists the targets associated with a given Device Defender security profile. | List | |||
| ListThingGroups | Lists all thing groups. | List | |||
| ListThingGroupsForThing | List thing groups to which the specified thing belongs. | List | |||
| ListThingPrincipals | Lists the principals associated with the specified thing. | List | |||
| ListThingRegistrationTaskReports | Lists information about bulk thing registration tasks. | List | |||
| ListThingRegistrationTasks | Lists bulk thing registration tasks. | List | |||
| ListThingTypes | Lists all thing types. | List | |||
| ListThings | Lists all things. | List | |||
| ListThingsInBillingGroup | Lists all things in the specified billing group. | List | |||
| ListThingsInThingGroup | Lists all things in the specified thing group. | List | |||
| ListTopicRules | Lists the rules for the specific topic. | List | |||
| ListV2LoggingLevels | Lists the v2 logging levels. | List | |||
| ListViolationEvents | Lists the Device Defender security profile violations discovered during the given time period. | List | |||
| Publish | Publish to the specified topic. | Write | |||
| Receive | Receive from the specified topic. | Write | |||
| RegisterCACertificate | Registers a CA certificate with AWS IoT. | Write | |||
| RegisterCertificate | Registers a device certificate with AWS IoT. | Write | |||
| RegisterThing | Registers your thing. | Write | |||
| RejectCertificateTransfer | Rejects a pending certificate transfer. | Write | |||
| RemoveThingFromBillingGroup | Removes thing from the specified billing group. | Write | |||
| RemoveThingFromThingGroup | Removes thing from the specified thing group. | Write | |||
| ReplaceTopicRule | Replaces the specified rule. | Write | |||
| SearchIndex | Search IoT fleet index | Read | |||
| SetDefaultAuthorizer | Sets the default authorizer. This will be used if a websocket connection is made without specifying an authorizer. | Permissions management | |||
| SetDefaultPolicyVersion | Sets the specified version of the specified policy as the policy's default (operative) version. | Permissions management | |||
| SetLoggingOptions | Sets the logging options. | Write | |||
| SetV2LoggingLevel | Sets the v2 logging level. | Write | |||
| SetV2LoggingOptions | Sets the v2 logging options. | Write | |||
| StartNextPendingJobExecution | Gets and starts the next pending job execution for a thing. | Write | |||
| StartOnDemandAuditTask | Starts an on-demand Device Defender audit. | Write | |||
| StartThingRegistrationTask | Starts a bulk thing registration task. | Write | |||
| StopThingRegistrationTask | Stops a bulk thing registration task. | Write | |||
| Subscribe | Subscribe to the specified TopicFilter. | Write | |||
| TagResource | Tag a specified resource | Tagging | |||
| TestAuthorization | Test the policies evaluation for group policies | Read | |||
| TestInvokeAuthorizer | Invoke the specified custom authorizer for testing purposes. | Read | |||
| TransferCertificate | Transfers the specified certificate to the specified AWS account. | Write | |||
| UntagResource | Untag a specified resource | Tagging | |||
| UpdateAccountAuditConfiguration | Configures or reconfigures the Device Defender audit settings for this account. | Write | |||
| UpdateAuthorizer | Updates an authorizer | Write | |||
| UpdateBillingGroup | Updates information associated with the specified billing group. | Write | |||
| UpdateCACertificate | Updates a registered CA certificate. | Write | |||
| UpdateCertificate | Updates the status of the specified certificate. This operation is idempotent. | Write | |||
| UpdateDynamicThingGroup | Updates a Dynamic Thing Group | Write | |||
| UpdateEventConfigurations | Updates event configurations. | Write | |||
| UpdateIndexingConfiguration | Updates fleet indexing configuration | Write | |||
| UpdateJob | Updates a job. | Write | |||
| UpdateJobExecution | Updates a job execution. | Write | |||
| UpdateRoleAlias | Updates the role alias | Write | |||
| UpdateScheduledAudit | Updates a scheduled audit, including what checks are performed and how often the audit takes place. | Write | |||
| UpdateSecurityProfile | Updates a Device Defender security profile. | Write | |||
| UpdateStream | Updates the data for a stream. | Write | |||
| UpdateThing | Updates information associated with the specified thing. | Write | |||
| UpdateThingGroup | Updates information associated with the specified thing group. | Write | |||
| UpdateThingGroupsForThing | Updates the thing groups to which the thing belongs. | Write | |||
| UpdateThingShadow | Updates the thing shadow. | Write | |||
| ValidateSecurityProfileBehaviors | Validates a Device Defender security profile behaviors specification. | Read |
Resources Defined by AWS IoT
The following resource types are defined by this service and can be used in the
Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource
type can also define which condition keys you can include in a policy. These
keys are displayed in the last column of the table. For details about the columns
in the following table, see The Resource Types Table.
| Resource Types | ARN | Condition Keys |
|---|---|---|
| client |
arn:${Partition}:iot:${Region}:${Account}:client/${ClientId}
|
|
| index |
arn:${Partition}:iot:${Region}:${Account}:index/${IndexName}
|
|
| job |
arn:${Partition}:iot:${Region}:${Account}:job/${JobId}
|
|
| thing |
arn:${Partition}:iot:${Region}:${Account}:thing/${ThingName}
|
|
| thinggroup |
arn:${Partition}:iot:${Region}:${Account}:thinggroup/${ThingGroupName}
|
|
| billinggroup |
arn:${Partition}:iot:${Region}:${Account}:billinggroup/${BillingGroupName}
|
|
| dynamicthinggroup |
arn:${Partition}:iot:${Region}:${Account}:thinggroup/${ThingGroupName}
|
|
| thingtype |
arn:${Partition}:iot:${Region}:${Account}:thingtype/${ThingTypeName}
|
|
| topic |
arn:${Partition}:iot:${Region}:${Account}:topic/${TopicName}
|
|
| topicfilter |
arn:${Partition}:iot:${Region}:${Account}:topicfilter/${TopicFilter}
|
|
| rolealias |
arn:${Partition}:iot:${Region}:${Account}:rolealias/${RoleAlias}
|
|
| role |
arn:${Partition}:iam::${Account}:role/${Role}
|
|
| authorizer |
arn:${Partition}:iot:${Region}:${Account}:authorizer/${AuthorizerName}
|
|
| policy |
arn:${Partition}:iot:${Region}:${Account}:policy/${PolicyName}
|
|
| cert |
arn:${Partition}:iot:${Region}:${Account}:cert/${Certificate}
|
|
| cacert |
arn:${Partition}:iot:${Region}:${Account}:cacert/${CACertificate}
|
|
| stream |
arn:${Partition}:iot:${Region}:${Account}:stream/${streamId}
|
|
| otaupdate |
arn:${Partition}:iot:${Region}:${Account}:otaupdate/${otaUpdateId}
|
|
| scheduledaudit |
arn:${Partition}:iot:${Region}:${Account}:scheduledaudit/${ScheduleName}
|
|
| securityprofile |
arn:${Partition}:iot:${Region}:${Account}:securityprofile/${SecurityProfileName}
|
|
| rule |
arn:${Partition}:iot:${Region}:${Account}:rule/${ruleName}
|
Condition Keys for AWS IoT
AWS IoT defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions
under which the policy statement applies. For details about the columns in the
following table, see The Condition Keys Table.
To view the global condition keys that are available to all services, see Available Global Condition Keys in the IAM Policy Reference.
