AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for AWS IoT

AWS IoT (service prefix: iot) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions Defined by AWS IoT

You can specify the following actions in the Action element of an IAM policy statement. By using policies, you define the permissions for anyone performing an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions. For details about the columns in the following table, see The Actions Table.

Action | Description | Access Level | Resource Types (*required) | Condition Keys | Dependent Actions
AcceptCertificateTransfer | Accepts a pending certificate transfer. | Write | | |
AddThingToBillingGroup | Adds a thing to the specified billing group. | Write | billinggroup*, thing* | |
AddThingToThingGroup | Adds a thing to the specified thing group. | Write | thing*, thinggroup* | |
AssociateTargetsWithJob | Associates a group with a continuous job. | Write | job*, thing*, thinggroup* | |
AttachPolicy | Attaches a policy to the specified target. | Permissions management | cert, thinggroup | |
AttachPrincipalPolicy | Attaches the specified policy to the specified principal (certificate or other credential). | Permissions management | cert | |
AttachSecurityProfile | Associates a Device Defender security profile with a thing group or with this account. | Write | securityprofile*, thinggroup | |
AttachThingPrincipal | Attaches the specified principal to the specified thing. | Write | | |
CancelAuditTask | Cancels an audit that is in progress. The audit can be either scheduled or on-demand. | Write | | |
CancelCertificateTransfer | Cancels a pending transfer for the specified certificate. | Write | | |
CancelJob | Cancels a job. | Write | job* | |
CancelJobExecution | Cancels a job execution on a particular device. | Write | job*, thing* | |
ClearDefaultAuthorizer | Clears the default authorizer. | Write | | |
Connect | Connects as the specified client. | Write | client* | |
CreateAuthorizer | Creates an authorizer. | Write | authorizer* | |
CreateBillingGroup | Creates a billing group. | Tagging | billinggroup* | aws:RequestTag/${TagKey}, aws:TagKeys |
CreateCertificateFromCsr | Creates an X.509 certificate using the specified certificate signing request. | Write | | |
CreateDynamicThingGroup | Creates a Dynamic Thing Group. | Tagging | dynamicthinggroup* | aws:RequestTag/${TagKey}, aws:TagKeys |
CreateJob | Creates a job. | Write | job*, thing*, thinggroup* | aws:RequestTag/${TagKey}, aws:TagKeys |
CreateKeysAndCertificate | Creates a 2048-bit RSA key pair and issues an X.509 certificate using the issued public key. | Write | | |
CreateOTAUpdate | Creates an OTA update job. | Write | otaupdate* | aws:RequestTag/${TagKey}, aws:TagKeys |
CreatePolicy | Creates an AWS IoT policy. | Write | | |
CreatePolicyVersion | Creates a new version of the specified AWS IoT policy. | Write | policy* | |
CreateRoleAlias | Creates a role alias. | Write | role*, rolealias* | |
CreateScheduledAudit | Creates a scheduled audit that is run at a specified time interval. | Tagging | scheduledaudit* | aws:RequestTag/${TagKey}, aws:TagKeys |
CreateSecurityProfile | Creates a Device Defender security profile. | Tagging | securityprofile* | aws:RequestTag/${TagKey}, aws:TagKeys |
CreateStream | Creates a new AWS IoT stream. | Write | stream* | aws:RequestTag/${TagKey}, aws:TagKeys |
CreateThing | Creates a thing in the thing registry. | Write | thing*, billinggroup | |
CreateThingGroup | Creates a thing group. | Tagging | thinggroup* | aws:RequestTag/${TagKey}, aws:TagKeys |
CreateThingType | Creates a new thing type. | Tagging | thingtype* | aws:RequestTag/${TagKey}, aws:TagKeys |
CreateTopicRule | Creates a rule. | Write | rule* | aws:RequestTag/${TagKey}, aws:TagKeys |
DeleteAccountAuditConfiguration | Deletes the audit configuration associated with the account. | Write | | |
DeleteAuthorizer | Deletes the specified authorizer. | Write | authorizer* | |
DeleteBillingGroup | Deletes the specified billing group. | Tagging | billinggroup* | |
DeleteCACertificate | Deletes a registered CA certificate. | Write | cacert* | |
DeleteCertificate | Deletes the specified certificate. | Write | cert* | |
DeleteDynamicThingGroup | Deletes the specified Dynamic Thing Group. | Write | | |
DeleteJob | Deletes a job and its related job executions. | Write | job* | |
DeleteJobExecution | Deletes a job execution. | Write | job*, thing* | |
DeleteOTAUpdate | Deletes an OTA update job. | Write | otaupdate* | |
DeletePolicy | Deletes the specified policy. | Write | policy* | |
DeletePolicyVersion | Deletes the specified version of the specified policy. | Write | policy* | |
DeleteRegistrationCode | Deletes a CA certificate registration code. | Write | | |
DeleteRoleAlias | Deletes the specified role alias. | Write | rolealias* | |
DeleteScheduledAudit | Deletes a scheduled audit. | Write | scheduledaudit* | |
DeleteSecurityProfile | Deletes a Device Defender security profile. | Write | securityprofile* | |
DeleteStream | Deletes a specified stream. | Write | stream* | |
DeleteThing | Deletes the specified thing. | Write | thing* | |
DeleteThingGroup | Deletes the specified thing group. | Tagging | thinggroup* | |
DeleteThingShadow | Deletes the specified thing shadow. | Write | thing* | |
DeleteThingType | Deletes the specified thing type. | Tagging | thingtype* | |
DeleteTopicRule | Deletes the specified rule. | Write | rule* | |
DeleteV2LoggingLevel | Deletes the specified v2 logging level. | Write | | |
DeprecateThingType | Deprecates the specified thing type. | Write | thingtype* | |
DescribeAccountAuditConfiguration | Gets information about audit configurations for the account. | Read | | |
DescribeAuditTask | Gets information about a Device Defender audit. | Read | | |
DescribeAuthorizer | Describes an authorizer. | Read | authorizer* | |
DescribeBillingGroup | Gets information about the specified billing group. | Read | billinggroup* | |
DescribeCACertificate | Describes a registered CA certificate. | Read | cacert* | |
DescribeCertificate | Gets information about the specified certificate. | Read | cert* | |
DescribeDefaultAuthorizer | Describes the default authorizer. | Read | | |
DescribeEndpoint | Returns a unique endpoint specific to the AWS account making the call. | Read | | |
DescribeEventConfigurations | Returns account event configurations. | Read | | |
DescribeIndex | Gets information about the specified index. | Read | index* | |
DescribeJob | Describes a job. | Read | job* | |
DescribeJobExecution | Describes a job execution. | Read | job, thing | |
DescribeRoleAlias | Describes a role alias. | Read | rolealias* | |
DescribeScheduledAudit | Gets information about a scheduled audit. | Read | scheduledaudit* | |
DescribeSecurityProfile | Gets information about a Device Defender security profile. | Read | securityprofile* | |
DescribeStream | Gets information about the specified stream. | Read | stream* | |
DescribeThing | Gets information about the specified thing. | Read | thing* | |
DescribeThingGroup | Gets information about the specified thing group. | Read | thinggroup* | |
DescribeThingRegistrationTask | Gets information about the bulk thing registration task. | Read | | |
DescribeThingType | Gets information about the specified thing type. | Read | thingtype* | |
DetachPolicy | Detaches a policy from the specified target. | Permissions management | cert, thinggroup | |
DetachPrincipalPolicy | Removes the specified policy from the specified certificate. | Permissions management | cert | |
DetachSecurityProfile | Disassociates a Device Defender security profile from a thing group or from this account. | Write | securityprofile*, thinggroup | |
DetachThingPrincipal | Detaches the specified principal from the specified thing. | Write | | |
DisableTopicRule | Disables the specified rule. | Write | rule* | |
EnableTopicRule | Enables the specified rule. | Write | rule* | |
GetEffectivePolicies | Gets effective policies. | Read | cert | |
GetIndexingConfiguration | Gets the current fleet indexing configuration. | Read | | |
GetJobDocument | Gets a job document. | Read | job* | |
GetLoggingOptions | Gets the logging options. | Read | | |
GetOTAUpdate | Gets information about the OTA update job. | Read | otaupdate* | |
GetPendingJobExecutions | Gets the list of all jobs for a thing that are not in a terminal state. | Read | thing* | |
GetPolicy | Gets information about the specified policy with the policy document of the default version. | Read | policy* | |
GetPolicyVersion | Gets information about the specified policy version. | Read | policy* | |
GetRegistrationCode | Gets a registration code used to register a CA certificate with AWS IoT. | Read | | |
GetStatistics | Gets statistics for the IoT fleet index. | Read | index* | |
GetThingShadow | Gets the thing shadow. | Read | thing* | |
GetTopicRule | Gets information about the specified rule. | Read | rule* | |
GetV2LoggingOptions | Gets v2 logging options. | Read | | |
ListActiveViolations | Lists the active violations for a given Device Defender security profile or thing. | List | securityprofile, thing | |
ListAttachedPolicies | Lists the policies attached to the specified thing group. | List | | |
ListAuditFindings | Lists the findings (results) of a Device Defender audit or of the audits performed during a specified time period. | List | | |
ListAuditTasks | Lists the Device Defender audits that have been performed during a given time period. | List | | |
ListAuthorizers | Lists the authorizers registered in your account. | List | | |
ListBillingGroups | Lists all billing groups. | List | | |
ListCACertificates | Lists the CA certificates registered for your AWS account. | List | | |
ListCertificates | Lists your certificates. | List | | |
ListCertificatesByCA | Lists the device certificates signed by the specified CA certificate. | List | | |
ListIndices | Lists all indices for the fleet index. | List | | |
ListJobExecutionsForJob | Lists the job executions for a job. | List | job* | |
ListJobExecutionsForThing | Lists the job executions for the specified thing. | List | thing* | |
ListJobs | Lists jobs. | List | | |
ListOTAUpdates | Lists OTA update jobs in the account. | List | | |
ListOutgoingCertificates | Lists certificates that are being transferred but not yet accepted. | List | | |
ListPolicies | Lists your policies. | List | | |
ListPolicyPrincipals | Lists the principals associated with the specified policy. | List | | |
ListPolicyVersions | Lists the versions of the specified policy, and identifies the default version. | List | | |
ListPrincipalPolicies | Lists the policies attached to the specified principal. If you use an Amazon Cognito identity, the ID needs to be in Amazon Cognito Identity format. | List | | |
ListPrincipalThings | Lists the things associated with the specified principal. | List | | |
ListRoleAliases | Lists role aliases. | List | | |
ListScheduledAudits | Lists all of your scheduled audits. | List | | |
ListSecurityProfiles | Lists the Device Defender security profiles you have created. | List | | |
ListSecurityProfilesForTarget | Lists the Device Defender security profiles attached to a target. | List | thinggroup | |
ListStreams | Lists the streams in your account. | List | | |
ListTagsForResource | Lists all tags for a given resource. | List | billinggroup, dynamicthinggroup, job, otaupdate, rule, scheduledaudit, securityprofile, stream, thinggroup, thingtype | |
ListTargetsForPolicy | Lists targets for the specified policy. | List | policy* | |
ListTargetsForSecurityProfile | Lists the targets associated with a given Device Defender security profile. | List | securityprofile* | |
ListThingGroups | Lists all thing groups. | List | | |
ListThingGroupsForThing | Lists the thing groups to which the specified thing belongs. | List | thing* | |
ListThingPrincipals | Lists the principals associated with the specified thing. | List | | |
ListThingRegistrationTaskReports | Lists information about bulk thing registration tasks. | List | | |
ListThingRegistrationTasks | Lists bulk thing registration tasks. | List | | |
ListThingTypes | Lists all thing types. | List | | |
ListThings | Lists all things. | List | | |
ListThingsInBillingGroup | Lists all things in the specified billing group. | List | billinggroup* | |
ListThingsInThingGroup | Lists all things in the specified thing group. | List | thinggroup* | |
ListTopicRules | Lists the rules for the specific topic. | List | | |
ListV2LoggingLevels | Lists the v2 logging levels. | List | | |
ListViolationEvents | Lists the Device Defender security profile violations discovered during the given time period. | List | securityprofile, thing | |
Publish | Publishes to the specified topic. | Write | topic* | |
Receive | Receives from the specified topic. | Write | topic* | |
RegisterCACertificate | Registers a CA certificate with AWS IoT. | Write | | |
RegisterCertificate | Registers a device certificate with AWS IoT. | Write | | |
RegisterThing | Registers your thing. | Write | | |
RejectCertificateTransfer | Rejects a pending certificate transfer. | Write | cert* | |
RemoveThingFromBillingGroup | Removes a thing from the specified billing group. | Write | billinggroup*, thing* | |
RemoveThingFromThingGroup | Removes a thing from the specified thing group. | Write | thing*, thinggroup* | |
ReplaceTopicRule | Replaces the specified rule. | Write | rule* | |
SearchIndex | Searches the IoT fleet index. | Read | index* | |
SetDefaultAuthorizer | Sets the default authorizer. This will be used if a WebSocket connection is made without specifying an authorizer. | Permissions management | authorizer* | |
SetDefaultPolicyVersion | Sets the specified version of the specified policy as the policy's default (operative) version. | Permissions management | policy* | |
SetLoggingOptions | Sets the logging options. | Write | | |
SetV2LoggingLevel | Sets the v2 logging level. | Write | | |
SetV2LoggingOptions | Sets the v2 logging options. | Write | | |
StartNextPendingJobExecution | Gets and starts the next pending job execution for a thing. | Write | thing* | |
StartOnDemandAuditTask | Starts an on-demand Device Defender audit. | Write | | |
StartThingRegistrationTask | Starts a bulk thing registration task. | Write | | |
StopThingRegistrationTask | Stops a bulk thing registration task. | Write | | |
Subscribe | Subscribes to the specified TopicFilter. | Write | topicfilter* | |
TagResource | Tags a specified resource. | Tagging | billinggroup, dynamicthinggroup, job, otaupdate, rule, scheduledaudit, securityprofile, stream, thinggroup, thingtype | aws:RequestTag/${TagKey}, aws:TagKeys |
TestAuthorization | Tests policy evaluation for group policies. | Read | cert | |
TestInvokeAuthorizer | Invokes the specified custom authorizer for testing purposes. | Read | authorizer* | |
TransferCertificate | Transfers the specified certificate to the specified AWS account. | Write | cert* | |
UntagResource | Untags a specified resource. | Tagging | billinggroup, dynamicthinggroup, job, otaupdate, rule, scheduledaudit, securityprofile, stream, thinggroup, thingtype | aws:TagKeys |
UpdateAccountAuditConfiguration | Configures or reconfigures the Device Defender audit settings for this account. | Write | | |
UpdateAuthorizer | Updates an authorizer. | Write | authorizer* | |
UpdateBillingGroup | Updates information associated with the specified billing group. | Write | billinggroup* | |
UpdateCACertificate | Updates a registered CA certificate. | Write | cacert* | |
UpdateCertificate | Updates the status of the specified certificate. This operation is idempotent. | Write | cert* | |
UpdateDynamicThingGroup | Updates a Dynamic Thing Group. | Write | | |
UpdateEventConfigurations | Updates event configurations. | Write | | |
UpdateIndexingConfiguration | Updates the fleet indexing configuration. | Write | | |
UpdateJob | Updates a job. | Write | job* | |
UpdateJobExecution | Updates a job execution. | Write | thing* | |
UpdateRoleAlias | Updates the role alias. | Write | rolealias*, role | |
UpdateScheduledAudit | Updates a scheduled audit, including what checks are performed and how often the audit takes place. | Write | scheduledaudit* | |
UpdateSecurityProfile | Updates a Device Defender security profile. | Write | securityprofile* | |
UpdateStream | Updates the data for a stream. | Write | stream* | |
UpdateThing | Updates information associated with the specified thing. | Write | thing* | |
UpdateThingGroup | Updates information associated with the specified thing group. | Write | thinggroup* | |
UpdateThingGroupsForThing | Updates the thing groups to which the thing belongs. | Write | thing*, thinggroup | |
UpdateThingShadow | Updates the thing shadow. | Write | thing* | |
ValidateSecurityProfileBehaviors | Validates a Device Defender security profile behaviors specification. | Read | | |

Resources Defined by AWS IoT

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.

Resource Type | ARN | Condition Keys
client | arn:${Partition}:iot:${Region}:${Account}:client/${ClientId} |
index | arn:${Partition}:iot:${Region}:${Account}:index/${IndexName} |
job | arn:${Partition}:iot:${Region}:${Account}:job/${JobId} | aws:ResourceTag/${TagKey}
thing | arn:${Partition}:iot:${Region}:${Account}:thing/${ThingName} |
thinggroup | arn:${Partition}:iot:${Region}:${Account}:thinggroup/${ThingGroupName} | aws:ResourceTag/${TagKey}
billinggroup | arn:${Partition}:iot:${Region}:${Account}:billinggroup/${BillingGroupName} | aws:ResourceTag/${TagKey}
dynamicthinggroup | arn:${Partition}:iot:${Region}:${Account}:thinggroup/${ThingGroupName} | aws:ResourceTag/${TagKey}
thingtype | arn:${Partition}:iot:${Region}:${Account}:thingtype/${ThingTypeName} | aws:ResourceTag/${TagKey}
topic | arn:${Partition}:iot:${Region}:${Account}:topic/${TopicName} |
topicfilter | arn:${Partition}:iot:${Region}:${Account}:topicfilter/${TopicFilter} |
rolealias | arn:${Partition}:iot:${Region}:${Account}:rolealias/${RoleAlias} |
role | arn:${Partition}:iam::${Account}:role/${Role} |
authorizer | arn:${Partition}:iot:${Region}:${Account}:authorizer/${AuthorizerName} |
policy | arn:${Partition}:iot:${Region}:${Account}:policy/${PolicyName} |
cert | arn:${Partition}:iot:${Region}:${Account}:cert/${Certificate} |
cacert | arn:${Partition}:iot:${Region}:${Account}:cacert/${CACertificate} |
stream | arn:${Partition}:iot:${Region}:${Account}:stream/${streamId} | aws:ResourceTag/${TagKey}
otaupdate | arn:${Partition}:iot:${Region}:${Account}:otaupdate/${otaUpdateId} | aws:ResourceTag/${TagKey}
scheduledaudit | arn:${Partition}:iot:${Region}:${Account}:scheduledaudit/${ScheduleName} | aws:ResourceTag/${TagKey}
securityprofile | arn:${Partition}:iot:${Region}:${Account}:securityprofile/${SecurityProfileName} | aws:ResourceTag/${TagKey}
rule | arn:${Partition}:iot:${Region}:${Account}:rule/${ruleName} | aws:ResourceTag/${TagKey}

Condition Keys for AWS IoT

AWS IoT defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The Condition Keys Table.

To view the global condition keys that are available to all services, see Available Global Condition Keys in the IAM Policy Reference.

Condition Key | Description | Type
aws:RequestTag/${TagKey} | A tag key that is present in the request that the user makes to IoT. | String
aws:ResourceTag/${TagKey} | The tag key component of a tag attached to an IoT resource. | String
aws:TagKeys | The list of all the tag key names associated with the resource in the request. | String