Actions, Resources, and Condition Keys for AWS IoT
AWS IoT (service prefix: iot) provides the following service-specific resources, actions, and condition context
keys for use in IAM permission policies.
References:
-
Learn how to configure this service.
-
View a list of the API operations available for this service.
-
Learn how to protect this service and its resources by using IAM permission policies.
Actions Defined by AWS IoT
You can specify the following actions in the Action element of an IAM policy statement. By using policies, you define the permissions
for anyone performing an operation in AWS. When you use an action in a policy,
you usually allow or deny access to the API operation or CLI command with the
same name. However, in some cases, a single action controls access to more than
one operation. Alternatively, some operations require several different actions.
For details about the columns in the following table, see The Actions Table.
| Actions | Description | Access Level | Resource Types (*required) | Condition Keys | Dependent Actions |
|---|---|---|---|---|---|
| AcceptCertificateTransfer | Accepts a pending certificate transfer. | Write | |||
| AddThingToThingGroup | Adds a thing to the specified thing group. | Write | |||
| AssociateTargetsWithJob | Associates a group with a continuous job. | Write | |||
| AttachPolicy | Attaches a policy to the specified target. | Permissions management | |||
| AttachPrincipalPolicy | Attaches the specified policy to the specified principal (certificate or other credential). | Permissions management | |||
| AttachThingPrincipal | Attaches the specified principal to the specified thing. | Write | |||
| CancelCertificateTransfer | Cancels a pending transfer for the specified certificate. | Write | |||
| CancelJob | Cancels a job. | Write | |||
| ClearDefaultAuthorizer | Clears the default authorizer. | Write | |||
| Connect | Connect as the specified client | Write | |||
| CreateAuthorizer | Creates an authorizer. | Write | |||
| CreateCertificateFromCsr | Creates an X.509 certificate using the specified certificate signing request. | Write | |||
| CreateJob | Creates a job. | Write | |||
| CreateKeysAndCertificate | Creates a 2048 bit RSA key pair and issues an X.509 certificate using the issued public key. | Write | |||
| CreateOTAUpdate | Creates an OTA update job. | Write | |||
| CreatePolicy | Creates an AWS IoT policy. | Write | |||
| CreatePolicyVersion | Creates a new version of the specified AWS IoT policy. | Write | |||
| CreateRoleAlias | Creates a role alias. | Write | |||
| CreateStream | Creates a new AWS IoT stream | Write | |||
| CreateThing | Creates a thing in the thing registry. | Write | |||
| CreateThingGroup | Creates a thing group. | Write | |||
| CreateThingType | Creates a new thing type. | Write | |||
| CreateTopicRule | Creates a rule. | Write | |||
| DeleteAuthorizer | Deletes the specified authorizer. | Write | |||
| DeleteCACertificate | Deletes a registered CA certificate. | Write | |||
| DeleteCertificate | Deletes the specified certificate. | Write | |||
| DeleteOTAUpdate | Deletes an OTA update job. | Write | |||
| DeletePolicy | Deletes the specified policy. | Write | |||
| DeletePolicyVersion | Deletes the specified version of the specified policy. | Write | |||
| DeleteRegistrationCode | Deletes a CA certificate registration code. | Write | |||
| DeleteRoleAlias | Deletes the specified role alias. | Write | |||
| DeleteStream | Deletes a specified stream. | Write | |||
| DeleteThing | Deletes the specified thing. | Write | |||
| DeleteThingGroup | Deletes the specified thing group. | Write | |||
| DeleteThingShadow | Deletes the specified thing shadow. | Write | |||
| DeleteThingType | Deletes the specified thing type. | Write | |||
| DeleteTopicRule | Deletes the specified rule. | Write | |||
| DeleteV2LoggingLevel | Deletes the specified v2 logging level. | Write | |||
| DeprecateThingType | Deprecates the specified thing type. | Write | |||
| DescribeAuthorizer | Describes an authorizer. | Read | |||
| DescribeCACertificate | Describes a registered CA certificate. | Read | |||
| DescribeCertificate | Gets information about the specified certificate. | Read | |||
| DescribeDefaultAuthorizer | Describes the default authorizer. | Read | |||
| DescribeEndpoint | Returns a unique endpoint specific to the AWS account making the call. | Read | |||
| DescribeEventConfigurations | Returns account event configurations. | Read | |||
| DescribeIndex | Gets information about the specified index. | Read | |||
| DescribeJob | Describes a job. | Read | |||
| DescribeJobExecution | Describes a job execution. | Read | |||
| DescribeRoleAlias | Describes a role alias. | Read | |||
| DescribeStream | Gets information about the specified stream. | Read | |||
| DescribeThing | Gets information about the specified thing. | Read | |||
| DescribeThingGroup | Gets information about the specified thing group. | Read | |||
| DescribeThingRegistrationTask | Gets information about the bulk thing registration task. | Read | |||
| DescribeThingType | Gets information about the specified thing type. | Read | |||
| DetachPolicy | Detaches a policy from the specified target. | Permissions management | |||
| DetachPrincipalPolicy | Removes the specified policy from the specified certificate. | Permissions management | |||
| DetachThingPrincipal | Detaches the specified principal from the specified thing. | Write | |||
| DisableTopicRule | Disables the specified rule. | Write | |||
| EnableTopicRule | Enables the specified rule. | Write | |||
| GetEffectivePolicies | Gets effective policies. | Read | |||
| GetIndexingConfiguration | Gets current fleet indexing configuration | Read | |||
| GetJobDocument | Gets a job document. | Read | |||
| GetLoggingOptions | Gets the logging options. | Read | |||
| GetOTAUpdate | Gets the information about the OTA update job. | Read | |||
| GetPolicy | Gets information about the specified policy with the policy document of the default version. | Read | |||
| GetPolicyVersion | Gets information about the specified policy version. | Read | |||
| GetRegistrationCode | Gets a registration code used to register a CA certificate with AWS IoT. | Read | |||
| GetThingShadow | Gets the thing shadow. | Read | |||
| GetTopicRule | Gets information about the specified rule. | Read | |||
| GetV2LoggingOptions | Gets v2 logging options. | Read | |||
| ListAttachedPolicies | Lists the policies attached to the specified thing group. | List | |||
| ListAuthorizers | Lists the authorizers registered in your account. | List | |||
| ListCACertificates | Lists the CA certificates registered for your AWS account. | List | |||
| ListCertificates | Lists your certificates. | List | |||
| ListCertificatesByCA | List the device certificates signed by the specified CA certificate. | List | |||
| ListIndices | Lists all indices for fleet index | List | |||
| ListJobExecutionsForJob | Lists the job executions for a job. | List | |||
| ListJobExecutionsForThing | Lists the job executions for the specified thing. | List | |||
| ListJobs | Lists jobs. | List | |||
| ListOTAUpdates | Lists OTA update jobs in the account. | List | |||
| ListOutgoingCertificates | Lists certificates that are being transfered but not yet accepted. | List | |||
| ListPolicies | Lists your policies. | List | |||
| ListPolicyPrincipals | Lists the principals associated with the specified policy. | List | |||
| ListPolicyVersions | Lists the versions of the specified policy, and identifies the default version. | List | |||
| ListPrincipalPolicies | Lists the policies attached to the specified principal. If you use an Amazon Cognito identity, the ID needs to be in Amazon Cognito Identity format. | List | |||
| ListPrincipalThings | Lists the things associated with the specified principal. | List | |||
| ListRoleAliases | Lists role aliases. | List | |||
| ListStreams | Lists the streams in your account. | List | |||
| ListTargetsForPolicy | List targets for the specified policy. | List | |||
| ListThingGroups | Lists all thing groups. | List | |||
| ListThingGroupsForThing | List thing groups to which the specified thing belongs. | List | |||
| ListThingPrincipals | Lists the principals associated with the specified thing. | List | |||
| ListThingRegistrationTaskReports | Lists information about bulk thing registration tasks. | List | |||
| ListThingRegistrationTasks | Lists bulk thing registration tasks. | List | |||
| ListThingTypes | Lists all thing types. | List | |||
| ListThings | Lists all things. | List | |||
| ListThingsInThingGroup | Lists all things in the specified group. | List | |||
| ListTopicRules | Lists the rules for the specific topic. | List | |||
| ListV2LoggingLevels | Lists the v2 logging levels. | List | |||
| Publish | Publish to the specified topic. | Write | |||
| Receive | Receive from the specified topic. | Write | |||
| RegisterCACertificate | Registers a CA certificate with AWS IoT. | Write | |||
| RegisterCertificate | Registers a device certificate with AWS IoT. | Write | |||
| RegisterThing | Registers your thing. | Write | |||
| RejectCertificateTransfer | Rejects a pending certificate transfer. | Write | |||
| RemoveThingFromThingGroup | Removes thing from the specified thing group. | Write | |||
| ReplaceTopicRule | Replaces the specified rule. | Write | |||
| SearchIndex | Search IoT fleet index | Read | |||
| SetDefaultAuthorizer | Sets the default authorizer. This will be used if a websocket connection is made without specifying an authorizer. | Permissions management | |||
| SetDefaultPolicyVersion | Sets the specified version of the specified policy as the policy's default (operative) version. | Permissions management | |||
| SetLoggingOptions | Sets the logging options. | Write | |||
| SetV2LoggingLevel | Sets the v2 logging level. | Write | |||
| SetV2LoggingOptions | Sets the v2 logging options. | Write | |||
| StartThingRegistrationTask | Starts a bulk thing registration task. | Write | |||
| StopThingRegistrationTask | Stops a bulk thing registration task. | Write | |||
| Subscribe | Subscribe to the specified TopicFilter. | Write | |||
| TestAuthorization | Test the policies evaluation for group policies | Read | |||
| TestInvokeAuthorizer | Invoke the specified custom authorizer for testing purposes. | Read | |||
| TransferCertificate | Transfers the specified certificate to the specified AWS account. | Write | |||
| UpdateAuthorizer | Updates an authorizer | Write | |||
| UpdateCACertificate | Updates a registered CA certificate. | Write | |||
| UpdateCertificate | Updates the status of the specified certificate. This operation is idempotent. | Write | |||
| UpdateEventConfigurations | Updates event configurations. | Write | |||
| UpdateIndexingConfiguration | Updates fleet indexing configuration | Write | |||
| UpdateRoleAlias | Updates the role alias | Write | |||
| UpdateStream | Updates the data for a stream. | Write | |||
| UpdateThing | Updates information associated with the specified thing. | Write | |||
| UpdateThingGroup | Updates information associated with the specified thing group. | Write | |||
| UpdateThingGroupsForThing | Updates the thing groups to which the thing belongs. | Write | |||
| UpdateThingShadow | Updates the thing shadow. | Write |
Resources Defined by IoT
The following resource types are defined by this service and can be used in the
Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource
type can also define which condition keys you can include in a policy. These
keys are displayed in the last column of the table. For details about the columns
in the following table, see The Resource Types Table.
| Resource Types | ARN | Condition Keys |
|---|---|---|
| client |
arn:${Partition}:iot:${Region}:${Account}:client/${ClientId}
|
|
| index |
arn:${Partition}:iot:${Region}:${Account}:index/${IndexName}
|
|
| job |
arn:${Partition}:iot:${Region}:${Account}:job/${JobId}
|
|
| thing |
arn:${Partition}:iot:${Region}:${Account}:thing/${ThingName}
|
|
| thinggroup |
arn:${Partition}:iot:${Region}:${Account}:thinggroup/${ThingGroupName}
|
|
| thingtype |
arn:${Partition}:iot:${Region}:${Account}:thingtype/${ThingTypeName}
|
|
| topic |
arn:${Partition}:iot:${Region}:${Account}:topic/${TopicName}
|
|
| topicfilter |
arn:${Partition}:iot:${Region}:${Account}:topicfilter/${TopicFilter}
|
|
| rolealias |
arn:${Partition}:iot:${Region}:${Account}:rolealias/${RoleAlias}
|
|
| role |
arn:${Partition}:iam::${Account}:role/${Role}
|
|
| authorizer |
arn:${Partition}:iot:${Region}:${Account}:authorizer/${AuthorizerName}
|
|
| policy |
arn:${Partition}:iot:${Region}:${Account}:policy/${PolicyName}
|
|
| cert |
arn:${Partition}:iot:${Region}:${Account}:cert/${Certificate}
|
|
| cacert |
arn:${Partition}:iot:${Region}:${Account}:cacert/${CACertificate}
|
|
| stream |
arn:${Partition}:iot:${Region}:${Account}:stream/${streamId}
|
|
| otaupdate |
arn:${Partition}:iot:${Region}:${Account}:otaupdate/${otaUpdateId}
|
Condition Keys for AWS IoT
IoT has no service-specific context keys that can be used in the Condition element of policy statements. For the list of the global context keys that are
available to all services, see Available Keys for Conditions in the IAM Policy Reference.
