Actions, Resources, and Condition Keys for AWS IoT

AWS IoT (service prefix: iot) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
- Learn how to configure this service.
- View a list of the API operations available for this service.
- Learn how to protect this service and its resources by using IAM permission policies.
Actions Defined by AWS IoT

You can specify the following actions in the Action element of an IAM policy statement. By using policies, you define the permissions for anyone performing an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions. For details about the columns in the following table, see The Actions Table.

Actions | Description | Access Level | Resource Types (*required) | Condition Keys | Dependent Actions |
---|---|---|---|---|---|
AcceptCertificateTransfer | Accepts a pending certificate transfer. | Write | | | |
AddThingToThingGroup | Adds a thing to the specified thing group. | Write | | | |
AssociateTargetsWithJob | Associates a group with a continuous job. | Write | | | |
AttachPolicy | Attaches a policy to the specified target. | Permissions management | | | |
AttachPrincipalPolicy | Attaches the specified policy to the specified principal (certificate or other credential). | Permissions management | | | |
AttachThingPrincipal | Attaches the specified principal to the specified thing. | Write | | | |
CancelCertificateTransfer | Cancels a pending transfer for the specified certificate. | Write | | | |
CancelJob | Cancels a job. | Write | | | |
ClearDefaultAuthorizer | Clears the default authorizer. | Write | | | |
Connect | Connects as the specified client. | Write | | | |
CreateAuthorizer | Creates an authorizer. | Write | | | |
CreateCertificateFromCsr | Creates an X.509 certificate using the specified certificate signing request. | Write | | | |
CreateJob | Creates a job. | Write | | | |
CreateKeysAndCertificate | Creates a 2048-bit RSA key pair and issues an X.509 certificate using the issued public key. | Write | | | |
CreateOTAUpdateJob | Creates an OTA update job. | Write | | | |
CreatePolicy | Creates an AWS IoT policy. | Write | | | |
CreatePolicyVersion | Creates a new version of the specified AWS IoT policy. | Write | | | |
CreateRoleAlias | Creates a role alias. | Write | | | |
CreateStream | Creates a new AWS IoT stream. | Write | | | |
CreateThing | Creates a thing in the thing registry. | Write | | | |
CreateThingGroup | Creates a thing group. | Write | | | |
CreateThingType | Creates a new thing type. | Write | | | |
CreateTopicRule | Creates a rule. | Write | | | |
DeleteAuthorizer | Deletes the specified authorizer. | Write | | | |
DeleteCACertificate | Deletes a registered CA certificate. | Write | | | |
DeleteCertificate | Deletes the specified certificate. | Write | | | |
DeleteOTAUpdateJob | Deletes an OTA update job. | Write | | | |
DeletePolicy | Deletes the specified policy. | Write | | | |
DeletePolicyVersion | Deletes the specified version of the specified policy. | Write | | | |
DeleteRegistrationCode | Deletes a CA certificate registration code. | Write | | | |
DeleteRoleAlias | Deletes the specified role alias. | Write | | | |
DeleteStream | Deletes a specified stream. | Write | | | |
DeleteThing | Deletes the specified thing. | Write | | | |
DeleteThingGroup | Deletes the specified thing group. | Write | | | |
DeleteThingShadow | Deletes the specified thing shadow. | Write | | | |
DeleteThingType | Deletes the specified thing type. | Write | | | |
DeleteTopicRule | Deletes the specified rule. | Write | | | |
DeleteV2LoggingLevel | Deletes the specified v2 logging level. | Write | | | |
DeprecateThingType | Deprecates the specified thing type. | Write | | | |
DescribeAuthorizer | Describes an authorizer. | Read Write | | | |
DescribeCACertificate | Describes a registered CA certificate. | Read Write | | | |
DescribeCertificate | Gets information about the specified certificate. | Read Write | | | |
DescribeDefaultAuthorizer | Describes the default authorizer. | Read Write | | | |
DescribeEndpoint | Returns a unique endpoint specific to the AWS account making the call. | Read Write | | | |
DescribeEventConfigurations | Returns account event configurations. | Read Write | | | |
DescribeIndex | Gets information about the specified index. | Read Write | | | |
DescribeJob | Describes a job. | Read Write | | | |
DescribeJobExecution | Describes a job execution. | Read Write | | | |
DescribeRoleAlias | Describes a role alias. | Read Write | | | |
DescribeStream | Gets information about the specified stream. | Read Write | | | |
DescribeThing | Gets information about the specified thing. | Read Write | | | |
DescribeThingGroup | Gets information about the specified thing group. | Read Write | | | |
DescribeThingRegistrationTask | Gets information about the bulk thing registration task. | Read Write | | | |
DescribeThingType | Gets information about the specified thing type. | Read Write | | | |
DetachPolicy | Detaches a policy from the specified target. | Permissions management | | | |
DetachPrincipalPolicy | Removes the specified policy from the specified certificate. | Permissions management | | | |
DetachThingPrincipal | Detaches the specified principal from the specified thing. | Write | | | |
DisableTopicRule | Disables the specified rule. | Write | | | |
EnableTopicRule | Enables the specified rule. | Write | | | |
GetEffectivePolicies | Gets effective policies. | Read Write | | | |
GetIndexingConfiguration | Gets the current fleet indexing configuration. | Read Write | | | |
GetJobDocument | Gets a job document. | Read Write | | | |
GetLoggingOptions | Gets the logging options. | Read Write | | | |
GetOTAUpdateJob | Gets the information about the OTA update job. | Read Write | | | |
GetPolicy | Gets information about the specified policy with the policy document of the default version. | Read Write | | | |
GetPolicyVersion | Gets information about the specified policy version. | Read Write | | | |
GetRegistrationCode | Gets a registration code used to register a CA certificate with AWS IoT. | Read Write | | | |
GetThingShadow | Gets the thing shadow. | Read Write | | | |
GetTopicRule | Gets information about the specified rule. | Read Write | | | |
GetV2LoggingOptions | Gets v2 logging options. | Read Write | | | |
ListAttachedPolicies | Lists the policies attached to the specified thing group. | List Read Write | | | |
ListAuthorizers | Lists the authorizers registered in your account. | List Read Write | | | |
ListCACertificates | Lists the CA certificates registered for your AWS account. | List Read Write | | | |
ListCertificates | Lists your certificates. | List Read Write | | | |
ListCertificatesByCA | Lists the device certificates signed by the specified CA certificate. | List Read Write | | | |
ListIndices | Lists all indices for the fleet index. | List Read Write | | | |
ListJobExecutionsForJob | Lists the job executions for a job. | List Read Write | | | |
ListJobExecutionsForThing | Lists the job executions for the specified thing. | List Read Write | | | |
ListJobs | Lists jobs. | List Read Write | | | |
ListOTAUpdateJobs | Lists OTA update jobs in the account. | List Read Write | | | |
ListOutgoingCertificates | Lists certificates that are being transferred but not yet accepted. | List Read Write | | | |
ListPolicies | Lists your policies. | List Read Write | | | |
ListPolicyPrincipals | Lists the principals associated with the specified policy. | List Read Write | | | |
ListPolicyVersions | Lists the versions of the specified policy, and identifies the default version. | List Read Write | | | |
ListPrincipalPolicies | Lists the policies attached to the specified principal. If you use an Amazon Cognito identity, the ID needs to be in Amazon Cognito Identity format. | List Read Write | | | |
ListPrincipalThings | Lists the things associated with the specified principal. | List Read Write | | | |
ListRoleAliases | Lists role aliases. | List Read Write | | | |
ListStreams | Lists the streams in your account. | List Read Write | | | |
ListTargetsForPolicy | Lists targets for the specified policy. | List Read Write | | | |
ListThingGroups | Lists all thing groups. | List Read Write | | | |
ListThingGroupsForThing | Lists thing groups to which the specified thing belongs. | List Read Write | | | |
ListThingPrincipals | Lists the principals associated with the specified thing. | List Read Write | | | |
ListThingRegistrationTaskReports | Lists information about bulk thing registration tasks. | List Read Write | | | |
ListThingRegistrationTasks | Lists bulk thing registration tasks. | List Read Write | | | |
ListThingTypes | Lists all thing types. | List Read Write | | | |
ListThings | Lists all things. | List Read Write | | | |
ListThingsInThingGroup | Lists all things in the specified group. | List Read Write | | | |
ListTopicRules | Lists the rules for the specific topic. | List Read Write | | | |
ListV2LoggingLevels | Lists the v2 logging levels. | List Read Write | | | |
Publish | Publishes to the specified topic. | Write | | | |
Receive | Receives from the specified topic. | Write | | | |
RegisterCACertificate | Registers a CA certificate with AWS IoT. | Write | | | |
RegisterCertificate | Registers a device certificate with AWS IoT. | Write | | | |
RegisterThing | Registers your thing. | Write | | | |
RejectCertificateTransfer | Rejects a pending certificate transfer. | Write | | | |
RemoveThingFromThingGroup | Removes a thing from the specified thing group. | Write | | | |
ReplaceTopicRule | Replaces the specified rule. | Write | | | |
SearchIndex | Searches the IoT fleet index. | Read Write | | | |
SetDefaultAuthorizer | Sets the default authorizer. This will be used if a websocket connection is made without specifying an authorizer. | Permissions management | | | |
SetDefaultPolicyVersion | Sets the specified version of the specified policy as the policy's default (operative) version. | Permissions management | | | |
SetLoggingOptions | Sets the logging options. | Write | | | |
SetV2LoggingLevel | Sets the v2 logging level. | Write | | | |
SetV2LoggingOptions | Sets the v2 logging options. | Write | | | |
StartThingRegistrationTask | Starts a bulk thing registration task. | Write | | | |
StopThingRegistrationTask | Stops a bulk thing registration task. | Write | | | |
Subscribe | Subscribes to the specified TopicFilter. | Write | | | |
TestAuthorization | Tests policy evaluation for group policies. | Read Write | | | |
TestInvokeAuthorizer | Invokes the specified custom authorizer for testing purposes. | Read Write | | | |
TransferCertificate | Transfers the specified certificate to the specified AWS account. | Write | | | |
UpdateAuthorizer | Updates an authorizer. | Write | | | |
UpdateCACertificate | Updates a registered CA certificate. | Write | | | |
UpdateCertificate | Updates the status of the specified certificate. This operation is idempotent. | Write | | | |
UpdateEventConfigurations | Updates event configurations. | Write | | | |
UpdateIndexingConfiguration | Updates the fleet indexing configuration. | Write | | | |
UpdateRoleAlias | Updates the role alias. | Write | | | |
UpdateStream | Updates the data for a stream. | Write | | | |
UpdateThing | Updates information associated with the specified thing. | Write | | | |
UpdateThingGroup | Updates information associated with the specified thing group. | Write | | | |
UpdateThingGroupsForThing | Updates the thing groups to which the thing belongs. | Write | | | |
UpdateThingShadow | Updates the thing shadow. | Write | | | |

Resources Defined by IoT

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.

Resource Types | ARN | Condition Keys |
---|---|---|
authorizer | arn:${Partition}:iot:${Region}:${Account}:authorizer/${AuthorizerName} | |
cacert | arn:${Partition}:iot:${Region}:${Account}:cacert/${CACertificate} | |
cert | arn:${Partition}:iot:${Region}:${Account}:cert/${Certificate} | |
client | arn:${Partition}:iot:${Region}:${Account}:client/${ClientId} | |
index | arn:${Partition}:iot:${Region}:${Account}:index/${IndexName} | |
job | arn:${Partition}:iot:${Region}:${Account}:job/${JobId} | |
policy | arn:${Partition}:iot:${Region}:${Account}:policy/${PolicyName} | |
role | arn:${Partition}:iam::${Account}:role/${Role} | |
rolealias | arn:${Partition}:iot:${Region}:${Account}:rolealias/${RoleAlias} | |
thing | arn:${Partition}:iot:${Region}:${Account}:thing/${ThingName} | |
thinggroup | arn:${Partition}:iot:${Region}:${Account}:thinggroup/${ThingGroupName} | |
thingtype | arn:${Partition}:iot:${Region}:${Account}:thingtype/${ThingTypeName} | |
topic | arn:${Partition}:iot:${Region}:${Account}:topic/${TopicName} | |
topicfilter | arn:${Partition}:iot:${Region}:${Account}:topicfilter/${TopicFilter} | |

Condition Keys for AWS IoT

IoT has no service-specific context keys that can be used in the Condition element of policy statements. For the list of the global context keys that are available to all services, see Available Keys for Conditions in the IAM Policy Reference.