AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for AWS IoT

AWS IoT (service prefix: iot) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions Defined by AWS IoT

You can specify the following actions in the Action element of an IAM policy statement. By using policies, you define the permissions for anyone performing an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions. For details about the columns in the following table, see The Actions Table.

The Condition Keys and Dependent Actions columns are empty for every action on this page and are omitted from the table below.

| Action | Description | Access Level | Resource Types (*required) |
|---|---|---|---|
| AcceptCertificateTransfer | Accepts a pending certificate transfer. | Write | |
| AddThingToThingGroup | Adds a thing to the specified thing group. | Write | thing*, thinggroup* |
| AssociateTargetsWithJob | Associates a group with a continuous job. | Write | job*, thing*, thinggroup* |
| AttachPolicy | Attaches a policy to the specified target. | Permissions management | cert, thinggroup |
| AttachPrincipalPolicy | Attaches the specified policy to the specified principal (certificate or other credential). | Permissions management | cert |
| AttachThingPrincipal | Attaches the specified principal to the specified thing. | Write | |
| CancelCertificateTransfer | Cancels a pending transfer for the specified certificate. | Write | |
| CancelJob | Cancels a job. | Write | job* |
| ClearDefaultAuthorizer | Clears the default authorizer. | Write | |
| Connect | Connects as the specified client. | Write | client* |
| CreateAuthorizer | Creates an authorizer. | Write | authorizer* |
| CreateCertificateFromCsr | Creates an X.509 certificate using the specified certificate signing request. | Write | |
| CreateJob | Creates a job. | Write | thing*, thinggroup* |
| CreateKeysAndCertificate | Creates a 2048 bit RSA key pair and issues an X.509 certificate using the issued public key. | Write | |
| CreateOTAUpdate | Creates an OTA update job. | Write | |
| CreatePolicy | Creates an AWS IoT policy. | Write | |
| CreatePolicyVersion | Creates a new version of the specified AWS IoT policy. | Write | policy* |
| CreateRoleAlias | Creates a role alias. | Write | role*, rolealias* |
| CreateStream | Creates a new AWS IoT stream. | Write | |
| CreateThing | Creates a thing in the thing registry. | Write | |
| CreateThingGroup | Creates a thing group. | Write | |
| CreateThingType | Creates a new thing type. | Write | |
| CreateTopicRule | Creates a rule. | Write | |
| DeleteAuthorizer | Deletes the specified authorizer. | Write | authorizer* |
| DeleteCACertificate | Deletes a registered CA certificate. | Write | cacert* |
| DeleteCertificate | Deletes the specified certificate. | Write | cert* |
| DeleteOTAUpdate | Deletes an OTA update job. | Write | |
| DeletePolicy | Deletes the specified policy. | Write | policy* |
| DeletePolicyVersion | Deletes the specified version of the specified policy. | Write | policy* |
| DeleteRegistrationCode | Deletes a CA certificate registration code. | Write | |
| DeleteRoleAlias | Deletes the specified role alias. | Write | rolealias* |
| DeleteStream | Deletes a specified stream. | Write | |
| DeleteThing | Deletes the specified thing. | Write | |
| DeleteThingGroup | Deletes the specified thing group. | Write | thinggroup* |
| DeleteThingShadow | Deletes the specified thing shadow. | Write | thing* |
| DeleteThingType | Deletes the specified thing type. | Write | |
| DeleteTopicRule | Deletes the specified rule. | Write | |
| DeleteV2LoggingLevel | Deletes the specified v2 logging level. | Write | |
| DeprecateThingType | Deprecates the specified thing type. | Write | |
| DescribeAuthorizer | Describes an authorizer. | Read | authorizer* |
| DescribeCACertificate | Describes a registered CA certificate. | Read | cacert* |
| DescribeCertificate | Gets information about the specified certificate. | Read | cert* |
| DescribeDefaultAuthorizer | Describes the default authorizer. | Read | |
| DescribeEndpoint | Returns a unique endpoint specific to the AWS account making the call. | Read | |
| DescribeEventConfigurations | Returns account event configurations. | Read | |
| DescribeIndex | Gets information about the specified index. | Read | index* |
| DescribeJob | Describes a job. | Read | job* |
| DescribeJobExecution | Describes a job execution. | Read | job* |
| DescribeRoleAlias | Describes a role alias. | Read | rolealias* |
| DescribeStream | Gets information about the specified stream. | Read | |
| DescribeThing | Gets information about the specified thing. | Read | |
| DescribeThingGroup | Gets information about the specified thing group. | Read | thinggroup* |
| DescribeThingRegistrationTask | Gets information about the bulk thing registration task. | Read | |
| DescribeThingType | Gets information about the specified thing type. | Read | |
| DetachPolicy | Detaches a policy from the specified target. | Permissions management | cert, thinggroup |
| DetachPrincipalPolicy | Removes the specified policy from the specified certificate. | Permissions management | cert |
| DetachThingPrincipal | Detaches the specified principal from the specified thing. | Write | |
| DisableTopicRule | Disables the specified rule. | Write | |
| EnableTopicRule | Enables the specified rule. | Write | |
| GetEffectivePolicies | Gets effective policies. | Read | cert |
| GetIndexingConfiguration | Gets the current fleet indexing configuration. | Read | |
| GetJobDocument | Gets a job document. | Read | job* |
| GetLoggingOptions | Gets the logging options. | Read | |
| GetOTAUpdate | Gets information about the OTA update job. | Read | |
| GetPolicy | Gets information about the specified policy with the policy document of the default version. | Read | policy* |
| GetPolicyVersion | Gets information about the specified policy version. | Read | policy* |
| GetRegistrationCode | Gets a registration code used to register a CA certificate with AWS IoT. | Read | |
| GetThingShadow | Gets the thing shadow. | Read | thing* |
| GetTopicRule | Gets information about the specified rule. | Read | |
| GetV2LoggingOptions | Gets v2 logging options. | Read | |
| ListAttachedPolicies | Lists the policies attached to the specified thing group. | List | |
| ListAuthorizers | Lists the authorizers registered in your account. | List | |
| ListCACertificates | Lists the CA certificates registered for your AWS account. | List | |
| ListCertificates | Lists your certificates. | List | |
| ListCertificatesByCA | Lists the device certificates signed by the specified CA certificate. | List | |
| ListIndices | Lists all indices for the fleet index. | List | |
| ListJobExecutionsForJob | Lists the job executions for a job. | List | job* |
| ListJobExecutionsForThing | Lists the job executions for the specified thing. | List | thing* |
| ListJobs | Lists jobs. | List | |
| ListOTAUpdates | Lists OTA update jobs in the account. | List | |
| ListOutgoingCertificates | Lists certificates that are being transferred but not yet accepted. | List | |
| ListPolicies | Lists your policies. | List | |
| ListPolicyPrincipals | Lists the principals associated with the specified policy. | List | |
| ListPolicyVersions | Lists the versions of the specified policy, and identifies the default version. | List | |
| ListPrincipalPolicies | Lists the policies attached to the specified principal. If you use an Amazon Cognito identity, the ID needs to be in Amazon Cognito Identity format. | List | |
| ListPrincipalThings | Lists the things associated with the specified principal. | List | |
| ListRoleAliases | Lists role aliases. | List | |
| ListStreams | Lists the streams in your account. | List | |
| ListTargetsForPolicy | Lists targets for the specified policy. | List | policy* |
| ListThingGroups | Lists all thing groups. | List | |
| ListThingGroupsForThing | Lists the thing groups to which the specified thing belongs. | List | thing* |
| ListThingPrincipals | Lists the principals associated with the specified thing. | List | |
| ListThingRegistrationTaskReports | Lists information about bulk thing registration tasks. | List | |
| ListThingRegistrationTasks | Lists bulk thing registration tasks. | List | |
| ListThingTypes | Lists all thing types. | List | |
| ListThings | Lists all things. | List | |
| ListThingsInThingGroup | Lists all things in the specified group. | List | thinggroup* |
| ListTopicRules | Lists the rules for the specific topic. | List | |
| ListV2LoggingLevels | Lists the v2 logging levels. | List | |
| Publish | Publishes to the specified topic. | Write | topic* |
| Receive | Receives from the specified topic. | Write | topic* |
| RegisterCACertificate | Registers a CA certificate with AWS IoT. | Write | |
| RegisterCertificate | Registers a device certificate with AWS IoT. | Write | |
| RegisterThing | Registers your thing. | Write | |
| RejectCertificateTransfer | Rejects a pending certificate transfer. | Write | cert* |
| RemoveThingFromThingGroup | Removes a thing from the specified thing group. | Write | thing*, thinggroup* |
| ReplaceTopicRule | Replaces the specified rule. | Write | |
| SearchIndex | Searches the IoT fleet index. | Read | index* |
| SetDefaultAuthorizer | Sets the default authorizer. This will be used if a websocket connection is made without specifying an authorizer. | Permissions management | authorizer* |
| SetDefaultPolicyVersion | Sets the specified version of the specified policy as the policy's default (operative) version. | Permissions management | policy* |
| SetLoggingOptions | Sets the logging options. | Write | |
| SetV2LoggingLevel | Sets the v2 logging level. | Write | |
| SetV2LoggingOptions | Sets the v2 logging options. | Write | |
| StartThingRegistrationTask | Starts a bulk thing registration task. | Write | |
| StopThingRegistrationTask | Stops a bulk thing registration task. | Write | |
| Subscribe | Subscribes to the specified TopicFilter. | Write | topicfilter* |
| TestAuthorization | Tests the policy evaluation for group policies. | Read | cert |
| TestInvokeAuthorizer | Invokes the specified custom authorizer for testing purposes. | Read | authorizer* |
| TransferCertificate | Transfers the specified certificate to the specified AWS account. | Write | cert* |
| UpdateAuthorizer | Updates an authorizer. | Write | authorizer* |
| UpdateCACertificate | Updates a registered CA certificate. | Write | cacert* |
| UpdateCertificate | Updates the status of the specified certificate. This operation is idempotent. | Write | cert* |
| UpdateEventConfigurations | Updates event configurations. | Write | |
| UpdateIndexingConfiguration | Updates the fleet indexing configuration. | Write | |
| UpdateRoleAlias | Updates the role alias. | Write | rolealias*, role |
| UpdateStream | Updates the data for a stream. | Write | |
| UpdateThing | Updates information associated with the specified thing. | Write | |
| UpdateThingGroup | Updates information associated with the specified thing group. | Write | thinggroup* |
| UpdateThingGroupsForThing | Updates the thing groups to which the thing belongs. | Write | thing*, thinggroup |
| UpdateThingShadow | Updates the thing shadow. | Write | thing* |

Resources Defined by IoT

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.

No resource type on this page defines condition keys, so that column is omitted from the table below.

| Resource Type | ARN |
|---|---|
| client | arn:${Partition}:iot:${Region}:${Account}:client/${ClientId} |
| index | arn:${Partition}:iot:${Region}:${Account}:index/${IndexName} |
| job | arn:${Partition}:iot:${Region}:${Account}:job/${JobId} |
| thing | arn:${Partition}:iot:${Region}:${Account}:thing/${ThingName} |
| thinggroup | arn:${Partition}:iot:${Region}:${Account}:thinggroup/${ThingGroupName} |
| thingtype | arn:${Partition}:iot:${Region}:${Account}:thingtype/${ThingTypeName} |
| topic | arn:${Partition}:iot:${Region}:${Account}:topic/${TopicName} |
| topicfilter | arn:${Partition}:iot:${Region}:${Account}:topicfilter/${TopicFilter} |
| rolealias | arn:${Partition}:iot:${Region}:${Account}:rolealias/${RoleAlias} |
| role | arn:${Partition}:iam::${Account}:role/${Role} |
| authorizer | arn:${Partition}:iot:${Region}:${Account}:authorizer/${AuthorizerName} |
| policy | arn:${Partition}:iot:${Region}:${Account}:policy/${PolicyName} |
| cert | arn:${Partition}:iot:${Region}:${Account}:cert/${Certificate} |
| cacert | arn:${Partition}:iot:${Region}:${Account}:cacert/${CACertificate} |
| stream | arn:${Partition}:iot:${Region}:${Account}:stream/${streamId} |
| otaupdate | arn:${Partition}:iot:${Region}:${Account}:otaupdate/${otaUpdateId} |

Condition Keys for AWS IoT

IoT has no service-specific context keys that can be used in the Condition element of policy statements. For the list of the global context keys that are available to all services, see Available Keys for Conditions in the IAM Policy Reference.
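As an added example (not AWS documentation or AWS code), the following Python lint uses the Access Level column of the actions table and the ARN formats of the resource table above to review IAM statements: it flags Permissions management IoT actions granted on Resource "*" and flags ARNs whose resource type does not match the type the action requires. The ACTIONS dictionary is a hand-copied subset of this page; the sample policy, account id and device names are constructed.

```python
import fnmatch
# Hand-copied subset of this page's action table: access level, and the resource
# type the page marks as required (*) for the action (None where it lists none).
ACTIONS = {  # action: (access level, required resource type)
    "iot:Connect": ("Write", "client"),
    "iot:Publish": ("Write", "topic"),
    "iot:Subscribe": ("Write", "topicfilter"),
    "iot:AttachPolicy": ("Permissions management", None),
    "iot:AttachPrincipalPolicy": ("Permissions management", None),
    "iot:SetDefaultPolicyVersion": ("Permissions management", "policy"),
}

def resource_type(arn):
    """'topic' for arn:aws:iot:<region>:<acct>:topic/a/b; None for non-iot ARNs and '*'."""
    parts = arn.split(":", 5)
    return parts[5].split("/", 1)[0] if len(parts) == 6 and parts[2] == "iot" else None

def as_list(value):
    return value if isinstance(value, list) else [value]

def lint_statement(stmt):
    """Flag permissions-management grants on '*' and ARNs of the wrong resource type."""
    findings = []
    if stmt.get("Effect") != "Allow":
        return findings
    resources = as_list(stmt.get("Resource", []))
    for pattern in as_list(stmt.get("Action", [])):
        for action, (level, required) in ACTIONS.items():
            # IAM matches action names case-insensitively and honours '*' wildcards.
            if not fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                continue
            if level == "Permissions management" and "*" in resources:
                findings.append(f"{action}: permissions-management action allowed on '*'")
            for arn in resources:
                rtype = resource_type(arn)
                if required and rtype not in (None, "*") and rtype != required:
                    findings.append(f"{action}: {arn} is a '{rtype}' ARN but needs '{required}'")
    return findings

def lint_policy(policy):
    return [f for stmt in as_list(policy["Statement"]) for f in lint_statement(stmt)]

# Constructed sample policy; account id and device names are placeholders.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iot:Connect",
     "Resource": "arn:aws:iot:us-east-1:123456789012:client/sensor-01"},
    {"Effect": "Allow", "Action": ["iot:Publish", "iot:Subscribe"],
     "Resource": "arn:aws:iot:us-east-1:123456789012:topic/sensors/sensor-01/*"},
    {"Effect": "Allow", "Action": "iot:Attach*", "Resource": "*"},
]}
```

Running `lint_policy(SAMPLE_POLICY)` reports the Subscribe statement (a topic ARN where the action needs a topicfilter ARN) and both Attach* actions granted on "*"; the Connect and Publish grants pass.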