AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for AWS IoT

AWS IoT (service prefix: iot) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions Defined by AWS IoT

You can specify the following actions in the Action element of an IAM policy statement. By using policies, you define the permissions for anyone performing an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions. For details about the columns in the following table, see The Actions Table.

Actions | Description | Access Level | Resource Types (*required) | Condition Keys | Dependent Actions
AcceptCertificateTransfer | Accepts a pending certificate transfer. | Write | - | - | -
AddThingToThingGroup | Adds a thing to the specified thing group. | Write | thing*, thinggroup* | - | -
AssociateTargetsWithJob | Associates a group with a continuous job. | Write | job*, thing*, thinggroup* | - | -
AttachPolicy | Attaches a policy to the specified target. | Permissions management | cert, thinggroup | - | -
AttachPrincipalPolicy | Attaches the specified policy to the specified principal (certificate or other credential). | Permissions management | cert | - | -
AttachThingPrincipal | Attaches the specified principal to the specified thing. | Write | - | - | -
CancelCertificateTransfer | Cancels a pending transfer for the specified certificate. | Write | - | - | -
CancelJob | Cancels a job. | Write | job* | - | -
ClearDefaultAuthorizer | Clears the default authorizer. | Write | - | - | -
Connect | Connects as the specified client. | Write | client* | - | -
CreateAuthorizer | Creates an authorizer. | Write | authorizer* | - | -
CreateCertificateFromCsr | Creates an X.509 certificate using the specified certificate signing request. | Write | - | - | -
CreateJob | Creates a job. | Write | thing*, thinggroup* | - | -
CreateKeysAndCertificate | Creates a 2048-bit RSA key pair and issues an X.509 certificate using the issued public key. | Write | - | - | -
CreateOTAUpdateJob | Creates an OTA update job. | Write | - | - | -
CreatePolicy | Creates an AWS IoT policy. | Write | - | - | -
CreatePolicyVersion | Creates a new version of the specified AWS IoT policy. | Write | policy* | - | -
CreateRoleAlias | Creates a role alias. | Write | role*, rolealias* | - | -
CreateStream | Creates a new AWS IoT stream. | Write | - | - | -
CreateThing | Creates a thing in the thing registry. | Write | - | - | -
CreateThingGroup | Creates a thing group. | Write | - | - | -
CreateThingType | Creates a new thing type. | Write | - | - | -
CreateTopicRule | Creates a rule. | Write | - | - | -
DeleteAuthorizer | Deletes the specified authorizer. | Write | authorizer* | - | -
DeleteCACertificate | Deletes a registered CA certificate. | Write | cacert* | - | -
DeleteCertificate | Deletes the specified certificate. | Write | cert* | - | -
DeleteOTAUpdateJob | Deletes an OTA update job. | Write | - | - | -
DeletePolicy | Deletes the specified policy. | Write | policy* | - | -
DeletePolicyVersion | Deletes the specified version of the specified policy. | Write | policy* | - | -
DeleteRegistrationCode | Deletes a CA certificate registration code. | Write | - | - | -
DeleteRoleAlias | Deletes the specified role alias. | Write | rolealias* | - | -
DeleteStream | Deletes a specified stream. | Write | - | - | -
DeleteThing | Deletes the specified thing. | Write | - | - | -
DeleteThingGroup | Deletes the specified thing group. | Write | thinggroup* | - | -
DeleteThingShadow | Deletes the specified thing shadow. | Write | thing* | - | -
DeleteThingType | Deletes the specified thing type. | Write | - | - | -
DeleteTopicRule | Deletes the specified rule. | Write | - | - | -
DeleteV2LoggingLevel | Deletes the specified v2 logging level. | Write | - | - | -
DeprecateThingType | Deprecates the specified thing type. | Write | - | - | -
DescribeAuthorizer | Describes an authorizer. | Read Write | authorizer* | - | -
DescribeCACertificate | Describes a registered CA certificate. | Read Write | cacert* | - | -
DescribeCertificate | Gets information about the specified certificate. | Read Write | cert* | - | -
DescribeDefaultAuthorizer | Describes the default authorizer. | Read Write | - | - | -
DescribeEndpoint | Returns a unique endpoint specific to the AWS account making the call. | Read Write | - | - | -
DescribeEventConfigurations | Returns account event configurations. | Read Write | - | - | -
DescribeIndex | Gets information about the specified index. | Read Write | index* | - | -
DescribeJob | Describes a job. | Read Write | job* | - | -
DescribeJobExecution | Describes a job execution. | Read Write | job* | - | -
DescribeRoleAlias | Describes a role alias. | Read Write | rolealias* | - | -
DescribeStream | Gets information about the specified stream. | Read Write | - | - | -
DescribeThing | Gets information about the specified thing. | Read Write | - | - | -
DescribeThingGroup | Gets information about the specified thing group. | Read Write | thinggroup* | - | -
DescribeThingRegistrationTask | Gets information about the bulk thing registration task. | Read Write | - | - | -
DescribeThingType | Gets information about the specified thing type. | Read Write | - | - | -
DetachPolicy | Detaches a policy from the specified target. | Permissions management | cert, thinggroup | - | -
DetachPrincipalPolicy | Removes the specified policy from the specified certificate. | Permissions management | cert | - | -
DetachThingPrincipal | Detaches the specified principal from the specified thing. | Write | - | - | -
DisableTopicRule | Disables the specified rule. | Write | - | - | -
EnableTopicRule | Enables the specified rule. | Write | - | - | -
GetEffectivePolicies | Gets effective policies. | Read Write | cert | - | -
GetIndexingConfiguration | Gets the current fleet indexing configuration. | Read Write | - | - | -
GetJobDocument | Gets a job document. | Read Write | job* | - | -
GetLoggingOptions | Gets the logging options. | Read Write | - | - | -
GetOTAUpdateJob | Gets information about the OTA update job. | Read Write | - | - | -
GetPolicy | Gets information about the specified policy with the policy document of the default version. | Read Write | policy* | - | -
GetPolicyVersion | Gets information about the specified policy version. | Read Write | policy* | - | -
GetRegistrationCode | Gets a registration code used to register a CA certificate with AWS IoT. | Read Write | - | - | -
GetThingShadow | Gets the thing shadow. | Read Write | thing* | - | -
GetTopicRule | Gets information about the specified rule. | Read Write | - | - | -
GetV2LoggingOptions | Gets v2 logging options. | Read Write | - | - | -
ListAttachedPolicies | Lists the policies attached to the specified thing group. | List Read Write | - | - | -
ListAuthorizers | Lists the authorizers registered in your account. | List Read Write | - | - | -
ListCACertificates | Lists the CA certificates registered for your AWS account. | List Read Write | - | - | -
ListCertificates | Lists your certificates. | List Read Write | - | - | -
ListCertificatesByCA | Lists the device certificates signed by the specified CA certificate. | List Read Write | - | - | -
ListIndices | Lists all indices for the fleet index. | List Read Write | - | - | -
ListJobExecutionsForJob | Lists the job executions for a job. | List Read Write | job* | - | -
ListJobExecutionsForThing | Lists the job executions for the specified thing. | List Read Write | thing* | - | -
ListJobs | Lists jobs. | List Read Write | - | - | -
ListOTAUpdateJobs | Lists OTA update jobs in the account. | List Read Write | - | - | -
ListOutgoingCertificates | Lists certificates that are being transferred but not yet accepted. | List Read Write | - | - | -
ListPolicies | Lists your policies. | List Read Write | - | - | -
ListPolicyPrincipals | Lists the principals associated with the specified policy. | List Read Write | - | - | -
ListPolicyVersions | Lists the versions of the specified policy, and identifies the default version. | List Read Write | - | - | -
ListPrincipalPolicies | Lists the policies attached to the specified principal. If you use an Amazon Cognito identity, the ID needs to be in Amazon Cognito Identity format. | List Read Write | - | - | -
ListPrincipalThings | Lists the things associated with the specified principal. | List Read Write | - | - | -
ListRoleAliases | Lists role aliases. | List Read Write | - | - | -
ListStreams | Lists the streams in your account. | List Read Write | - | - | -
ListTargetsForPolicy | Lists targets for the specified policy. | List Read Write | policy* | - | -
ListThingGroups | Lists all thing groups. | List Read Write | - | - | -
ListThingGroupsForThing | Lists the thing groups to which the specified thing belongs. | List Read Write | thing* | - | -
ListThingPrincipals | Lists the principals associated with the specified thing. | List Read Write | - | - | -
ListThingRegistrationTaskReports | Lists information about bulk thing registration tasks. | List Read Write | - | - | -
ListThingRegistrationTasks | Lists bulk thing registration tasks. | List Read Write | - | - | -
ListThingTypes | Lists all thing types. | List Read Write | - | - | -
ListThings | Lists all things. | List Read Write | - | - | -
ListThingsInThingGroup | Lists all things in the specified group. | List Read Write | thinggroup* | - | -
ListTopicRules | Lists the rules for the specific topic. | List Read Write | - | - | -
ListV2LoggingLevels | Lists the v2 logging levels. | List Read Write | - | - | -
Publish | Publishes to the specified topic. | Write | topic* | - | -
Receive | Receives from the specified topic. | Write | topic* | - | -
RegisterCACertificate | Registers a CA certificate with AWS IoT. | Write | - | - | -
RegisterCertificate | Registers a device certificate with AWS IoT. | Write | - | - | -
RegisterThing | Registers your thing. | Write | - | - | -
RejectCertificateTransfer | Rejects a pending certificate transfer. | Write | cert* | - | -
RemoveThingFromThingGroup | Removes a thing from the specified thing group. | Write | thing*, thinggroup* | - | -
ReplaceTopicRule | Replaces the specified rule. | Write | - | - | -
SearchIndex | Searches the IoT fleet index. | Read Write | index* | - | -
SetDefaultAuthorizer | Sets the default authorizer. This will be used if a websocket connection is made without specifying an authorizer. | Permissions management | authorizer* | - | -
SetDefaultPolicyVersion | Sets the specified version of the specified policy as the policy's default (operative) version. | Permissions management | policy* | - | -
SetLoggingOptions | Sets the logging options. | Write | - | - | -
SetV2LoggingLevel | Sets the v2 logging level. | Write | - | - | -
SetV2LoggingOptions | Sets the v2 logging options. | Write | - | - | -
StartThingRegistrationTask | Starts a bulk thing registration task. | Write | - | - | -
StopThingRegistrationTask | Stops a bulk thing registration task. | Write | - | - | -
Subscribe | Subscribes to the specified TopicFilter. | Write | topicfilter* | - | -
TestAuthorization | Tests the policy evaluation for group policies. | Read Write | cert | - | -
TestInvokeAuthorizer | Invokes the specified custom authorizer for testing purposes. | Read Write | authorizer* | - | -
TransferCertificate | Transfers the specified certificate to the specified AWS account. | Write | cert* | - | -
UpdateAuthorizer | Updates an authorizer. | Write | authorizer* | - | -
UpdateCACertificate | Updates a registered CA certificate. | Write | cacert* | - | -
UpdateCertificate | Updates the status of the specified certificate. This operation is idempotent. | Write | cert* | - | -
UpdateEventConfigurations | Updates event configurations. | Write | - | - | -
UpdateIndexingConfiguration | Updates the fleet indexing configuration. | Write | - | - | -
UpdateRoleAlias | Updates the role alias. | Write | rolealias*, role | - | -
UpdateStream | Updates the data for a stream. | Write | - | - | -
UpdateThing | Updates information associated with the specified thing. | Write | - | - | -
UpdateThingGroup | Updates information associated with the specified thing group. | Write | thinggroup* | - | -
UpdateThingGroupsForThing | Updates the thing groups to which the thing belongs. | Write | thing*, thinggroup | - | -
UpdateThingShadow | Updates the thing shadow. | Write | thing* | - | -

Resources Defined by IoT

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.

Resource Types | ARN | Condition Keys
authorizer | arn:${Partition}:iot:${Region}:${Account}:authorizer/${AuthorizerName} | -
cacert | arn:${Partition}:iot:${Region}:${Account}:cacert/${CACertificate} | -
cert | arn:${Partition}:iot:${Region}:${Account}:cert/${Certificate} | -
client | arn:${Partition}:iot:${Region}:${Account}:client/${ClientId} | -
index | arn:${Partition}:iot:${Region}:${Account}:index/${IndexName} | -
job | arn:${Partition}:iot:${Region}:${Account}:job/${JobId} | -
policy | arn:${Partition}:iot:${Region}:${Account}:policy/${PolicyName} | -
role | arn:${Partition}:iam::${Account}:role/${Role} | -
rolealias | arn:${Partition}:iot:${Region}:${Account}:rolealias/${RoleAlias} | -
thing | arn:${Partition}:iot:${Region}:${Account}:thing/${ThingName} | -
thinggroup | arn:${Partition}:iot:${Region}:${Account}:thinggroup/${ThingGroupName} | -
thingtype | arn:${Partition}:iot:${Region}:${Account}:thingtype/${ThingTypeName} | -
topic | arn:${Partition}:iot:${Region}:${Account}:topic/${TopicName} | -
topicfilter | arn:${Partition}:iot:${Region}:${Account}:topicfilter/${TopicFilter} | -
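
The two tables above are what a least-privilege review of an IoT policy is checked against: an action marked with a required resource type should be scoped to an ARN of that type rather than to "*", an ARN of a type the action does not list never matches anything the action acts on, and permissions-management actions deserve a second look because they change who else may act. The following Python script is an added example, not code from the AWS documentation: it transcribes a small subset of the Actions table and the ARN layout from the Resources table and lints the Allow statements of a policy against them. The policy, the account ID 123456789012, the region us-east-1, the thing name sensor-01 and the role names are constructed sample values, and `lint_policy` and `resource_type_of` are names chosen for this example.

```python
# Added example (not AWS documentation code): lint IAM/IoT Allow statements
# against the AWS IoT actions and resource-type tables. The action subset and
# ARN layout are transcribed from the tables; the policy, account 123456789012,
# region us-east-1, sensor-01 and the role names are constructed placeholders.

# Resource types from the "Resources Defined by IoT" table (service "iot").
IOT_RESOURCE_TYPES = {
    "authorizer", "cacert", "cert", "client", "index", "job", "policy",
    "rolealias", "thing", "thinggroup", "thingtype", "topic", "topicfilter",
}

# Subset of the Actions table: access level, required (*) and optional resource types.
IOT_ACTIONS = {
    "iot:Connect":         {"level": "Write", "required": ["client"], "optional": []},
    "iot:Publish":         {"level": "Write", "required": ["topic"], "optional": []},
    "iot:Receive":         {"level": "Write", "required": ["topic"], "optional": []},
    "iot:Subscribe":       {"level": "Write", "required": ["topicfilter"], "optional": []},
    "iot:CreateRoleAlias": {"level": "Write", "required": ["role", "rolealias"], "optional": []},
    "iot:AttachPolicy":    {"level": "Permissions management", "required": [],
                            "optional": ["cert", "thinggroup"]},
}


def _as_list(value):
    """IAM accepts a string or a list in Action and Resource; normalize to a list."""
    return value if isinstance(value, list) else [value]


def resource_type_of(arn):
    """Return the resource type named by an IoT or IAM-role ARN, or '*' for a bare wildcard.

    Layout from the Resources table: arn:${Partition}:<service>:${Region}:${Account}:<type>/<name>
    (the IAM role ARN has an empty region field).
    """
    if arn == "*":
        return "*"
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn}")
    service, resource = parts[2], parts[5]
    rtype = resource.split("/", 1)[0]
    if service == "iot" and rtype in IOT_RESOURCE_TYPES:
        return rtype
    if service == "iam" and rtype == "role":
        return "role"
    raise ValueError(f"unknown resource type in ARN: {arn}")


def lint_policy(policy):
    """Return findings for Allow statements that are broader than the tables call for."""
    findings = []
    for n, stmt in enumerate(policy["Statement"], 1):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt["Action"]):
            if "*" in action:
                findings.append(f"statement {n}: wildcard action {action!r} grants every matching operation")
                continue
            entry = IOT_ACTIONS.get(action)
            if entry is None:
                findings.append(f"statement {n}: {action!r} is not in this example's action subset")
                continue
            if entry["level"] == "Permissions management":
                findings.append(f"statement {n}: {action!r} is a permissions-management action; it changes who may act")
            allowed = entry["required"] + entry["optional"]
            for arn in resources:
                rtype = resource_type_of(arn)
                if rtype == "*":
                    if entry["required"]:  # the table says this action must be scoped to a resource
                        findings.append(f"statement {n}: {action!r} must be scoped to {entry['required']} but Resource is '*'")
                elif rtype not in allowed:
                    findings.append(f"statement {n}: {action!r} does not apply to resource type {rtype!r}; table lists {allowed}")
    return findings


PREFIX = "arn:aws:iot:us-east-1:123456789012"  # constructed partition/region/account
SAMPLE_POLICY = {  # constructed for this example
    "Version": "2012-10-17",
    "Statement": [
        # 1-3: each action is scoped to the resource type the table marks as required.
        {"Effect": "Allow", "Action": "iot:Connect", "Resource": f"{PREFIX}:client/sensor-01"},
        {"Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"],
         "Resource": f"{PREFIX}:topic/devices/sensor-01/telemetry"},
        {"Effect": "Allow", "Action": "iot:CreateRoleAlias",
         "Resource": [f"{PREFIX}:rolealias/sensor-alias", "arn:aws:iam::123456789012:role/IoTSensorRole"]},
        # 4: Subscribe requires a topicfilter ARN, and AttachPolicy is permissions management.
        {"Effect": "Allow", "Action": ["iot:Subscribe", "iot:AttachPolicy"], "Resource": "*"},
        # 5: a topic action pointed at a client ARN can never match what the table says it acts on.
        {"Effect": "Allow", "Action": "iot:Publish", "Resource": f"{PREFIX}:client/sensor-01"},
    ],
}

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print(finding)
```

Running the script reports three findings, all from statements 4 and 5; statements 1 to 3 pass because every action is paired with an ARN of the type the Actions table requires for it. Actions whose Resource Types cell is empty in the table (for example DescribeEndpoint) are a separate case: they take no resource ARN at all and must be granted with Resource "*", which is why the check only flags "*" when the table lists a required type.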

Condition Keys for AWS IoT

IoT has no service-specific context keys that can be used in the Condition element of policy statements. For the list of the global context keys that are available to all services, see Available Keys for Conditions in the IAM Policy Reference.