Actions, resources, and condition keys for AWS IoT - AWS Identity and Access Management

Actions, resources, and condition keys for AWS IoT

Tip

This page is moving to a new location on November 16, 2020. Please update your bookmark to use the new page at https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiot.html.

AWS IoT (service prefix: iot) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.


Actions defined by AWS IoT

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table.

Actions | Description | Access level | Resource types (*required) | Condition keys
(No action on this page lists dependent actions, so that column is omitted.)
AcceptCertificateTransfer | Accepts a pending certificate transfer. | Write | cert* |
AddThingToBillingGroup | Adds a thing to the specified billing group. | Write | billinggroup*, thing* |
AddThingToThingGroup | Adds a thing to the specified thing group. | Write | thing*, thinggroup* |
AssociateTargetsWithJob | Associates a group with a continuous job. | Write | job*, thing*, thinggroup* |
AttachPolicy | Attaches a policy to the specified target. | Permissions management | cert, thinggroup |
AttachPrincipalPolicy | Attaches the specified policy to the specified principal (certificate or other credential). | Permissions management | cert |
AttachSecurityProfile | Associates a Device Defender security profile with a thing group or with this account. | Write | securityprofile*, dimension, thinggroup |
AttachThingPrincipal | Attaches the specified principal to the specified thing. | Write | |
CancelAuditMitigationActionsTask | Cancels a mitigation action task that is in progress. | Write | |
CancelAuditTask | Cancels an audit that is in progress. The audit can be either scheduled or on-demand. | Write | |
CancelCertificateTransfer | Cancels a pending transfer for the specified certificate. | Write | cert* |
CancelJob | Cancels a job. | Write | job* |
CancelJobExecution | Cancels a job execution on a particular device. | Write | job*, thing* |
ClearDefaultAuthorizer | Clears the default authorizer. | Write | |
CloseTunnel | Closes a tunnel. | Write | tunnel* | iot:Delete
Connect | Connects as the specified client. | Write | client* |
CreateAuditSuppression | Creates a Device Defender audit suppression. | Write | |
CreateAuthorizer | Creates an authorizer. | Write | authorizer* | aws:RequestTag/${TagKey}, aws:TagKeys
CreateBillingGroup | Creates a billing group. | Tagging | billinggroup* | aws:RequestTag/${TagKey}, aws:TagKeys
CreateCertificateFromCsr | Creates an X.509 certificate using the specified certificate signing request. | Write | |
CreateDimension | Defines a dimension that can be used to limit the scope of a metric used in a security profile. | Write | dimension* | aws:RequestTag/${TagKey}, aws:TagKeys
CreateDomainConfiguration | Creates a domain configuration. | Write | domainconfiguration* | aws:RequestTag/${TagKey}, aws:TagKeys, iot:DomainName
CreateDynamicThingGroup | Creates a Dynamic Thing Group. | Tagging | dynamicthinggroup* | aws:RequestTag/${TagKey}, aws:TagKeys
CreateJob | Creates a job. | Write | job*, thing*, thinggroup* | aws:RequestTag/${TagKey}, aws:TagKeys
CreateKeysAndCertificate | Creates a 2048-bit RSA key pair and issues an X.509 certificate using the issued public key. | Write | |
CreateMitigationAction | Defines an action that can be applied to audit findings by using StartAuditMitigationActionsTask. | Write | mitigationaction* | aws:RequestTag/${TagKey}, aws:TagKeys
CreateOTAUpdate | Creates an OTA update job. | Write | otaupdate* | aws:RequestTag/${TagKey}, aws:TagKeys
CreatePolicy | Creates an AWS IoT policy. | Write | policy* | aws:RequestTag/${TagKey}, aws:TagKeys
CreatePolicyVersion | Creates a new version of the specified AWS IoT policy. | Write | policy* |
CreateProvisioningClaim | Creates a provisioning claim. | Write | provisioningtemplate* |
CreateProvisioningTemplate | Creates a fleet provisioning template. | Write | provisioningtemplate* | aws:RequestTag/${TagKey}, aws:TagKeys
CreateProvisioningTemplateVersion | Creates a new version of a fleet provisioning template. | Write | provisioningtemplate* |
CreateRoleAlias | Creates a role alias. | Write | rolealias* | aws:RequestTag/${TagKey}, aws:TagKeys
CreateScheduledAudit | Creates a scheduled audit that is run at a specified time interval. | Write | scheduledaudit* | aws:RequestTag/${TagKey}, aws:TagKeys
CreateSecurityProfile | Creates a Device Defender security profile. | Write | securityprofile*, dimension | aws:RequestTag/${TagKey}, aws:TagKeys
CreateStream | Creates a new AWS IoT stream. | Write | stream* | aws:RequestTag/${TagKey}, aws:TagKeys
CreateThing | Creates a thing in the thing registry. | Write | thing*, billinggroup |
CreateThingGroup | Creates a thing group. | Tagging | thinggroup* | aws:RequestTag/${TagKey}, aws:TagKeys
CreateThingType | Creates a new thing type. | Tagging | thingtype* | aws:RequestTag/${TagKey}, aws:TagKeys
CreateTopicRule | Creates a rule. | Write | rule* | aws:RequestTag/${TagKey}, aws:TagKeys
DeleteAccountAuditConfiguration | Deletes the audit configuration associated with the account. | Write | |
DeleteAuditSuppression | Deletes a Device Defender audit suppression. | Write | |
DeleteAuthorizer | Deletes the specified authorizer. | Write | authorizer* |
DeleteBillingGroup | Deletes the specified billing group. | Tagging | billinggroup* |
DeleteCACertificate | Deletes a registered CA certificate. | Write | cacert* |
DeleteCertificate | Deletes the specified certificate. | Write | cert* |
DeleteDimension | Removes the specified dimension from your AWS account. | Write | dimension* |
DeleteDomainConfiguration | Deletes a domain configuration. | Write | domainconfiguration* |
DeleteDynamicThingGroup | Deletes the specified Dynamic Thing Group. | Tagging | dynamicthinggroup* |
DeleteJob | Deletes a job and its related job executions. | Write | job* |
DeleteJobExecution | Deletes a job execution. | Write | job*, thing* |
DeleteMitigationAction | Deletes a defined mitigation action from your AWS account. | Write | mitigationaction* |
DeleteOTAUpdate | Deletes an OTA update job. | Write | otaupdate* |
DeletePolicy | Deletes the specified policy. | Write | policy* |
DeletePolicyVersion | Deletes the specified version of the specified policy. | Write | policy* |
DeleteProvisioningTemplate | Deletes a fleet provisioning template. | Write | provisioningtemplate* |
DeleteProvisioningTemplateVersion | Deletes a fleet provisioning template version. | Write | provisioningtemplate* |
DeleteRegistrationCode | Deletes a CA certificate registration code. | Write | |
DeleteRoleAlias | Deletes the specified role alias. | Write | rolealias* |
DeleteScheduledAudit | Deletes a scheduled audit. | Write | scheduledaudit* |
DeleteSecurityProfile | Deletes a Device Defender security profile. | Write | securityprofile*, dimension |
DeleteStream | Deletes a specified stream. | Write | stream* |
DeleteThing | Deletes the specified thing. | Write | thing* |
DeleteThingGroup | Deletes the specified thing group. | Tagging | thinggroup* |
DeleteThingShadow | Deletes the specified thing shadow. | Write | thing* |
DeleteThingType | Deletes the specified thing type. | Tagging | thingtype* |
DeleteTopicRule | Deletes the specified rule. | Write | rule* |
DeleteV2LoggingLevel | Deletes the specified v2 logging level. | Write | |
DeprecateThingType | Deprecates the specified thing type. | Write | thingtype* |
DescribeAccountAuditConfiguration | Gets information about audit configurations for the account. | Read | |
DescribeAuditFinding | Gets information about a single audit finding. Properties include the reason for noncompliance, the severity of the issue, and when the audit that returned the finding was started. | Read | |
DescribeAuditMitigationActionsTask | Gets information about an audit mitigation task that is used to apply mitigation actions to a set of audit findings. | Read | |
DescribeAuditSuppression | Gets information about a Device Defender audit suppression. | Read | |
DescribeAuditTask | Gets information about a Device Defender audit. | Read | |
DescribeAuthorizer | Describes an authorizer. | Read | authorizer* |
DescribeBillingGroup | Gets information about the specified billing group. | Read | billinggroup* |
DescribeCACertificate | Describes a registered CA certificate. | Read | cacert* |
DescribeCertificate | Gets information about the specified certificate. | Read | cert* |
DescribeDefaultAuthorizer | Describes the default authorizer. | Read | |
DescribeDimension | Provides details about a dimension that is defined in your AWS account. | Read | dimension* |
DescribeDomainConfiguration | Gets information about the domain configuration. | Read | domainconfiguration* |
DescribeEndpoint | Returns a unique endpoint specific to the AWS account making the call. | Read | |
DescribeEventConfigurations | Returns account event configurations. | Read | |
DescribeIndex | Gets information about the specified index. | Read | index* |
DescribeJob | Describes a job. | Read | job* |
DescribeJobExecution | Describes a job execution. | Read | job, thing |
DescribeMitigationAction | Gets information about a mitigation action. | Read | mitigationaction* |
DescribeProvisioningTemplate | Returns information about a fleet provisioning template. | Read | provisioningtemplate* |
DescribeProvisioningTemplateVersion | Returns information about a fleet provisioning template version. | Read | provisioningtemplate* |
DescribeRoleAlias | Describes a role alias. | Read | rolealias* |
DescribeScheduledAudit | Gets information about a scheduled audit. | Read | scheduledaudit* |
DescribeSecurityProfile | Gets information about a Device Defender security profile. | Read | securityprofile* |
DescribeStream | Gets information about the specified stream. | Read | stream* |
DescribeThing | Gets information about the specified thing. | Read | thing* |
DescribeThingGroup | Gets information about the specified thing group. | Read | thinggroup* |
DescribeThingRegistrationTask | Gets information about the bulk thing registration task. | Read | |
DescribeThingType | Gets information about the specified thing type. | Read | thingtype* |
DescribeTunnel | Describes a tunnel. | Read | tunnel* |
DetachPolicy | Detaches a policy from the specified target. | Permissions management | cert, thinggroup |
DetachPrincipalPolicy | Removes the specified policy from the specified certificate. | Permissions management | cert |
DetachSecurityProfile | Disassociates a Device Defender security profile from a thing group or from this account. | Write | securityprofile*, dimension, thinggroup |
DetachThingPrincipal | Detaches the specified principal from the specified thing. | Write | |
DisableTopicRule | Disables the specified rule. | Write | rule* |
EnableTopicRule | Enables the specified rule. | Write | rule* |
GetCardinality | Gets the cardinality for the IoT fleet index. | Read | index* |
GetEffectivePolicies | Gets effective policies. | Read | cert |
GetIndexingConfiguration | Gets the current fleet indexing configuration. | Read | |
GetJobDocument | Gets a job document. | Read | job* |
GetLoggingOptions | Gets the logging options. | Read | |
GetOTAUpdate | Gets the information about the OTA update job. | Read | otaupdate* |
GetPendingJobExecutions | Gets the list of all jobs for a thing that are not in a terminal state. | Read | thing* |
GetPercentiles | Gets percentiles for the IoT fleet index. | Read | index* |
GetPolicy | Gets information about the specified policy with the policy document of the default version. | Read | policy* |
GetPolicyVersion | Gets information about the specified policy version. | Read | policy* |
GetRegistrationCode | Gets a registration code used to register a CA certificate with AWS IoT. | Read | |
GetStatistics | Gets statistics for the IoT fleet index. | Read | index* |
GetThingShadow | Gets the thing shadow. | Read | thing* |
GetTopicRule | Gets information about the specified rule. | Read | rule* |
GetV2LoggingOptions | Gets v2 logging options. | Read | |
ListActiveViolations | Lists the active violations for a given Device Defender security profile or Thing. | List | securityprofile, thing |
ListAttachedPolicies | Lists the policies attached to the specified thing group. | List | |
ListAuditFindings | Lists the findings (results) of a Device Defender audit or of the audits performed during a specified time period. | List | |
ListAuditMitigationActionsExecutions | Gets the status of audit mitigation action tasks that were executed. | List | |
ListAuditMitigationActionsTasks | Gets a list of audit mitigation action tasks that match the specified filters. | List | |
ListAuditSuppressions | Lists your Device Defender audit suppressions. | List | |
ListAuditTasks | Lists the Device Defender audits that have been performed during a given time period. | List | |
ListAuthorizers | Lists the authorizers registered in your account. | List | |
ListBillingGroups | Lists all billing groups. | List | |
ListCACertificates | Lists the CA certificates registered for your AWS account. | List | |
ListCertificates | Lists your certificates. | List | |
ListCertificatesByCA | Lists the device certificates signed by the specified CA certificate. | List | |
ListDimensions | Lists the dimensions that are defined for your AWS account. | List | |
ListDomainConfigurations | Lists the domain configurations created by your AWS account. | List | |
ListIndices | Lists all indices for the fleet index. | List | |
ListJobExecutionsForJob | Lists the job executions for a job. | List | job* |
ListJobExecutionsForThing | Lists the job executions for the specified thing. | List | thing* |
ListJobs | Lists jobs. | List | |
ListMitigationActions | Gets a list of all mitigation actions that match the specified filter criteria. | List | |
ListNamedShadowsForThing | Lists all named shadows for a given thing. | List | thing* |
ListOTAUpdates | Lists OTA update jobs in the account. | List | |
ListOutgoingCertificates | Lists certificates that are being transferred but not yet accepted. | List | |
ListPolicies | Lists your policies. | List | |
ListPolicyPrincipals | Lists the principals associated with the specified policy. | List | |
ListPolicyVersions | Lists the versions of the specified policy, and identifies the default version. | List | policy* |
ListPrincipalPolicies | Lists the policies attached to the specified principal. If you use an Amazon Cognito identity, the ID needs to be in Amazon Cognito Identity format. | List | |
ListPrincipalThings | Lists the things associated with the specified principal. | List | |
ListProvisioningTemplateVersions | Lists the versions of a fleet provisioning template. | List | provisioningtemplate* |
ListProvisioningTemplates | Lists the fleet provisioning templates in your AWS account. | List | |
ListRoleAliases | Lists role aliases. | List | |
ListScheduledAudits | Lists all of your scheduled audits. | List | |
ListSecurityProfiles | Lists the Device Defender security profiles you have created. | List | dimension |
ListSecurityProfilesForTarget | Lists the Device Defender security profiles attached to a target. | List | thinggroup |
ListStreams | Lists the streams in your account. | List | |
ListTagsForResource | Lists all tags for a given resource. | List | authorizer, billinggroup, cacert, dimension, domainconfiguration, dynamicthinggroup, job, mitigationaction, otaupdate, policy, provisioningtemplate, rolealias, rule, scheduledaudit, securityprofile, stream, thinggroup, thingtype |
ListTargetsForPolicy | Lists targets for the specified policy. | List | policy* |
ListTargetsForSecurityProfile | Lists the targets associated with a given Device Defender security profile. | List | securityprofile* |
ListThingGroups | Lists all thing groups. | List | |
ListThingGroupsForThing | Lists the thing groups to which the specified thing belongs. | List | thing* |
ListThingPrincipals | Lists the principals associated with the specified thing. | List | |
ListThingRegistrationTaskReports | Lists information about bulk thing registration tasks. | List | |
ListThingRegistrationTasks | Lists bulk thing registration tasks. | List | |
ListThingTypes | Lists all thing types. | List | |
ListThings | Lists all things. | List | |
ListThingsInBillingGroup | Lists all things in the specified billing group. | List | billinggroup* |
ListThingsInThingGroup | Lists all things in the specified thing group. | List | thinggroup* |
ListTopicRules | Lists the rules for the specific topic. | List | |
ListTunnels | Lists tunnels. | List | |
ListV2LoggingLevels | Lists the v2 logging levels. | List | |
ListViolationEvents | Lists the Device Defender security profile violations discovered during the given time period. | List | securityprofile, thing |
OpenTunnel | Opens a tunnel. | Write | | aws:RequestTag/${TagKey}, aws:TagKeys, iot:ThingGroupArn, iot:TunnelDestinationService
Publish | Publishes to the specified topic. | Write | topic* |
Receive | Receives from the specified topic. | Write | topic* |
RegisterCACertificate | Registers a CA certificate with AWS IoT. | Write | | aws:RequestTag/${TagKey}, aws:TagKeys
RegisterCertificate | Registers a device certificate with AWS IoT. | Write | |
RegisterCertificateWithoutCA | Registers a device certificate with AWS IoT without a registered CA (certificate authority). | Write | |
RegisterThing | Registers your thing. | Write | |
RejectCertificateTransfer | Rejects a pending certificate transfer. | Write | cert* |
RemoveThingFromBillingGroup | Removes a thing from the specified billing group. | Write | billinggroup*, thing* |
RemoveThingFromThingGroup | Removes a thing from the specified thing group. | Write | thing*, thinggroup* |
ReplaceTopicRule | Replaces the specified rule. | Write | rule* |
SearchIndex | Searches the IoT fleet index. | Read | index* |
SetDefaultAuthorizer | Sets the default authorizer. This will be used if a websocket connection is made without specifying an authorizer. | Permissions management | authorizer* |
SetDefaultPolicyVersion | Sets the specified version of the specified policy as the policy's default (operative) version. | Permissions management | policy* |
SetLoggingOptions | Sets the logging options. | Write | |
SetV2LoggingLevel | Sets the v2 logging level. | Write | |
SetV2LoggingOptions | Sets the v2 logging options. | Write | |
StartAuditMitigationActionsTask | Starts a task that applies a set of mitigation actions to the specified target. | Write | |
StartNextPendingJobExecution | Gets and starts the next pending job execution for a thing. | Write | thing* |
StartOnDemandAuditTask | Starts an on-demand Device Defender audit. | Write | |
StartThingRegistrationTask | Starts a bulk thing registration task. | Write | |
StopThingRegistrationTask | Stops a bulk thing registration task. | Write | |
Subscribe | Subscribes to the specified TopicFilter. | Write | topicfilter* |
TagResource | Tags a specified resource. | Tagging | authorizer, billinggroup, cacert, dimension, domainconfiguration, dynamicthinggroup, job, mitigationaction, otaupdate, policy, provisioningtemplate, rolealias, rule, scheduledaudit, securityprofile, stream, thinggroup, thingtype | aws:RequestTag/${TagKey}, aws:TagKeys
TestAuthorization | Tests the policy evaluation for group policies. | Read | cert |
TestInvokeAuthorizer | Invokes the specified custom authorizer for testing purposes. | Read | authorizer* |
TransferCertificate | Transfers the specified certificate to the specified AWS account. | Write | cert* |
UntagResource | Untags a specified resource. | Tagging | authorizer, billinggroup, cacert, dimension, domainconfiguration, dynamicthinggroup, job, mitigationaction, otaupdate, policy, provisioningtemplate, rolealias, rule, scheduledaudit, securityprofile, stream, thinggroup, thingtype | aws:TagKeys
UpdateAccountAuditConfiguration | Configures or reconfigures the Device Defender audit settings for this account. | Write | |
UpdateAuditSuppression | Updates a Device Defender audit suppression. | Write | |
UpdateAuthorizer | Updates an authorizer. | Write | authorizer* |
UpdateBillingGroup | Updates information associated with the specified billing group. | Write | billinggroup* |
UpdateCACertificate | Updates a registered CA certificate. | Write | cacert* |
UpdateCertificate | Updates the status of the specified certificate. This operation is idempotent. | Write | cert* |
UpdateDimension | Updates the definition for a dimension. | Write | dimension* |
UpdateDomainConfiguration | Updates a domain configuration. | Write | domainconfiguration* |
UpdateDynamicThingGroup | Updates a Dynamic Thing Group. | Write | dynamicthinggroup* |
UpdateEventConfigurations | Updates event configurations. | Write | |
UpdateIndexingConfiguration | Updates the fleet indexing configuration. | Write | |
UpdateJob | Updates a job. | Write | job* |
UpdateJobExecution | Updates a job execution. | Write | thing* |
UpdateMitigationAction | Updates the definition for the specified mitigation action. | Write | mitigationaction* |
UpdateProvisioningTemplate | Updates a fleet provisioning template. | Write | provisioningtemplate* |
UpdateRoleAlias | Updates the role alias. | Write | rolealias* |
UpdateScheduledAudit | Updates a scheduled audit, including what checks are performed and how often the audit takes place. | Write | scheduledaudit* |
UpdateSecurityProfile | Updates a Device Defender security profile. | Write | securityprofile*, dimension |
UpdateStream | Updates the data for a stream. | Write | stream* |
UpdateThing | Updates information associated with the specified thing. | Write | thing* |
UpdateThingGroup | Updates information associated with the specified thing group. | Write | thinggroup* |
UpdateThingGroupsForThing | Updates the thing groups to which the thing belongs. | Write | thing*, thinggroup |
UpdateThingShadow | Updates the thing shadow. | Write | thing* |
ValidateSecurityProfileBehaviors | Validates a Device Defender security profile behaviors specification. | Read | |

Resource types defined by AWS IoT

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The resource types table.
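The rules stated above and in the introduction to the actions table (an action with no resource types needs Resource "*"; an action with listed resource types should be scoped to an ARN of one of those types, formatted as in the table that follows; a condition key is only meaningful where the actions table lists it for that action) can be checked mechanically. The linter below is an added example, not AWS code and not an AWS API: the two dictionaries are transcribed subsets of this page's tables, the sample policies, account id, names and tag values are constructed, and global condition keys other than the tag keys this page lists are deliberately left unchecked.

```python
"""Lint AWS IoT IAM statements against the actions and resource-types tables.
Added example, not AWS code. RESOURCE_ARNS and ACTIONS are transcribed from this
page (a subset of its tables); the policies at the bottom are constructed samples."""
import re

# Subset of "Resource types defined by AWS IoT": resource type -> ARN format.
RESOURCE_ARNS = {
    "client": "arn:${Partition}:iot:${Region}:${Account}:client/${ClientId}",
    "thing": "arn:${Partition}:iot:${Region}:${Account}:thing/${ThingName}",
    "thinggroup": "arn:${Partition}:iot:${Region}:${Account}:thinggroup/${ThingGroupName}",
    "billinggroup": "arn:${Partition}:iot:${Region}:${Account}:billinggroup/${BillingGroupName}",
    "topic": "arn:${Partition}:iot:${Region}:${Account}:topic/${TopicName}",
    "topicfilter": "arn:${Partition}:iot:${Region}:${Account}:topicfilter/${TopicFilter}",
    "cert": "arn:${Partition}:iot:${Region}:${Account}:cert/${Certificate}",
    "authorizer": "arn:${Partition}:iot:${Region}:${Account}:authorizer/${AuthorizerName}",
    "tunnel": "arn:${Partition}:iot:${Region}:${Account}:tunnel/${TunnelId}",
}

# Subset of "Actions defined by AWS IoT":
# action -> (required resource types, optional resource types, condition keys).
ACTIONS = {
    "Connect": ({"client"}, set(), set()),
    "Publish": ({"topic"}, set(), set()),
    "Receive": ({"topic"}, set(), set()),
    "Subscribe": ({"topicfilter"}, set(), set()),
    "DescribeEndpoint": (set(), set(), set()),  # no resource types: Resource must be "*"
    "AttachPolicy": (set(), {"cert", "thinggroup"}, set()),
    "CreateThing": ({"thing"}, {"billinggroup"}, set()),
    "CreateAuthorizer": ({"authorizer"}, set(), {"aws:RequestTag/${TagKey}", "aws:TagKeys"}),
    "OpenTunnel": (set(), set(), {"aws:RequestTag/${TagKey}", "aws:TagKeys",
                                  "iot:ThingGroupArn", "iot:TunnelDestinationService"}),
    "CloseTunnel": ({"tunnel"}, set(), {"iot:Delete"}),
}


def _arn_regex(template):
    """Compile an ARN format into a regex: a ${...} placeholder in the partition, region
    or account field matches anything but ':'; the resource id after "topic/" etc. matches anything."""
    arn, partition, service, region, account, resource = template.split(":", 5)
    fields = ["[^:]*" if f.startswith("${") else re.escape(f)
              for f in (arn, partition, service, region, account)]
    prefix = resource.split("${", 1)[0]  # "topic/" from "topic/${TopicName}"
    return re.compile("^" + ":".join(fields) + ":" + re.escape(prefix) + ".+$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_statement(stmt):
    """Findings for one statement; an empty list means it is consistent with the tables."""
    findings = []
    condition_keys = [k for op in stmt.get("Condition", {}).values() for k in op]
    for qualified in _as_list(stmt["Action"]):
        name = qualified.partition(":")[2] or qualified  # "iot:Connect" -> "Connect"
        if name not in ACTIONS:
            findings.append(f"{qualified}: not in the embedded subset of the actions table")
            continue
        required, optional, allowed_keys = ACTIONS[name]
        types = required | optional
        for res in _as_list(stmt["Resource"]):
            if not types:
                if res != "*":
                    findings.append(f'{qualified}: action has no resource types, Resource must be "*"')
            elif res == "*":
                findings.append(f'{qualified}: Resource "*" is not scoped to {sorted(types)}')
            elif not any(_arn_regex(RESOURCE_ARNS[t]).match(res) for t in types):
                findings.append(f"{qualified}: {res} is not an ARN of type {sorted(types)}")
        for key in condition_keys:
            norm = re.sub(r"^aws:RequestTag/.*$", "aws:RequestTag/${TagKey}", key)
            # Only keys this page lists are checked; other global keys are ignored (assumption).
            if norm.startswith(("iot:", "aws:RequestTag/", "aws:TagKeys")) and norm not in allowed_keys:
                findings.append(f"{qualified}: condition key {key} is not listed for this action")
    return findings


def check_policy(policy):
    """Findings for every statement, prefixed with the statement index."""
    return [f"statement {i}: {f}"
            for i, stmt in enumerate(policy["Statement"])
            for f in check_statement(stmt)]


# Constructed sample policies (account id, names and tag values are made up).
GOOD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iot:Connect",
     "Resource": "arn:aws:iot:us-east-1:123456789012:client/sensor-*"},
    {"Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"],
     "Resource": "arn:aws:iot:us-east-1:123456789012:topic/telemetry/sensor-*"},
    {"Effect": "Allow", "Action": "iot:DescribeEndpoint", "Resource": "*"},
    {"Effect": "Allow", "Action": "iot:OpenTunnel", "Resource": "*",
     "Condition": {"ForAllValues:StringEquals": {"iot:TunnelDestinationService": "SSH"}}},
]}
BAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iot:Connect", "iot:Publish"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iot:Publish",
     "Resource": "arn:aws:iot:us-east-1:123456789012:thing/sensor-1"},
    {"Effect": "Allow", "Action": "iot:CreateThing",
     "Resource": "arn:aws:iot:us-east-1:123456789012:thing/*",
     "Condition": {"StringEquals": {"aws:RequestTag/env": "prod"}}},
]}

if __name__ == "__main__":
    for label, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(label, check_policy(policy) or "no findings")
```

The good policy produces no findings; the bad one reports the unscoped "*" for Connect and Publish, the Publish statement whose Resource is a thing ARN rather than a topic ARN, and the aws:RequestTag condition on CreateThing, which the actions table does not list for that action. A bare "*" is reported as a finding only where the action does have resource types, which is exactly the case where the table tells you a narrower ARN is possible.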

Resource types | ARN | Condition keys
client | arn:${Partition}:iot:${Region}:${Account}:client/${ClientId} |
index | arn:${Partition}:iot:${Region}:${Account}:index/${IndexName} |
job | arn:${Partition}:iot:${Region}:${Account}:job/${JobId} | aws:ResourceTag/${TagKey}
tunnel | arn:${Partition}:iot:${Region}:${Account}:tunnel/${TunnelId} | aws:ResourceTag/${TagKey}
thing | arn:${Partition}:iot:${Region}:${Account}:thing/${ThingName} |
thinggroup | arn:${Partition}:iot:${Region}:${Account}:thinggroup/${ThingGroupName} | aws:ResourceTag/${TagKey}
billinggroup | arn:${Partition}:iot:${Region}:${Account}:billinggroup/${BillingGroupName} | aws:ResourceTag/${TagKey}
dynamicthinggroup | arn:${Partition}:iot:${Region}:${Account}:thinggroup/${ThingGroupName} | aws:ResourceTag/${TagKey}
thingtype | arn:${Partition}:iot:${Region}:${Account}:thingtype/${ThingTypeName} | aws:ResourceTag/${TagKey}
topic | arn:${Partition}:iot:${Region}:${Account}:topic/${TopicName} |
topicfilter | arn:${Partition}:iot:${Region}:${Account}:topicfilter/${TopicFilter} |
rolealias | arn:${Partition}:iot:${Region}:${Account}:rolealias/${RoleAlias} | aws:ResourceTag/${TagKey}
authorizer | arn:${Partition}:iot:${Region}:${Account}:authorizer/${AuthorizerName} | aws:ResourceTag/${TagKey}
policy | arn:${Partition}:iot:${Region}:${Account}:policy/${PolicyName} | aws:ResourceTag/${TagKey}
cert | arn:${Partition}:iot:${Region}:${Account}:cert/${Certificate} |
cacert | arn:${Partition}:iot:${Region}:${Account}:cacert/${CACertificate} | aws:ResourceTag/${TagKey}
stream | arn:${Partition}:iot:${Region}:${Account}:stream/${streamId} | aws:ResourceTag/${TagKey}
otaupdate | arn:${Partition}:iot:${Region}:${Account}:otaupdate/${otaUpdateId} | aws:ResourceTag/${TagKey}
scheduledaudit | arn:${Partition}:iot:${Region}:${Account}:scheduledaudit/${ScheduleName} | aws:ResourceTag/${TagKey}
mitigationaction | arn:${Partition}:iot:${Region}:${Account}:mitigationaction/${MitigationActionName} | aws:ResourceTag/${TagKey}
securityprofile | arn:${Partition}:iot:${Region}:${Account}:securityprofile/${SecurityProfileName} | aws:ResourceTag/${TagKey}
dimension | arn:${Partition}:iot:${Region}:${Account}:dimension/${DimensionName} | aws:ResourceTag/${TagKey}
rule | arn:${Partition}:iot:${Region}:${Account}:rule/${ruleName} | aws:ResourceTag/${TagKey}
provisioningtemplate | arn:${Partition}:iot:${Region}:${Account}:provisioningtemplate/${provisioningTemplate} | aws:ResourceTag/${TagKey}
domainconfiguration | arn:${Partition}:iot:${Region}:${Account}:domainconfiguration/${domainConfigurationName} | aws:ResourceTag/${TagKey}

Condition keys for AWS IoT

AWS IoT defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | A tag key that is present in the request that the user makes to IoT. | String
aws:ResourceTag/${TagKey} | The tag key component of a tag attached to an IoT resource. | String
aws:TagKeys | The list of all the tag key names associated with the resource in the request. | String
iot:Delete | The flag indicating whether or not to also delete an IoT Tunnel immediately. | Bool
iot:DomainName | Filters actions based on the domain name of an IoT DomainConfiguration. | String
iot:ThingGroupArn | The list of all IoT Thing Group ARNs that the destination IoT Thing belongs to for an IoT Tunnel. | String
iot:TunnelDestinationService | The list of all destination services for an IoT Tunnel. | String