Controlling access with AWS IoT FleetWise

The following sections cover how to control access to and from your AWS IoT FleetWise resources. The information they cover includes how to grant your application access so AWS IoT FleetWise can transfer vehicle data during campaigns. They also describe how you can grant AWS IoT FleetWise access to your Amazon S3 (S3) bucket or Amazon Timestream database and table to store data.

The technology for managing all these forms of access is AWS Identity and Access Management (IAM). For more information about IAM, see What is IAM?.

Grant AWS IoT FleetWise access to an Amazon S3 destination

When you use an Amazon S3 destination, AWS IoT FleetWise delivers vehicle data to your S3 bucket and can optionally use an AWS KMS key that you own for data encryption. If error logging is enabled, AWS IoT FleetWise also sends data delivery errors to your CloudWatch log group and streams. You're required to have an IAM role when creating a delivery stream.

AWS IoT FleetWise uses a bucket policy with the service principal for the S3 destination. For more information about adding bucket policies, see Adding a bucket policy by using the Amazon S3 console in the Amazon Simple Storage Service User Guide.

Use the following access policy to enable AWS IoT FleetWise to access your S3 bucket. The Condition block restricts object access to the single campaign identified by campaign-arn, running in the account identified by account-id. If you don't own the S3 bucket, add s3:PutObjectAcl to the list of Amazon S3 actions. This grants the bucket owner full access to the objects delivered by AWS IoT FleetWise. For more information about how you can secure access to objects in your buckets, see Bucket policy examples in the Amazon Simple Storage Service User Guide.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": ["iotfleetwise.amazonaws.com"]
      },
      "Action": ["s3:ListBucket"],
      "Resource": "arn:aws:s3:::bucket-name"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": ["iotfleetwise.amazonaws.com"]
      },
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::bucket-name/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceArn": "campaign-arn",
          "aws:SourceAccount": "account-id"
        }
      }
    }
  ]
}

The following bucket policy instead allows every campaign in an account in an AWS Region: the StringLike condition matches any campaign ARN under that account and Region.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": ["iotfleetwise.amazonaws.com"]
      },
      "Action": ["s3:ListBucket"],
      "Resource": "arn:aws:s3:::bucket-name"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": ["iotfleetwise.amazonaws.com"]
      },
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::bucket-name/*",
      "Condition": {
        "StringLike": {
          "aws:SourceArn": "arn:aws:iotfleetwise:region:account-id:campaign/*",
          "aws:SourceAccount": "account-id"
        }
      }
    }
  ]
}

If you have a KMS key attached to your S3 bucket, the key policy needs the following statement. Add it to the existing key policy rather than replacing the policy, so that the statements that give your account's administrators access to the key stay in place. For information about key management, see Protecting data using server-side encryption with AWS Key Management Service keys (SSE-KMS) in the Amazon Simple Storage Service User Guide.

{
  "Effect": "Allow",
  "Principal": {
    "Service": "iotfleetwise.amazonaws.com"
  },
  "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
  "Resource": "key-arn"
}

Important

When you create a bucket, S3 creates a default access control list (ACL) that grants the resource owner full control over the resource. If AWS IoT FleetWise can't deliver data to S3, make sure you disable the ACL on the S3 bucket. For more information, see Disabling ACLs for all new buckets and enforcing Object Ownership in the Amazon Simple Storage Service User Guide.

Grant AWS IoT FleetWise access to an Amazon Timestream destination

When you use a Timestream destination, AWS IoT FleetWise delivers vehicle data to a Timestream table. You must attach the required policies to an IAM role that AWS IoT FleetWise assumes to send data to Timestream.

If you use the console to create a campaign, AWS IoT FleetWise automatically attaches the required policy to the role.

Before you start, check the following:

Important
  • You must use the same AWS Region when you create Timestream resources for AWS IoT FleetWise. If you switch AWS Regions, you might have issues accessing the Timestream resources.

  • AWS IoT FleetWise is available in US East (N. Virginia) and Europe (Frankfurt).

  • For the list of supported Regions, see Timestream endpoints and quotas in the AWS General Reference.

  • You must have a Timestream database. For a tutorial, see Create a database in the Amazon Timestream Developer Guide.

  • You must have a table created in the specified Timestream database. For a tutorial, see Create a table in the Amazon Timestream Developer Guide.

You can use the AWS CLI to create an IAM role with a trust policy for Timestream. To create an IAM role, run the following command.

To create an IAM role with a trust policy
  • Replace TimestreamExecutionRole with the name of the role you're creating.

  • Replace trust-policy with the JSON file that contains the trust policy.

aws iam create-role --role-name TimestreamExecutionRole --assume-role-policy-document file://trust-policy.json

The trust policy (trust-policy.json) lets the AWS IoT FleetWise service principal assume the role, but only on behalf of the named campaign in your account.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "timestreamTrustPolicy",
      "Effect": "Allow",
      "Principal": {
        "Service": "iotfleetwise.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceArn": ["arn:aws:iotfleetwise:region:account-id:campaign/campaign-name"],
          "aws:SourceAccount": ["account-id"]
        }
      }
    }
  ]
}

Create a permissions policy to give AWS IoT FleetWise permissions to write data into Timestream. To create a permissions policy, run the following command.

To create a permissions policy
  • Replace AWSIoTFleetwiseAccessTimestreamPermissionsPolicy with the name of the policy you're creating.

  • Replace permissions-policy with the name of the JSON file that contains the permissions policy.

aws iam create-policy --policy-name AWSIoTFleetwiseAccessTimestreamPermissionsPolicy --policy-document file://permissions-policy.json

The permissions policy (permissions-policy.json) grants write access to the one table identified by table-arn; timestream:DescribeEndpoints is not scoped to a resource.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "timestreamIngestion",
      "Effect": "Allow",
      "Action": [
        "timestream:WriteRecords",
        "timestream:Select",
        "timestream:DescribeTable"
      ],
      "Resource": "table-arn"
    },
    {
      "Sid": "timestreamDescribeEndpoint",
      "Effect": "Allow",
      "Action": ["timestream:DescribeEndpoints"],
      "Resource": "*"
    }
  ]
}

To attach the permissions policy to your IAM role
  1. From the output, copy the Amazon Resource Name (ARN) of the permissions policy.

  2. To attach the IAM permissions policy to your IAM role, run the following command.

    • Replace permissions-policy-arn with the ARN that you copied in the previous step.

    • Replace TimestreamExecutionRole with the name of the IAM role that you created.

    aws iam attach-role-policy --policy-arn permissions-policy-arn --role-name TimestreamExecutionRole
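The following check is added here as an example and is not part of AWS IoT FleetWise or its documentation. It reads an IAM policy document (the S3 bucket policies above or the Timestream trust policy) and reports any statement that grants the FleetWise service principal s3:PutObject or sts:AssumeRole without aws:SourceAccount and aws:SourceArn conditions pinned to campaigns in your account and Region, which is the confused-deputy case those conditions exist to prevent. The account 111122223333, Region us-east-1 and campaign name my-campaign are constructed placeholders.

```python
import copy

FLEETWISE_PRINCIPAL = "iotfleetwise.amazonaws.com"
# Grants of these to the service principal must be pinned to our own campaigns.
PINNED_ACTIONS = {"s3:PutObject", "s3:PutObjectAcl", "sts:AssumeRole"}

def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])

def check_fleetwise_policy(policy, account_id, region):
    """Return findings for Allow statements granting a PINNED_ACTIONS action to
    FleetWise without conditions limiting it to this account's campaigns."""
    findings = []
    campaign_prefix = f"arn:aws:iotfleetwise:{region}:{account_id}:campaign/"
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or FLEETWISE_PRINCIPAL not in services:
            continue
        if not PINNED_ACTIONS & set(_as_list(stmt.get("Action"))):
            continue
        sid = stmt.get("Sid", f"Statement[{i}]")
        cond = stmt.get("Condition", {})
        # Only StringEquals / StringLike pin the calling campaign; merge their keys.
        keys = {**cond.get("StringEquals", {}), **cond.get("StringLike", {})}
        src_acct = _as_list(keys.get("aws:SourceAccount"))
        src_arns = _as_list(keys.get("aws:SourceArn"))
        if src_acct != [account_id]:
            findings.append(f"{sid}: aws:SourceAccount is {src_acct or 'missing'}, expected {account_id}")
        if not src_arns:
            findings.append(f"{sid}: aws:SourceArn is missing")
        for arn in src_arns:
            if not arn.startswith(campaign_prefix):
                findings.append(f"{sid}: aws:SourceArn {arn} is outside {campaign_prefix}*")
    return findings

# Constructed sample: the trust policy above with placeholder account 111122223333,
# Region us-east-1 and campaign name my-campaign filled in.
SCOPED_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "timestreamTrustPolicy", "Effect": "Allow",
    "Principal": {"Service": FLEETWISE_PRINCIPAL},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {
        "aws:SourceArn": ["arn:aws:iotfleetwise:us-east-1:111122223333:campaign/my-campaign"],
        "aws:SourceAccount": ["111122223333"]}}}]}

# Same statement with no Condition: any FleetWise campaign could assume the role.
UNSCOPED_TRUST_POLICY = copy.deepcopy(SCOPED_TRUST_POLICY)
del UNSCOPED_TRUST_POLICY["Statement"][0]["Condition"]
```

Run it against the JSON you are about to attach, with your own account ID and Region; an empty list means every FleetWise grant is pinned, and any finding names the statement to fix.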

For more information, see Access management for AWS resources in the IAM User Guide.