Controlling access with AWS IoT FleetWise - AWS IoT FleetWise

Controlling access with AWS IoT FleetWise

Important

Access to certain AWS IoT FleetWise features is currently gated. For more information, see AWS Region and feature availability in AWS IoT FleetWise.

The following sections cover how to control access to and from your AWS IoT FleetWise resources. They describe how to grant AWS IoT FleetWise access to the destinations that receive vehicle data during campaigns: an Amazon S3 (S3) bucket, an Amazon Timestream database and table, or an MQTT topic on which the collected vehicle data is published for your applications. They also cover the permissions that AWS IoT Device Management needs to generate the payload for remote commands.

The technology for managing all these forms of access is AWS Identity and Access Management (IAM). For more information about IAM, see What is IAM?.

Grant AWS IoT FleetWise permission to send and receive data on an MQTT topic

When you use an MQTT topic as a campaign destination, AWS IoT FleetWise publishes the collected vehicle data to that topic through the AWS IoT MQTT message broker. You must grant AWS IoT FleetWise permission to publish to the MQTT topic you specify; the permissions policy later in this section grants iot:Publish on the topic ARN. If you also use AWS IoT rules to act on the data or route it to other destinations, the rule needs its own IAM role with permissions for the destinations it writes to.

In addition, your other apps or devices can subscribe to the topic you specify to receive vehicle data in near real-time, and these apps or devices must be granted permissions and access as needed.

For more information about using MQTT and the roles and permissions required, see:

Before you start, check the following:

Important
  • You must use the same AWS Region when you create vehicle campaign resources for AWS IoT FleetWise. If you switch AWS Regions, you might have issues accessing the resources.

  • AWS IoT FleetWise is available in US East (N. Virginia) and Europe (Frankfurt).

You can use the AWS CLI to create an IAM role with a trust policy for MQTT messaging. To create an IAM role, run the following command.

To create an IAM role with a trust policy
  • Replace IotTopicExecutionRole with the name of the role you're creating.

  • Replace trust-policy.json with the path of the JSON file that contains the trust policy.

aws iam create-role --role-name IotTopicExecutionRole --assume-role-policy-document file://trust-policy.json

In the trust policy, replace region, account-id, and campaign-name. The aws:SourceArn and aws:SourceAccount conditions let the iotfleetwise.amazonaws.com service principal assume the role only on behalf of the named campaign in your account, so a campaign in another account can't use your role as a confused deputy. The campaign ARN is derived from the name you'll give the campaign, so you can fill it in before the campaign exists.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "mqttTopicTrustPolicy",
      "Effect": "Allow",
      "Principal": {
        "Service": "iotfleetwise.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceArn": [
            "arn:aws:iotfleetwise:region:account-id:campaign/campaign-name"
          ],
          "aws:SourceAccount": [
            "account-id"
          ]
        }
      }
    }
  ]
}

Create a permissions policy that allows AWS IoT FleetWise to publish messages to the MQTT topic you specified. To create a permissions policy, run the following command.

To create a permissions policy
  • Replace AWSIoTFleetwiseAccessIotTopicPermissionsPolicy with the name of the policy you're creating.

  • Replace permissions-policy.json with the path of the JSON file that contains the permissions policy.

aws iam create-policy --policy-name AWSIoTFleetwiseAccessIotTopicPermissionsPolicy --policy-document file://permissions-policy.json

In the permissions policy, replace topic-arn with the ARN of the topic, in the form arn:aws:iot:region:account-id:topic/topic-name. Grant iot:Publish on that one topic rather than on a wildcard, so the role can't be used to publish to other topics in your account.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish"
      ],
      "Resource": [
        "topic-arn"
      ]
    }
  ]
}
To attach the permissions policy to your IAM role
  1. From the output, copy the Amazon Resource Name (ARN) of the permissions policy.

  2. To attach the IAM permissions policy to your IAM role, run the following command.

    • Replace permissions-policy-arn with the ARN that you copied in the previous step.

    • Replace IotTopicExecutionRole with the name of the IAM role that you created.

    aws iam attach-role-policy --policy-arn permissions-policy-arn --role-name IotTopicExecutionRole

For more information, see Access management for AWS resources in the IAM User Guide.

Grant AWS IoT FleetWise access to an Amazon S3 destination

When you use an Amazon S3 destination, AWS IoT FleetWise delivers vehicle data to your S3 bucket and can optionally use an AWS KMS key that you own to encrypt the data. If error logging is enabled, AWS IoT FleetWise also sends data delivery errors to your CloudWatch log group and streams. Unlike the MQTT and Timestream destinations, an S3 destination doesn't use an IAM execution role: you grant access with a bucket policy, as described next.

AWS IoT FleetWise uses a bucket policy with the service principal for the S3 destination. For more information about adding bucket policies, see Adding a bucket policy by using the Amazon S3 console in the Amazon Simple Storage Service User Guide.

Use the following bucket policy to allow AWS IoT FleetWise to access your S3 bucket. Replace bucket-name, campaign-arn, and account-id with your own values. The second statement is scoped with aws:SourceArn and aws:SourceAccount so that only the named campaign in your account can read and write objects. If you don't own the S3 bucket, add s3:PutObjectAcl to the list of Amazon S3 actions; this grants the bucket owner full access to the objects delivered by AWS IoT FleetWise. For more information about how you can secure access to objects in your buckets, see Bucket policy examples in the Amazon Simple Storage Service User Guide.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "iotfleetwise.amazonaws.com"
        ]
      },
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::bucket-name"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "iotfleetwise.amazonaws.com"
        ]
      },
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::bucket-name/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceArn": "campaign-arn",
          "aws:SourceAccount": "account-id"
        }
      }
    }
  ]
}

The following bucket policy grants access to all campaigns in one account and AWS Region. It differs from the previous policy only in the condition: StringLike with a trailing wildcard in aws:SourceArn instead of StringEquals with one campaign ARN.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "iotfleetwise.amazonaws.com"
        ]
      },
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::bucket-name"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "iotfleetwise.amazonaws.com"
        ]
      },
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::bucket-name/*",
      "Condition": {
        "StringLike": {
          "aws:SourceArn": "arn:aws:iotfleetwise:region:account-id:campaign/*",
          "aws:SourceAccount": "account-id"
        }
      }
    }
  ]
}

If the bucket uses an AWS KMS key for server-side encryption (SSE-KMS), add the following statement to the Statement list of the key policy. It is a single statement, not a complete key policy; don't replace the existing key policy with it, or you lock out the key administrators. Replace key-arn with the ARN of the key. For information about key management, see Protecting data using server-side encryption with AWS Key Management Service keys (SSE-KMS) in the Amazon Simple Storage Service User Guide.

{
  "Effect": "Allow",
  "Principal": {
    "Service": "iotfleetwise.amazonaws.com"
  },
  "Action": [
    "kms:GenerateDataKey",
    "kms:Decrypt"
  ],
  "Resource": "key-arn"
}
Important

When you create a bucket, S3 creates a default access control list (ACL) that grants the resource owner full control over the resource. If AWS IoT FleetWise can't deliver data to S3, make sure ACLs are disabled on the bucket (Object Ownership set to Bucket owner enforced), so that access is governed by the bucket policy alone. For more information, see Disabling ACLs for all new buckets and enforcing Object Ownership in the Amazon Simple Storage Service User Guide.
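The two bucket policies above differ only in their condition block, and the safest way to understand what each admits is to evaluate it against concrete callers. The following added example (not code from the AWS IoT FleetWise documentation) builds both variants and the KMS key statement, then evaluates the policies' StringEquals / StringLike conditions on aws:SourceArn and aws:SourceAccount against sample requests. The bucket name, account ID and campaign ARNs are constructed placeholders, and the evaluator models only what these policies use (Allow statements and the two string operators), not the full IAM evaluation logic.

```python
"""Scope checks for the S3-destination bucket policies: build the
single-campaign and all-campaigns variants and test which callers they admit.

Added example, not code from the AWS IoT FleetWise documentation. Bucket name,
account ID and campaign ARNs are constructed placeholders; only the operators
and condition keys used by these policies are modelled.
"""
import re

FLEETWISE_PRINCIPAL = "iotfleetwise.amazonaws.com"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def iam_match(pattern, value):
    """IAM wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None


def bucket_policy(bucket, account_id, source_arn, cross_account=False):
    """A full campaign ARN pins the object grant to one campaign (StringEquals);
    an ARN ending in 'campaign/*' admits every campaign in that Region
    (StringLike). cross_account adds s3:PutObjectAcl, as the text advises when
    you do not own the bucket."""
    operator = "StringLike" if "*" in source_arn else "StringEquals"
    actions = ["s3:GetObject", "s3:PutObject"] + (["s3:PutObjectAcl"] if cross_account else [])
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": {"Service": [FLEETWISE_PRINCIPAL]},
             "Action": ["s3:ListBucket"], "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Principal": {"Service": [FLEETWISE_PRINCIPAL]},
             "Action": actions, "Resource": f"arn:aws:s3:::{bucket}/*",
             "Condition": {operator: {"aws:SourceArn": source_arn,
                                      "aws:SourceAccount": account_id}}},
        ],
    }


def kms_key_statement(key_arn):
    """Statement to append to the key policy of an SSE-KMS bucket key."""
    return {"Effect": "Allow", "Principal": {"Service": FLEETWISE_PRINCIPAL},
            "Action": ["kms:GenerateDataKey", "kms:Decrypt"], "Resource": key_arn}


def _condition_holds(operator, pattern, value):
    if value is None:  # key absent from the request context: a string condition fails
        return False
    if operator == "StringEquals":
        return pattern == value
    if operator == "StringLike":
        return iam_match(pattern, value)
    raise ValueError(f"operator {operator} not modelled")


def is_allowed(policy, action, resource, context):
    """True if some statement allows `action` on `resource` for a request whose
    context (aws:SourceArn, aws:SourceAccount) is `context`; the page's policies
    contain no Deny statements, so none are modelled."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        if not any(iam_match(a, action) for a in _as_list(st["Action"])):
            continue
        if not any(iam_match(r, resource) for r in _as_list(st["Resource"])):
            continue
        conditions = st.get("Condition", {})
        if all(_condition_holds(op, pattern, context.get(key))
               for op, keys in conditions.items() for key, pattern in keys.items()):
            return True
    return False


if __name__ == "__main__":
    # Constructed placeholders: one account, two campaigns in us-east-1.
    acct = "111122223333"
    a = f"arn:aws:iotfleetwise:us-east-1:{acct}:campaign/telemetry-a"
    b = f"arn:aws:iotfleetwise:us-east-1:{acct}:campaign/telemetry-b"
    single = bucket_policy("fleet-bucket", acct, a)
    obj = "arn:aws:s3:::fleet-bucket/raw/part-0001.parquet"
    for arn in (a, b):
        print(arn.rsplit("/", 1)[1], "->",
              is_allowed(single, "s3:PutObject", obj, {"aws:SourceArn": arn, "aws:SourceAccount": acct}))
```

Note that the s3:ListBucket statement carries no condition in either policy on this page, so any AWS IoT FleetWise campaign, in any account, can list the bucket; if that matters to you, add the same aws:SourceArn and aws:SourceAccount condition to that statement as well.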

Grant AWS IoT FleetWise access to an Amazon Timestream destination

When you use a Timestream destination, AWS IoT FleetWise delivers vehicle data to a Timestream table. You must attach the policies to the IAM role to allow AWS IoT FleetWise to send data to Timestream.

If you use the console to create a campaign, AWS IoT FleetWise automatically attaches the required policy to the role.

Note

Amazon Timestream is not available in the Asia Pacific (Mumbai) Region.

Before you start, check the following:

Important
  • You must use the same AWS Region when you create Timestream resources for AWS IoT FleetWise. If you switch AWS Regions, you might have issues accessing the Timestream resources.

  • AWS IoT FleetWise is available in US East (N. Virginia), Europe (Frankfurt), and Asia Pacific (Mumbai).

  • For the list of supported Regions, see Timestream endpoints and quotas in the AWS General Reference.

  • You must have a Timestream database. For a tutorial, see Create a database in the Amazon Timestream Developer Guide.

  • You must have a table created in the specified Timestream database. For a tutorial, see Create a table in the Amazon Timestream Developer Guide.

You can use the AWS CLI to create an IAM role with a trust policy for Timestream. To create an IAM role, run the following command.

To create an IAM role with a trust policy
  • Replace TimestreamExecutionRole with the name of the role you're creating.

  • Replace trust-policy.json with the path of the JSON file that contains the trust policy.

aws iam create-role --role-name TimestreamExecutionRole --assume-role-policy-document file://trust-policy.json

In the trust policy, replace region, account-id, and campaign-name. As with the MQTT role, the aws:SourceArn and aws:SourceAccount conditions restrict the role to one campaign in your account.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "timestreamTrustPolicy",
      "Effect": "Allow",
      "Principal": {
        "Service": "iotfleetwise.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceArn": [
            "arn:aws:iotfleetwise:region:account-id:campaign/campaign-name"
          ],
          "aws:SourceAccount": [
            "account-id"
          ]
        }
      }
    }
  ]
}

Create a permissions policy to give AWS IoT FleetWise permissions to write data into Timestream. To create a permissions policy, run the following command.

To create a permissions policy
  • Replace AWSIoTFleetwiseAccessTimestreamPermissionsPolicy with the name of the policy you're creating.

  • Replace permissions-policy.json with the path of the JSON file that contains the permissions policy.

aws iam create-policy --policy-name AWSIoTFleetwiseAccessTimestreamPermissionsPolicy --policy-document file://permissions-policy.json

In the permissions policy, replace table-arn with the ARN of your Timestream table. Only timestream:DescribeEndpoints needs "Resource": "*"; the table-level actions stay scoped to the one table.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "timestreamIngestion",
      "Effect": "Allow",
      "Action": [
        "timestream:WriteRecords",
        "timestream:Select",
        "timestream:DescribeTable"
      ],
      "Resource": "table-arn"
    },
    {
      "Sid": "timestreamDescribeEndpoint",
      "Effect": "Allow",
      "Action": [
        "timestream:DescribeEndpoints"
      ],
      "Resource": "*"
    }
  ]
}
To attach the permissions policy to your IAM role
  1. From the output, copy the Amazon Resource Name (ARN) of the permissions policy.

  2. To attach the IAM permissions policy to your IAM role, run the following command.

    • Replace permissions-policy-arn with the ARN that you copied in the previous step.

    • Replace TimestreamExecutionRole with the name of the IAM role that you created.

    aws iam attach-role-policy --policy-arn permissions-policy-arn --role-name TimestreamExecutionRole

For more information, see Access management for AWS resources in the IAM User Guide.
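The MQTT and Timestream procedures above share the same shape: a trust policy pinned to one campaign, a permissions policy scoped to one destination, and two CLI calls. The following added example (not code from the AWS IoT FleetWise documentation) generates both documents for either destination and lints them for the two properties the text relies on: that sts:AssumeRole is conditioned on aws:SourceAccount and a campaign aws:SourceArn, and that "Resource": "*" appears only on an action that cannot be scoped (timestream:DescribeEndpoints). The Region, account ID, campaign, topic and table names are constructed placeholders; nothing here calls AWS, and the files it writes are the ones you pass to aws iam create-role and aws iam create-policy with file://.

```python
"""Build and lint the execution-role policies for the MQTT and Timestream
campaign destinations.

Added example, not code from the AWS IoT FleetWise documentation. All Region,
account, campaign, topic and table names are constructed placeholders.
"""
import json

FLEETWISE_PRINCIPAL = "iotfleetwise.amazonaws.com"
# Actions that do not support resource-level permissions and therefore
# legitimately need Resource "*" (the only such action in the policies above).
WILDCARD_ONLY_ACTIONS = {"timestream:DescribeEndpoints"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def campaign_arn(region, account_id, campaign_name):
    return f"arn:aws:iotfleetwise:{region}:{account_id}:campaign/{campaign_name}"


def trust_policy(region, account_id, campaign_name, sid):
    """Let the FleetWise service principal assume the role only on behalf of
    one campaign in one account (the aws:SourceArn + aws:SourceAccount guard)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": sid,
            "Effect": "Allow",
            "Principal": {"Service": FLEETWISE_PRINCIPAL},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {
                "aws:SourceArn": [campaign_arn(region, account_id, campaign_name)],
                "aws:SourceAccount": [account_id],
            }},
        }],
    }


def mqtt_permissions_policy(region, account_id, topic_name):
    """iot:Publish on exactly one topic (ARN form arn:aws:iot:...:topic/<name>)."""
    topic_arn = f"arn:aws:iot:{region}:{account_id}:topic/{topic_name}"
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["iot:Publish"], "Resource": [topic_arn]}]}


def timestream_permissions_policy(table_arn):
    """Write access to one table plus the account-wide DescribeEndpoints call."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "timestreamIngestion", "Effect": "Allow",
         "Action": ["timestream:WriteRecords", "timestream:Select", "timestream:DescribeTable"],
         "Resource": table_arn},
        {"Sid": "timestreamDescribeEndpoint", "Effect": "Allow",
         "Action": ["timestream:DescribeEndpoints"], "Resource": "*"}]}


def lint_trust_policy(policy, account_id):
    """Findings for an sts:AssumeRole grant that is not pinned to this account
    and to a campaign ARN; an empty list means the policy is scoped as above."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action")):
            continue
        sid = st.get("Sid", "<no Sid>")
        cond = st.get("Condition", {}).get("StringEquals", {})
        if account_id not in _as_list(cond.get("aws:SourceAccount", [])):
            findings.append(f"{sid}: aws:SourceAccount is not pinned to {account_id}")
        arns = _as_list(cond.get("aws:SourceArn", []))
        if not arns or not all(a.startswith("arn:aws:iotfleetwise:") and ":campaign/" in a for a in arns):
            findings.append(f"{sid}: aws:SourceArn is not pinned to a campaign ARN")
    return findings


def lint_permissions_policy(policy):
    """Flag Resource "*" on any action that supports resource-level permissions."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or "*" not in _as_list(st.get("Resource")):
            continue
        broad = sorted(set(_as_list(st["Action"])) - WILDCARD_ONLY_ACTIONS)
        if broad:
            findings.append(f"{st.get('Sid', '<no Sid>')}: Resource \"*\" for {broad}")
    return findings


if __name__ == "__main__":
    region, account_id, campaign = "us-east-1", "111122223333", "my-campaign"  # placeholders
    with open("trust-policy.json", "w") as f:
        json.dump(trust_policy(region, account_id, campaign, "mqttTopicTrustPolicy"), f, indent=2)
    with open("permissions-policy.json", "w") as f:
        json.dump(mqtt_permissions_policy(region, account_id, "fleetwise/my-campaign"), f, indent=2)
    print("aws iam create-role --role-name IotTopicExecutionRole "
          "--assume-role-policy-document file://trust-policy.json")
    print("aws iam create-policy --policy-name AWSIoTFleetwiseAccessIotTopicPermissionsPolicy "
          "--policy-document file://permissions-policy.json")
```

Run the linters again on any trust or permissions policy you hand-edit later; a role whose trust policy loses its condition block is assumable by AWS IoT FleetWise on behalf of any campaign in any account.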

Grant AWS IoT Device Management permission to generate the payload for remote commands with AWS IoT FleetWise

When you use the remote commands feature to start a command execution, AWS IoT Device Management will fetch the command and command parameters from the incoming request. It then requires permissions to access AWS IoT FleetWise resources to validate the request and generate the payload. The payload is then sent to the vehicle by AWS IoT Device Management over MQTT to the command request topic that your vehicle has subscribed to.

You must first create an IAM role that grants AWS IoT Device Management the required permissions for generating the payload. Then, provide the ARN of this role to the CreateCommand API using the roleArn field. The following shows some policy examples.

Important

For the IAM role, you must use the same AWS Region as the one where you created the vehicle and command resources. If you switch AWS Region, you might have issues accessing the resources.

The IAM role needs the following trust policy. It lets the AWS IoT service principal (iot.amazonaws.com) assume the role and carries no condition that limits which command executions can use it, so keep the permissions policy attached to the role as narrow as the examples that follow allow.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RemoteCommandsTrustPolicy",
      "Effect": "Allow",
      "Principal": {
        "Service": "iot.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

The following example shows how to grant permissions to generate the payload for all vehicles registered as AWS IoT things.

Note
  • This policy can be overly permissive. Use the principle of least privilege to make sure that you grant only the necessary permissions.

  • To deny permissions instead, change "Effect": "Allow" to "Effect": "Deny" in the IAM policy.

This policy has no placeholders to replace: "Resource": "*" covers every vehicle registered as an AWS IoT thing.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iotfleetwise:GenerateCommandPayload",
      "Resource": "*"
    }
  ]
}

The following example shows how to grant permissions to generate the payload for a specific vehicle registered as an AWS IoT thing.

In this example, replace:

  • <AWS_REGION> with the AWS Region where you are using the AWS IoT FleetWise resources.

  • <ACCOUNT_ID> with your AWS account number.

  • <VEHICLE_NAME> with the IoT thing name for your vehicle.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iotfleetwise:GenerateCommandPayload",
      "Resource": "arn:aws:iot:<AWS_REGION>:<ACCOUNT_ID>:thing/<VEHICLE_NAME>"
    }
  ]
}

The following example shows how to grant permissions to generate the payload for the actuator for a specific vehicle.

In this example, replace:

  • <AWS_REGION> with the AWS Region where you are using the AWS IoT FleetWise resources.

  • <ACCOUNT_ID> with your AWS account number.

  • <VEHICLE_NAME> with the IoT thing name for your vehicle.

  • <SIGNAL_FQN> with the fully qualified name of the signal, such as Vehicle.actuator2.

The ForAnyValue:StringEquals condition on the multi-valued key iotfleetwise:Signals passes when at least one signal in the command is in the listed set. To require that every signal in the command be listed, use ForAllValues:StringEquals instead.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Action": "iotfleetwise:GenerateCommandPayload",
      "Resource": "arn:aws:iot:<AWS_REGION>:<ACCOUNT_ID>:thing/<VEHICLE_NAME>",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "iotfleetwise:Signals": [
            "<SIGNAL_FQN>"
          ]
        }
      }
    }
  ]
}

The following example shows how to grant permissions to generate the payload for a specific vehicle and state template.

In this example, replace:

  • <AWS_REGION> with the AWS Region where you are using the AWS IoT FleetWise resources.

  • <ACCOUNT_ID> with your AWS account number.

  • <VEHICLE_NAME> with the IoT thing name for your vehicle.

  • <STATE_TEMPLATE_ID> with the identifier of your state template.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Action": "iotfleetwise:GenerateCommandPayload",
      "Resource": [
        "arn:aws:iot:<AWS_REGION>:<ACCOUNT_ID>:thing/<VEHICLE_NAME>",
        "arn:aws:iotfleetwise:<AWS_REGION>:<ACCOUNT_ID>:state-template/<STATE_TEMPLATE_ID>"
      ]
    }
  ]
}

If you've enabled customer managed KMS keys for AWS IoT FleetWise, then the following example shows how to grant permissions to generate the payload.

In this example, replace:

  • <AWS_REGION> with the AWS Region where you are using the AWS IoT FleetWise resources.

  • <ACCOUNT_ID> with your AWS account number.

  • <KMS_KEY_ID> with the key ID of your KMS key.

The kms:Decrypt grant is scoped to the one key ARN; the GenerateCommandPayload statement is the fleet-wide one from the first example and can be narrowed the same way as the examples above.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iotfleetwise:GenerateCommandPayload",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:<AWS_REGION>:<ACCOUNT_ID>:key/<KMS_KEY_ID>"
    }
  ]
}
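The remote-command policies above narrow iotfleetwise:GenerateCommandPayload by vehicle, by state template, and by signal, and the Note suggests an explicit Deny as the inverse. The following added example (not code from the AWS IoT FleetWise documentation) builds the per-signal policy and evaluates a set of policies against a command request to show the decisions that matter: a Deny statement wins over a fleet-wide Allow, and ForAnyValue:StringEquals on iotfleetwise:Signals admits a command that mixes a listed signal with an unlisted one, whereas ForAllValues:StringEquals does not. The Region, account ID, thing names and signal names are constructed placeholders, and the evaluator assumes, as the text's condition implies, that the request context carries the fully qualified names of the command's signals under the multi-valued key iotfleetwise:Signals; only the operators these policies use are modelled.

```python
"""Evaluate iotfleetwise:GenerateCommandPayload policies against a command
request: resource ARN (vehicle thing or state template) plus requested signals.

Added example, not code from the AWS IoT FleetWise documentation. Region,
account ID, thing names and signals are constructed placeholders; it assumes
the request context exposes the command's signals as iotfleetwise:Signals.
"""
import re

ACTION = "iotfleetwise:GenerateCommandPayload"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def iam_match(pattern, value):
    """IAM wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None


def vehicle_signal_policy(region, account_id, vehicle_name, signals, set_operator="ForAnyValue"):
    """The per-actuator policy from the text; set_operator lets you compare
    ForAnyValue (as in the text) with the stricter ForAllValues."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "Statement1", "Effect": "Allow", "Action": ACTION,
        "Resource": f"arn:aws:iot:{region}:{account_id}:thing/{vehicle_name}",
        "Condition": {f"{set_operator}:StringEquals": {"iotfleetwise:Signals": list(signals)}},
    }]}


def _condition_holds(operator, allowed, requested):
    """Set-operator semantics for a multi-valued context key."""
    allowed = _as_list(allowed)
    set_op, _, string_op = operator.rpartition(":")
    if string_op != "StringEquals" or set_op not in ("ForAnyValue", "ForAllValues"):
        raise ValueError(f"operator {operator} not modelled")
    if set_op == "ForAnyValue":  # at least one requested value is in the allowed set
        return any(v in allowed for v in requested)
    # ForAllValues: every requested value is allowed; note an empty request passes
    return all(v in allowed for v in requested)


def decision(policies, resource, signals=()):
    """'deny' if any matching statement denies, 'allow' if one allows,
    otherwise 'implicit deny' (the IAM evaluation order)."""
    context = {"iotfleetwise:Signals": list(signals)}
    outcome = "implicit deny"
    for policy in policies:
        for st in policy["Statement"]:
            if ACTION not in _as_list(st["Action"]):
                continue
            if not any(iam_match(r, resource) for r in _as_list(st["Resource"])):
                continue
            conditions = st.get("Condition", {})
            if not all(_condition_holds(op, allowed, context.get(key, []))
                       for op, keys in conditions.items() for key, allowed in keys.items()):
                continue
            if st["Effect"] == "Deny":
                return "deny"
            outcome = "allow"
    return outcome


if __name__ == "__main__":
    region, acct = "us-east-1", "111122223333"  # constructed placeholders
    truck = f"arn:aws:iot:{region}:{acct}:thing/truck-01"
    for op in ("ForAnyValue", "ForAllValues"):
        pol = vehicle_signal_policy(region, acct, "truck-01", ["Vehicle.actuator2"], set_operator=op)
        print(op, "mixed request ->", decision([pol], truck, ["Vehicle.actuator2", "Vehicle.actuator7"]))
```

Because ForAllValues passes when the key is absent or empty, pair it with a "Null": {"iotfleetwise:Signals": "false"} condition if the role must never generate a payload for a command that names no signals.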