IAM IoT Policies
AWS Identity and Access Management defines a policy action for each operation defined by AWS IoT, including control plane and data plane APIs.
AWS IoT API Permissions
The following table lists the AWS IoT API, the IAM permissions required, and the resource the API manipulates.
| API | Required permission (policy actions) | Resources |
|---|---|---|
| AcceptCertificateTransfer | iot:AcceptCertificateTransfer |
arn:aws:iot: Note The AWS account specified in the ARN must be the account to which the certificate is being transferred. |
| AddLoggingRole | iot:AddLoggingRole | none |
| AddThingToThingGroup | iot:AddThingToThingGroup |
arn:aws:iot: arn:aws:iot: |
| AssociateTargetsWithJob | iot:AssociateTargetsWithJob | none |
| AttachPolicy | iot:AttachPolicy |
arn:aws:iot: or arn:aws:iot: |
| AttachPrincipalPolicy | iot:AttachPrincipalPolicy |
arn:aws:iot: |
| AttachThingPrincipal | iot:AttachThingPrincipal |
arn:aws:iot: |
| CancelCertificateTransfer | iot:CancelCertificateTransfer |
arn:aws:iot: Note The AWS account specified in the ARN must be the account to which the certificate is being transferred. |
| CancelJob | iot:CancelJob |
arn:aws:iot: |
| ClearDefaultAuthorizer | iot:ClearDefaultAuthorizer | none |
| CreateAuthorizer | iot:CreateAuthorizer |
arn:aws:iot: |
| CreateCertificateFromCsr | iot:CreateCertificateFromCsr | * |
| CreateJob | iot:CreateJob |
arn:aws:iot: |
| CreateKeysAndCertificate | iot:CreateKeysAndCertificate | * |
| CreateMessageSchema | iot:CreateMessageSchema | none |
| CreatePolicy | iot:CreatePolicy | * |
| CreatePolicyVersion | iot:CreatePolicyVersion |
arn:aws:iot: Note This must be an AWS IoT policy, not an IAM policy. |
| CreateRoleAlias | iot:CreateRoleAlias |
(parameter: roleAlias) arn:aws:iot: |
| CreateThing | iot:CreateThing |
arn:aws:iot: |
| CreateThingGroup | iot:CreateThingGroup |
arn:aws:iot: for group being created and for parent group, if used |
| CreateThingType | iot:CreateThingType |
arn:aws:iot: |
| CreateTopicRule | iot:CreateTopicRule |
arn:aws:iot: |
| DeleteAuthorizer | iot:DeleteAuthorizer |
arn:aws:iot: |
| DeleteCACertificate | iot:DeleteCACertificate |
arn:aws:iot: |
| DeleteCertificate | iot:DeleteCertificate |
arn:aws:iot: |
| DeleteJob | iot:DeleteJob |
|
| DeleteJobExecution | iot:DeleteJobExecution |
|
| DeleteLoggingLevel | iot:DeleteLoggingLevel |
arn:aws:iot: |
| DeleteLoggingRole | iot:DeleteLoggingRole | none |
| DeleteMessageSchema | iot:DeleteMessageSchema | none |
| DeletePolicy | iot:DeletePolicy |
arn:aws:iot: |
| DeletePolicyVersion | iot:DeletePolicyVersion |
arn:aws:iot: |
| DeleteRegistrationCode | iot:DeleteRegistrationCode | * |
| DeleteRoleAlias | iot:DeleteRoleAlias |
arn:aws:iot: |
| DeleteThing | iot:DeleteThing |
arn:aws:iot: |
| DeleteThingGroup | iot:DeleteThingGroup |
arn:aws:iot: |
| DeleteThingType | iot:DeleteThingType |
arn:aws:iot: |
| DeleteTopicRule | iot:DeleteTopicRule |
arn:aws:iot: |
| DeleteV2LoggingLevel | iot:DeleteV2LoggingLevel |
arn:aws:iot: |
| DeprecateThingType | iot:DeprecateThingType |
arn:aws:iot: |
| DescribeAuthorizer | iot:DescribeAuthorizer |
arn:aws:iot: (parameter: authorizerName) none |
| DescribeCACertificate | iot:DescribeCACertificate |
arn:aws:iot: |
| DescribeCertificate | iot:DescribeCertificate |
arn:aws:iot: |
| DescribeDefaultAuthorizer | iot:DescribeDefaultAuthorizer | none |
| DescribeEndpoint | iot:DescribeEndpoint | * |
| DescribeEventConfigurations | iot:DescribeEventConfigurations | none |
| DescribeIndex | iot:DescribeIndex |
arn:aws:iot: |
| DescribeJob | iot:DescribeJob |
arn:aws:iot: |
| DescribeJobExecution | iot:DescribeJobExecution | none |
| DescribeRoleAlias | iot:DescribeRoleAlias |
arn:aws:iot: |
| DescribeThing | iot:DescribeThing |
arn:aws:iot: |
| DescribeThingGroup | iot:DescribeThingGroup |
arn:aws:iot: |
| DescribeThingRegistrationTask | iot:DescribeThingRegistrationTask | none |
| DescribeThingType | iot:DescribeThingType |
arn:aws:iot: |
| DetachPolicy | iot:DetachPolicy |
arn:aws:iot: or arn:aws:iot: |
| DetachPrincipalPolicy | iot:DetachPrincipalPolicy |
arn:aws:iot: |
| DetachThingPrincipal | iot:DetachThingPrincipal |
arn:aws:iot: |
| DisableTopicRule | iot:DisableTopicRule |
arn:aws:iot: |
| EnableTopicRule | iot:EnableTopicRule |
arn:aws:iot: |
| GetEffectivePolicies | iot:GetEffectivePolicies |
arn:aws:iot: |
| GetIndexingConfiguration | iot:GetIndexingConfiguration | none |
| GetJobDocument | iot:GetJobDocument |
arn:aws:iot: |
| GetLoggingOptions | iot:GetLoggingOptions | * |
| GetLoggingOptionsV2 | iot:GetLoggingOptionsV2 | none |
| GetLoggingRole | iot:GetLoggingRole | none |
| GetMessageSchema | iot:GetMessageSchema | none |
| GetPolicy | iot:GetPolicy |
arn:aws:iot: |
| GetPolicyVersion | iot:GetPolicyVersion |
arn:aws:iot: |
| GetRegistrationCode | iot:GetRegistrationCode | * |
| GetTopicRule | iot:GetTopicRule |
arn:aws:iot: |
| GetV2LoggingOptions | iot:GetV2LoggingOptions | none |
| ListAttachedPolicies | iot:ListAttachedPolicies |
arn:aws:iot: or arn:aws:iot: |
| ListAuthorizers | iot:ListAuthorizers | none |
| ListCACertificates | iot:ListCACertificates | * |
| ListCertificates | iot:ListCertificates | * |
| ListCertificatesByCA | iot:ListCertificatesByCA | * |
| ListIndices | iot:ListIndices | none |
| ListJobExecutionsForJob | iot:ListJobExecutionsForJob | none |
| ListJobExecutionsForThing | iot:ListJobExecutionsForThing | none |
| ListJobs | iot:ListJobs |
arn:aws:iot: if thingGroupName parameter used |
| ListLoggingLevels | iot:ListLoggingLevels | none |
| ListMessageSchemas | iot:ListMessageSchemas | none |
| ListOutgoingCertificates | iot:ListOutgoingCertificates | * |
| ListPolicies | iot:ListPolicies | * |
| ListPolicyPrincipals | iot:ListPolicyPrincipals |
arn:aws:iot: |
| ListPolicyVersions | iot:ListPolicyVersions |
arn:aws:iot: |
| ListPrincipalPolicies | iot:ListPrincipalPolicies |
arn:aws:iot: |
| ListPrincipalThings | iot:ListPrincipalThings |
arn:aws:iot: |
| ListRoleAliases | iot:ListRoleAliases | none |
| ListTargetsForPolicy | iot:ListTargetsForPolicy |
arn:aws:iot: |
| ListThingGroups | iot:ListThingGroups | none |
| ListThingGroupsForThing | iot:ListThingGroupsForThing |
arn:aws:iot: |
| ListThingPrincipals | iot:ListThingPrincipals |
arn:aws:iot: |
| ListThingRegistrationTaskReports | iot:ListThingRegistrationTaskReports | none |
| ListThingRegistrationTasks | iot:ListThingRegistrationTasks | none |
| ListThingTypes | iot:ListThingTypes | * |
| ListThings | iot:ListThings | * |
| ListThingsInThingGroup | iot:ListThingsInThingGroup |
arn:aws:iot: |
| ListTopicRules | iot:ListTopicRules | * |
| ListV2LoggingLevels | iot:ListV2LoggingLevels | none |
| RegisterCACertificate | iot:RegisterCACertificate | * |
| RegisterCertificate | iot:RegisterCertificate | * |
| RegisterThing | iot:RegisterThing | none |
| RejectCertificateTransfer | iot:RejectCertificateTransfer |
arn:aws:iot: |
| RemoveThingFromThingGroup | iot:RemoveThingFromThingGroup |
arn:aws:iot: arn:aws:iot: |
| ReplaceTopicRule | iot:ReplaceTopicRule |
arn:aws:iot: |
| SearchIndex | iot:SearchIndex |
arn:aws:iot: |
| SetDefaultAuthorizer | iot:SetDefaultAuthorizer |
arn:aws:iot: |
| SetDefaultPolicyVersion | iot:SetDefaultPolicyVersion |
arn:aws:iot: |
| SetLoggingLevel | iot:SetLoggingLevel | none |
| SetLoggingOptions | iot:SetLoggingOptions |
arn:aws:iot: |
| SetLoggingOptionsV2 | iot:SetLoggingOptionsV2 |
arn:aws:iot: |
| SetV2LoggingLevel | iot:SetV2LoggingLevel |
arn:aws:iot: |
| SetV2LoggingOptions | iot:SetV2LoggingOptions |
arn:aws:iot: |
| StartThingRegistrationTask | iot:StartThingRegistrationTask | none |
| StopThingRegistrationTask | iot:StopThingRegistrationTask | none |
| TestAuthorization | iot:TestAuthorization |
arn:aws:iot: |
| TestInvokeAuthorizer | iot:TestInvokeAuthorizer | none |
| TransferCertificate | iot:TransferCertificate |
arn:aws:iot: |
| UpdateAuthorizer | iot:UpdateAuthorizer |
arn:aws:iot: |
| UpdateCACertificate | iot:UpdateCACertificate |
arn:aws:iot: |
| UpdateCertificate | iot:UpdateCertificate |
arn:aws:iot: |
| UpdateEventConfigurations | iot:UpdateEventConfigurations | none |
| UpdateIndexingConfiguration | iot:UpdateIndexingConfiguration | none |
| UpdateMessageSchema | iot:UpdateMessageSchema | none |
| UpdateRoleAlias | iot:UpdateRoleAlias |
arn:aws:iot: |
| UpdateThing | iot:UpdateThing |
arn:aws:iot: |
| UpdateThingGroup | iot:UpdateThingGroup |
arn:aws:iot: |
| UpdateThingGroupsForThing | iot:UpdateThingGroupsForThing |
arn:aws:iot: |
IAM Policy Templates
AWS IoT provides a set of IAM policy templates you can either use as-is or as a starting point for creating custom IAM policies. These templates allow access to configuration and data operations. Configuration operations allow you to create things, certificates, policies, and rules. Data operations send data over MQTT or HTTP protocols. The following table describes these templates.
| Policy Template | Description |
|---|---|
| AWSIotLogging |
Allows the associated identity to configure CloudWatch logging. This policy is attached to your CloudWatch logging role. |
| AWSIoTConfigAccess | Allows the associated identity access to all AWS IoT configuration operations. This policy can affect data processing and storage. |
| AWSIoTConfigReadOnlyAccess | Allows the associated identity to call read-only configuration operations. |
| AWSIoTDataAccess | Allows the associated identity full access to all AWS IoT data operations. Data operations send data over MQTT or HTTP protocols. |
| AWSIoTFullAccess | Allows the associated identity full access to all AWS IoT configuration and data operations. |
|
AWSIoTOTAUpdate |
Allows the associated identity access to create AWS IoT jobs and AWS IoT code signing jobs. |
| AWSIoTRuleActions | Allows the associated identity access to all AWS services supported in AWS IoT rule actions. |
| AWSIoTThingsRegistration | Allows the associated identity to register things in bulk using StartThingRegistrationTask. This policy can affect data processing and storage. |
