IAM IoT Policies
AWS Identity and Access Management defines a policy action for each operation defined by AWS IoT, including control plane and data plane APIs.
AWS IoT API Permissions
The following table lists the AWS IoT API, the IAM permissions required, and the resource the API manipulates.
| API | Required permission (policy actions) | Resources |
|---|---|---|
| AcceptCertificateTransfer | iot:AcceptCertificateTransfer |
arn:aws:iot: Note The AWS account specified in the ARN must be the account to which the certificate is being transferred. |
| AddThingToThingGroup | iot:AddThingToThingGroup |
arn:aws:iot: arn:aws:iot: |
| AssociateTargetsWithJob | iot:AssociateTargetsWithJob | none |
| AttachPolicy | iot:AttachPolicy |
arn:aws:iot: or arn:aws:iot: |
| AttachPrincipalPolicy | iot:AttachPrincipalPolicy |
arn:aws:iot: |
| AttachThingPrincipal | iot:AttachThingPrincipal |
arn:aws:iot: |
| CancelCertificateTransfer | iot:CancelCertificateTransfer |
arn:aws:iot: Note The AWS account specified in the ARN must be the account to which the certificate is being transferred. |
| CancelJob | iot:CancelJob |
arn:aws:iot: |
| CancelJobExecution | iot:CancelJobExecution |
arn:aws:iot: arn:aws:iot: |
| ClearDefaultAuthorizer | iot:ClearDefaultAuthorizer | none |
| CreateAuthorizer | iot:CreateAuthorizer |
arn:aws:iot: |
| CreateCertificateFromCsr | iot:CreateCertificateFromCsr | * |
| CreateJob | iot:CreateJob |
arn:aws:iot: |
| CreateKeysAndCertificate | iot:CreateKeysAndCertificate | * |
| CreatePolicy | iot:CreatePolicy | * |
| CreatePolicyVersion | iot:CreatePolicyVersion |
arn:aws:iot: Note This must be an AWS IoT policy, not an IAM policy. |
| CreateRoleAlias | iot:CreateRoleAlias |
(parameter: roleAlias) arn:aws:iot: |
| CreateThing | iot:CreateThing |
arn:aws:iot: |
| CreateThingGroup | iot:CreateThingGroup |
arn:aws:iot: for group being created and for parent group, if used |
| CreateThingType | iot:CreateThingType |
arn:aws:iot: |
| CreateTopicRule | iot:CreateTopicRule |
arn:aws:iot: |
| DeleteAuthorizer | iot:DeleteAuthorizer |
arn:aws:iot: |
| DeleteCACertificate | iot:DeleteCACertificate |
arn:aws:iot: |
| DeleteCertificate | iot:DeleteCertificate |
arn:aws:iot: |
| DeleteJob | iot:DeleteJob |
|
| DeleteJobExecution | iot:DeleteJobExecution |
|
| DeletePolicy | iot:DeletePolicy |
arn:aws:iot: |
| DeletePolicyVersion | iot:DeletePolicyVersion |
arn:aws:iot: |
| DeleteRegistrationCode | iot:DeleteRegistrationCode | * |
| DeleteRoleAlias | iot:DeleteRoleAlias |
arn:aws:iot: |
| DeleteThing | iot:DeleteThing |
arn:aws:iot: |
| DeleteThingGroup | iot:DeleteThingGroup |
arn:aws:iot: |
| DeleteThingType | iot:DeleteThingType |
arn:aws:iot: |
| DeleteTopicRule | iot:DeleteTopicRule |
arn:aws:iot: |
| DeleteV2LoggingLevel | iot:DeleteV2LoggingLevel |
arn:aws:iot: |
| DeprecateThingType | iot:DeprecateThingType |
arn:aws:iot: |
| DescribeAuthorizer | iot:DescribeAuthorizer |
arn:aws:iot: (parameter: authorizerName) none |
| DescribeCACertificate | iot:DescribeCACertificate |
arn:aws:iot: |
| DescribeCertificate | iot:DescribeCertificate |
arn:aws:iot: |
| DescribeDefaultAuthorizer | iot:DescribeDefaultAuthorizer | none |
| DescribeEndpoint | iot:DescribeEndpoint | * |
| DescribeEventConfigurations | iot:DescribeEventConfigurations | none |
| DescribeIndex | iot:DescribeIndex |
arn:aws:iot: |
| DescribeJob | iot:DescribeJob |
arn:aws:iot: |
| DescribeJobExecution | iot:DescribeJobExecution | none |
| DescribeRoleAlias | iot:DescribeRoleAlias |
arn:aws:iot: |
| DescribeThing | iot:DescribeThing |
arn:aws:iot: |
| DescribeThingGroup | iot:DescribeThingGroup |
arn:aws:iot: |
| DescribeThingRegistrationTask | iot:DescribeThingRegistrationTask | none |
| DescribeThingType | iot:DescribeThingType |
arn:aws:iot: |
| DetachPolicy | iot:DetachPolicy |
arn:aws:iot: or arn:aws:iot: |
| DetachPrincipalPolicy | iot:DetachPrincipalPolicy |
arn:aws:iot: |
| DetachThingPrincipal | iot:DetachThingPrincipal |
arn:aws:iot: |
| DisableTopicRule | iot:DisableTopicRule |
arn:aws:iot: |
| EnableTopicRule | iot:EnableTopicRule |
arn:aws:iot: |
| GetEffectivePolicies | iot:GetEffectivePolicies |
arn:aws:iot: |
| GetIndexingConfiguration | iot:GetIndexingConfiguration | none |
| GetJobDocument | iot:GetJobDocument |
arn:aws:iot: |
| GetLoggingOptions | iot:GetLoggingOptions | * |
| GetPolicy | iot:GetPolicy |
arn:aws:iot: |
| GetPolicyVersion | iot:GetPolicyVersion |
arn:aws:iot: |
| GetRegistrationCode | iot:GetRegistrationCode | * |
| GetTopicRule | iot:GetTopicRule |
arn:aws:iot: |
| ListAttachedPolicies | iot:ListAttachedPolicies |
arn:aws:iot: or arn:aws:iot: |
| ListAuthorizers | iot:ListAuthorizers | none |
| ListCACertificates | iot:ListCACertificates | * |
| ListCertificates | iot:ListCertificates | * |
| ListCertificatesByCA | iot:ListCertificatesByCA | * |
| ListIndices | iot:ListIndices | none |
| ListJobExecutionsForJob | iot:ListJobExecutionsForJob | none |
| ListJobExecutionsForThing | iot:ListJobExecutionsForThing | none |
| ListJobs | iot:ListJobs |
arn:aws:iot: if thingGroupName parameter used |
| ListOutgoingCertificates | iot:ListOutgoingCertificates | * |
| ListPolicies | iot:ListPolicies | * |
| ListPolicyPrincipals | iot:ListPolicyPrincipals |
arn:aws:iot: |
| ListPolicyVersions | iot:ListPolicyVersions |
arn:aws:iot: |
| ListPrincipalPolicies | iot:ListPrincipalPolicies |
arn:aws:iot: |
| ListPrincipalThings | iot:ListPrincipalThings |
arn:aws:iot: |
| ListRoleAliases | iot:ListRoleAliases | none |
| ListTargetsForPolicy | iot:ListTargetsForPolicy |
arn:aws:iot: |
| ListThingGroups | iot:ListThingGroups | none |
| ListThingGroupsForThing | iot:ListThingGroupsForThing |
arn:aws:iot: |
| ListThingPrincipals | iot:ListThingPrincipals |
arn:aws:iot: |
| ListThingRegistrationTaskReports | iot:ListThingRegistrationTaskReports | none |
| ListThingRegistrationTasks | iot:ListThingRegistrationTasks | none |
| ListThingTypes | iot:ListThingTypes | * |
| ListThings | iot:ListThings | * |
| ListThingsInThingGroup | iot:ListThingsInThingGroup |
arn:aws:iot: |
| ListTopicRules | iot:ListTopicRules | * |
| ListV2LoggingLevels | iot:ListV2LoggingLevels | none |
| RegisterCACertificate | iot:RegisterCACertificate | * |
| RegisterCertificate | iot:RegisterCertificate | * |
| RegisterThing | iot:RegisterThing | none |
| RejectCertificateTransfer | iot:RejectCertificateTransfer |
arn:aws:iot: |
| RemoveThingFromThingGroup | iot:RemoveThingFromThingGroup |
arn:aws:iot: arn:aws:iot: |
| ReplaceTopicRule | iot:ReplaceTopicRule |
arn:aws:iot: |
| SearchIndex | iot:SearchIndex |
arn:aws:iot: |
| SetDefaultAuthorizer | iot:SetDefaultAuthorizer |
arn:aws:iot: |
| SetDefaultPolicyVersion | iot:SetDefaultPolicyVersion |
arn:aws:iot: |
| SetLoggingOptions | iot:SetLoggingOptions |
arn:aws:iot: |
| SetV2LoggingLevel | iot:SetV2LoggingLevel |
arn:aws:iot: |
| SetV2LoggingOptions | iot:SetV2LoggingOptions |
arn:aws:iot: |
| StartThingRegistrationTask | iot:StartThingRegistrationTask | none |
| StopThingRegistrationTask | iot:StopThingRegistrationTask | none |
| TestAuthorization | iot:TestAuthorization |
arn:aws:iot: |
| TestInvokeAuthorizer | iot:TestInvokeAuthorizer | none |
| TransferCertificate | iot:TransferCertificate |
arn:aws:iot: |
| UpdateAuthorizer | iot:UpdateAuthorizer |
arn:aws:iot: |
| UpdateCACertificate | iot:UpdateCACertificate |
arn:aws:iot: |
| UpdateCertificate | iot:UpdateCertificate |
arn:aws:iot: |
| UpdateEventConfigurations | iot:UpdateEventConfigurations | none |
| UpdateIndexingConfiguration | iot:UpdateIndexingConfiguration | none |
| UpdateRoleAlias | iot:UpdateRoleAlias |
arn:aws:iot: |
| UpdateThing | iot:UpdateThing |
arn:aws:iot: |
| UpdateThingGroup | iot:UpdateThingGroup |
arn:aws:iot: |
| UpdateThingGroupsForThing | iot:UpdateThingGroupsForThing |
arn:aws:iot: |
IAM Managed Policies
AWS IoT provides a set of IAM managed policies you can either use as-is or as a starting point for creating custom IAM policies. These templates allow access to configuration and data operations. Configuration operations allow you to create things, certificates, policies, and rules. Data operations send data over MQTT or HTTP protocols. The following table describes these templates.
| Policy Template | Description |
|---|---|
| AWSIoTConfigAccess | Allows the associated identity access to all AWS IoT configuration operations. This policy can affect data processing and storage. |
| AWSIoTConfigReadOnlyAccess | Allows the associated identity to access read-only configuration operations. |
| AWSIoTDataAccess | Allows the associated identity full access to all AWS IoT data operations. Data operations send data over MQTT or HTTP protocols. |
| AWSIoTEventsFullAccess | Allows the associated identity full access to AWS IoT events. |
| AWSIoTEventsReadOnlyAccess | Allows the associated identity read only access to AWS IoT events. |
| AWSIoTFullAccess | Allows the associated identity full access to all AWS IoT configuration and messaging operations. |
| AWSIotLogging |
Allows the associated identity to create Amazon CloudWatch Logs groups and strean logs to the groups. This policy is attached to your CloudWatch logging role. |
|
AWSIoTOTAUpdate |
Allows the associated identity to create AWS IoT jobs, AWS IoT code signing jobs, and to describe AWS code signer jobs. |
| AWSIoTRuleActions | Allows the associated identity access to all AWS services supported in AWS IoT rule actions. |
| AWSIoTThingsRegistration | Allows the associated identity to register things in bulk using the StartThingRegistrationTask API. This policy can affect data processing and storage. |
