Publish/Subscribe Policy Examples
The policy you use depends on how you are connecting to AWS IoT. You can connect to AWS IoT using an MQTT client, HTTP, or WebSocket. When you connect with an MQTT client, you are authenticating with an X.509 certificate. When you connect over HTTP or the WebSocket protocol, you are authenticating with Signature Version 4 and Amazon Cognito.
Policies for MQTT Clients
When you specify topic filters in AWS IoT policies for MQTT clients, MQTT wildcard
characters "+" and "#" are treated as literal characters. Their use might result
in
unexpected behavior. For example, the following policy allows a client to subscribe
to the
topic filter foo/+/bar only:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "iot:Subscribe" ], "Resource": [ "arn:aws:iot:us-east-1:123456789012:topicfilter/foo/+/bar" ] } ] }
Note
The MQTT wildcard character '+' is not treated as a wildcard within a policy. Attempts
to subscribe to topic filters that match the pattern foo/+/bar like
foo/baz/bar or foo/goo/bar fails and causes the client to
disconnect.
You can use "*" as a wildcard in the resource attribute of the policy. For example, the following policy allows the certificate holder to publish to all topics and subscribe to all topic filters in the AWS account:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:*" ], "Resource": [ "*" ] } ] }
The following policy allows the certificate holder to publish to all topics in the AWS account:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Publish", "iot:Connect" ], "Resource": [ "*" ] } ] }
You can also use the "*" wildcard at the end of a topic filter. For example, the following
policy allows the certificate holder to subscribe to a topic filter matching
the pattern
foo/bar/*:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "iot:Subscribe" ], "Resource": [ "arn:aws:iot:us-east-1:123456789012:topicfilter/foo/bar/*" ] } ] }
The following policy allows the certificate holder to publish to the foo/bar
and foo/baz topics:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "iot:Publish" ], "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/foo/bar", "arn:aws:iot:us-east-1:123456789012:topic/foo/baz" ] } ] }
The following policy prevents the certificate holder from publishing to the
foo/bar topic:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": [ "*" ] }, { "Effect": "Deny", "Action": [ "iot:Publish" ], "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/foo/bar" ] } ] }
The following policy allows the certificate holder to publish on topic foo
and prevents the certificate holder from publishing to topic bar:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "iot:Publish" ], "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/foo" ] }, { "Effect": "Deny", "Action": [ "iot:Publish" ], "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/bar" ] } ] }
The following policy allows the certificate holder to subscribe to topic filter
foo/bar:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "iot:Subscribe" ], "Resource": [ "arn:aws:iot:us-east-1:123456789012:topicfilter/foo/bar" ] } ] }
The following policy allows the certificate holder to publish on the
arn:aws:iot:us-east-1:123456789012:topic/iotmonitor/provisioning/8050373158915119971
topic and allows the certificate holder to subscribe to the topic filter
arn:aws:iot:us-east-1:123456789012:topicfilter/iotmonitor/provisioning/8050373158915119971:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "iot:Publish", "iot:Receive" ], "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/iotmonitor/provisioning/8050373158915119971" ] }, { "Effect": "Allow", "Action": [ "iot:Subscribe" ], "Resource": [ "arn:aws:iot:us-east-1:123456789012:topicfilter/iotmonitor/provisioning/8050373158915119971" ] } ] }
Policies for HTTP and WebSocket Clients
For the following operations, AWS IoT uses AWS IoT policies attached to Amazon Cognito
identities
(through the AttachPolicy API) to scope down the permissions attached to the
Amazon Cognito identity pool with authenticated identities. That means an Amazon
Cognito identity needs
permission from the IAM role policy attached to the pool and the AWS IoT policy
attached to
the Amazon Cognito identity through the AWS IoT AttachPolicy API.
-
iot:Connect -
iot:Publish -
iot:Subscribe -
iot:Receive -
iot:GetThingShadow -
iot:UpdateThingShadow -
iot:DeleteThingShadow
Note
For other AWS IoT operations or for unauthenticated identities, AWS IoT does not scope down the permissions attached to the Amazon Cognito identity pool role. For both authenticated and unauthenticated identities, this is the most permissive policy that we recommend attaching to the Amazon Cognito pool role.
To allow unauthenticated Amazon Cognito identities to publish messages over HTTP on any topic, attach the following policy to the Amazon Cognito identity pool role:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect", "iot:Publish", "iot:Subscribe", "iot:Receive", "iot:GetThingShadow", "iot:UpdateThingShadow", "iot:DeleteThingShadow" ], "Resource": ["*"] }] }
To allow unauthenticated Amazon Cognito identities to publish MQTT messages over HTTP on any topic in your account, attach the following policy to the Amazon Cognito identity pool role:
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": ["iot:Publish"], "Resource": ["*"] }] }
Note
This example is for illustration only. Unless your service absolutely requires it, we recommend the use of a more restrictive policy, one that does not allow unauthenticated Amazon Cognito identities to publish on any topic.
To allow unauthenticated Amazon Cognito identities to publish MQTT messages over HTTP
on
topic1 in your account, attach the following policy to your Amazon Cognito identity
pool role:
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": ["iot:Publish"], "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/topic1"] }] }
For an authenticated Amazon Cognito identity to publish MQTT messages over HTTP on
topic1 in your AWS account, you must specify two policies, as outlined
here. The first policy must be attached to an Amazon Cognito identity pool
role. It allows identities
from that pool to make a publish call. The second policy must be attached to
an Amazon Cognito user
using the AWS IoT AttachPolicy API. It allows the specified Amazon Cognito user access to the
topic1 topic.
Amazon Cognito identity pool policy:
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "iot:Publish"], "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/topic1"] }] }
Amazon Cognito user policy:
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": ["iot:Publish"], "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/topic1"] }] }
Similarly, the following example policy allows the Amazon Cognito user to publish
MQTT messages
over HTTP on the topic1 and topic2 topics. Two policies are
required. The first policy gives the Amazon Cognito identity pool role the
ability to make the
publish call. The second policy gives the Amazon Cognito user access to the
topic1 and
topic2 topics.
Amazon Cognito identity pool policy:
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": ["iot:Publish"], "Resource": ["*"] }] }
Amazon Cognito user policy:
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": ["iot:Publish"], "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/topic1", "arn:aws:iot:us-east-1:123456789012:topic/topic2" ] }] }
The following policies allow multiple Amazon Cognito users to publish to a topic.
Two policies per
Amazon Cognito identity are required. The first policy gives the Amazon Cognito
identity pool role the ability
to make the publish call. The second and third policies give the Amazon Cognito
users access to the
topics topic1 and topic2, respectively.
Amazon Cognito identity pool policy:
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": ["iot:Publish"], "Resource": ["*"] }] }
Amazon Cognito user1 policy:
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": ["iot:Publish"], "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/topic1"] }] }
Amazon Cognito user2 policy:
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": ["iot:Publish"], "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/topic2"] }] }
Receive Policy Examples
The following policy prevents the certificate holder using any client ID from receiving messages from a topic:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": [ "iot:Receive" ], "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/foo/restricted" ] }, { "Effect": "Allow", "Action": [ "iot:*" ], "Resource": [ "*" ] } ] }
The following policy allows the certificate holder using any client ID to subscribe and receive messages on one topic:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": [*] }, { "Effect": "Allow", "Action": [ "iot:Subscribe" ], "Resource": [ "arn:aws:iot:us-east-1:123456789012:topicfilter/foo/bar" ] }, { "Effect": "Allow", "Action": [ "iot:Receive" ], "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/foo/bar" ] } ] }
