Actions, resources, and condition keys for AWS IoT
AWS IoT (service prefix: iot) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.
References:
- Learn how to configure this service.
- View a list of the API operations available for this service.
- Learn how to secure this service and its resources by using IAM permission policies.
Actions defined by AWS IoT
You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.
The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.
The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.
Note
Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.
For details about the columns in the following table, see Actions table.
Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
---|---|---|---|---|---|
AcceptCertificateTransfer | Grants permission to accept a pending certificate transfer | Write | |||
AddThingToBillingGroup | Grants permission to add a thing to the specified billing group | Write | |||
AddThingToThingGroup | Grants permission to add a thing to the specified thing group | Write | |||
AssociateSbomWithPackageVersion | Grants permission to associate SBOM files to a package version | Write | | | iot:GetIndexingConfiguration |
AssociateTargetsWithJob | Grants permission to associate a group with a continuous job | Write | |||
AttachPolicy | Grants permission to attach a policy to the specified target | Permissions management | |||
AttachPrincipalPolicy | Grants permission to attach the specified policy to the specified principal (certificate or other credential) | Permissions management | |||
AttachSecurityProfile | Grants permission to associate a Device Defender security profile with a thing group or with this account | Write | |||
AttachThingPrincipal | Grants permission to attach the specified principal to the specified thing | Write | |||
CancelAuditMitigationActionsTask | Grants permission to cancel a mitigation action task that is in progress | Write | |||
CancelAuditTask | Grants permission to cancel an audit that is in progress. The audit can be either scheduled or on-demand | Write | |||
CancelCertificateTransfer | Grants permission to cancel a pending transfer for the specified certificate | Write | |||
CancelDetectMitigationActionsTask | Grants permission to cancel a Device Defender ML Detect mitigation action | Write | |||
CancelJob | Grants permission to cancel a job | Write | |||
CancelJobExecution | Grants permission to cancel a job execution on a particular device | Write | |||
ClearDefaultAuthorizer | Grants permission to clear the default authorizer | Write | |||
CloseTunnel | Grants permission to close a tunnel | Write | |||
ConfirmTopicRuleDestination | Grants permission to confirm an HTTP URL TopicRuleDestination | Write | |||
Connect | Grants permission to connect as the specified client | Write | |||
CreateAuditSuppression | Grants permission to create a Device Defender audit suppression | Write | |||
CreateAuthorizer | Grants permission to create an authorizer | Write | |||
CreateBillingGroup | Grants permission to create a billing group | Write | |||
CreateCertificateFromCsr | Grants permission to create an X.509 certificate using the specified certificate signing request | Write | |||
CreateCertificateProvider | Grants permission to create a certificate provider | Write | |||
CreateCustomMetric | Grants permission to create a custom metric for device side metric reporting and monitoring | Write | |||
CreateDimension | Grants permission to define a dimension that can be used to limit the scope of a metric used in a security profile | Write | |||
CreateDomainConfiguration | Grants permission to create a domain configuration | Write | |||
CreateDynamicThingGroup | Grants permission to create a Dynamic Thing Group | Write | |||
CreateFleetMetric | Grants permission to create a fleet metric | Write | |||
CreateJob | Grants permission to create a job | Write | |||
CreateJobTemplate | Grants permission to create a job template | Write | |||
CreateKeysAndCertificate | Grants permission to create a 2048-bit RSA key pair and issue an X.509 certificate using the issued public key | Write | |||
CreateMitigationAction | Grants permission to define an action that can be applied to audit findings by using StartAuditMitigationActionsTask | Write | |||
CreateOTAUpdate | Grants permission to create an OTA update job | Write | |||
CreatePackage | Grants permission to create a software package that you can deploy to your devices | Write | | | iot:GetIndexingConfiguration |
CreatePackageVersion | Grants permission to create a version under the specified package | Write | | | iot:GetIndexingConfiguration s3:GetObjectVersion |
CreatePolicy | Grants permission to create an AWS IoT policy | Write | |||
CreatePolicyVersion | Grants permission to create a new version of the specified AWS IoT policy | Write | |||
CreateProvisioningClaim | Grants permission to create a provisioning claim | Write | |||
CreateProvisioningTemplate | Grants permission to create a fleet provisioning template | Write | | | iam:PassRole |
CreateProvisioningTemplateVersion | Grants permission to create a new version of a fleet provisioning template | Write | |||
CreateRoleAlias | Grants permission to create a role alias | Write | | | iam:PassRole |
CreateScheduledAudit | Grants permission to create a scheduled audit that is run at a specified time interval | Write | |||
CreateSecurityProfile | Grants permission to create a Device Defender security profile | Write | |||
CreateStream | Grants permission to create a new AWS IoT stream | Write | |||
CreateThing | Grants permission to create a thing in the thing registry | Write | |||
CreateThingGroup | Grants permission to create a thing group | Write | |||
CreateThingType | Grants permission to create a new thing type | Write | |||
CreateTopicRule | Grants permission to create a rule | Write | |||
CreateTopicRuleDestination | Grants permission to create a TopicRuleDestination | Write | |||
DeleteAccountAuditConfiguration | Grants permission to delete the audit configuration associated with the account | Write | |||
DeleteAuditSuppression | Grants permission to delete a Device Defender audit suppression | Write | |||
DeleteAuthorizer | Grants permission to delete the specified authorizer | Write | |||
DeleteBillingGroup | Grants permission to delete the specified billing group | Write | |||
DeleteCACertificate | Grants permission to delete a registered CA certificate | Write | |||
DeleteCertificate | Grants permission to delete the specified certificate | Write | |||
DeleteCertificateProvider | Grants permission to delete a certificate provider | Write | |||
DeleteCustomMetric | Grants permission to delete the specified custom metric from your AWS account | Write | |||
DeleteDimension | Grants permission to remove the specified dimension from your AWS account | Write | |||
DeleteDomainConfiguration | Grants permission to delete a domain configuration | Write | |||
DeleteDynamicThingGroup | Grants permission to delete the specified Dynamic Thing Group | Write | |||
DeleteFleetMetric | Grants permission to delete the specified fleet metric | Write | |||
DeleteJob | Grants permission to delete a job and its related job executions | Write | |||
DeleteJobExecution | Grants permission to delete a job execution | Write | |||
DeleteJobTemplate | Grants permission to delete a job template | Write | |||
DeleteMitigationAction | Grants permission to delete a defined mitigation action from your AWS account | Write | |||
DeleteOTAUpdate | Grants permission to delete an OTA update job | Write | |||
DeletePackage | Grants permission to delete a package | Write | |||
DeletePackageVersion | Grants permission to delete a version of the specified package | Write | |||
DeletePolicy | Grants permission to delete the specified policy | Write | |||
DeletePolicyVersion | Grants permission to delete the specified version of the specified policy | Write | |||
DeleteProvisioningTemplate | Grants permission to delete a fleet provisioning template | Write | |||
DeleteProvisioningTemplateVersion | Grants permission to delete a fleet provisioning template version | Write | |||
DeleteRegistrationCode | Grants permission to delete a CA certificate registration code | Write | |||
DeleteRoleAlias | Grants permission to delete the specified role alias | Write | |||
DeleteScheduledAudit | Grants permission to delete a scheduled audit | Write | |||
DeleteSecurityProfile | Grants permission to delete a Device Defender security profile | Write | |||
DeleteStream | Grants permission to delete a specified stream | Write | |||
DeleteThing | Grants permission to delete the specified thing | Write | |||
DeleteThingGroup | Grants permission to delete the specified thing group | Write | |||
DeleteThingShadow | Grants permission to delete the specified thing shadow | Write | |||
DeleteThingType | Grants permission to delete the specified thing type | Write | |||
DeleteTopicRule | Grants permission to delete the specified rule | Write | |||
DeleteTopicRuleDestination | Grants permission to delete a TopicRuleDestination | Write | |||
DeleteV2LoggingLevel | Grants permission to delete the specified v2 logging level | Write | |||
DeprecateThingType | Grants permission to deprecate the specified thing type | Write | |||
DescribeAccountAuditConfiguration | Grants permission to get information about audit configurations for the account | Read | |||
DescribeAuditFinding | Grants permission to get information about a single audit finding. Properties include the reason for noncompliance, the severity of the issue, and when the audit that returned the finding was started | Read | |||
DescribeAuditMitigationActionsTask | Grants permission to get information about an audit mitigation task that is used to apply mitigation actions to a set of audit findings | Read | |||
DescribeAuditSuppression | Grants permission to get information about a Device Defender audit suppression | Read | |||
DescribeAuditTask | Grants permission to get information about a Device Defender audit | Read | |||
DescribeAuthorizer | Grants permission to describe an authorizer | Read | |||
DescribeBillingGroup | Grants permission to get information about the specified billing group | Read | |||
DescribeCACertificate | Grants permission to describe a registered CA certificate | Read | |||
DescribeCertificate | Grants permission to get information about the specified certificate | Read | |||
DescribeCertificateProvider | Grants permission to describe a certificate provider | Read | |||
DescribeCustomMetric | Grants permission to describe a custom metric that is defined in your AWS account | Read | |||
DescribeDefaultAuthorizer | Grants permission to describe the default authorizer | Read | |||
DescribeDetectMitigationActionsTask | Grants permission to describe a Device Defender ML Detect mitigation action | Read | |||
DescribeDimension | Grants permission to get details about a dimension that is defined in your AWS account | Read | |||
DescribeDomainConfiguration | Grants permission to get information about the domain configuration | Read | |||
DescribeEndpoint | Grants permission to get a unique endpoint specific to the AWS account making the call | Read | |||
DescribeEventConfigurations | Grants permission to get account event configurations | Read | |||
DescribeFleetMetric | Grants permission to get information about the specified fleet metric | Read | |||
DescribeIndex | Grants permission to get information about the specified index | Read | |||
DescribeJob | Grants permission to describe a job | Read | |||
DescribeJobExecution | Grants permission to describe a job execution | Read | |||
DescribeJobTemplate | Grants permission to describe a job template | Read | |||
DescribeManagedJobTemplate | Grants permission to describe a managed job template | Read | |||
DescribeMitigationAction | Grants permission to get information about a mitigation action | Read | |||
DescribeProvisioningTemplate | Grants permission to get information about a fleet provisioning template | Read | |||
DescribeProvisioningTemplateVersion | Grants permission to get information about a fleet provisioning template version | Read | |||
DescribeRoleAlias | Grants permission to describe a role alias | Read | |||
DescribeScheduledAudit | Grants permission to get information about a scheduled audit | Read | |||
DescribeSecurityProfile | Grants permission to get information about a Device Defender security profile | Read | |||
DescribeStream | Grants permission to get information about the specified stream | Read | |||
DescribeThing | Grants permission to get information about the specified thing | Read | |||
DescribeThingGroup | Grants permission to get information about the specified thing group | Read | |||
DescribeThingRegistrationTask | Grants permission to get information about the bulk thing registration task | Read | |||
DescribeThingType | Grants permission to get information about the specified thing type | Read | |||
DescribeTunnel | Grants permission to describe a tunnel | Read | |||
DetachPolicy | Grants permission to detach a policy from the specified target | Permissions management | |||
DetachPrincipalPolicy | Grants permission to remove the specified policy from the specified certificate | Permissions management | |||
DetachSecurityProfile | Grants permission to disassociate a Device Defender security profile from a thing group or from this account | Write | |||
DetachThingPrincipal | Grants permission to detach the specified principal from the specified thing | Write | |||
DisableTopicRule | Grants permission to disable the specified rule | Write | |||
DisassociateSbomFromPackageVersion | Grants permission to disassociate SBOM files from a package version | Write | |||
EnableTopicRule | Grants permission to enable the specified rule | Write | |||
GetBehaviorModelTrainingSummaries | Grants permission to fetch a Device Defender's ML Detect Security Profile training model's status | List | |||
GetBucketsAggregation | Grants permission to get buckets aggregation for IoT fleet index | Read | |||
GetCardinality | Grants permission to get cardinality for IoT fleet index | Read | |||
GetEffectivePolicies | Grants permission to get effective policies | Read | |||
GetIndexingConfiguration | Grants permission to get current fleet indexing configuration | Read | |||
GetJobDocument | Grants permission to get a job document | Read | |||
GetLoggingOptions | Grants permission to get the logging options | Read | |||
GetOTAUpdate | Grants permission to get the information about the OTA update job | Read | |||
GetPackage | Grants permission to get the information about the package | Read | |||
GetPackageConfiguration | Grants permission to get the package configuration of the account | Read | |||
GetPackageVersion | Grants permission to get the version of the package | Read | |||
GetPercentiles | Grants permission to get percentiles for IoT fleet index | Read | |||
GetPolicy | Grants permission to get information about the specified policy with the policy document of the default version | Read | |||
GetPolicyVersion | Grants permission to get information about the specified policy version | Read | |||
GetRegistrationCode | Grants permission to get a registration code used to register a CA certificate with AWS IoT | Read | |||
GetRetainedMessage | Grants permission to get the retained message on the specified topic | Read | |||
GetStatistics | Grants permission to get statistics for IoT fleet index | Read | |||
GetThingShadow | Grants permission to get the thing shadow | Read | |||
GetTopicRule | Grants permission to get information about the specified rule | Read | |||
GetTopicRuleDestination | Grants permission to get a TopicRuleDestination | Read | |||
GetV2LoggingOptions | Grants permission to get v2 logging options | Read | |||
ListActiveViolations | Grants permission to list the active violations for a given Device Defender security profile or Thing | List | |||
ListAttachedPolicies | Grants permission to list the policies attached to the specified thing group | List | |||
ListAuditFindings | Grants permission to list the findings (results) of a Device Defender audit or of the audits performed during a specified time period | List | |||
ListAuditMitigationActionsExecutions | Grants permission to get the status of audit mitigation action tasks that were executed | List | |||
ListAuditMitigationActionsTasks | Grants permission to get a list of audit mitigation action tasks that match the specified filters | List | |||
ListAuditSuppressions | Grants permission to list your Device Defender audit suppressions | List | |||
ListAuditTasks | Grants permission to list the Device Defender audits that have been performed during a given time period | List | |||
ListAuthorizers | Grants permission to list the authorizers registered in your account | List | |||
ListBillingGroups | Grants permission to list all billing groups | List | |||
ListCACertificates | Grants permission to list the CA certificates registered for your AWS account | List | |||
ListCertificateProviders | Grants permission to list certificate providers in the account | List | |||
ListCertificates | Grants permission to list your certificates | List | |||
ListCertificatesByCA | Grants permission to list the device certificates signed by the specified CA certificate | List | |||
ListCustomMetrics | Grants permission to list the custom metrics in your AWS account | List | |||
ListDetectMitigationActionsExecutions | Grants permission to list mitigation action executions for a Device Defender ML Detect Security Profile | List | |||
ListDetectMitigationActionsTasks | Grants permission to list Device Defender ML Detect mitigation actions tasks | List | |||
ListDimensions | Grants permission to list the dimensions that are defined for your AWS account | List | |||
ListDomainConfigurations | Grants permission to list the domain configuration created by your AWS account | List | |||
ListFleetMetrics | Grants permission to list the fleet metrics in your account | List | |||
ListIndices | Grants permission to list all indices for fleet index | List | |||
ListJobExecutionsForJob | Grants permission to list the job executions for a job | List | |||
ListJobExecutionsForThing | Grants permission to list the job executions for the specified thing | List | |||
ListJobTemplates | Grants permission to list job templates | List | |||
ListJobs | Grants permission to list jobs | List | |||
ListManagedJobTemplates | Grants permission to list managed job templates | List | |||
ListMetricValues | Grants permission to list the metric values for a thing based on the metricName and, if specified, the dimension | List | |||
ListMitigationActions | Grants permission to get a list of all mitigation actions that match the specified filter criteria | List | |||
ListNamedShadowsForThing | Grants permission to list all named shadows for a given thing | List | |||
ListOTAUpdates | Grants permission to list OTA update jobs in the account | List | |||
ListOutgoingCertificates | Grants permission to list certificates that are being transferred but not yet accepted | List | |||
ListPackageVersions | Grants permission to list versions for a package in the account | List | |||
ListPackages | Grants permission to list packages in the account | List | |||
ListPolicies | Grants permission to list your policies | List | |||
ListPolicyPrincipals | Grants permission to list the principals associated with the specified policy | List | |||
ListPolicyVersions | Grants permission to list the versions of the specified policy, and identifies the default version | List | |||
ListPrincipalPolicies | Grants permission to list the policies attached to the specified principal. If you use an Amazon Cognito identity, the ID needs to be in Amazon Cognito Identity format | List | |||
ListPrincipalThings | Grants permission to list the things associated with the specified principal | List | |||
ListProvisioningTemplateVersions | Grants permission to get a list of fleet provisioning template versions | List | |||
ListProvisioningTemplates | Grants permission to list the fleet provisioning templates in your AWS account | List | |||
ListRelatedResourcesForAuditFinding | Grants permission to list related resources for a single audit finding | List | |||
ListRetainedMessages | Grants permission to list the retained messages for your account | List | |||
ListRoleAliases | Grants permission to list role aliases | List | |||
ListSbomValidationResults | Grants permission to list SBOM validation results of a package version | List | |||
ListScheduledAudits | Grants permission to list all of your scheduled audits | List | |||
ListSecurityProfiles | Grants permission to list the Device Defender security profiles you have created | List | |||
ListSecurityProfilesForTarget | Grants permission to list the Device Defender security profiles attached to a target | List | |||
ListStreams | Grants permission to list the streams in your account | List | |||
ListTagsForResource | Grants permission to list all tags for a given resource | Read | |||
ListTargetsForPolicy | Grants permission to list targets for the specified policy | List | |||
ListTargetsForSecurityProfile | Grants permission to list the targets associated with a given Device Defender security profile | List | |||
ListThingGroups | Grants permission to list all thing groups | List | |||
ListThingGroupsForThing | Grants permission to list thing groups to which the specified thing belongs | List | |||
ListThingPrincipals | Grants permission to list the principals associated with the specified thing | List | |||
ListThingRegistrationTaskReports | Grants permission to list information about bulk thing registration tasks | List | |||
ListThingRegistrationTasks | Grants permission to list bulk thing registration tasks | List | |||
ListThingTypes | Grants permission to list all thing types | List | |||
ListThings | Grants permission to list all things | List | |||
ListThingsInBillingGroup | Grants permission to list all things in the specified billing group | List | |||
ListThingsInThingGroup | Grants permission to list all things in the specified thing group | List | |||
ListTopicRuleDestinations | Grants permission to list all TopicRuleDestinations | List | |||
ListTopicRules | Grants permission to list the rules for the specific topic | List | |||
ListTunnels | Grants permission to list tunnels | List | |||
ListV2LoggingLevels | Grants permission to list the v2 logging levels | List | |||
ListViolationEvents | Grants permission to list the Device Defender security profile violations discovered during the given time period | List | |||
OpenTunnel | Grants permission to open a tunnel | Write | |||
Publish | Grants permission to publish to the specified topic | Write | |||
PutVerificationStateOnViolation | Grants permission to put verification state on a violation | Write | |||
Receive | Grants permission to receive from the specified topic | Write | |||
RegisterCACertificate | Grants permission to register a CA certificate with AWS IoT | Write | | | iam:PassRole |
RegisterCertificate | Grants permission to register a device certificate with AWS IoT | Write | |||
RegisterCertificateWithoutCA | Grants permission to register a device certificate with AWS IoT without a registered CA (certificate authority) | Write | |||
RegisterThing | Grants permission to register your thing | Write | |||
RejectCertificateTransfer | Grants permission to reject a pending certificate transfer | Write | |||
RemoveThingFromBillingGroup | Grants permission to remove thing from the specified billing group | Write | |||
RemoveThingFromThingGroup | Grants permission to remove thing from the specified thing group | Write | |||
ReplaceTopicRule | Grants permission to replace the specified rule | Write | |||
RetainPublish | Grants permission to publish a retained message to the specified topic | Write | |||
RotateTunnelAccessToken | Grants permission to rotate the access token of a tunnel | Write | |||
SearchIndex | Grants permission to search IoT fleet index | Read | |||
SetDefaultAuthorizer | Grants permission to set the default authorizer. This will be used if a websocket connection is made without specifying an authorizer | Permissions management | |||
SetDefaultPolicyVersion | Grants permission to set the specified version of the specified policy as the policy's default (operative) version | Permissions management | |||
SetLoggingOptions | Grants permission to set the logging options | Write | |||
SetV2LoggingLevel | Grants permission to set the v2 logging level | Write | |||
SetV2LoggingOptions | Grants permission to set the v2 logging options | Write | |||
StartAuditMitigationActionsTask | Grants permission to start a task that applies a set of mitigation actions to the specified target | Write | |||
StartDetectMitigationActionsTask | Grants permission to start a Device Defender ML Detect mitigation actions task | Write | |||
StartOnDemandAuditTask | Grants permission to start an on-demand Device Defender audit | Write | |||
StartThingRegistrationTask | Grants permission to start a bulk thing registration task | Write | |||
StopThingRegistrationTask | Grants permission to stop a bulk thing registration task | Write | |||
Subscribe | Grants permission to subscribe to the specified TopicFilter | Write | |||
TagResource | Grants permission to tag a specified resource | Tagging | |||
TestAuthorization | Grants permission to test the policies evaluation for group policies | Read | |||
TestInvokeAuthorizer | Grants permission to test invoke the specified custom authorizer for testing purposes | Read | |||
TransferCertificate | Grants permission to transfer the specified certificate to the specified AWS account | Write | |||
UntagResource | Grants permission to untag a specified resource | Tagging | |||
UpdateAccountAuditConfiguration | Grants permission to configure or reconfigure the Device Defender audit settings for this account | Write | |||
UpdateAuditSuppression | Grants permission to update a Device Defender audit suppression | Write | |||
UpdateAuthorizer | Grants permission to update an authorizer | Write | |||
UpdateBillingGroup | Grants permission to update information associated with the specified billing group | Write | |||
UpdateCACertificate | Grants permission to update a registered CA certificate | Write | | | iam:PassRole |
UpdateCertificate | Grants permission to update the status of the specified certificate. This operation is idempotent | Write | |||
UpdateCertificateProvider | Grants permission to update a certificate provider | Write | |||
UpdateCustomMetric | Grants permission to update the specified custom metric | Write | |||
UpdateDimension | Grants permission to update the definition for a dimension | Write | |||
UpdateDomainConfiguration | Grants permission to update a domain configuration | Write | |||
UpdateDynamicThingGroup | Grants permission to update a Dynamic Thing Group | Write | |||
UpdateEventConfigurations | Grants permission to update event configurations | Write | |||
UpdateFleetMetric | Grants permission to update a fleet metric | Write | |||
UpdateIndexingConfiguration | Grants permission to update fleet indexing configuration | Write | |||
UpdateJob | Grants permission to update a job | Write | |||
UpdateMitigationAction | Grants permission to update the definition for the specified mitigation action | Write | |||
UpdatePackage | Grants permission to update a package | Write | | | iot:GetIndexingConfiguration |
UpdatePackageConfiguration | Grants permission to update the package configuration of the account | Write | | | iam:PassRole |
UpdatePackageVersion | Grants permission to update the version of the specified package | Write | | | iot:GetIndexingConfiguration s3:GetObjectVersion |
UpdateProvisioningTemplate | Grants permission to update a fleet provisioning template | Write | | | iam:PassRole |
UpdateRoleAlias | Grants permission to update the role alias | Write | | | iam:PassRole |
UpdateScheduledAudit | Grants permission to update a scheduled audit, including what checks are performed and how often the audit takes place | Write | |||
UpdateSecurityProfile | Grants permission to update a Device Defender security profile | Write | |||
UpdateStream | Grants permission to update the data for a stream | Write | |||
UpdateThing | Grants permission to update information associated with the specified thing | Write | |||
UpdateThingGroup | Grants permission to update information associated with the specified thing group | Write | |||
UpdateThingGroupsForThing | Grants permission to update the thing groups to which the thing belongs | Write | |||
UpdateThingShadow | Grants permission to update the thing shadow | Write | |||
UpdateThingType | Grants permission to update information associated with the specified thing type | Write | |||
UpdateTopicRuleDestination | Grants permission to update a TopicRuleDestination | Write | |||
ValidateSecurityProfileBehaviors | Grants permission to validate a Device Defender security profile behaviors specification | Read | |||
Resource types defined by AWS IoT
The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see Resource types table.
Resource types | ARN | Condition keys |
---|---|---|
client | arn:${Partition}:iot:${Region}:${Account}:client/${ClientId} | |
index | arn:${Partition}:iot:${Region}:${Account}:index/${IndexName} | |
fleetmetric | arn:${Partition}:iot:${Region}:${Account}:fleetmetric/${FleetMetricName} | |
job | arn:${Partition}:iot:${Region}:${Account}:job/${JobId} | |
jobtemplate | arn:${Partition}:iot:${Region}:${Account}:jobtemplate/${JobTemplateId} | |
tunnel | arn:${Partition}:iot:${Region}:${Account}:tunnel/${TunnelId} | |
thing | arn:${Partition}:iot:${Region}:${Account}:thing/${ThingName} | |
thinggroup | arn:${Partition}:iot:${Region}:${Account}:thinggroup/${ThingGroupName} | |
billinggroup | arn:${Partition}:iot:${Region}:${Account}:billinggroup/${BillingGroupName} | |
dynamicthinggroup | arn:${Partition}:iot:${Region}:${Account}:thinggroup/${ThingGroupName} | |
thingtype | arn:${Partition}:iot:${Region}:${Account}:thingtype/${ThingTypeName} | |
topic | arn:${Partition}:iot:${Region}:${Account}:topic/${TopicName} | |
topicfilter | arn:${Partition}:iot:${Region}:${Account}:topicfilter/${TopicFilter} | |
rolealias | arn:${Partition}:iot:${Region}:${Account}:rolealias/${RoleAlias} | |
authorizer | arn:${Partition}:iot:${Region}:${Account}:authorizer/${AuthorizerName} | |
policy | arn:${Partition}:iot:${Region}:${Account}:policy/${PolicyName} | |
cert | arn:${Partition}:iot:${Region}:${Account}:cert/${Certificate} | |
cacert | arn:${Partition}:iot:${Region}:${Account}:cacert/${CACertificate} | |
stream | arn:${Partition}:iot:${Region}:${Account}:stream/${StreamId} | |
otaupdate | arn:${Partition}:iot:${Region}:${Account}:otaupdate/${OtaUpdateId} | |
scheduledaudit | arn:${Partition}:iot:${Region}:${Account}:scheduledaudit/${ScheduleName} | |
mitigationaction | arn:${Partition}:iot:${Region}:${Account}:mitigationaction/${MitigationActionName} | |
securityprofile | arn:${Partition}:iot:${Region}:${Account}:securityprofile/${SecurityProfileName} | |
custommetric | arn:${Partition}:iot:${Region}:${Account}:custommetric/${MetricName} | |
dimension | arn:${Partition}:iot:${Region}:${Account}:dimension/${DimensionName} | |
rule | arn:${Partition}:iot:${Region}:${Account}:rule/${RuleName} | |
destination | arn:${Partition}:iot:${Region}:${Account}:destination/${DestinationType}/${Uuid} | |
provisioningtemplate | arn:${Partition}:iot:${Region}:${Account}:provisioningtemplate/${ProvisioningTemplate} | |
domainconfiguration | arn:${Partition}:iot:${Region}:${Account}:domainconfiguration/${DomainConfigurationName}/${Id} | |
package | arn:${Partition}:iot:${Region}:${Account}:package/${PackageName} | |
packageversion | arn:${Partition}:iot:${Region}:${Account}:package/${PackageName}/version/${VersionName} | |
certificateprovider | arn:${Partition}:iot:${Region}:${Account}:certificateprovider/${CertificateProviderName} | |
Condition keys for AWS IoT
AWS IoT defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.
To view the global condition keys that are available to all services, see Available global condition keys.
Condition keys | Description | Type |
---|---|---|
aws:RequestTag/${TagKey} | Filters access by a tag key that is present in the request | String |
aws:ResourceTag/${TagKey} | Filters access by a tag key component of a tag associated to the IoT resource in the request | String |
aws:TagKeys | Filters access by a list of tag keys associated to the IoT resource in the request | ArrayOfString |
iot:ClientMode | Filters access by the mode of the client for IoT Tunnel | String |
iot:Delete | Filters access by a flag indicating whether or not to also delete an IoT Tunnel immediately when making an iot:CloseTunnel request | Bool |
iot:DomainName | Filters access by the domain name of an IoT DomainConfiguration | String |
iot:ThingGroupArn | Filters access by a list of IoT Thing Group ARNs that the destination IoT Thing belongs to for an IoT Tunnel | ArrayOfARN |
iot:TunnelDestinationService | Filters access by a list of destination services for an IoT Tunnel | ArrayOfString |
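The following IAM identity policy is an added example, not part of the AWS reference: it combines the three tables above by pairing the tunnel actions with the tunnel condition keys, scoping each statement to the resource ARN pattern the service defines, and granting the iam:PassRole dependent action that CreateRoleAlias and UpdateRoleAlias list. The account ID (111122223333), Region, thing-group name, role-alias name and IAM role name are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OpenTunnelsOnlyToSshOnFieldGateways",
      "Effect": "Allow",
      "Action": "iot:OpenTunnel",
      "Resource": "arn:aws:iot:us-east-1:111122223333:thing/*",
      "Condition": {
        "ForAllValues:StringEquals": {
          "iot:TunnelDestinationService": ["SSH"]
        },
        "ForAnyValue:StringEquals": {
          "iot:ThingGroupArn": [
            "arn:aws:iot:us-east-1:111122223333:thinggroup/field-gateways"
          ]
        }
      }
    },
    {
      "Sid": "CloseTunnelsButNeverDeleteThem",
      "Effect": "Allow",
      "Action": "iot:CloseTunnel",
      "Resource": "arn:aws:iot:us-east-1:111122223333:tunnel/*",
      "Condition": {
        "Bool": { "iot:Delete": "false" }
      }
    },
    {
      "Sid": "ManageOneRoleAlias",
      "Effect": "Allow",
      "Action": ["iot:CreateRoleAlias", "iot:UpdateRoleAlias"],
      "Resource": "arn:aws:iot:us-east-1:111122223333:rolealias/fleet-credentials"
    },
    {
      "Sid": "DependentPassRoleScopedToOneRole",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::111122223333:role/IoTFleetCredentialsRole"
    }
  ]
}
```

Without the final statement the role-alias calls fail even though iot:CreateRoleAlias is allowed, because the dependent action is evaluated separately; scoping iam:PassRole to one role ARN keeps that grant from becoming a general privilege-escalation path. Note that ForAllValues evaluates to true when the request carries no values for the key, so pair it with an explicit Deny using ForAnyValue if a destination service must never be reachable.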