Accessing cross-account resources using AWS IoT rules
You can configure AWS IoT rules for cross-account access so that data ingested on MQTT topics of one account can be routed into the AWS services, such as Amazon SQS and Lambda, of another account. The following explains how to set up AWS IoT rules for cross-account data ingestion, from an MQTT topic in one account, to a destination in another account.
Cross-account rules can be configured using resource-based permissions on the destination resource. Therefore, only destinations that support resource-based permissions can be enabled for the cross-account access with AWS IoT rules. The supported destinations include Amazon SQS, Amazon SNS, Amazon S3, and AWS Lambda.
Note
For the supported destinations, except for Amazon SQS, you must define the rule in the same AWS Region as another service's resource so that the rule action can interact with that resource. For more information about AWS IoT rule actions, see AWS IoT rule actions. For more information about rule's SQS action, see SQS.
Prerequisites
-
Familiarity with AWS IoT rules
-
An understanding of IAM users, roles, and resource-based permission
-
Having AWS CLI installed
Cross-account setup for Amazon SQS
Scenario: Account A sends data from an MQTT message to account B's Amazon SQS queue.
| AWS account | Account referred to as | Description |
|---|---|---|
|
Account A | Rule action: sqs:SendMessage |
|
Account B | Amazon SQS queue
|
Note
Your destination Amazon SQS queue doesn't have to be in the same AWS Region as your AWS IoT rule. For more information about rule's SQS action, see SQS.
Do the Account A tasks
Note
To run the following commands, your IAM user should have permissions to
iot:CreateTopicRule with the rule's Amazon Resource Name
(ARN) as a resource, and permissions to iam:PassRole action
with a resource as the role's ARN.
-
Configure AWS CLI using account A’s IAM user.
-
Create an IAM role that trusts AWS IoT rules engine, and attaches a policy that allows access to account B's Amazon SQS queue. See example commands and policy documents in Granting AWS IoT the required access.
-
To create a rule that is attached to a topic, run the create-topic-rule command.
aws iot create-topic-rule --rule-namemyRule--topic-rule-payload file://./my-rule.jsonThe following is an example payload file with a rule that inserts all messages sent to the
iot/testtopic into the specified Amazon SQS queue. The SQL statement filters the messages and the role ARN grants AWS IoT permissions to add the message to the Amazon SQS queue.{ "sql": "SELECT * FROM 'iot/test'", "ruleDisabled": false, "awsIotSqlVersion": "2016-03-23", "actions": [ { "sqs": { "queueUrl": "https://sqs.region.amazonaws.com/2222-2222-2222/ExampleQueue", "roleArn": "arn:aws:iam::1111-1111-1111:role/my-iot-role", "useBase64": false } } ] }For more information about how to define an Amazon SQS action in an AWS IoT rule, see AWS IoT rule actions - Amazon SQS.
Do the Account B tasks
-
Configure AWS CLI using account B’s IAM user.
-
To give permissions for the Amazon SQS queue resource to account A, run the add-permission command.
aws sqs add-permission --queue-urlhttps://sqs.region.amazonaws.com/2222-2222-2222/ExampleQueue--labelSendMessagesToMyQueue--aws-account-ids1111-1111-1111--actions SendMessage
Cross-account setup for Amazon SNS
Scenario: Account A sends data from an MQTT message to an Amazon SNS topic of account B.
| AWS account | Account referred to as | Description |
|---|---|---|
|
Account A | Rule action: sns:Publish |
|
Account B | Amazon SNS topic ARN:
|
Do the Account A tasks
Notes
To run the following commands, your IAM user should have permissions to
iot:CreateTopicRule with rule ARN as a resource and
permissions to the iam:PassRole action with a resource as role
ARN.
-
Configure AWS CLI using account A’s IAM user.
-
Create an IAM role that trusts AWS IoT rules engine, and attaches a policy that allows access to account B's Amazon SNS topic. For example commands and policy documents, see Granting AWS IoT the required access.
-
To create a rule that is attached to a topic, run the create-topic-rule command.
aws iot create-topic-rule --rule-namemyRule--topic-rule-payload file://./my-rule.jsonThe following is an example payload file with a rule that inserts all messages sent to the
iot/testtopic into the specified Amazon SNS topic. The SQL statement filters the messages, and the role ARN grants AWS IoT permissions to send the message to the Amazon SNS topic.{ "sql": "SELECT * FROM 'iot/test'", "ruleDisabled": false, "awsIotSqlVersion": "2016-03-23", "actions": [ { "sns": { "targetArn": "arn:aws:sns:region:2222-2222-2222:ExampleTopic", "roleArn": "arn:aws:iam::1111-1111-1111:role/my-iot-role" } } ] }For more information about how to define an Amazon SNS action in an AWS IoT rule, see AWS IoT rule actions - Amazon SNS.
Do the Account B tasks
-
Configure AWS CLI using account B’s IAM user.
-
To give permission on the Amazon SNS topic resource to account A, run the add-permission command.
aws sns add-permission --topic-arnarn:aws:sns:region:2222-2222-2222:ExampleTopic--labelPublish-Permission--aws-account-id1111-1111-1111--action-name Publish
Cross-account setup for Amazon S3
Scenario: Account A sends data from an MQTT message to an Amazon S3 bucket of account B.
| AWS account | Account referred to as | Description |
|---|---|---|
|
Account A | Rule action: s3:PutObject |
|
Account B | Amazon S3 bucket ARN:
|
Do the Account A tasks
Note
To run the following commands, your IAM user should have permissions to
iot:CreateTopicRule with the rule ARN as a resource and
permissions to iam:PassRole action with a resource as role
ARN.
-
Configure AWS CLI using account A’s IAM user.
-
Create an IAM role that trusts AWS IoT rules engine and attaches a policy that allows access to account B's Amazon S3 bucket. For example commands and policy documents, see Granting AWS IoT the required access.
-
To create a rule that is attached to your target S3 bucket, run the create-topic-rule command.
aws iot create-topic-rule --rule-namemy-rule--topic-rule-payload file://./my-rule.jsonThe following is an example payload file with a rule that inserts all messages sent to the
iot/testtopic into the specified Amazon S3 bucket. The SQL statement filters the messages, and the role ARN grants AWS IoT permissions to add the message to the Amazon S3 bucket.{ "sql": "SELECT * FROM 'iot/test'", "ruleDisabled": false, "awsIotSqlVersion": "2016-03-23", "actions": [ { "s3": { "bucketName": "amzn-s3-demo-bucket", "key": "${topic()}/${timestamp()}", "roleArn": "arn:aws:iam::1111-1111-1111:role/my-iot-role" } } ] }For more information about how to define an Amazon S3 action in an AWS IoT rule, see AWS IoT rule actions - Amazon S3.
Do the Account B tasks
-
Configure AWS CLI using account B’s IAM user.
-
Create a bucket policy that trusts account A's principal.
The following is an example payload file that defines a bucket policy that trusts the principal of another account.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AddCannedAcl", "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::1111-1111-1111:root" ] }, "Action": "s3:PutObject", "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*" } ] }For more information, see bucket policy examples.
-
To attach the bucket policy to the specified bucket, run the put-bucket-policy command.
aws s3api put-bucket-policy --bucket amzn-s3-demo-bucket --policy file://./amzn-s3-demo-bucket-policy.json -
To make the cross-account access work, make sure you have the correct Block all public access settings. For more information, see Security Best Practices for Amazon S3.
Cross-account setup for AWS Lambda
Scenario: Account A invokes an AWS Lambda function of account B, passing in an MQTT message.
| AWS account | Account referred to as | Description |
|---|---|---|
|
Account A | Rule action: lambda:InvokeFunction |
|
Account B | Lambda function ARN: |
Do the Account A tasks
Notes
To run the following commands, your IAM user should have permissions to
iot:CreateTopicRule with rule ARN as a resource, and
permissions to iam:PassRole action with resource as role
ARN.
-
Configure AWS CLI using account A’s IAM user.
-
Run the create-topic-rule command to create a rule that defines cross-account access to account B's Lambda function.
aws iot create-topic-rule --rule-namemy-rule--topic-rule-payload file://./my-rule.jsonThe following is an example payload file with a rule that inserts all messages sent to the
iot/testtopic into the specified Lambda function. The SQL statement filters the messages and the role ARN grants AWS IoT permission to pass in the data to the Lambda function.{ "sql": "SELECT * FROM 'iot/test'", "ruleDisabled": false, "awsIotSqlVersion": "2016-03-23", "actions": [ { "lambda": { "functionArn": "arn:aws:lambda:region:2222-2222-2222:function:example-function" } } ] }For more information about how to define an AWS Lambda action in an AWS IoT rule, read AWS IoT rule actions - Lambda.
Do the Account B tasks
-
Configure AWS CLI using account B’s IAM user.
-
Run Lambda's add-permission command to give AWS IoT rules permission to activate the Lambda function. To run the following command, your IAM user should have permission to
lambda:AddPermissionaction.aws lambda add-permission --function-nameexample-function--regionus-east-1--principal iot.amazonaws.com --source-arnarn:aws:iot:region:1111-1111-1111:rule/example-rule--source-account1111-1111-1111--statement-id"unique_id"--action "lambda:InvokeFunction"Options:
--principal
This field gives permission to AWS IoT (represented by
iot.amazonaws.com) to call the Lambda function.--source-arn
This field confirms that only
arn:aws:iot:region:1111-1111-1111:rule/example-rulein AWS IoT triggers this Lambda function and no other rule in the same or different account can activate this Lambda function.--source-account
This field confirms that AWS IoT activates this Lambda function only on behalf of the
1111-1111-1111account.Notes
If you see an error message "The rule could not be found" from your AWS Lambda function’s console under Configuration, ignore the error message and proceed to test the connection.
