Select your cookie preferences

We use essential cookies and similar tools that are necessary to provide our site and services. We use performance cookies to collect anonymous statistics, so we can understand how customers use our site and make improvements. Essential cookies cannot be deactivated, but you can choose “Customize” or “Decline” to decline performance cookies.

If you agree, AWS and approved third parties will also use cookies to provide useful site features, remember your preferences, and display relevant content, including relevant advertising. To accept or decline all non-essential cookies, choose “Accept” or “Decline.” To make more detailed choices, choose “Customize.”

Preferences
Contact Us
Feedback
AWS Documentation
Create an AWS Account

Controlling access to tunnels

PDF
Focus mode
Controlling access to tunnels - AWS IoT Core
Tunnel access prerequisitesTunnel access policies

Secure tunneling provides service-specific actions, resources, and condition context keys for use in IAM permissions policies.

Tunnel access prerequisites

Tunnel access policies

You must use the following policies for authorizing permissions to use the secure tunneling API. For more information about AWS IoT security see Identity and access management for AWS IoT.

The iot:OpenTunnel policy action grants a principal permission to call OpenTunnel.

In the Resource element of the IAM policy statement:

  • Specify the wildcard tunnel ARN:

    arn:aws:iot:aws-region:aws-account-id:tunnel/*

  • Specify a thing ARN to manage the OpenTunnel permission for specific IoT things:

    arn:aws:iot:aws-region:aws-account-id:thing/thing-name

For example, the following policy statement allows you to open a tunnel to the IoT thing named TestDevice.

{
    "Effect": "Allow",
    "Action": "iot:OpenTunnel",
    "Resource": [
        "arn:aws:iot:aws-region:aws-account-id:tunnel/*",
        "arn:aws:iot:aws-region:aws-account-id:thing/TestDevice"
    ]
}

The iot:OpenTunnel policy action supports the following condition keys:

  • iot:ThingGroupArn

  • iot:TunnelDestinationService

  • aws:RequestTag/tag-key

  • aws:SecureTransport

  • aws:TagKeys

The following policy statement allows you to open a tunnel to the thing if the thing belongs to a thing group with a name that starts with TestGroup and the configured destination service on the tunnel is SSH.

{
    "Effect": "Allow",
    "Action": "iot:OpenTunnel",
    "Resource": [
        "arn:aws:iot:aws-region:aws-account-id:tunnel/*"
    ],
    "Condition": {
        "ForAnyValue:StringLike": {
            "iot:ThingGroupArn": [
                "arn:aws:iot:aws-region:aws-account-id:thinggroup/TestGroup*"
            ]
        },
        "ForAllValues:StringEquals": {
            "iot:TunnelDestinationService": [
                "SSH"
            ]
        }
    }
}

You can also use resource tags to control permission to open tunnels. For example, the following policy statement allows a tunnel to be opened if the tag key Owner is present with a value of Admin and no other tags are specified. For general information about using tags, see Tagging your AWS IoT resources.

{
    "Effect": "Allow",
    "Action": "iot:OpenTunnel",
    "Resource": [
        "arn:aws:iot:aws-region:aws-account-id:tunnel/*"
    ],
    "Condition": {
        "StringEquals": {
            "aws:RequestTag/Owner": "Admin"
        },
        "ForAllValues:StringEquals": {
            "aws:TagKeys": "Owner"
        }
    }
}

The iot:OpenTunnel policy action grants a principal permission to call OpenTunnel.

In the Resource element of the IAM policy statement:

  • Specify the wildcard tunnel ARN:

    arn:aws:iot:aws-region:aws-account-id:tunnel/*

  • Specify a thing ARN to manage the OpenTunnel permission for specific IoT things:

    arn:aws:iot:aws-region:aws-account-id:thing/thing-name

For example, the following policy statement allows you to open a tunnel to the IoT thing named TestDevice.

{
    "Effect": "Allow",
    "Action": "iot:OpenTunnel",
    "Resource": [
        "arn:aws:iot:aws-region:aws-account-id:tunnel/*",
        "arn:aws:iot:aws-region:aws-account-id:thing/TestDevice"
    ]
}

The iot:OpenTunnel policy action supports the following condition keys:

  • iot:ThingGroupArn

  • iot:TunnelDestinationService

  • aws:RequestTag/tag-key

  • aws:SecureTransport

  • aws:TagKeys

The following policy statement allows you to open a tunnel to the thing if the thing belongs to a thing group with a name that starts with TestGroup and the configured destination service on the tunnel is SSH.

{
    "Effect": "Allow",
    "Action": "iot:OpenTunnel",
    "Resource": [
        "arn:aws:iot:aws-region:aws-account-id:tunnel/*"
    ],
    "Condition": {
        "ForAnyValue:StringLike": {
            "iot:ThingGroupArn": [
                "arn:aws:iot:aws-region:aws-account-id:thinggroup/TestGroup*"
            ]
        },
        "ForAllValues:StringEquals": {
            "iot:TunnelDestinationService": [
                "SSH"
            ]
        }
    }
}

You can also use resource tags to control permission to open tunnels. For example, the following policy statement allows a tunnel to be opened if the tag key Owner is present with a value of Admin and no other tags are specified. For general information about using tags, see Tagging your AWS IoT resources.

{
    "Effect": "Allow",
    "Action": "iot:OpenTunnel",
    "Resource": [
        "arn:aws:iot:aws-region:aws-account-id:tunnel/*"
    ],
    "Condition": {
        "StringEquals": {
            "aws:RequestTag/Owner": "Admin"
        },
        "ForAllValues:StringEquals": {
            "aws:TagKeys": "Owner"
        }
    }
}

The iot:RotateTunnelAccessToken policy action grants a principal permission to call RotateTunnelAccessToken.

In the Resource element of the IAM policy statement:

  • Specify a fully qualified tunnel ARN:

    arn:aws:iot:aws-region: aws-account-id:tunnel/tunnel-id

    You can also use the wildcard tunnel ARN:

    arn:aws:iot:aws-region:aws-account-id:tunnel/*

  • Specify a thing ARN to manage the RotateTunnelAccessToken permission for specific IoT things:

    arn:aws:iot:aws-region:aws-account-id:thing/thing-name

For example, the following policy statement allows you to rotate either a tunnel's source access token or a client's destination access token for the IoT thing named TestDevice.

{
    "Effect": "Allow",
    "Action": "iot:RotateTunnelAccessToken",
    "Resource": [
        "arn:aws:iot:aws-region:aws-account-id:tunnel/*",
        "arn:aws:iot:aws-region:aws-account-id:thing/TestDevice"
    ]
}

The iot:RotateTunnelAccessToken policy action supports the following condition keys:

  • iot:ThingGroupArn

  • iot:TunnelDestinationService

  • iot:ClientMode

  • aws:SecureTransport

The following policy statement allows you to rotate the destination access token to the thing if the thing belongs to a thing group with a name that starts with TestGroup, the configured destination service on the tunnel is SSH, and the client is in DESTINATION mode.

{
    "Effect": "Allow",
    "Action": "iot:RotateTunnelAccessToken",
    "Resource": [
        "arn:aws:iot:aws-region:aws-account-id:tunnel/*"
    ],
    "Condition": {
        "ForAnyValue:StringLike": {
            "iot:ThingGroupArn": [
                "arn:aws:iot:aws-region:aws-account-id:thinggroup/TestGroup*"
            ]
        },
        "ForAllValues:StringEquals": {
            "iot:TunnelDestinationService": [
                "SSH"
            ],
            "iot:ClientMode": "DESTINATION"
        }
    }
}

The iot:RotateTunnelAccessToken policy action grants a principal permission to call RotateTunnelAccessToken.

In the Resource element of the IAM policy statement:

  • Specify a fully qualified tunnel ARN:

    arn:aws:iot:aws-region: aws-account-id:tunnel/tunnel-id

    You can also use the wildcard tunnel ARN:

    arn:aws:iot:aws-region:aws-account-id:tunnel/*

  • Specify a thing ARN to manage the RotateTunnelAccessToken permission for specific IoT things:

    arn:aws:iot:aws-region:aws-account-id:thing/thing-name

For example, the following policy statement allows you to rotate either a tunnel's source access token or a client's destination access token for the IoT thing named TestDevice.

{
    "Effect": "Allow",
    "Action": "iot:RotateTunnelAccessToken",
    "Resource": [
        "arn:aws:iot:aws-region:aws-account-id:tunnel/*",
        "arn:aws:iot:aws-region:aws-account-id:thing/TestDevice"
    ]
}

The iot:RotateTunnelAccessToken policy action supports the following condition keys:

  • iot:ThingGroupArn

  • iot:TunnelDestinationService

  • iot:ClientMode

  • aws:SecureTransport

The following policy statement allows you to rotate the destination access token to the thing if the thing belongs to a thing group with a name that starts with TestGroup, the configured destination service on the tunnel is SSH, and the client is in DESTINATION mode.

{
    "Effect": "Allow",
    "Action": "iot:RotateTunnelAccessToken",
    "Resource": [
        "arn:aws:iot:aws-region:aws-account-id:tunnel/*"
    ],
    "Condition": {
        "ForAnyValue:StringLike": {
            "iot:ThingGroupArn": [
                "arn:aws:iot:aws-region:aws-account-id:thinggroup/TestGroup*"
            ]
        },
        "ForAllValues:StringEquals": {
            "iot:TunnelDestinationService": [
                "SSH"
            ],
            "iot:ClientMode": "DESTINATION"
        }
    }
}

The iot:DescribeTunnel policy action grants a principal permission to call DescribeTunnel.

In the Resource element of the IAM policy statement, specify a fully qualified tunnel ARN:

arn:aws:iot:aws-region: aws-account-id:tunnel/tunnel-id

You can also use the wildcard ARN:

arn:aws:iot:aws-region:aws-account-id:tunnel/*

The iot:DescribeTunnel policy action supports the following condition keys:

  • aws:ResourceTag/tag-key

  • aws:SecureTransport

The following policy statement allows you to call DescribeTunnel if the requested tunnel is tagged with the key Owner with a value of Admin.

{
    "Effect": "Allow",
    "Action": "iot:DescribeTunnel",
    "Resource": [
        "arn:aws:iot:aws-region:aws-account-id:tunnel/*"
    ],
    "Condition": {
        "StringEquals": {
            "aws:ResourceTag/Owner": "Admin"
        }
    }
}

The iot:DescribeTunnel policy action grants a principal permission to call DescribeTunnel.

In the Resource element of the IAM policy statement, specify a fully qualified tunnel ARN:

arn:aws:iot:aws-region: aws-account-id:tunnel/tunnel-id

You can also use the wildcard ARN:

arn:aws:iot:aws-region:aws-account-id:tunnel/*

The iot:DescribeTunnel policy action supports the following condition keys:

  • aws:ResourceTag/tag-key

  • aws:SecureTransport

The following policy statement allows you to call DescribeTunnel if the requested tunnel is tagged with the key Owner with a value of Admin.

{
    "Effect": "Allow",
    "Action": "iot:DescribeTunnel",
    "Resource": [
        "arn:aws:iot:aws-region:aws-account-id:tunnel/*"
    ],
    "Condition": {
        "StringEquals": {
            "aws:ResourceTag/Owner": "Admin"
        }
    }
}

The iot:ListTunnels policy action grants a principal permission to call ListTunnels.

In the Resource element of the IAM policy statement:

  • Specify the wildcard tunnel ARN:

    arn:aws:iot:aws-region:aws-account-id:tunnel/*

  • Specify a thing ARN to manage the ListTunnels permission on selected IoT things:

    arn:aws:iot:aws-region:aws-account-id:thing/thing-name

The iot:ListTunnels policy action supports the condition key aws:SecureTransport.

The following policy statement allows you to list tunnels for the thing named TestDevice.

{
    "Effect": "Allow",
    "Action": "iot:ListTunnels",
    "Resource": [
        "arn:aws:iot:aws-region:aws-account-id:tunnel/*",
        "arn:aws:iot:aws-region:aws-account-id:thing/TestDevice"
    ]
}

The iot:ListTunnels policy action grants a principal permission to call ListTunnels.

In the Resource element of the IAM policy statement:

  • Specify the wildcard tunnel ARN:

    arn:aws:iot:aws-region:aws-account-id:tunnel/*

  • Specify a thing ARN to manage the ListTunnels permission on selected IoT things:

    arn:aws:iot:aws-region:aws-account-id:thing/thing-name

The iot:ListTunnels policy action supports the condition key aws:SecureTransport.

The following policy statement allows you to list tunnels for the thing named TestDevice.

{
    "Effect": "Allow",
    "Action": "iot:ListTunnels",
    "Resource": [
        "arn:aws:iot:aws-region:aws-account-id:tunnel/*",
        "arn:aws:iot:aws-region:aws-account-id:thing/TestDevice"
    ]
}

The iot:ListTagsForResource policy action grants a principal permission to call ListTagsForResource.

In the Resource element of the IAM policy statement, specify a fully qualified tunnel ARN:

arn:aws:iot:aws-region: aws-account-id:tunnel/tunnel-id

You can also use the wildcard tunnel ARN:

arn:aws:iot:aws-region:aws-account-id:tunnel/*

The iot:ListTagsForResource policy action supports the condition key aws:SecureTransport.

The iot:ListTagsForResource policy action grants a principal permission to call ListTagsForResource.

In the Resource element of the IAM policy statement, specify a fully qualified tunnel ARN:

arn:aws:iot:aws-region: aws-account-id:tunnel/tunnel-id

You can also use the wildcard tunnel ARN:

arn:aws:iot:aws-region:aws-account-id:tunnel/*

The iot:ListTagsForResource policy action supports the condition key aws:SecureTransport.

The iot:CloseTunnel policy action grants a principal permission to call CloseTunnel.

In the Resource element of the IAM policy statement, specify a fully qualified tunnel ARN:

arn:aws:iot:aws-region: aws-account-id:tunnel/tunnel-id

You can also use the wildcard tunnel ARN:

arn:aws:iot:aws-region:aws-account-id:tunnel/*

The iot:CloseTunnel policy action supports the following condition keys:

  • iot:Delete

  • aws:ResourceTag/tag-key

  • aws:SecureTransport

The following policy statement allows you to call CloseTunnel if the request's Delete parameter is false and the requested is tagged with the key Owner with a value of QATeam.

{
    "Effect": "Allow",
    "Action": "iot:CloseTunnel",
    "Resource": [
        "arn:aws:iot:aws-region:aws-account-id:tunnel/*"
    ],
    "Condition": {
        "Bool": {
            "iot:Delete": "false"
        },
        "StringEquals": {
            "aws:ResourceTag/Owner": "QATeam"
        }
    }
}

The iot:CloseTunnel policy action grants a principal permission to call CloseTunnel.

In the Resource element of the IAM policy statement, specify a fully qualified tunnel ARN:

arn:aws:iot:aws-region: aws-account-id:tunnel/tunnel-id

You can also use the wildcard tunnel ARN:

arn:aws:iot:aws-region:aws-account-id:tunnel/*

The iot:CloseTunnel policy action supports the following condition keys:

  • iot:Delete

  • aws:ResourceTag/tag-key

  • aws:SecureTransport

The following policy statement allows you to call CloseTunnel if the request's Delete parameter is false and the requested is tagged with the key Owner with a value of QATeam.

{
    "Effect": "Allow",
    "Action": "iot:CloseTunnel",
    "Resource": [
        "arn:aws:iot:aws-region:aws-account-id:tunnel/*"
    ],
    "Condition": {
        "Bool": {
            "iot:Delete": "false"
        },
        "StringEquals": {
            "aws:ResourceTag/Owner": "QATeam"
        }
    }
}

The iot:TagResource policy action grants a principal permission to call TagResource.

In the Resource element of the IAM policy statement, specify a fully qualified tunnel ARN:

arn:aws:iot:aws-region: aws-account-id:tunnel/tunnel-id

You can also use the wildcard tunnel ARN:

arn:aws:iot:aws-region:aws-account-id:tunnel/*

The iot:TagResource policy action supports the condition key aws:SecureTransport.

The iot:TagResource policy action grants a principal permission to call TagResource.

In the Resource element of the IAM policy statement, specify a fully qualified tunnel ARN:

arn:aws:iot:aws-region: aws-account-id:tunnel/tunnel-id

You can also use the wildcard tunnel ARN:

arn:aws:iot:aws-region:aws-account-id:tunnel/*

The iot:TagResource policy action supports the condition key aws:SecureTransport.

The iot:UntagResource policy action grants a principal permission to call UntagResource.

In the Resource element of the IAM policy statement, specify a fully qualified tunnel ARN:

arn:aws:iot:aws-region: aws-account-id:tunnel/tunnel-id

You can also use the wildcard tunnel ARN:

arn:aws:iot:aws-region:aws-account-id:tunnel/*

The iot:UntagResource policy action supports the condition key aws:SecureTransport.

The iot:UntagResource policy action grants a principal permission to call UntagResource.

In the Resource element of the IAM policy statement, specify a fully qualified tunnel ARN:

arn:aws:iot:aws-region: aws-account-id:tunnel/tunnel-id

You can also use the wildcard tunnel ARN:

arn:aws:iot:aws-region:aws-account-id:tunnel/*

The iot:UntagResource policy action supports the condition key aws:SecureTransport.

On this page

Related resources

AWS IoT Core API Reference
AWS CLI commands for AWS IoT Core
SDKs & Tools 

Related resources

AWS IoT Core API Reference
AWS CLI commands for AWS IoT Core
SDKs & Tools 
PrivacySite termsCookie preferences
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.