Example: Secure access to an AWS IoT Events detector model - AWS IoT Events

This example shows how to create an IAM policy that securely grants access to a specific detector model in AWS IoT Events. The policy's Condition block ensures that only the AWS IoT Events service, acting for the specified AWS account (aws:SourceAccount) and the specified detector model (aws:SourceArn), can assume the role, adding an extra layer of security. In this example, the role can only access the detector model named WindTurbine01.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "iotevents.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "account_id"
        },
        "ArnEquals": {
          "aws:SourceArn": "arn:aws:iotevents:region:account_id:detectorModel/WindTurbine01"
        }
      }
    }
  ]
}
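The following check is an added example, not code from AWS or from this page: it audits a policy of the shape above and reports statements that let AWS IoT Events assume the role without both conditions. It goes beyond the page's single case by also flagging an aws:SourceArn that contains wildcards; the function names and the two weakened sample policies are assumptions made for illustration.

```python
# ArnEquals and ArnLike both honour * and ? wildcards, so either can be too broad.
ARN_OPS = {"ArnEquals", "ArnLike", "StringEquals", "StringLike"}

def as_list(value):
    return value if isinstance(value, list) else [value]

def condition_values(stmt, key, operators):
    """Values for `key` under the given operators (condition keys are case-insensitive)."""
    values = []
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator in operators:
            values += [v for k, vs in pairs.items() if k.lower() == key.lower()
                       for v in as_list(vs)]
    return values

def audit_trust_policy(policy, service="iotevents.amazonaws.com"):
    """Return findings for statements that let `service` assume the role
    without an exact aws:SourceAccount and a single-model aws:SourceArn."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        principal = stmt.get("Principal", {})
        services = as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or service not in services:
            continue
        if not {"sts:AssumeRole", "sts:*", "*"} & set(as_list(stmt.get("Action", []))):
            continue
        if not condition_values(stmt, "aws:SourceAccount", {"StringEquals"}):
            findings.append(f"Statement {i}: no StringEquals on aws:SourceAccount")
        arns = condition_values(stmt, "aws:SourceArn", ARN_OPS)
        if not arns:
            findings.append(f"Statement {i}: no aws:SourceArn condition")
        for arn in arns:
            resource = arn.split(":", 5)[-1]  # the part after the account ID
            if "*" in resource or "?" in resource:
                findings.append(f"Statement {i}: aws:SourceArn {arn} is not pinned to one detector model")
    return findings

# Constructed inputs: the page's policy (placeholders kept) and two weakened variants.
def make_policy(condition):
    stmt = {"Effect": "Allow", "Principal": {"Service": ["iotevents.amazonaws.com"]},
            "Action": "sts:AssumeRole"}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}

PINNED = make_policy({"StringEquals": {"aws:SourceAccount": "account_id"},
    "ArnEquals": {"aws:SourceArn": "arn:aws:iotevents:region:account_id:detectorModel/WindTurbine01"}})
WILDCARD = make_policy({"StringEquals": {"aws:SourceAccount": "account_id"},
    "ArnLike": {"aws:SourceArn": "arn:aws:iotevents:region:account_id:detectorModel/*"}})
OPEN = make_policy(None)
```

Running audit_trust_policy over each role's trust policy before deployment catches a role that any detector model in the account, or any account's use of the service, could cause AWS IoT Events to assume.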