Example: Secure access to an AWS IoT Events alarm model

This example demonstrates how to create an IAM policy that allows AWS IoT Events to securely access alarm models. The policy uses conditions to ensure that only the specified AWS account and AWS IoT Events service can assume the role.

In this example, the role can access any alarm model within the specified AWS account, as indicated by the * wildcard in the alarm model ARN. The aws:SourceAccount and aws:SourceArn conditions work together to prevent the confused deputy problem.


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "iotevents.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "account_id"
        },
        "ArnEquals": {
          "aws:SourceArn": "arn:aws:iotevents:region:account_id:alarmModel/*"
        }
      }
    }
  ]
}

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Example: Secure access to a detector model

Example: Access a resource in a specified region