Actions, resources, and condition keys for AWS IoT - Service Authorization Reference

Actions, resources, and condition keys for AWS IoT

AWS IoT (service prefix: iot) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions defined by AWS IoT

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note

Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see Actions table.

Actions Description Access level Resource types (*required) Condition keys Dependent actions
AcceptCertificateTransfer Grants permission to accept a pending certificate transfer Write

cert*

AddThingToBillingGroup Grants permission to add a thing to the specified billing group Write

billinggroup*

thing*

AddThingToThingGroup Grants permission to add a thing to the specified thing group Write

thing*

thinggroup*

AssociateSbomWithPackageVersion Grants permission to associate SBOM files to a package version Write

packageversion*

iot:GetIndexingConfiguration

AssociateTargetsWithJob Grants permission to associate a group with a continuous job Write

job*

thing*

thinggroup*

AttachPolicy Grants permission to attach a policy to the specified target Permissions management

cert

thinggroup

AttachPrincipalPolicy Grants permission to attach the specified policy to the specified principal (certificate or other credential) Permissions management

cert

AttachSecurityProfile Grants permission to associate a Device Defender security profile with a thing group or with this account Write

securityprofile*

custommetric

dimension

thinggroup

AttachThingPrincipal Grants permission to attach the specified principal to the specified thing Write
CancelAuditMitigationActionsTask Grants permission to cancel a mitigation action task that is in progress Write
CancelAuditTask Grants permission to cancel an audit that is in progress. The audit can be either scheduled or on-demand Write
CancelCertificateTransfer Grants permission to cancel a pending transfer for the specified certificate Write

cert*

CancelDetectMitigationActionsTask Grants permission to cancel a Device Defender ML Detect mitigation action Write
CancelJob Grants permission to cancel a job Write

job*

CancelJobExecution Grants permission to cancel a job execution on a particular device Write

job*

thing*

ClearDefaultAuthorizer Grants permission to clear the default authorizer Write
CloseTunnel Grants permission to close a tunnel Write

tunnel*

iot:Delete

ConfirmTopicRuleDestination Grants permission to confirm a http url TopicRuleDestinationDestination Write

destination*

Connect Grants permission to connect as the specified client Write

client*

CreateAuditSuppression Grants permission to create a Device Defender audit suppression Write
CreateAuthorizer Grants permission to create an authorizer Write

authorizer*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateBillingGroup Grants permission to create a billing group Write

billinggroup*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateCertificateFromCsr Grants permission to create an X.509 certificate using the specified certificate signing request Write
CreateCertificateProvider Grants permission to create a certificate provider Write

certificateprovider*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateCommand Grants permission to create a command that can be used to start new executions against a device Write

command*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateCustomMetric Grants permission to create a custom metric for device side metric reporting and monitoring Write

custommetric*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateDimension Grants permission to define a dimension that can be used to to limit the scope of a metric used in a security profile Write

dimension*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateDomainConfiguration Grants permission to create a domain configuration Write

domainconfiguration*

aws:RequestTag/${TagKey}

aws:TagKeys

iot:DomainName

CreateDynamicThingGroup Grants permission to create a Dynamic Thing Group Write

dynamicthinggroup*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateFleetMetric Grants permission to create a fleet metric Write

fleetmetric*

index*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateJob Grants permission to create a job Write

job*

thing*

thinggroup*

jobtemplate

package

packageversion

aws:RequestTag/${TagKey}

aws:TagKeys

CreateJobTemplate Grants permission to create a job template Write

jobtemplate*

job

package

packageversion

aws:RequestTag/${TagKey}

aws:TagKeys

CreateKeysAndCertificate Grants permission to create a 2048 bit RSA key pair and issues an X.509 certificate using the issued public key Write
CreateMitigationAction Grants permission to define an action that can be applied to audit findings by using StartAuditMitigationActionsTask Write

mitigationaction*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateOTAUpdate Grants permission to create an OTA update job Write

otaupdate*

aws:RequestTag/${TagKey}

aws:TagKeys

CreatePackage Grants permission to create a software package that you can deploy to your devices Write

package*

iot:GetIndexingConfiguration

aws:RequestTag/${TagKey}

aws:TagKeys

CreatePackageVersion Grants permission to create a version under the specified package Write

package*

iot:GetIndexingConfiguration

s3:GetObjectVersion

packageversion*

aws:RequestTag/${TagKey}

aws:TagKeys

CreatePolicy Grants permission to create an AWS IoT policy Write

policy*

aws:RequestTag/${TagKey}

aws:TagKeys

CreatePolicyVersion Grants permission to create a new version of the specified AWS IoT policy Write

policy*

CreateProvisioningClaim Grants permission to create a provisioning claim Write

provisioningtemplate*

CreateProvisioningTemplate Grants permission to create a fleet provisioning template Write

provisioningtemplate*

iam:PassRole

aws:RequestTag/${TagKey}

aws:TagKeys

CreateProvisioningTemplateVersion Grants permission to create a new version of a fleet provisioning template Write

provisioningtemplate*

CreateRoleAlias Grants permission to create a role alias Write

rolealias*

iam:PassRole

aws:RequestTag/${TagKey}

aws:TagKeys

CreateScheduledAudit Grants permission to create a scheduled audit that is run at a specified time interval Write

scheduledaudit*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateSecurityProfile Grants permission to create a Device Defender security profile Write

securityprofile*

custommetric

dimension

aws:RequestTag/${TagKey}

aws:TagKeys

CreateStream Grants permission to create a new AWS IoT stream Write

stream*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateThing Grants permission to create a thing in the thing registry Write

thing*

billinggroup

CreateThingGroup Grants permission to create a thing group Write

thinggroup*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateThingType Grants permission to create a new thing type Write

thingtype*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateTopicRule Grants permission to create a rule Write

rule*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateTopicRuleDestination Grants permission to create a TopicRuleDestination Write

destination*

DeleteAccountAuditConfiguration Grants permission to delete the audit configuration associated with the account Write
DeleteAuditSuppression Grants permission to delete a Device Defender audit suppression Write
DeleteAuthorizer Grants permission to delete the specified authorizer Write

authorizer*

DeleteBillingGroup Grants permission to delete the specified billing group Write

billinggroup*

DeleteCACertificate Grants permission to delete a registered CA certificate Write

cacert*

DeleteCertificate Grants permission to delete the specified certificate Write

cert*

DeleteCertificateProvider Grants permission to delete a certificate provider Write

certificateprovider*

DeleteCommand Grants permission to delete a command Write

command*

DeleteCommandExecution Grants permission to delete a command execution Write

client

thing

DeleteCustomMetric Grants permission to deletes the specified custom metric from your AWS account Write

custommetric*

DeleteDimension Grants permission to remove the specified dimension from your AWS account Write

dimension*

DeleteDomainConfiguration Grants permission to delete a domain configuration Write

domainconfiguration*

DeleteDynamicThingGroup Grants permission to delete the specified Dynamic Thing Group Write

dynamicthinggroup*

DeleteFleetMetric Grants permission to delete the specified fleet metric Write

fleetmetric*

DeleteJob Grants permission to delete a job and its related job executions Write

job*

DeleteJobExecution Grants permission to delete a job execution Write

job*

thing*

DeleteJobTemplate Grants permission to delete a job template Write

jobtemplate*

DeleteMitigationAction Grants permission to delete a defined mitigation action from your AWS account Write

mitigationaction*

DeleteOTAUpdate Grants permission to delete an OTA update job Write

otaupdate*

DeletePackage Grants permission to delete a package Write

package*

DeletePackageVersion Grants permission to delete a version of the specified package Write

package*

packageversion*

DeletePolicy Grants permission to delete the specified policy Write

policy*

DeletePolicyVersion Grants permission to Delete the specified version of the specified policy Write

policy*

DeleteProvisioningTemplate Grants permission to delete a fleet provisioning template Write

provisioningtemplate*

DeleteProvisioningTemplateVersion Grants permission to delete a fleet provisioning template version Write

provisioningtemplate*

DeleteRegistrationCode Grants permission to delete a CA certificate registration code Write
DeleteRoleAlias Grants permission to delete the specified role alias Write

rolealias*

DeleteScheduledAudit Grants permission to delete a scheduled audit Write

scheduledaudit*

DeleteSecurityProfile Grants permission to delete a Device Defender security profile Write

securityprofile*

custommetric

dimension

DeleteStream Grants permission to delete a specified stream Write

stream*

DeleteThing Grants permission to delete the specified thing Write

thing*

DeleteThingGroup Grants permission to delete the specified thing group Write

thinggroup*

DeleteThingShadow Grants permission to delete the specified thing shadow Write

thing*

DeleteThingType Grants permission to delete the specified thing type Write

thingtype*

DeleteTopicRule Grants permission to delete the specified rule Write

rule*

DeleteTopicRuleDestination Grants permission to delete a TopicRuleDestination Write

destination*

DeleteV2LoggingLevel Grants permission to delete the specified v2 logging level Write
DeprecateThingType Grants permission to deprecate the specified thing type Write

thingtype*

DescribeAccountAuditConfiguration Grants permission to get information about audit configurations for the account Read
DescribeAuditFinding Grants permission to get information about a single audit finding. Properties include the reason for noncompliance, the severity of the issue, and when the audit that returned the finding was started Read
DescribeAuditMitigationActionsTask Grants permission to get information about an audit mitigation task that is used to apply mitigation actions to a set of audit findings Read
DescribeAuditSuppression Grants permission to get information about a Device Defender audit suppression Read
DescribeAuditTask Grants permission to get information about a Device Defender audit Read
DescribeAuthorizer Grants permission to describe an authorizer Read

authorizer*

DescribeBillingGroup Grants permission to get information about the specified billing group Read

billinggroup*

DescribeCACertificate Grants permission to describe a registered CA certificate Read

cacert*

DescribeCertificate Grants permission to get information about the specified certificate Read

cert*

DescribeCertificateProvider Grants permission to describe a certificate provider Read

certificateprovider*

DescribeCustomMetric Grants permission to describe a custom metric that is defined in your AWS account Read

custommetric*

DescribeDefaultAuthorizer Grants permission to describe the default authorizer Read
DescribeDetectMitigationActionsTask Grants permission to describe a Device Defender ML Detect mitigation action Read
DescribeDimension Grants permission to get details about a dimension that is defined in your AWS account Read

dimension*

DescribeDomainConfiguration Grants permission to get information about the domain configuration Read

domainconfiguration*

DescribeEndpoint Grants permission to get a unique endpoint specific to the AWS account making the call Read
DescribeEventConfigurations Grants permission to get account event configurations Read
DescribeFleetMetric Grants permission to get information about the specified fleet metric Read

fleetmetric*

DescribeIndex Grants permission to get information about the specified index Read

index*

DescribeJob Grants permission to describe a job Read

job*

DescribeJobExecution Grants permission to describe a job execution Read

job

thing

DescribeJobTemplate Grants permission to describe a job template Read

jobtemplate*

DescribeManagedJobTemplate Grants permission to describe a managed job template Read

jobtemplate*

DescribeMitigationAction Grants permission to get information about a mitigation action Read

mitigationaction*

DescribeProvisioningTemplate Grants permission to get information about a fleet provisioning template Read

provisioningtemplate*

DescribeProvisioningTemplateVersion Grants permission to get information about a fleet provisioning template version Read

provisioningtemplate*

DescribeRoleAlias Grants permission to describe a role alias Read

rolealias*

DescribeScheduledAudit Grants permission to get information about a scheduled audit Read

scheduledaudit*

DescribeSecurityProfile Grants permission to get information about a Device Defender security profile Read

securityprofile*

DescribeStream Grants permission to get information about the specified stream Read

stream*

DescribeThing Grants permission to get information about the specified thing Read

thing*

DescribeThingGroup Grants permission to get information about the specified thing group Read

thinggroup*

DescribeThingRegistrationTask Grants permission to get information about the bulk thing registration task Read
DescribeThingType Grants permission to get information about the specified thing type Read

thingtype*

DescribeTunnel Grants permission to describe a tunnel Read

tunnel*

DetachPolicy Grants permission to detach a policy from the specified target Permissions management

cert

thinggroup

DetachPrincipalPolicy Grants permission to remove the specified policy from the specified certificate Permissions management

cert

DetachSecurityProfile Grants permission to disassociate a Device Defender security profile from a thing group or from this account Write

securityprofile*

custommetric

dimension

thinggroup

DetachThingPrincipal Grants permission to detach the specified principal from the specified thing Write
DisableTopicRule Grants permission to disable the specified rule Write

rule*

DisassociateSbomFromPackageVersion Grants permission to disassociate SBOM files from a package version Write

packageversion*

EnableTopicRule Grants permission to enable the specified rule Write

rule*

GetBehaviorModelTrainingSummaries Grants permission to fetch a Device Defender's ML Detect Security Profile training model's status List

securityprofile

GetBucketsAggregation Grants permission to get buckets aggregation for IoT fleet index Read

index*

GetCardinality Grants permission to get cardinality for IoT fleet index Read

index*

GetCommand Grants permission to get the information about the command Read

command*

GetCommandExecution Grants permission to get the information of a command execution Read

client

thing

GetEffectivePolicies Grants permission to get effective policies Read

cert

GetIndexingConfiguration Grants permission to get current fleet indexing configuration Read
GetJobDocument Grants permission to get a job document Read

job*

GetLoggingOptions Grants permission to get the logging options Read
GetOTAUpdate Grants permission to get the information about the OTA update job Read

otaupdate*

GetPackage Grants permission to get the information about the package Read

package*

GetPackageConfiguration Grants permission to get the package configuration of the account Read
GetPackageVersion Grants permission to get the version of the package Read

package*

packageversion*

GetPercentiles Grants permission to get percentiles for IoT fleet index Read

index*

GetPolicy Grants permission to get information about the specified policy with the policy document of the default version Read

policy*

GetPolicyVersion Grants permission to get information about the specified policy version Read

policy*

GetRegistrationCode Grants permission to get a registration code used to register a CA certificate with AWS IoT Read
GetRetainedMessage Grants permission to get the retained message on the specified topic Read

topic*

GetStatistics Grants permission to get statistics for IoT fleet index Read

index*

GetThingConnectivityData Grants permission to get the thing's connectivity data Read

thing*

GetThingShadow Grants permission to get the thing shadow Read

thing*

GetTopicRule Grants permission to get information about the specified rule Read

rule*

GetTopicRuleDestination Grants permission to get a TopicRuleDestination Read

destination*

GetV2LoggingOptions Grants permission to get v2 logging options Read
ListActiveViolations Grants permission to list the active violations for a given Device Defender security profile or Thing List

securityprofile

thing

ListAttachedPolicies Grants permission to list the policies attached to the specified thing group List
ListAuditFindings Grants permission to list the findings (results) of a Device Defender audit or of the audits performed during a specified time period List
ListAuditMitigationActionsExecutions Grants permission to get the status of audit mitigation action tasks that were executed List
ListAuditMitigationActionsTasks Grants permission to get a list of audit mitigation action tasks that match the specified filters List
ListAuditSuppressions Grants permission to list your Device Defender audit suppressions List
ListAuditTasks Grants permission to list the Device Defender audits that have been performed during a given time period List
ListAuthorizers Grants permission to list the authorizers registered in your account List
ListBillingGroups Grants permission to list all billing groups List
ListCACertificates Grants permission to list the CA certificates registered for your AWS account List
ListCertificateProviders Grants permission to list certificate providers in the account List
ListCertificates Grants permission to list your certificates List
ListCertificatesByCA Grants permission to list the device certificates signed by the specified CA certificate List
ListCommandExecutions Grants permission to list commands executions in the account List

client

command

thing

ListCommands Grants permission to list commands in the account List
ListCustomMetrics Grants permission to list the custom metrics in your AWS account List
ListDetectMitigationActionsExecutions Grants permission to lists mitigation actions executions for a Device Defender ML Detect Security Profile List

thing

ListDetectMitigationActionsTasks Grants permission to list Device Defender ML Detect mitigation actions tasks List
ListDimensions Grants permission to list the dimensions that are defined for your AWS account List
ListDomainConfigurations Grants permission to list the domain configuration created by your AWS account List
ListFleetMetrics Grants permission to list the fleet metrics in your account List
ListIndices Grants permission to list all indices for fleet index List
ListJobExecutionsForJob Grants permission to list the job executions for a job List

job*

ListJobExecutionsForThing Grants permission to list the job executions for the specified thing List

thing*

ListJobTemplates Grants permission to list job templates List
ListJobs Grants permission to list jobs List
ListManagedJobTemplates Grants permission to list managed job templates List
ListMetricValues Grants permissions to list the metric values for a thing based on the metricName, and dimension if specified List

thing*

ListMitigationActions Grants permission to get a list of all mitigation actions that match the specified filter criteria List
ListNamedShadowsForThing Grants permission to list all named shadows for a given thing List

thing*

ListOTAUpdates Grants permission to list OTA update jobs in the account List
ListOutgoingCertificates Grants permission to list certificates that are being transfered but not yet accepted List
ListPackageVersions Grants permission to list versions for a package in the account List
ListPackages Grants permission to list packages in the account List
ListPolicies Grants permission to list your policies List
ListPolicyPrincipals Grants permission to list the principals associated with the specified policy List
ListPolicyVersions Grants permission to list the versions of the specified policy, and identifies the default version List

policy*

ListPrincipalPolicies Grants permission to list the policies attached to the specified principal. If you use an Amazon Cognito identity, the ID needs to be in Amazon Cognito Identity format List
ListPrincipalThings Grants permission to list the things associated with the specified principal List
ListProvisioningTemplateVersions Grants permission to get a list of fleet provisioning template versions List

provisioningtemplate*

ListProvisioningTemplates Grants permission to list the fleet provisioning templates in your AWS account List
ListRelatedResourcesForAuditFinding Grants permission to list related resources for a single audit finding List
ListRetainedMessages Grants permission to list the retained messages for your account List
ListRoleAliases Grants permission to list role aliases List
ListSbomValidationResults Grants permission to list SBOM validation results of a package version List

packageversion*

ListScheduledAudits Grants permission to list all of your scheduled audits List
ListSecurityProfiles Grants permission to list the Device Defender security profiles you have created List

custommetric

dimension

ListSecurityProfilesForTarget Grants permission to list the Device Defender security profiles attached to a target List

thinggroup

ListStreams Grants permission to list the streams in your account List
ListTagsForResource Grants permission to list all tags for a given resource Read

authorizer

billinggroup

cacert

certificateprovider

command

custommetric

dimension

domainconfiguration

dynamicthinggroup

fleetmetric

job

jobtemplate

mitigationaction

otaupdate

policy

provisioningtemplate

rolealias

rule

scheduledaudit

securityprofile

stream

thinggroup

thingtype

ListTargetsForPolicy Grants permission to list targets for the specified policy List

policy*

ListTargetsForSecurityProfile Grants permission to list the targets associated with a given Device Defender security profile List

securityprofile*

ListThingGroups Grants permission to list all thing groups List
ListThingGroupsForThing Grants permission to list thing groups to which the specified thing belongs List

thing*

ListThingPrincipals Grants permission to list the principals associated with the specified thing List
ListThingRegistrationTaskReports Grants permission to list information about bulk thing registration tasks List
ListThingRegistrationTasks Grants permission to list bulk thing registration tasks List
ListThingTypes Grants permission to list all thing types List
ListThings Grants permission to list all things List
ListThingsInBillingGroup Grants permission to list all things in the specified billing group List

billinggroup*

ListThingsInThingGroup Grants permission to list all things in the specified thing group List

thinggroup*

ListTopicRuleDestinations Grants permission to list all TopicRuleDestinations List
ListTopicRules Grants permission to list the rules for the specific topic List
ListTunnels Grants permission to list tunnels List
ListV2LoggingLevels Grants permission to list the v2 logging levels List
ListViolationEvents Grants permission to list the Device Defender security profile violations discovered during the given time period List

securityprofile

thing

OpenTunnel Grants permission to open a tunnel Write

aws:RequestTag/${TagKey}

aws:TagKeys

iot:ThingGroupArn

iot:TunnelDestinationService

Publish Grants permission to publish to the specified topic Write

topic*

PutVerificationStateOnViolation Grants permission to put verification state on a violation Write
Receive Grants permission to receive from the specified topic Write

topic*

RegisterCACertificate Grants permission to register a CA certificate with AWS IoT Write

aws:RequestTag/${TagKey}

aws:TagKeys

iam:PassRole

RegisterCertificate Grants permission to register a device certificate with AWS IoT Write
RegisterCertificateWithoutCA Grants permission to register a device certificate with AWS IoT without a registered CA (certificate authority) Write
RegisterThing Grants permission to register your thing Write
RejectCertificateTransfer Grants permission to reject a pending certificate transfer Write

cert*

RemoveThingFromBillingGroup Grants permission to remove thing from the specified billing group Write

billinggroup*

thing*

RemoveThingFromThingGroup Grants permission to remove thing from the specified thing group Write

thing*

thinggroup*

ReplaceTopicRule Grants permission to replace the specified rule Write

rule*

RetainPublish Grants permission to publish a retained message to the specified topic Write

topic*

RotateTunnelAccessToken Grants permission to rotate the access token of a tunnel Write

tunnel*

iot:ThingGroupArn

iot:TunnelDestinationService

iot:ClientMode

SearchIndex Grants permission to search IoT fleet index Read

index*

SetDefaultAuthorizer Grants permission to set the default authorizer. This will be used if a websocket connection is made without specifying an authorizer Permissions management

authorizer*

SetDefaultPolicyVersion Grants permission to set the specified version of the specified policy as the policy's default (operative) version Permissions management

policy*

SetLoggingOptions Grants permission to set the logging options Write
SetV2LoggingLevel Grants permission to set the v2 logging level Write
SetV2LoggingOptions Grants permission to set the v2 logging options Write
StartAuditMitigationActionsTask Grants permission to start a task that applies a set of mitigation actions to the specified target Write
StartCommandExecution Grants permission to start a new command execution Write

command*

client

thing

iot:CommandExecutionParameterString/${CommandParameterName}

iot:CommandExecutionParameterBoolean/${CommandParameterName}

iot:CommandExecutionParameterNumber/${CommandParameterName}

StartDetectMitigationActionsTask Grants permission to start a Device Defender ML Detect mitigation actions task Write

securityprofile

StartOnDemandAuditTask Grants permission to start an on-demand Device Defender audit Write
StartThingRegistrationTask Grants permission to start a bulk thing registration task Write
StopThingRegistrationTask Grants permission to stop a bulk thing registration task Write
Subscribe Grants permission to subscribe to the specified TopicFilter Write

topicfilter*

TagResource Grants permission to tag a specified resource Tagging

authorizer

billinggroup

cacert

certificateprovider

command

custommetric

dimension

domainconfiguration

dynamicthinggroup

fleetmetric

job

jobtemplate

mitigationaction

otaupdate

package

packageversion

policy

provisioningtemplate

rolealias

rule

scheduledaudit

securityprofile

stream

thinggroup

thingtype

aws:RequestTag/${TagKey}

aws:TagKeys

TestAuthorization Grants permission to test the policies evaluation for group policies Read

cert

TestInvokeAuthorizer Grants permission to test invoke the specified custom authorizer for testing purposes Read

authorizer*

TransferCertificate Grants permission to transfer the specified certificate to the specified AWS account Write

cert*

UntagResource Grants permission to untag a specified resource Tagging

authorizer

billinggroup

cacert

certificateprovider

command

custommetric

dimension

domainconfiguration

dynamicthinggroup

fleetmetric

job

jobtemplate

mitigationaction

otaupdate

package

packageversion

policy

provisioningtemplate

rolealias

rule

scheduledaudit

securityprofile

stream

thinggroup

thingtype

aws:TagKeys

UpdateAccountAuditConfiguration Grants permission to configure or reconfigure the Device Defender audit settings for this account Write
UpdateAuditSuppression Grants permission to update a Device Defender audit suppression Write
UpdateAuthorizer Grants permission to update an authorizer Write

authorizer*

UpdateBillingGroup Grants permission to update information associated with the specified billing group Write

billinggroup*

UpdateCACertificate Grants permission to update a registered CA certificate Write

cacert*

iam:PassRole

UpdateCertificate Grants permission to update the status of the specified certificate. This operation is idempotent Write

cert*

UpdateCertificateProvider Grants permission to update a certificate provider Write

certificateprovider*

UpdateCommand Grants permission to update a command Write

command*

UpdateCustomMetric Grants permission to update the specified custom metric Write

custommetric*

UpdateDimension Grants permission to update the definition for a dimension Write

dimension*

UpdateDomainConfiguration Grants permission to update a domain configuration Write

domainconfiguration*

UpdateDynamicThingGroup Grants permission to update a Dynamic Thing Group Write

dynamicthinggroup*

UpdateEventConfigurations Grants permission to update event configurations Write
UpdateFleetMetric Grants permission to update a fleet metric Write

fleetmetric*

index*

UpdateIndexingConfiguration Grants permission to update fleet indexing configuration Write
UpdateJob Grants permission to update a job Write

job*

UpdateMitigationAction Grants permission to update the definition for the specified mitigation action Write

mitigationaction*

UpdatePackage Grants permission to update a package Write

package*

iot:GetIndexingConfiguration

UpdatePackageConfiguration Grants permission to update the package configuration of the account Write

iam:PassRole

UpdatePackageVersion Grants permission to update the version of the specified package Write

package*

iot:GetIndexingConfiguration

s3:GetObjectVersion

packageversion*

UpdateProvisioningTemplate Grants permission to update a fleet provisioning template Write

provisioningtemplate*

iam:PassRole

UpdateRoleAlias Grants permission to update the role alias Write

rolealias*

iam:PassRole

UpdateScheduledAudit Grants permission to update a scheduled audit, including what checks are performed and how often the audit takes place Write

scheduledaudit*

UpdateSecurityProfile Grants permission to update a Device Defender security profile Write

securityprofile*

custommetric

dimension

UpdateStream Grants permission to update the data for a stream Write

stream*

UpdateThing Grants permission to update information associated with the specified thing Write

thing*

UpdateThingGroup Grants permission to update information associated with the specified thing group Write

thinggroup*

UpdateThingGroupsForThing Grants permission to update the thing groups to which the thing belongs Write

thing*

thinggroup

UpdateThingShadow Grants permission to update the thing shadow Write

thing*

UpdateThingType Grants permission to update information associated with the specified thing type Write

thingtype*

UpdateTopicRuleDestination Grants permission to update a TopicRuleDestination Write

destination*

ValidateSecurityProfileBehaviors Grants permission to validate a Device Defender security profile behaviors specification Read

Resource types defined by AWS IoT

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see Resource types table.

Resource types ARN Condition keys
client arn:${Partition}:iot:${Region}:${Account}:client/${ClientId}
index arn:${Partition}:iot:${Region}:${Account}:index/${IndexName}
fleetmetric arn:${Partition}:iot:${Region}:${Account}:fleetmetric/${FleetMetricName}

aws:ResourceTag/${TagKey}

job arn:${Partition}:iot:${Region}:${Account}:job/${JobId}

aws:ResourceTag/${TagKey}

jobtemplate arn:${Partition}:iot:${Region}:${Account}:jobtemplate/${JobTemplateId}

aws:ResourceTag/${TagKey}

tunnel arn:${Partition}:iot:${Region}:${Account}:tunnel/${TunnelId}

aws:ResourceTag/${TagKey}

thing arn:${Partition}:iot:${Region}:${Account}:thing/${ThingName}
thinggroup arn:${Partition}:iot:${Region}:${Account}:thinggroup/${ThingGroupName}

aws:ResourceTag/${TagKey}

billinggroup arn:${Partition}:iot:${Region}:${Account}:billinggroup/${BillingGroupName}

aws:ResourceTag/${TagKey}

dynamicthinggroup arn:${Partition}:iot:${Region}:${Account}:thinggroup/${ThingGroupName}

aws:ResourceTag/${TagKey}

thingtype arn:${Partition}:iot:${Region}:${Account}:thingtype/${ThingTypeName}

aws:ResourceTag/${TagKey}

topic arn:${Partition}:iot:${Region}:${Account}:topic/${TopicName}
topicfilter arn:${Partition}:iot:${Region}:${Account}:topicfilter/${TopicFilter}
rolealias arn:${Partition}:iot:${Region}:${Account}:rolealias/${RoleAlias}

aws:ResourceTag/${TagKey}

authorizer arn:${Partition}:iot:${Region}:${Account}:authorizer/${AuthorizerName}

aws:ResourceTag/${TagKey}

policy arn:${Partition}:iot:${Region}:${Account}:policy/${PolicyName}

aws:ResourceTag/${TagKey}

cert arn:${Partition}:iot:${Region}:${Account}:cert/${Certificate}
cacert arn:${Partition}:iot:${Region}:${Account}:cacert/${CACertificate}

aws:ResourceTag/${TagKey}

stream arn:${Partition}:iot:${Region}:${Account}:stream/${StreamId}

aws:ResourceTag/${TagKey}

otaupdate arn:${Partition}:iot:${Region}:${Account}:otaupdate/${OtaUpdateId}

aws:ResourceTag/${TagKey}

scheduledaudit arn:${Partition}:iot:${Region}:${Account}:scheduledaudit/${ScheduleName}

aws:ResourceTag/${TagKey}

mitigationaction arn:${Partition}:iot:${Region}:${Account}:mitigationaction/${MitigationActionName}

aws:ResourceTag/${TagKey}

securityprofile arn:${Partition}:iot:${Region}:${Account}:securityprofile/${SecurityProfileName}

aws:ResourceTag/${TagKey}

custommetric arn:${Partition}:iot:${Region}:${Account}:custommetric/${MetricName}

aws:ResourceTag/${TagKey}

dimension arn:${Partition}:iot:${Region}:${Account}:dimension/${DimensionName}

aws:ResourceTag/${TagKey}

rule arn:${Partition}:iot:${Region}:${Account}:rule/${RuleName}

aws:ResourceTag/${TagKey}

destination arn:${Partition}:iot:${Region}:${Account}:destination/${DestinationType}/${Uuid}
provisioningtemplate arn:${Partition}:iot:${Region}:${Account}:provisioningtemplate/${ProvisioningTemplate}

aws:ResourceTag/${TagKey}

domainconfiguration arn:${Partition}:iot:${Region}:${Account}:domainconfiguration/${DomainConfigurationName}/${Id}

aws:ResourceTag/${TagKey}

package arn:${Partition}:iot:${Region}:${Account}:package/${PackageName}

aws:ResourceTag/${TagKey}

packageversion arn:${Partition}:iot:${Region}:${Account}:package/${PackageName}/version/${VersionName}

aws:ResourceTag/${TagKey}

certificateprovider arn:${Partition}:iot:${Region}:${Account}:certificateprovider/${CertificateProviderName}

aws:ResourceTag/${TagKey}

command arn:${Partition}:iot:${Region}:${Account}:command/${CommandId}

aws:ResourceTag/${TagKey}

Condition keys for AWS IoT

AWS IoT defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys Description Type
aws:RequestTag/${TagKey} Filters access by a tag key that is present in the request String
aws:ResourceTag/${TagKey} Filters access by a tag key component of a tag associated to the IoT resource in the request String
aws:TagKeys Filters access by a list of tag keys associated to the IoT resource in the request ArrayOfString
iot:ClientMode Filters access by the mode of the client for IoT Tunnel String
iot:CommandExecutionParameterBoolean/${CommandParameterName} Filters access by the command parameter name and boolean value Bool
iot:CommandExecutionParameterNumber/${CommandParameterName} Filters access by the command parameter name and numeric value Numeric
iot:CommandExecutionParameterString/${CommandParameterName} Filters access by the command parameter name and string value String
iot:Delete Filters access by a flag indicating whether or not to also delete an IoT Tunnel immediately when making iot:CloseTunnel request Bool
iot:DomainName Filters access by based on the domain name of an IoT DomainConfiguration String
iot:ThingGroupArn Filters access by a list of IoT Thing Group ARNs that the destination IoT Thing belongs to for an IoT Tunnel ArrayOfARN
iot:TunnelDestinationService Filters access by a list of destination services for an IoT Tunnel ArrayOfString