本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。 # 证书策略示例 对于在注册 AWS IoT Core 表中注册的设备,以下策略授予 AWS IoT Core 使用与事物名称匹配的客户端 ID 进行连接的权限,以及向名称等于该设备用于进行自我身份验证`certificateId`的证书的主题发布的权限: **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Publish" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/${iot:CertificateId}"] }, { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"] } ] } ``` 对于未在注册 AWS IoT Core 表中注册的设备,以下策略授予使用客户端 IDs、`client1``client2`、`client3`和 AWS IoT Core 进行连接的权限,以及发布到名称等于设备用于进行自我身份验证`certificateId`的证书的主题的权限: **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Publish" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/${iot:CertificateId}"] }, { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/client1", "arn:aws:iot:us-east-1:123456789012:client/client2", "arn:aws:iot:us-east-1:123456789012:client/client3" ] } ] } ``` 对于在注册 AWS IoT Core 表中注册的设备,以下策略授予 AWS IoT Core 使用与事物名称匹配的客户端 ID 进行连接的权限,以及向名称等于该设备进行身份验证的证书主题`CommonName`字段的主题发布权限: **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Publish" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/${iot:Certificate.Subject.CommonName}"] }, { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"] } ] } ``` **注意** 在此示例中,证书的使用者公用名用作主题标识符,并假设使用者公用名对于每个已注册的证书都是唯一的。如果证书在多个设备之间共享,则共享此证书的所有设备的使用者公用名将相同,因而允许从多个设备向同一主题发布权限(不推荐)。 对于未在注册 AWS IoT Core 表中注册的设备,以下策略授予 AWS IoT Core 与客户端 IDs、`client1``client2`、`client3`和进行连接的权限,以及向名称等于该设备用于进行身份验证的证书主题`CommonName`字段的主题发布的权限: **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Publish" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/${iot:Certificate.Subject.CommonName}"] }, { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/client1", "arn:aws:iot:us-east-1:123456789012:client/client2", "arn:aws:iot:us-east-1:123456789012:client/client3" ] } ] } ``` **注意** 在此示例中,证书的使用者公用名用作主题标识符,并假设使用者公用名对于每个已注册的证书都是唯一的。如果证书在多个设备之间共享,则共享此证书的所有设备的使用者公用名将相同,因而允许从多个设备向同一主题发布权限(不推荐)。 对于在注册 AWS IoT Core 表中注册的设备,以下策略授予使用 AWS IoT Core 与事物名称匹配的客户端 ID 进行连接的权限,以及在用于对设备进行身份验证的证书的`Subject.CommonName.2`字段设置为`admin/`时向名称前缀为的主题发布权限:`Administrator` **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"] }, { "Effect": "Allow", "Action": [ "iot:Publish" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/admin/*"], "Condition": { "StringEquals": { "iot:Certificate.Subject.CommonName.2": "Administrator" } } } ] } ``` 对于未在注册 AWS IoT Core 表中注册的设备,当用于对设备进行身份验证的证书的`Subject.CommonName.2`字段设置为`admin/`时 IDs `client1`,以下策略授予 AWS IoT Core 与客户端`client2`、`client3`和发布到名称前缀为的主题的权限:`Administrator` **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/client1", "arn:aws:iot:us-east-1:123456789012:client/client2", "arn:aws:iot:us-east-1:123456789012:client/client3" ] }, { "Effect": "Allow", "Action": [ "iot:Publish" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/admin/*"], "Condition": { "StringEquals": { "iot:Certificate.Subject.CommonName.2": "Administrator" } } } ] } ``` 对于在注册 AWS IoT Core 表中注册的设备,以下策略允许设备使用其事物名称发布特定主题,该主题包括用于对设备进行身份验证的证书`ThingName`何时将其任何一个`Subject.CommonName`字段设置为`Administrator`:`admin/` **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"] }, { "Effect": "Allow", "Action": [ "iot:Publish" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/admin/${iot:Connection.Thing.ThingName}"], "Condition": { "ForAnyValue:StringEquals": { "iot:Certificate.Subject.CommonName.List": "Administrator" } } } ] } ``` 对于未在注册 AWS IoT Core 表中注册的设备,以下策略授予在用于对 AWS IoT Core 设备进行身份验证的证书的任意一个`Subject.CommonName`字段设置为`admin`时连接到客户端 IDs `client1``client2`、`client3`和向主题发布的权限`Administrator`: **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/client1", "arn:aws:iot:us-east-1:123456789012:client/client2", "arn:aws:iot:us-east-1:123456789012:client/client3" ] }, { "Effect": "Allow", "Action": [ "iot:Publish" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/admin"], "Condition": { "ForAnyValue:StringEquals": { "iot:Certificate.Subject.CommonName.List": "Administrator" } } } ] } ```