连接策略示例
以下策略拒绝客户端 ID client1 和 client2 连接到 AWS IoT Core 的权限,同时允许设备使用客户端 ID 进行连接. 客户端 ID 与在 AWS IoT Core 注册表中注册并附加到用于连接的主体的事物的名称相匹配:
注意
对于注册的设备,我们建议您将事物策略变量用于 Connect 操作,并将事物附加到用于连接的主体。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": [ "iot:Connect" ], "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/client1", "arn:aws:iot:us-east-1:123456789012:client/client2" ] }, { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}" ], "Condition": { "Bool": { "iot:Connection.Thing.IsAttached": "true" } } } ] }
以下策略授予使用客户端 ID client1 连接到 AWS IoT Core 的权限。此策略示例适用于未注册的设备。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/client1" ] } ] }
MQTT 持久性会话策略示例
connectAttributes 允许您在 IAM policy 中指定要在连接消息中使用的属性,如 PersistentConnect 和 LastWill。有关更多信息,请参阅 使用 ConnectAttributes。
以下策略允许连接 PersistentConnect 特征:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": "arn:aws:iot:us-east-1:123456789012:client/client1", "Condition": { "ForAllValues:StringEquals": { "iot:ConnectAttributes": [ "PersistentConnect" ] } } } ] }
以下策略不允许 PersistentConnect,但允许使用其它特征:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": "arn:aws:iot:us-east-1:123456789012:client/client1", "Condition": { "ForAllValues:StringNotEquals": { "iot:ConnectAttributes": [ "PersistentConnect" ] } } } ] }
上述策略也可以使用 StringEquals 表达,但允许使用包括新特征在内的任何其它特征:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": "arn:aws:iot:us-east-1:123456789012:client/client1", }, { "Effect": "Deny", "Action": [ "iot:Connect" ], "Resource": "*", "Condition": { "ForAnyValue:StringEquals": { "iot:ConnectAttributes": [ "PersistentConnect" ] } } } ] }
以下策略允许通过 PersistentConnect 和 LastWill 连接,但不允许使用任何其它新特征:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": "arn:aws:iot:us-east-1:123456789012:client/client1", "Condition": { "ForAllValues:StringEquals": { "iot:ConnectAttributes": [ "PersistentConnect", "LastWill" ] } } } ] }
以下策略允许客户端进行干净连接,无论是否具有 LastWill,但不允许使用其它特征:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": "arn:aws:iot:us-east-1:123456789012:client/client1", "Condition": { "ForAllValues:StringEquals": { "iot:ConnectAttributes": [ "LastWill" ] } } } ] }
以下策略仅允许使用默认特征进行连接:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": "arn:aws:iot:us-east-1:123456789012:client/client1", "Condition": { "ForAllValues:StringEquals": { "iot:ConnectAttributes": [] } } } ] }
以下策略仅允许使用 PersistentConnect 连接,但只要连接使用 PersistentConnect,则允许使用任何新特征:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": "arn:aws:iot:us-east-1:123456789012:client/client1", "Condition": { "ForAnyValue:StringEquals": { "iot:ConnectAttributes": [ "PersistentConnect" ] } } } ] }
以下策略规定连接必须同时使用 PersistentConnect 和 LastWill,而不允许使用新特征:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": "arn:aws:iot:us-east-1:123456789012:client/client1", "Condition": { "ForAllValues:StringEquals": { "iot:ConnectAttributes": [ "PersistentConnect", "LastWill" ] } } }, { "Effect": "Deny", "Action": [ "iot:Connect" ], "Resource": "*", "Condition": { "ForAllValues:StringEquals": { "iot:ConnectAttributes": [ "PersistentConnect" ] } } }, { "Effect": "Deny", "Action": [ "iot:Connect" ], "Resource": "*", "Condition": { "ForAllValues:StringEquals": { "iot:ConnectAttributes": [ "LastWill" ] } } }, { "Effect": "Deny", "Action": [ "iot:Connect" ], "Resource": "*", "Condition": { "ForAllValues:StringEquals": { "iot:ConnectAttributes": [] } } } ] }
以下策略不能拥有 PersistentConnect,但可以有 LastWill,不允许使用任何其它新特征:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": [ "iot:Connect" ], "Resource": "*", "Condition": { "ForAnyValue:StringEquals": { "iot:ConnectAttributes": [ "PersistentConnect" ] } } }, { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": "arn:aws:iot:us-east-1:123456789012:client/client1", "Condition": { "ForAllValues:StringEquals": { "iot:ConnectAttributes": [ "LastWill" ] } } } ] }
以下策略仅允许包括带有主题 "my/lastwill/topicName" 的 LastWill 客户端连接,同时允许任何使用 LastWill 主题的特征:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": "arn:aws:iot:us-east-1:123456789012:client/client1", "Condition": { "ArnEquals": { "iot:LastWillTopic": "arn:aws:iot:region:account-id:topic/my/lastwill/topicName" } } } ] }
以下策略仅允许使用特定 LastWillTopic 的干净连接,同时允许任何使用 LastWillTopic 的特征:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": "arn:aws:iot:us-east-1:123456789012:client/client1", "Condition": { "ArnEquals": { "iot:LastWillTopic": "arn:aws:iot:region:account-id:topic/my/lastwill/topicName" } } }, { "Effect": "Deny", "Action": [ "iot:Connect" ], "Resource": "*", "Condition": { "ForAnyValue:StringEquals": { "iot:ConnectAttributes": [ "PersistentConnect" ] } } } ] }
