This page is a machine translation of the English version. If there is any ambiguity or inconsistency in the content, the English version prevails.
Certificate policy examples
For a device registered in the AWS IoT Core registry, the following policy grants permission to connect to AWS IoT Core with a client ID that matches the thing name, and to publish to a topic whose name is equal to the certificateId of the certificate the device used to authenticate itself:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["iot:Publish"],
            "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/${iot:CertificateId}"]
        },
        {
            "Effect": "Allow",
            "Action": ["iot:Connect"],
            "Resource": ["arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"]
        }
    ]
}
For a device not registered in the AWS IoT Core registry, the following policy grants permission to connect to AWS IoT Core with the client IDs client1, client2, and client3, and to publish to a topic whose name is equal to the certificateId of the certificate the device used to authenticate itself:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["iot:Publish"],
            "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/${iot:CertificateId}"]
        },
        {
            "Effect": "Allow",
            "Action": ["iot:Connect"],
            "Resource": [
                "arn:aws:iot:us-east-1:123456789012:client/client1",
                "arn:aws:iot:us-east-1:123456789012:client/client2",
                "arn:aws:iot:us-east-1:123456789012:client/client3"
            ]
        }
    ]
}
For a device registered in the AWS IoT Core registry, the following policy grants permission to connect to AWS IoT Core with a client ID that matches the thing name, and to publish to a topic whose name is equal to the subject CommonName field of the certificate the device used to authenticate itself:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["iot:Publish"],
            "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/${iot:Certificate.Subject.CommonName}"]
        },
        {
            "Effect": "Allow",
            "Action": ["iot:Connect"],
            "Resource": ["arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"]
        }
    ]
}
Note
In this example, the certificate's subject common name field is used as the topic identifier, and the subject common name is assumed to be unique for each registered certificate. If a certificate is shared across multiple devices, the subject common name is the same for every device sharing that certificate, so publish permission on the same topic is granted to multiple devices (not recommended).
For a device not registered in the AWS IoT Core registry, the following policy grants permission to connect to AWS IoT Core with the client IDs client1, client2, and client3, and to publish to a topic whose name is equal to the subject CommonName field of the certificate the device used to authenticate itself:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["iot:Publish"],
            "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/${iot:Certificate.Subject.CommonName}"]
        },
        {
            "Effect": "Allow",
            "Action": ["iot:Connect"],
            "Resource": [
                "arn:aws:iot:us-east-1:123456789012:client/client1",
                "arn:aws:iot:us-east-1:123456789012:client/client2",
                "arn:aws:iot:us-east-1:123456789012:client/client3"
            ]
        }
    ]
}
Note
In this example, the certificate's subject common name field is used as the topic identifier, and the subject common name is assumed to be unique for each registered certificate. If a certificate is shared across multiple devices, the subject common name is the same for every device sharing that certificate, so publish permission on the same topic is granted to multiple devices (not recommended).
For a device registered in the AWS IoT Core registry, the following policy grants permission to connect to AWS IoT Core with a client ID that matches the thing name, and to publish to any topic whose name is prefixed with admin/ when the Subject.CommonName.2 field of the certificate used to authenticate the device is set to Administrator:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["iot:Connect"],
            "Resource": ["arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"]
        },
        {
            "Effect": "Allow",
            "Action": ["iot:Publish"],
            "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/admin/*"],
            "Condition": {
                "StringEquals": {
                    "iot:Certificate.Subject.CommonName.2": "Administrator"
                }
            }
        }
    ]
}
For a device not registered in the AWS IoT Core registry, the following policy grants permission to connect to AWS IoT Core with the client IDs client1, client2, and client3, and to publish to any topic whose name is prefixed with admin/ when the Subject.CommonName.2 field of the certificate used to authenticate the device is set to Administrator:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["iot:Connect"],
            "Resource": [
                "arn:aws:iot:us-east-1:123456789012:client/client1",
                "arn:aws:iot:us-east-1:123456789012:client/client2",
                "arn:aws:iot:us-east-1:123456789012:client/client3"
            ]
        },
        {
            "Effect": "Allow",
            "Action": ["iot:Publish"],
            "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/admin/*"],
            "Condition": {
                "StringEquals": {
                    "iot:Certificate.Subject.CommonName.2": "Administrator"
                }
            }
        }
    ]
}
For a device registered in the AWS IoT Core registry, the following policy allows the device to use its thing name to publish on one specific topic, admin/ followed by the ThingName, when any of the Subject.CommonName fields of the certificate used to authenticate the device is set to Administrator:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["iot:Connect"],
            "Resource": ["arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"]
        },
        {
            "Effect": "Allow",
            "Action": ["iot:Publish"],
            "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/admin/${iot:Connection.Thing.ThingName}"],
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "iot:Certificate.Subject.CommonName.List": "Administrator"
                }
            }
        }
    ]
}
For a device not registered in the AWS IoT Core registry, the following policy grants permission to connect to AWS IoT Core with the client IDs client1, client2, and client3, and to publish to the topic admin when any of the Subject.CommonName fields of the certificate used to authenticate the device is set to Administrator:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["iot:Connect"],
            "Resource": [
                "arn:aws:iot:us-east-1:123456789012:client/client1",
                "arn:aws:iot:us-east-1:123456789012:client/client2",
                "arn:aws:iot:us-east-1:123456789012:client/client3"
            ]
        },
        {
            "Effect": "Allow",
            "Action": ["iot:Publish"],
            "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/admin"],
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "iot:Certificate.Subject.CommonName.List": "Administrator"
                }
            }
        }
    ]
}
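The policies above rely on policy variables being substituted into the Resource ARN and on the Condition block being checked per connection, which is easy to get wrong when reviewing them by hand. As an added example (not part of the AWS documentation), the following small Python evaluator resolves the variables and conditions used on this page against a constructed device context, so a reviewer can check which client ID and topic a given certificate and thing name would actually be granted; the layout of the variable names in build_context, in particular that the unindexed CommonName resolves to the first CN value, is an assumption of this example, and the policy it loads is the registered-device admin/ThingName policy shown above.

```python
import re

# Constructed sample: the registered-device "admin/<thing name>" policy from this page.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iot:Connect"],
     "Resource": ["arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"]},
    {"Effect": "Allow", "Action": ["iot:Publish"],
     "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/admin/${iot:Connection.Thing.ThingName}"],
     "Condition": {"ForAnyValue:StringEquals": {"iot:Certificate.Subject.CommonName.List": "Administrator"}}}]}

def as_list(v):
    return v if isinstance(v, list) else [v]

def build_context(certificate_id, thing_name, common_names):
    # Variable names follow this page; mapping unindexed CommonName to the first CN is an assumption.
    ctx = {"iot:CertificateId": certificate_id,
           "iot:Connection.Thing.ThingName": thing_name,
           "iot:Certificate.Subject.CommonName": common_names[0],
           "iot:Certificate.Subject.CommonName.List": list(common_names)}
    for i, cn in enumerate(common_names, start=1):
        ctx[f"iot:Certificate.Subject.CommonName.{i}"] = cn
    return ctx

def substitute(text, ctx):
    # Unknown variables stay literal, so they can never match a real ARN.
    return re.sub(r"\$\{([^}]+)\}", lambda m: str(ctx.get(m.group(1), m.group(0))), text)

def glob_match(pattern, value):
    return re.fullmatch(".*".join(re.escape(p) for p in pattern.split("*")), value) is not None

def condition_holds(cond, ctx):
    for op, pairs in cond.items():
        quantifier, _, base = op.rpartition(":")
        if base != "StringEquals":
            return False  # unsupported operator: fail closed
        for key, expected in pairs.items():
            actual, expected = as_list(ctx.get(key)), as_list(expected)
            if quantifier == "ForAnyValue":
                if not any(a in expected for a in actual):
                    return False
            elif len(actual) != 1 or actual[0] not in expected:
                return False  # a single-valued key must match exactly
    return True

def is_allowed(policy, action, arn, ctx):
    # Default deny: one Allow statement must match the action, the resource and the condition.
    return any(stmt["Effect"] == "Allow"
               and any(glob_match(a, action) for a in as_list(stmt["Action"]))
               and any(glob_match(substitute(r, ctx), arn) for r in as_list(stmt["Resource"]))
               and condition_holds(stmt.get("Condition", {}), ctx) for stmt in policy["Statement"])
```

A certificate carrying a second CN of Administrator is granted publish only on the admin/ topic that matches its own thing name, while a certificate with a single CN gets no admin/ publish at all.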