本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。 # 憑證政策範例 對於在 AWS IoT Core 登錄檔中註冊的裝置,下列政策會授予許可,以 AWS IoT Core 使用符合物件名稱的用戶端 ID 連線至 ,並發佈至其名稱等於裝置用來驗證其身分之憑證`certificateId`的 主題: **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Publish" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/${iot:CertificateId}"] }, { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"] } ] } ``` 對於未在 AWS IoT Core 登錄檔中註冊的裝置,以下政策會授予許可,以 AWS IoT Core 使用用戶端 IDs、`client2`、 `client1``client3`和 連線至 ,以發佈至其名稱等於用於驗證裝置本身之憑證`certificateId`的 主題: **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Publish" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/${iot:CertificateId}"] }, { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/client1", "arn:aws:iot:us-east-1:123456789012:client/client2", "arn:aws:iot:us-east-1:123456789012:client/client3" ] } ] } ``` 對於在 AWS IoT Core 登錄檔中註冊的裝置,下列政策會授予許可,以 AWS IoT Core 使用與物件名稱相符的用戶端 ID 連線至 ,並發佈至其名稱等於裝置用來驗證其身分之憑證主體`CommonName`欄位的主題: **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Publish" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/${iot:Certificate.Subject.CommonName}"] }, { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"] } ] } ``` **注意** 在這個範例中,憑證的主體通用名稱欄位會用作為主題識別符,並假設主體通用名稱對每個登錄憑證是唯一的。如果憑證在多個裝置間共用,所有共用此憑證之裝置的主體通用名稱都是相同的,因此允許從多個裝置對相同主題的發佈權限 (不建議)。 對於未在 AWS IoT Core 登錄檔中註冊的裝置,下列政策會授予許可,以 AWS IoT Core 使用用戶端 IDs、`client2`、 `client1``client3`和 連線至 ,並發佈至其名稱等於裝置用來驗證其身分之憑證主體`CommonName`欄位的主題: **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Publish" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/${iot:Certificate.Subject.CommonName}"] }, { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/client1", "arn:aws:iot:us-east-1:123456789012:client/client2", "arn:aws:iot:us-east-1:123456789012:client/client3" ] } ] } ``` **注意** 在這個範例中,憑證的主體通用名稱欄位會用作為主題識別符,並假設主體通用名稱對每個登錄憑證是唯一的。如果憑證在多個裝置間共用,所有共用此憑證之裝置的主體通用名稱都是相同的,因此允許從多個裝置對相同主題的發佈權限 (不建議)。 對於在 AWS IoT Core 登錄檔中註冊的裝置,下列政策會授予許可,以 AWS IoT Core 使用與物件名稱相符的用戶端 ID 連線至 ,並在用於驗證裝置的憑證將 `Subject.CommonName.2` 欄位設定為 `admin/`時,發佈至其名稱字首為 的主題`Administrator`: **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"] }, { "Effect": "Allow", "Action": [ "iot:Publish" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/admin/*"], "Condition": { "StringEquals": { "iot:Certificate.Subject.CommonName.2": "Administrator" } } } ] } ``` 對於未在 AWS IoT Core 登錄檔中註冊的裝置,當用於驗證裝置的憑證將 `Subject.CommonName.2` 欄位設定為 `admin/`時,下列政策會授予許可,以使用 AWS IoT Core 用戶端 IDs `client1`、 和 連線至 `client2`,`client3`並發佈至其名稱字首為 的主題`Administrator`: **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/client1", "arn:aws:iot:us-east-1:123456789012:client/client2", "arn:aws:iot:us-east-1:123456789012:client/client3" ] }, { "Effect": "Allow", "Action": [ "iot:Publish" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/admin/*"], "Condition": { "StringEquals": { "iot:Certificate.Subject.CommonName.2": "Administrator" } } } ] } ``` 對於在 AWS IoT Core 登錄檔中註冊的裝置,下列政策允許裝置使用其實物名稱發佈到特定主題,該主題包含 `admin/`,當用來驗證裝置的憑證將其任何一個`Subject.CommonName`欄位設定為 `ThingName`時,後面接著 `Administrator`: **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"] }, { "Effect": "Allow", "Action": [ "iot:Publish" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/admin/${iot:Connection.Thing.ThingName}"], "Condition": { "ForAnyValue:StringEquals": { "iot:Certificate.Subject.CommonName.List": "Administrator" } } } ] } ``` 對於未在 AWS IoT Core 登錄檔中註冊的裝置,當用於驗證裝置的憑證將其任何一個`Subject.CommonName`欄位設定為 `admin`時`client1`,下列政策會授予許可,以 AWS IoT Core 使用用戶端 IDs `client2`、 和 連線至 ,`client3`並發佈至 主題`Administrator`: **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/client1", "arn:aws:iot:us-east-1:123456789012:client/client2", "arn:aws:iot:us-east-1:123456789012:client/client3" ] }, { "Effect": "Allow", "Action": [ "iot:Publish" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/admin"], "Condition": { "ForAnyValue:StringEquals": { "iot:Certificate.Subject.CommonName.List": "Administrator" } } } ] } ```