本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# AWS 的 受管政策 AWS IoT
若要新增許可給使用者、群組和角色,使用 AWS 受管政策比自行撰寫政策更容易。建立 [IAM 客戶受管政策](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html)需要時間和專業知識,而受管政策可為您的團隊提供其所需的許可。若要快速開始使用,您可以使用我們的 AWS 受管政策。這些政策涵蓋常見的使用案例,並可在您的 AWS 帳戶中使用。如需 AWS 受管政策的詳細資訊,請參閱《*IAM 使用者指南*》中的 [AWS 受管政策](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies)。
AWS 服務會維護和更新 AWS 受管政策。您無法變更 AWS 受管政策中的許可。服務偶爾會在 AWS 受管政策中新增其他許可以支援新功能。此類型的更新會影響已連接政策的所有身分識別 (使用者、群組和角色)。當新功能啟動或新操作可用時,服務很可能會更新 AWS 受管政策。服務不會從 AWS 受管政策移除許可,因此政策更新不會破壞您現有的許可。
此外, AWS 支援跨多個 服務之任務函數的受管政策。例如,**ReadOnlyAccess** AWS 受管政策提供所有 AWS 服務和資源的唯讀存取權。當服務啟動新功能時, AWS 會為新的操作和資源新增唯讀許可。如需任務職能政策的清單和說明,請參閱 *IAM 使用者指南*中[有關任務職能的AWS 受管政策](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html)。
**注意**
AWS IoT 適用於 AWS IoT 和 IAM 政策。此主題僅討論 IAM 政策,此政策定義控制平面和資料平面 API 操作的政策動作。另請參閱[AWS IoT Core 政策](iot-policies.md)。
## AWS 受管政策:AWSIoTConfigAccess
您可將 `AWSIoTConfigAccess` 政策連接到 IAM 身分。
此政策授予相關的身分許可,允許存取所有 AWS IoT 組態操作。此政策會影響資料處理和儲存。若要在 中檢視此政策 AWS 管理主控台,請參閱 [AWSIoTConfigAccess](https://console.aws.amazon.com//iam/home#/policies/arn:aws:iam::aws:policy/AWSIoTConfigAccess$jsonEditor?section=permissions)。
**許可詳細資訊**
此政策包含以下許可。
+ `iot` – 擷取 AWS IoT 資料並執行 IoT 組態動作。
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iot:AcceptCertificateTransfer",
"iot:AddThingToThingGroup",
"iot:AssociateTargetsWithJob",
"iot:AttachPolicy",
"iot:AttachPrincipalPolicy",
"iot:AttachThingPrincipal",
"iot:CancelCertificateTransfer",
"iot:CancelJob",
"iot:CancelJobExecution",
"iot:ClearDefaultAuthorizer",
"iot:CreateAuthorizer",
"iot:CreateCertificateFromCsr",
"iot:CreateJob",
"iot:CreateKeysAndCertificate",
"iot:CreateOTAUpdate",
"iot:CreatePolicy",
"iot:CreatePolicyVersion",
"iot:CreateRoleAlias",
"iot:CreateStream",
"iot:CreateThing",
"iot:CreateThingGroup",
"iot:CreateThingType",
"iot:CreateTopicRule",
"iot:DeleteAuthorizer",
"iot:DeleteCACertificate",
"iot:DeleteCertificate",
"iot:DeleteJob",
"iot:DeleteJobExecution",
"iot:DeleteOTAUpdate",
"iot:DeletePolicy",
"iot:DeletePolicyVersion",
"iot:DeleteRegistrationCode",
"iot:DeleteRoleAlias",
"iot:DeleteStream",
"iot:DeleteThing",
"iot:DeleteThingGroup",
"iot:DeleteThingType",
"iot:DeleteTopicRule",
"iot:DeleteV2LoggingLevel",
"iot:DeprecateThingType",
"iot:DescribeAuthorizer",
"iot:DescribeCACertificate",
"iot:DescribeCertificate",
"iot:DescribeDefaultAuthorizer",
"iot:DescribeEndpoint",
"iot:DescribeEventConfigurations",
"iot:DescribeIndex",
"iot:DescribeJob",
"iot:DescribeJobExecution",
"iot:DescribeRoleAlias",
"iot:DescribeStream",
"iot:DescribeThing",
"iot:DescribeThingGroup",
"iot:DescribeThingRegistrationTask",
"iot:DescribeThingType",
"iot:DetachPolicy",
"iot:DetachPrincipalPolicy",
"iot:DetachThingPrincipal",
"iot:DisableTopicRule",
"iot:EnableTopicRule",
"iot:GetEffectivePolicies",
"iot:GetIndexingConfiguration",
"iot:GetJobDocument",
"iot:GetLoggingOptions",
"iot:GetOTAUpdate",
"iot:GetPolicy",
"iot:GetPolicyVersion",
"iot:GetRegistrationCode",
"iot:GetTopicRule",
"iot:GetV2LoggingOptions",
"iot:ListAttachedPolicies",
"iot:ListAuthorizers",
"iot:ListCACertificates",
"iot:ListCertificates",
"iot:ListCertificatesByCA",
"iot:ListIndices",
"iot:ListJobExecutionsForJob",
"iot:ListJobExecutionsForThing",
"iot:ListJobs",
"iot:ListOTAUpdates",
"iot:ListOutgoingCertificates",
"iot:ListPolicies",
"iot:ListPolicyPrincipals",
"iot:ListPolicyVersions",
"iot:ListPrincipalPolicies",
"iot:ListPrincipalThings",
"iot:ListRoleAliases",
"iot:ListStreams",
"iot:ListTargetsForPolicy",
"iot:ListThingGroups",
"iot:ListThingGroupsForThing",
"iot:ListThingPrincipals",
"iot:ListThingRegistrationTaskReports",
"iot:ListThingRegistrationTasks",
"iot:ListThings",
"iot:ListThingsInThingGroup",
"iot:ListThingTypes",
"iot:ListTopicRules",
"iot:ListV2LoggingLevels",
"iot:RegisterCACertificate",
"iot:RegisterCertificate",
"iot:RegisterThing",
"iot:RejectCertificateTransfer",
"iot:RemoveThingFromThingGroup",
"iot:ReplaceTopicRule",
"iot:SearchIndex",
"iot:SetDefaultAuthorizer",
"iot:SetDefaultPolicyVersion",
"iot:SetLoggingOptions",
"iot:SetV2LoggingLevel",
"iot:SetV2LoggingOptions",
"iot:StartThingRegistrationTask",
"iot:StopThingRegistrationTask",
"iot:TestAuthorization",
"iot:TestInvokeAuthorizer",
"iot:TransferCertificate",
"iot:UpdateAuthorizer",
"iot:UpdateCACertificate",
"iot:UpdateCertificate",
"iot:UpdateEventConfigurations",
"iot:UpdateIndexingConfiguration",
"iot:UpdateRoleAlias",
"iot:UpdateStream",
"iot:UpdateThing",
"iot:UpdateThingGroup",
"iot:UpdateThingGroupsForThing",
"iot:UpdateAccountAuditConfiguration",
"iot:DescribeAccountAuditConfiguration",
"iot:DeleteAccountAuditConfiguration",
"iot:StartOnDemandAuditTask",
"iot:CancelAuditTask",
"iot:DescribeAuditTask",
"iot:ListAuditTasks",
"iot:CreateScheduledAudit",
"iot:UpdateScheduledAudit",
"iot:DeleteScheduledAudit",
"iot:DescribeScheduledAudit",
"iot:ListScheduledAudits",
"iot:ListAuditFindings",
"iot:CreateSecurityProfile",
"iot:DescribeSecurityProfile",
"iot:UpdateSecurityProfile",
"iot:DeleteSecurityProfile",
"iot:AttachSecurityProfile",
"iot:DetachSecurityProfile",
"iot:ListSecurityProfiles",
"iot:ListSecurityProfilesForTarget",
"iot:ListTargetsForSecurityProfile",
"iot:ListActiveViolations",
"iot:ListViolationEvents",
"iot:ValidateSecurityProfileBehaviors"
],
"Resource": "*"
}
]
}
```
## AWS 受管政策:AWSIoTConfigReadOnlyAccess
您可將 `AWSIoTConfigReadOnlyAccess` 政策連接到 IAM 身分。
此政策授予相關的身分許可,允許以唯讀方式存取所有 AWS IoT 組態操作。若要在 中檢視此政策 AWS 管理主控台,請參閱 [AWSIoTConfigReadOnlyAccess](https://console.aws.amazon.com//iam/home#/policies/arn:aws:iam::aws:policy/AWSIoTConfigReadOnlyAccess$jsonEditor?section=permissions)。
**許可詳細資訊**
此政策包含以下許可。
+ `iot` – 執行 IoT 組態操作的唯獨操作。
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iot:DescribeAuthorizer",
"iot:DescribeCACertificate",
"iot:DescribeCertificate",
"iot:DescribeDefaultAuthorizer",
"iot:DescribeEndpoint",
"iot:DescribeEventConfigurations",
"iot:DescribeIndex",
"iot:DescribeJob",
"iot:DescribeJobExecution",
"iot:DescribeRoleAlias",
"iot:DescribeStream",
"iot:DescribeThing",
"iot:DescribeThingGroup",
"iot:DescribeThingRegistrationTask",
"iot:DescribeThingType",
"iot:GetEffectivePolicies",
"iot:GetIndexingConfiguration",
"iot:GetJobDocument",
"iot:GetLoggingOptions",
"iot:GetOTAUpdate",
"iot:GetPolicy",
"iot:GetPolicyVersion",
"iot:GetRegistrationCode",
"iot:GetTopicRule",
"iot:GetV2LoggingOptions",
"iot:ListAttachedPolicies",
"iot:ListAuthorizers",
"iot:ListCACertificates",
"iot:ListCertificates",
"iot:ListCertificatesByCA",
"iot:ListIndices",
"iot:ListJobExecutionsForJob",
"iot:ListJobExecutionsForThing",
"iot:ListJobs",
"iot:ListOTAUpdates",
"iot:ListOutgoingCertificates",
"iot:ListPolicies",
"iot:ListPolicyPrincipals",
"iot:ListPolicyVersions",
"iot:ListPrincipalPolicies",
"iot:ListPrincipalThings",
"iot:ListRoleAliases",
"iot:ListStreams",
"iot:ListTargetsForPolicy",
"iot:ListThingGroups",
"iot:ListThingGroupsForThing",
"iot:ListThingPrincipals",
"iot:ListThingRegistrationTaskReports",
"iot:ListThingRegistrationTasks",
"iot:ListThings",
"iot:ListThingsInThingGroup",
"iot:ListThingTypes",
"iot:ListTopicRules",
"iot:ListV2LoggingLevels",
"iot:SearchIndex",
"iot:TestAuthorization",
"iot:TestInvokeAuthorizer",
"iot:DescribeAccountAuditConfiguration",
"iot:DescribeAuditTask",
"iot:ListAuditTasks",
"iot:DescribeScheduledAudit",
"iot:ListScheduledAudits",
"iot:ListAuditFindings",
"iot:DescribeSecurityProfile",
"iot:ListSecurityProfiles",
"iot:ListSecurityProfilesForTarget",
"iot:ListTargetsForSecurityProfile",
"iot:ListActiveViolations",
"iot:ListViolationEvents",
"iot:ValidateSecurityProfileBehaviors"
],
"Resource": "*"
}
]
}
```
## AWS 受管政策:AWSIoTDataAccess
您可將 `AWSIoTDataAccess` 政策連接到 IAM 身分。
此政策會授予相關的身分許可,以允許存取 AWS IoT 所有資料操作。資料操作則可透過 MQTT 或 HTTP 通訊協定傳送資料。若要在 AWS 管理主控台中檢視此政策,請參閱 [https://console.aws.amazon.com//iam/home#/policies/arn:aws:iam::aws:policy/AWSIoTDataAccess?section=permissions](https://console.aws.amazon.com//iam/home#/policies/arn:aws:iam::aws:policy/AWSIoTDataAccess?section=permissions)。
**許可詳細資訊**
此政策包含以下許可。
+ `iot` – 擷取 AWS IoT 資料並允許完整存取 AWS IoT 簡訊動作。
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iot:Connect",
"iot:Publish",
"iot:Subscribe",
"iot:Receive",
"iot:GetThingShadow",
"iot:UpdateThingShadow",
"iot:DeleteThingShadow",
"iot:ListNamedShadowsForThing"
],
"Resource": "*"
}
]
}
```
## AWS 受管政策:AWSIoTFullAccess
您可將 `AWSIoTFullAccess` 政策連接到 IAM 身分。
此政策授予相關的身分許可,允許完整存取所有 AWS IoT 組態和簡訊操作。若要在 中檢視此政策 AWS 管理主控台,請參閱 [https://console.aws.amazon.com//iam/home#/policies/arn:aws:iam::aws:policy/AWSIoTFullAccess?section=permissions](https://console.aws.amazon.com//iam/home#/policies/arn:aws:iam::aws:policy/AWSIoTFullAccess?section=permissions)。
**許可詳細資訊**
此政策包含以下許可。
+ `iot` – 擷取 AWS IoT 資料並允許完整存取 AWS IoT 組態和簡訊動作。
+ `iotjobsdata` – 擷取 AWS IoT 任務資料,並允許完整存取 AWS IoT 任務資料平面 API 操作。
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iot:*",
"iotjobsdata:*"
],
"Resource": "*"
}
]
}
```
## AWS 受管政策:AWSIoTLogging
您可將 `AWSIoTLogging` 政策連接到 IAM 身分。
此政策授予相關的身分許可,允許建立 Amazon CloudWatch Logs 日誌群組,以及將日誌串流至群組。此政策會連接至您的 CloudWatch 記錄角色。若要在 中檢視此政策 AWS 管理主控台,請參閱 [https://console.aws.amazon.com//iam/home#/policies/arn:aws:iam::aws:policy/AWSIoTLogging?section=permissions](https://console.aws.amazon.com//iam/home#/policies/arn:aws:iam::aws:policy/AWSIoTLogging?section=permissions)。
**許可詳細資訊**
此政策包含以下許可。
+ `logs` – 擷取 CloudWatch 日誌。此外,也允許建立 CloudWatch 日誌群組,以及將日誌串流至群組。
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:PutMetricFilter",
"logs:PutRetentionPolicy",
"logs:GetLogEvents",
"logs:DeleteLogStream"
],
"Resource": [
"*"
]
}
]
}
```
## AWS 受管政策:AWSIoTOTAUpdate
您可將 `AWSIoTOTAUpdate` 政策連接到 IAM 身分。
此政策會授予相關聯的身分許可,允許建立 AWS IoT 任務、 AWS IoT 程式碼簽署任務,以及描述 AWS 程式碼簽署者任務的存取權。若要在 中檢視此政策 AWS 管理主控台,請參閱 [`AWSIoTOTAUpdate`。](https://console.aws.amazon.com//iam/home#/policies/arn:aws:iam::aws:policy/AWSIoTOTAUpdate?section=permissions)
**許可詳細資訊**
此政策包含以下許可。
+ `iot` – 建立 AWS IoT 任務和程式碼簽署任務。
+ `signer` – 執行 AWS 程式碼簽署者任務的建立。
****
```
{
"Version":"2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": [
"iot:CreateJob",
"signer:DescribeSigningJob"
],
"Resource": "*"
}
}
```
## AWS 受管政策:AWSIoTRuleActions
您可將 `AWSIoTRuleActions` 政策連接到 IAM 身分。
此政策會授予相關聯的身分許可,允許存取 AWS IoT 規則動作中 AWS 服務支援的所有 。若要在 中檢視此政策 AWS 管理主控台,請參閱 [https://console.aws.amazon.com//iam/home#/policies/arn:aws:iam::aws:policy/AWSIoTRuleActions?section=permissions](https://console.aws.amazon.com//iam/home#/policies/arn:aws:iam::aws:policy/AWSIoTRuleActions?section=permissions)。
**許可詳細資訊**
此政策包含以下許可。
+ `iot` - 執行發佈規則動作訊息的動作。
+ `dynamodb` - 將訊息插入 DynamoDB 表格,或將訊息拆分至 DynamoDB 表格中多個欄。
+ `s3` - 將物件存放在 Amazon S3 儲存貯體中。
+ `kinesis` - 向 Amazon Kinesis 串流物件發送訊息。
+ `firehose` - 在 Firehose 串流物件中插入記錄。
+ `cloudwatch` - 變更 CloudWatch 警示狀態,或將訊息資料發送到 CloudWatch 指標。
+ `sns` - 執行使用 Amazon SNS 發佈通知的操作。此操作的範圍為 AWS IoT SNS 主題。
+ `sqs` - 插入要新增至 SQS 佇列的訊息。
+ `es` - 向 OpenSearch Service 服務發送訊息。
****
```
{
"Version":"2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": [
"dynamodb:PutItem",
"kinesis:PutRecord",
"iot:Publish",
"s3:PutObject",
"sns:Publish",
"sqs:SendMessage*",
"cloudwatch:SetAlarmState",
"cloudwatch:PutMetricData",
"es:ESHttpPut",
"firehose:PutRecord"
],
"Resource": "*"
}
}
```
## AWS 受管政策:AWSIoTThingsRegistration
您可將 `AWSIoTThingsRegistration` 政策連接到 IAM 身分。
此政策授予相關的身分許可,允許使用 `StartThingRegistrationTask` API 大量註冊物件。此政策會影響資料處理和儲存。若要在 中檢視此政策 AWS 管理主控台,請參閱 [https://console.aws.amazon.com//iam/home#/policies/arn:aws:iam::aws:policy/AWSIoTThingsRegistration?section=permissions](https://console.aws.amazon.com//iam/home#/policies/arn:aws:iam::aws:policy/AWSIoTThingsRegistration?section=permissions)。
**許可詳細資訊**
此政策包含以下許可。
+ `iot` - 進行大量註冊時,執行建立物件並附加政策和憑證的動作。
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iot:AddThingToThingGroup",
"iot:AttachPolicy",
"iot:AttachPrincipalPolicy",
"iot:AttachThingPrincipal",
"iot:CreateCertificateFromCsr",
"iot:CreatePolicy",
"iot:CreateThing",
"iot:DescribeCertificate",
"iot:DescribeThing",
"iot:DescribeThingGroup",
"iot:DescribeThingType",
"iot:DetachPolicy",
"iot:DetachThingPrincipal",
"iot:GetPolicy",
"iot:ListAttachedPolicies",
"iot:ListPolicyPrincipals",
"iot:ListPrincipalPolicies",
"iot:ListPrincipalThings",
"iot:ListTargetsForPolicy",
"iot:ListThingGroupsForThing",
"iot:ListThingPrincipals",
"iot:RegisterCertificate",
"iot:RegisterThing",
"iot:RemoveThingFromThingGroup",
"iot:UpdateCertificate",
"iot:UpdateThing",
"iot:UpdateThingGroupsForThing",
"iot:AddThingToBillingGroup",
"iot:DescribeBillingGroup",
"iot:RemoveThingFromBillingGroup"
],
"Resource": [
"*"
]
}
]
}
```
## AWS IoT AWS 受管政策的更新
檢視自此服務開始追蹤這些變更 AWS IoT 以來, AWS 受管政策更新的詳細資訊。如需此頁面變更的自動提醒,請訂閱 AWS IoT 文件歷史記錄頁面上的 RSS 摘要。
| 變更 | 描述 | Date |
| --- | --- | --- |
| [AWSIoTFullAccess](#security-iam-awsmanpol-AWSIoTFullAccess) – 更新現有政策 | AWS IoT 新增了許可,允許使用者使用 HTTP 通訊協定存取 AWS IoT 任務資料平面 API 操作。 新的 IAM 政策字首 `iotjobsdata:`為您提供更精細的存取控制,以存取 AWS IoT 任務資料平面端點。對於控制平面 API 操作,請依舊使用 `iot:` 字首。如需詳細資訊,請參閱[AWS IoT Core HTTPS 通訊協定的 政策](iot-data-plane-jobs.md#iot-jobs-data-http)。 | 2022 年 5 月 11 日 |
| AWS IoT 已開始追蹤變更 | AWS IoT 已開始追蹤其 AWS 受管政策的變更。 | 2022 年 5 月 11 日 |