Best Practices on AWS IoT


Just wondering if there actually exist any best practices on AWS IoT regarding the handling of policies.

We could take 2 cases to study this.

Case 1: If we call a Lambda (identity ID as param) which creates a policy on the fly and then attaches the policy to the identity ID. The policy has the thing name hardcoded, as follows.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:us-west-2:XXXX:client/hardcodedClient1"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish",
        "iot:Subscribe",
        "iot:Receive"
      ],
      "Resource": [
        "arn:aws:iot:us-west-2:XXXX:topic/$aws/things/THINGNAME1/*",
        "arn:aws:iot:us-west-2:XXXX:topicfilter/$aws/things/THINGNAME1/*"
      ]
    }
  ]
}

Case 2: If we use policy variables like ${iot:ClientId}, ${iot:ThingName}, we can attach one single policy to all the Cognito identity users:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:us-west-2:XXXX:client/${iot:ClientId}"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish",
        "iot:Subscribe",
        "iot:Receive"
      ],
      "Resource": [
        "arn:aws:iot:us-west-2:XXXX:topic/$aws/things/${iot:Connection.Thing.ThingName}/*",
        "arn:aws:iot:us-west-2:XXXX:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/*"
      ]
    }
  ]
}

So, can we infer which is the best practice amongst these?

Dec 26, 2018 in IoT (Internet of Things) by Upasana

1 answer to this question.

I would recommend you use Case 2 using the policy variables. It reduces the number of policies to deal with and keeps them meaningful and reusable.

Also, it will save you a lot of time and money as you aren't using Lambda. It also prevents you from having to create a policy every time.

And if we're talking about security, rest assured because it has nothing to do with the policy variables.
answered Dec 26, 2018 by Shubham
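To make the difference between the two cases concrete, here is an added example (not code from the question or the answer above): a small offline model in Python that substitutes AWS IoT policy variables the way the service documents it and then checks which topics a given connection can reach under each policy. It is an approximation of AWS IoT policy evaluation (Allow statements only, "*" as the only wildcard, no Deny and no Condition blocks), not the service itself. The account ID, region, thing names and client IDs are made-up placeholders, and the rule that iot:Connection.Thing.ThingName is taken from the MQTT client ID and only substituted when the connecting principal is attached to a thing of that name is the documented behaviour, reproduced here in the connection_context helper.

```python
"""Offline model of the Case 1 and Case 2 policies after variable substitution.

Added example, not code from the original post. Simplified approximation of
AWS IoT policy evaluation: Allow statements only, '*' matches any run of
characters, unresolved policy variables stay literal (so they never match).
Account ID, region, thing names and client IDs are constructed placeholders.
"""
import json
import re

REGION = "us-west-2"
ACCOUNT = "123456789012"   # placeholder for the XXXX in the post


def arn(kind, path):
    """Build an AWS IoT resource ARN, e.g. arn('topic', '$aws/things/x/shadow/get')."""
    return f"arn:aws:iot:{REGION}:{ACCOUNT}:{kind}/{path}"


# Case 1: thing and client name hard-coded, one policy generated per identity.
CASE1 = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect",
         "Resource": arn("client", "hardcodedClient1")},
        {"Effect": "Allow",
         "Action": ["iot:Publish", "iot:Subscribe", "iot:Receive"],
         "Resource": [arn("topic", "$aws/things/THINGNAME1/*"),
                      arn("topicfilter", "$aws/things/THINGNAME1/*")]},
    ],
}

# Case 2: one shared policy written with policy variables.
CASE2 = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect",
         "Resource": arn("client", "${iot:ClientId}")},
        {"Effect": "Allow",
         "Action": ["iot:Publish", "iot:Subscribe", "iot:Receive"],
         "Resource": [arn("topic", "$aws/things/${iot:Connection.Thing.ThingName}/*"),
                      arn("topicfilter", "$aws/things/${iot:Connection.Thing.ThingName}/*")]},
    ],
}


def connection_context(client_id, attached_things=()):
    """Policy variables available on one MQTT connection.

    Documented rule, modelled here: the thing name comes from the client ID and
    is only substituted when the connecting principal (certificate or Cognito
    identity) is attached to a thing of that name; otherwise it is unavailable.
    """
    ctx = {"iot:ClientId": client_id}
    if client_id in attached_things:
        ctx["iot:Connection.Thing.ThingName"] = client_id
    return ctx


def _render(template, ctx):
    # Unknown variables are left as literal text, so they can never match a real ARN.
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), m.group(0)), template)


def _glob_match(pattern, value):
    # '*' is the only wildcard in an IoT policy resource; MQTT '+' and '#' are literal.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def is_allowed(policy, action, resource, ctx):
    """True if some Allow statement, after substitution, covers action and resource."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(_glob_match(a, action) for a in actions):
            continue
        if any(_glob_match(_render(r, ctx), resource) for r in resources):
            return True
    return False


def compare_cases():
    """Exercise both policies for one identity that is attached to thing 'sensor-a'."""
    attached = ("sensor-a",)                               # this identity's AttachThingPrincipal binding
    own = connection_context("sensor-a", attached)
    other = connection_context("sensor-b", attached)       # same identity, another device's client ID
    own_shadow = arn("topicfilter", "$aws/things/sensor-a/shadow/update/accepted")
    other_shadow = arn("topicfilter", "$aws/things/sensor-b/shadow/update/accepted")
    return {
        # Case 2 confines the device to its own shadow topics ...
        "case2_own_shadow": is_allowed(CASE2, "iot:Subscribe", own_shadow, own),
        "case2_other_shadow": is_allowed(CASE2, "iot:Subscribe", other_shadow, own),
        # ... and grants no topic at all once the client ID names a thing it is not attached to
        "case2_unattached": is_allowed(CASE2, "iot:Subscribe", other_shadow, other),
        # but client/${iot:ClientId} still lets that identity connect under any client ID
        "case2_connect_any": is_allowed(CASE2, "iot:Connect", arn("client", "sensor-b"), other),
        # Case 1 ties the fixed thing to whoever holds the policy, not to the registry
        "case1_hardcoded": is_allowed(CASE1, "iot:Subscribe",
                                      arn("topicfilter", "$aws/things/THINGNAME1/shadow/get/accepted"),
                                      connection_context("hardcodedClient1")),
        "case1_wrong_client": is_allowed(CASE1, "iot:Connect", arn("client", "sensor-a"),
                                         connection_context("sensor-a")),
    }


if __name__ == "__main__":
    print(json.dumps(compare_cases(), indent=2))
```

Two things the model makes visible that the answer does not spell out. First, iot:Connection.Thing.ThingName only resolves when the Cognito identity is actually attached to the thing (AttachThingPrincipal with the identity ID as principal) and the policy is attached to the identity (AttachPolicy with the identity ID as target); with Cognito, the IAM policy on the identity's role must also allow the iot:* actions. Second, client/${iot:ClientId} permits any client ID the caller chooses, so it does not stop one device connecting under another device's ID; pinning Connect to client/${iot:Connection.Thing.ThingName} instead forces the client ID to match an attached thing.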
