AWS Severless IoT 16 – Iot Policy

AWS Severless IoT에 대해 알아봅니다.

작성자

홍세민

홍세민

MarcusHong

IOT Policy

IOT는 계정별로 Endpoint가 동일하다. 그래서인지 AWS IAM과는 별도로 IOT 용 Policy를 생성하고 할당해야 한다.

주요설정

  • 보안을 위해 접속을 userId로 접속하게 하고, 유저는 자신의 userId 채널만 구독할 수 있게 한다.
  • 채팅방 입장은 프론트엔드에서 처리하고, 채팅 방 구독은 허용한다.
  • topicfilter는 Subscribe 에서만 설정 가능하다.

Cloudformation

Resources:
  IotAccessPolicy:
    Type: 'AWS::IoT::Policy'
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - 'iot:Connect'
            Resource:
              - 'Fn::Join':
                  - ''
                  - - 'Fn::Sub': 'arn:aws:iot:${AWS::Region}:${AWS::AccountId}:'
                    - client/
                    - '${iot:ClientId}'
          - Effect: Allow
            Action:
              - 'iot:Publish'
              - 'iot:Receive'
            Resource:
              - 'Fn::Join':
                  - ''
                  - - 'Fn::Sub': 'arn:aws:iot:${AWS::Region}:${AWS::AccountId}:'
                    - topic/sample/dev/user/
                    - '${iot:ClientId}'
              - 'Fn::Join':
                  - ''
                  - - 'Fn::Sub': 'arn:aws:iot:${AWS::Region}:${AWS::AccountId}:'
                    - topic/sample/dev/chat/*
          - Effect: Allow
            Action:
              - 'iot:Subscribe'
            Resource:
              - 'Fn::Join':
                  - ''
                  - - 'Fn::Sub': 'arn:aws:iot:${AWS::Region}:${AWS::AccountId}:'
                    - topicfilter/sample/dev/user/
                    - '${iot:ClientId}'
              - 'Fn::Join':
                  - ''
                  - - 'Fn::Sub': 'arn:aws:iot:${AWS::Region}:${AWS::AccountId}:'
                    - topicfilter/sample/dev/chat/*

Tags : aws 

comments powered by Disqus