AWS IoT Universal Policy vs Policies by Cognito

I was wondering if anyone had an idea of the best AWS IoT practices regarding policy processing; for example, we could have two different cases:

Case 1: Call the Lambda (identity ID as parameter), which creates the policy on the fly and then binds the policy to the identity ID. The policy will contain hard-coded thing names, for example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:us-west-2:XXXX:client/hardcodedClient1"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish",
        "iot:Subscribe",
        "iot:Receive"
      ],
      "Resource": [
        "arn:aws:iot:us-west-2:XXXX:topic/$aws/things/THINGNAME1/*",
        "arn:aws:iot:us-west-2:XXXX:topicfilter/$aws/things/THINGNAME1/*"
      ]
    }
  ]
}

Case 2: using policy variables such as ${iot:ClientId} and ${iot:ThingName}, we can attach a single policy to all users using Cognito:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:us-west-2:XXXX:client/${iot:ClientId}"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish",
        "iot:Subscribe",
        "iot:Receive"
      ],
      "Resource": [
        "arn:aws:iot:us-west-2:XXXX:topic/$aws/things/${iot:Connection.Thing.ThingName}/*",
        "arn:aws:iot:us-west-2:XXXX:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/*"
      ]
    }
  ]
}

, . , Cognito, ?

+4
2
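To make the comparison between the two cases concrete, here is an added Python example (not code from the question or from either answer). It takes the Case 2 document with its policy variables, resolves `${iot:ClientId}` and `${iot:Connection.Thing.ThingName}` from a constructed connection context the way AWS IoT does at evaluation time, and runs a minimal allow/deny check to show that one shared policy yields exactly the per-thing permissions the Case 1 Lambda would have hard-coded. The account ID `123456789012`, the region, the thing names and the evaluator itself are assumptions; the evaluator only handles `Allow`/`Deny` with `*` wildcards and is not the AWS IoT policy engine.

```python
import fnmatch
import json
import re

# Constructed values (assumptions, not from the question): account and region.
ACCOUNT = "123456789012"
REGION = "us-west-2"
PREFIX = f"arn:aws:iot:{REGION}:{ACCOUNT}"

# Case 2 policy from the question, policy variables left unresolved.
SHARED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iot:Connect",
            "Resource": f"{PREFIX}:client/${{iot:ClientId}}",
        },
        {
            "Effect": "Allow",
            "Action": ["iot:Publish", "iot:Subscribe", "iot:Receive"],
            "Resource": [
                f"{PREFIX}:topic/$aws/things/${{iot:Connection.Thing.ThingName}}/*",
                f"{PREFIX}:topicfilter/$aws/things/${{iot:Connection.Thing.ThingName}}/*",
            ],
        },
    ],
}


def per_thing_policy(client_id: str, thing_name: str) -> dict:
    """Case 1: the per-identity document a Lambda would build and attach."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "iot:Connect",
             "Resource": f"{PREFIX}:client/{client_id}"},
            {"Effect": "Allow",
             "Action": ["iot:Publish", "iot:Subscribe", "iot:Receive"],
             "Resource": [f"{PREFIX}:topic/$aws/things/{thing_name}/*",
                          f"{PREFIX}:topicfilter/$aws/things/{thing_name}/*"]},
        ],
    }


_VAR = re.compile(r"\$\{([^}]+)\}")   # matches ${...} but not the literal "$aws"


def resolve(policy: dict, connection: dict) -> dict:
    """Substitute ${...} policy variables from the connection context.

    An unresolved variable is treated as an error: in AWS IoT a statement whose
    variable cannot be resolved simply never matches, so failing loudly here
    mirrors "no access" rather than silently widening the policy.
    """
    def repl(match: re.Match) -> str:
        name = match.group(1)
        if name not in connection:
            raise KeyError(f"unresolved policy variable: {name}")
        return connection[name]
    return json.loads(_VAR.sub(repl, json.dumps(policy)))


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Minimal evaluation: an explicit Deny wins, otherwise any matching Allow
    grants; '*' in Action and Resource is a glob wildcard (matches '/' too)."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def effective_policy(client_id: str, thing_name: str) -> dict:
    """Case 2 as seen for one connection: the shared policy with the variables
    resolved from that connection's client ID and registry thing name."""
    return resolve(SHARED_POLICY, {
        "iot:ClientId": client_id,
        "iot:Connection.Thing.ThingName": thing_name,
    })


if __name__ == "__main__":
    pol = effective_policy("thing-a", "thing-a")
    own = f"{PREFIX}:topic/$aws/things/thing-a/shadow/update"
    other = f"{PREFIX}:topic/$aws/things/thing-b/shadow/update"
    print("own shadow:", is_allowed(pol, "iot:Publish", own))        # True
    print("other shadow:", is_allowed(pol, "iot:Publish", other))    # False
    print("same as Case 1:", effective_policy("hardcodedClient1", "THINGNAME1")
          == per_thing_policy("hardcodedClient1", "THINGNAME1"))     # True
```

The check worth taking from this is the last one: per device, the shared Case 2 document resolves to exactly the Case 1 document, so the difference between the cases is operational (one policy to review and rotate versus one per identity created by code at sign-in) rather than a difference in what a device can reach. Note that `${iot:Connection.Thing.ThingName}` is resolved by AWS IoT from the client ID when a thing of that name exists in the registry; if the client ID and thing name can diverge in your fleet, the variable stays unresolved and the topic statements never match, which this example models by raising on an unresolved variable.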

2 .

, , . , lambda !

, , , , , , .

0

2 . Cognito Federated Pool IAM ${cognito-identity.amazonaws.com:sub} IoT ( identityId CognitoIndId).

, iot:ClientId clientId , .

0

Source: https://habr.com/ru/post/1685909/

