AWS IoT Core policy actions
The following policy actions are defined by AWS IoT Core:
MQTT Policy Actions

iot:Connect
    Represents the permission to connect to the AWS IoT Core message broker. The iot:Connect permission is checked every time a CONNECT request is sent to the broker. The message broker doesn't allow two clients with the same client ID to stay connected at the same time. After the second client connects, the broker closes the existing connection. Use the iot:Connect permission to ensure that only authorized clients using a specific client ID can connect.

iot:DeleteConnection
    Represents the permission to disconnect a connected MQTT client from AWS IoT Core. The iot:DeleteConnection permission is checked every time a request is made to forcibly disconnect a client. When you disconnect a client, AWS IoT Core closes the client's network connection and optionally cleans the session state.

iot:GetRetainedMessage
    Represents the permission to get the contents of a single retained message. Retained messages are the messages that were published with the RETAIN flag set and stored by AWS IoT Core. For permission to get a list of all the account's retained messages, see iot:ListRetainedMessages.

iot:ListRetainedMessages
    Represents the permission to retrieve summary information about the account's retained messages, but not the contents of the messages. Retained messages are the messages that were published with the RETAIN flag set and stored by AWS IoT Core. The resource ARN specified for this action must be *. For permission to get the contents of a single retained message, see iot:GetRetainedMessage.

iot:Publish
    Represents the permission to publish to an MQTT topic. This permission is checked every time a PUBLISH request is sent to the broker. You can use this to allow clients to publish to specific topic patterns.

    Note
    To grant iot:Publish permission, you must also grant iot:Connect permission.

iot:Receive
    Represents the permission to receive a message from AWS IoT Core. The iot:Receive permission is checked every time a message is delivered to a client. Because this permission is checked on every delivery, you can use it to revoke permissions from clients that are currently subscribed to a topic.

iot:RetainPublish
    Represents the permission to publish an MQTT message with the RETAIN flag set.

    Note
    To grant iot:RetainPublish permission, you must also grant iot:Publish permission.

iot:Subscribe
    Represents the permission to subscribe to a topic filter. This permission is checked every time a SUBSCRIBE request is sent to the broker. Use it to allow clients to subscribe to topics that match specific topic patterns.

    Note
    To grant iot:Subscribe permission, you must also grant iot:Connect permission.
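As an added example (not part of the AWS documentation above), the following AWS IoT Core policy ties the dependent MQTT actions together: iot:Connect restricted to one client ID, iot:Publish and iot:RetainPublish on a single topic, and iot:Subscribe (which takes a topicfilter ARN) paired with iot:Receive (which takes a topic ARN) so that delivery can still be revoked later. The region, account ID and topic names are placeholders; ${iot:Connection.Thing.ThingName} is the policy variable that resolves to the name of the thing attached to the connecting certificate, so each device can only use its own client ID and topics.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Publish", "iot:RetainPublish"],
      "Resource": "arn:aws:iot:us-east-1:123456789012:topic/devices/${iot:Connection.Thing.ThingName}/status"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:us-east-1:123456789012:topicfilter/devices/${iot:Connection.Thing.ThingName}/commands"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Receive",
      "Resource": "arn:aws:iot:us-east-1:123456789012:topic/devices/${iot:Connection.Thing.ThingName}/commands"
    }
  ]
}
```

Because iot:Receive is evaluated on every delivery, detaching or narrowing this policy stops messages reaching an already-subscribed client without waiting for it to reconnect.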
Device Shadow Policy Actions

iot:DeleteThingShadow
    Represents the permission to delete a thing's Device Shadow. The iot:DeleteThingShadow permission is checked every time a request is made to delete a thing's Device Shadow contents.

iot:GetThingShadow
    Represents the permission to retrieve a thing's Device Shadow. The iot:GetThingShadow permission is checked every time a request is made to retrieve a thing's Device Shadow contents.

iot:ListNamedShadowsForThing
    Represents the permission to list a thing's named Shadows. The iot:ListNamedShadowsForThing permission is checked every time a request is made to list a thing's named Shadows.

iot:UpdateThingShadow
    Represents the permission to update a thing's Device Shadow. The iot:UpdateThingShadow permission is checked every time a request is made to update a thing's Device Shadow contents.
Job Executions AWS IoT Core Policy Actions

Note
The job execution policy actions apply only for the HTTP TLS endpoint. If you use the MQTT endpoint, you must use the MQTT policy actions defined in this topic.
For an example of a job execution policy that demonstrates this, see Basic job policy example that works with the MQTT protocol.

iotjobsdata:DescribeJobExecution
    Represents the permission to retrieve a job execution for a given thing. The iotjobsdata:DescribeJobExecution permission is checked every time a request is made to get a job execution.

iotjobsdata:GetPendingJobExecutions
    Represents the permission to retrieve the list of jobs that are not in a terminal status for a thing. The iotjobsdata:GetPendingJobExecutions permission is checked every time a request is made to retrieve the list.

iotjobsdata:UpdateJobExecution
    Represents the permission to update a job execution. The iotjobsdata:UpdateJobExecution permission is checked every time a request is made to update the state of a job execution.

iotjobsdata:StartNextPendingJobExecution
    Represents the permission to get and start the next pending job execution for a thing (that is, to update a job execution with status QUEUED to IN_PROGRESS). The iotjobsdata:StartNextPendingJobExecution permission is checked every time a request is made to start the next pending job execution.
AWS IoT Core Credential Provider Policy Action

iot:AssumeRoleWithCertificate
    Represents the permission to call the AWS IoT Core credential provider to assume an IAM role with certificate-based authentication. The iot:AssumeRoleWithCertificate permission is checked every time a request is made to the AWS IoT Core credential provider to assume a role.