End of support notice: On May 20, 2026, AWS will end support for AWS IoT Events. After May 20, 2026, you will no longer be able to access the AWS IoT Events console or AWS IoT Events resources. For more information, see [AWS IoT Events end of support](https://docs.aws.amazon.com/iotevents/latest/developerguide/iotevents-end-of-support.html).

# Setting up permissions for AWS IoT Events
<a name="iotevents-permissions"></a>

Implementing proper permissions is important for secure and effective use of AWS IoT Events. This section describes the permissions that are required to use some features of AWS IoT Events. You can use AWS CLI commands or the AWS Identity and Access Management (IAM) console to create roles and associated permission policies to access resources or perform certain functions in AWS IoT Events. 

The [IAM User Guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/) has more detailed information about securely controlling permissions to access AWS resources. For information specific to AWS IoT Events, see [Actions, resources, and condition keys for AWS IoT Events](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awsiotevents.html). 

To use the IAM console to create and manage roles and permissions, see [IAM tutorial: Delegate access across AWS accounts using IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html).

**Note**  
Keys can be 1-128 characters and can include:
+ uppercase or lowercase letters a-z
+ numbers 0-9
+ special characters **-**, **\_**, or **:**

# Action permissions for AWS IoT Events
<a name="iotevents-permissions-event-actions"></a>

AWS IoT Events enables you to trigger actions that use other AWS services. To do so, you must grant AWS IoT Events permission to perform these actions on your behalf. This section lists the actions and gives an example policy that grants permission to perform all of them on your resources. Change the *region* and *account-id* references as required. Where possible, also replace the wildcards (`*`) with the specific resources that will be accessed. You can use the IAM console to grant AWS IoT Events permission to send an Amazon SNS alert that you have defined.

<a name="build-in-actions-intro"></a>AWS IoT Events supports the following actions that let you use a timer or set a variable:<a name="build-in-actions"></a>
+ [`setTimer`](built-in-actions.md#iotevents-set-timer) to create a timer.
+ [`resetTimer`](built-in-actions.md#iotevents-reset-timer) to reset the timer.
+ [`clearTimer`](built-in-actions.md#iotevents-clear-timer) to delete the timer.
+ [`setVariable`](built-in-actions.md#iotevents-set-variable) to create a variable.

<a name="work-with-aws-services-intro"></a>AWS IoT Events supports the following actions that let you work with AWS services: <a name="work-with-aws-services"></a>
+ [`iotTopicPublish`](iotevents-other-aws-services.md#iotevents-iotcore) to publish a message on an MQTT topic.
+ [`iotEvents`](iotevents-other-aws-services.md#iotevents-iteinput) to send data to AWS IoT Events as an input value.
+ [`iotSiteWise`](iotevents-other-aws-services.md#iotevents-iotsitewise) to send data to an asset property in AWS IoT SiteWise.
+ [`dynamoDB`](iotevents-other-aws-services.md#iotevents-dynamodb) to send data to an Amazon DynamoDB table.
+ [`dynamoDBv2`](iotevents-other-aws-services.md#iotevents-dynamodbv2) to send data to an Amazon DynamoDB table.
+ [`firehose`](iotevents-other-aws-services.md#iotevents-firehose) to send data to an Amazon Data Firehose stream.
+ [`lambda`](iotevents-other-aws-services.md#iotevents-lambda) to invoke an AWS Lambda function.
+ [`sns`](iotevents-other-aws-services.md#iotevents-sns) to send data as a push notification.
+ [`sqs`](iotevents-other-aws-services.md#iotevents-sqs) to send data to an Amazon SQS queue.

**Example Policy**

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iot:Publish",
            "Resource": "arn:aws:iot:us-east-1:123456789012:topic/*"
        },
        {
            "Effect": "Allow",
            "Action": "iotevents:BatchPutMessage",
            "Resource": "arn:aws:iotevents:us-east-1:123456789012:input/*"
        },
        {
            "Effect": "Allow",
            "Action": "iotsitewise:BatchPutAssetPropertyValue",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "dynamodb:PutItem",
            "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "firehose:PutRecord",
                "firehose:PutRecordBatch"
            ],
            "Resource": "arn:aws:firehose:us-east-1:123456789012:deliverystream/*"
        },
        {
            "Effect": "Allow",
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-east-1:123456789012:function:*"
        },
        {
            "Effect": "Allow",
            "Action": "sns:Publish",
            "Resource": "arn:aws:sns:us-east-1:123456789012:*"
        },
        {
            "Effect": "Allow",
            "Action": "sqs:SendMessage",
            "Resource": "arn:aws:sqs:us-east-1:123456789012:*"
        }
    ]
}
```
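The example policy above grants most actions on wildcard resources. The following builder, an added example that is not code from the AWS documentation, takes the concrete resource names instead and emits one scoped statement per AWS IoT Events action, then lints the result for any `*` that is still present. `ACTION_MAP`, `build_action_policy` and `find_wildcard_resources` are names chosen for this example, not AWS APIs; the ARN templates follow the resource formats in the policy above, and the `iotSiteWise` entry assumes the asset ARN is the scoping resource (the policy above grants that action on `*`).

```python
"""Build a least-privilege version of the AWS IoT Events action policy.

Added example; ACTION_MAP and the two functions are this example's own names.
"""
import json

# AWS IoT Events action -> (IAM actions it needs, ARN template for the target).
# {name} is the caller-supplied topic, input, asset, table, stream, function,
# or queue name. The iotSiteWise template is an assumption of this example.
ACTION_MAP = {
    "iotTopicPublish": (["iot:Publish"], "arn:aws:iot:{region}:{account}:topic/{name}"),
    "iotEvents": (["iotevents:BatchPutMessage"], "arn:aws:iotevents:{region}:{account}:input/{name}"),
    "iotSiteWise": (["iotsitewise:BatchPutAssetPropertyValue"], "arn:aws:iotsitewise:{region}:{account}:asset/{name}"),
    "dynamoDB": (["dynamodb:PutItem"], "arn:aws:dynamodb:{region}:{account}:table/{name}"),
    "dynamoDBv2": (["dynamodb:PutItem"], "arn:aws:dynamodb:{region}:{account}:table/{name}"),
    "firehose": (["firehose:PutRecord", "firehose:PutRecordBatch"], "arn:aws:firehose:{region}:{account}:deliverystream/{name}"),
    "lambda": (["lambda:InvokeFunction"], "arn:aws:lambda:{region}:{account}:function:{name}"),
    "sns": (["sns:Publish"], "arn:aws:sns:{region}:{account}:{name}"),
    "sqs": (["sqs:SendMessage"], "arn:aws:sqs:{region}:{account}:{name}"),
}


def _single_or_list(values):
    """IAM accepts a string or a list; emit a string when there is one value."""
    return values[0] if len(values) == 1 else list(values)


def build_action_policy(account, region, targets):
    """targets maps an AWS IoT Events action name to the resource names the
    detector model will actually touch, e.g. {"sns": ["alerts"]}."""
    statements = []
    for action, names in targets.items():
        if action not in ACTION_MAP:
            raise ValueError(f"unknown AWS IoT Events action: {action}")
        if not names:
            raise ValueError(f"no resource names given for {action}")
        iam_actions, template = ACTION_MAP[action]
        resources = [template.format(region=region, account=account, name=n) for n in names]
        statements.append({
            "Sid": "IoTEvents" + action[0].upper() + action[1:],
            "Effect": "Allow",
            "Action": _single_or_list(iam_actions),
            "Resource": _single_or_list(resources),
        })
    return {"Version": "2012-10-17", "Statement": statements}


def find_wildcard_resources(policy):
    """List (Sid, actions, resource) for every Allow statement whose Resource
    still contains "*", so a reviewer can narrow it before attaching the role."""
    findings = []
    for index, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt["Resource"]
        resources = [resources] if isinstance(resources, str) else resources
        for resource in resources:
            if "*" in resource:
                findings.append((stmt.get("Sid", str(index)), ",".join(actions), resource))
    return findings


if __name__ == "__main__":
    # Constructed sample: one SNS topic, one Firehose stream, and a Lambda
    # grant deliberately left at "*" so the lint has something to report.
    policy = build_action_policy("123456789012", "us-east-1",
                                 {"sns": ["alerts"], "firehose": ["telemetry"], "lambda": ["*"]})
    print(json.dumps(policy, indent=4))
    for sid, actions, resource in find_wildcard_resources(policy):
        print(f"narrow {sid}: {actions} on {resource}")
```

Run the lint over any policy you are about to attach to the role; every finding is a resource the page recommends narrowing.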

# Securing input data in AWS IoT Events
<a name="iotevents-permissions-input-data"></a>

It's important to consider who can grant access to input data for use in a detector model. If you have a user or entity whose overall permissions you want to restrict, but that is permitted to create or update a detector model, you must also grant permission for that user or entity to update input routing. This means that in addition to granting permission for `iotevents:CreateDetectorModel` and `iotevents:UpdateDetectorModel`, you must also grant permission for `iotevents:UpdateInputRouting`.

**Example**  
The following policy adds permission for `iotevents:UpdateInputRouting`.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "updateRoutingPolicy",
            "Effect": "Allow",
            "Action": [
                "iotevents:UpdateInputRouting"
            ],
            "Resource": "*"
        }
    ]
}
```

You can specify a list of input Amazon Resource Names (ARNs) instead of the wildcard "`*`" for the "`Resource`" to limit this permission to specific inputs. This enables you to restrict access to the input data that is consumed by detector models created or updated by the user or entity.
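A quick way to review a principal's policy for the gap described above is to check that whoever holds `iotevents:CreateDetectorModel` or `iotevents:UpdateDetectorModel` also holds `iotevents:UpdateInputRouting`, and to see which inputs that routing grant reaches. The following is an added example, not code from the AWS documentation; `check_detector_model_policy`, `allowed_resources` and `input_routing_policy` are this example's own names, and the evaluation is a deliberately simplified one (Allow statements only, no Deny or Condition handling), not an IAM policy simulator.

```python
"""Review aid for detector-model permissions in AWS IoT Events.

Added example; the function names and the simplified evaluation are its own.
"""
from fnmatch import fnmatchcase

DETECTOR_MODEL_ACTIONS = ("iotevents:CreateDetectorModel", "iotevents:UpdateDetectorModel")
ROUTING_ACTION = "iotevents:UpdateInputRouting"


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def allowed_resources(policy, action):
    """Return the Resource patterns of every Allow statement whose Action
    matches `action`; IAM-style action wildcards such as "iotevents:*" count.
    Deny statements and Conditions are ignored: this is a review aid only."""
    matches = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if any(fnmatchcase(action, pattern) for pattern in _as_list(stmt["Action"])):
            matches.extend(_as_list(stmt["Resource"]))
    return matches


def check_detector_model_policy(policy):
    """Describe whether the policy is complete (routing permission present
    whenever detector-model management is) and how far the routing grant reaches."""
    can_manage = any(allowed_resources(policy, a) for a in DETECTOR_MODEL_ACTIONS)
    routing = allowed_resources(policy, ROUTING_ACTION)
    return {
        "manages_detector_models": can_manage,
        "missing_update_input_routing": can_manage and not routing,
        "routing_inputs": routing,
        "routing_unrestricted": any(r == "*" for r in routing),
    }


def input_routing_policy(account, region, input_names):
    """The page's updateRoutingPolicy statement with Resource narrowed from
    "*" to the named inputs."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "updateRoutingPolicy",
        "Effect": "Allow",
        "Action": ["iotevents:UpdateInputRouting"],
        "Resource": [f"arn:aws:iotevents:{region}:{account}:input/{n}" for n in input_names],
    }]}


if __name__ == "__main__":
    # Constructed sample: a principal that may create and update detector
    # models but was never given UpdateInputRouting.
    incomplete = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": list(DETECTOR_MODEL_ACTIONS),
        "Resource": "*",
    }]}
    print(check_detector_model_policy(incomplete))
    fixed = input_routing_policy("123456789012", "us-east-1", ["TemperatureInput"])
    fixed["Statement"].extend(incomplete["Statement"])
    print(check_detector_model_policy(fixed))
```

A `routing_unrestricted` result of `True` means the principal can route any input in the account into its detector models; the narrowed statement from `input_routing_policy` is the fix the page describes.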

# Amazon CloudWatch logging role policy for AWS IoT Events
<a name="iotevents-permissions-cloudwatch"></a>

The following policy documents provide the role policy and trust policy that allow AWS IoT Events to submit logs to CloudWatch on your behalf.

Role policy:


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "logs:PutMetricFilter",
                "logs:PutRetentionPolicy",
                "logs:GetLogEvents",
                "logs:DeleteLogStream"
            ],
            "Resource": [
                "arn:aws:logs:*:*:*"
            ]
        }
    ]
}
```


Trust policy:


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "iotevents.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```


You also need an IAM permissions policy attached to the user that allows the user to pass roles, as follows. For more information, see [Granting a user permissions to pass a role to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html) in the *IAM User Guide*.


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:PassRole"
            ],
            "Resource": "arn:aws:iam::123456789012:role/Role_To_Pass"
        }
    ]
}
```


You can use the following command to put the resource policy for CloudWatch logs. This allows AWS IoT Events to put log events into CloudWatch streams.

```
aws logs put-resource-policy --policy-name ioteventsLoggingPolicy --policy-document "{ \"Version\": \"2012-10-17\", \"Statement\": [ { \"Sid\": \"IoTEventsToCloudWatchLogs\", \"Effect\": \"Allow\", \"Principal\": { \"Service\": [ \"iotevents.amazonaws.com\" ] }, \"Action\":\"logs:PutLogEvents\", \"Resource\": \"*\" } ] }"
```

Use the following command to put logging options. Replace the `roleArn` with the logging role that you created.

```
aws iotevents put-logging-options --cli-input-json "{ \"loggingOptions\": {\"roleArn\": \"arn:aws:iam::123456789012:role/testLoggingRole\", \"level\": \"INFO\", \"enabled\": true } }"
```
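The five pieces in this section (role policy, trust policy, the operator's PassRole grant, the CloudWatch Logs resource policy, and `put-logging-options`) are steps of one procedure. The script below ties them together; it is an added example and not code from the AWS documentation. The policy builders are pure and run offline; `enable_logging` performs the live calls with boto3 (assumed to be installed and credentialed, so the import is deferred to that function). Two choices are this example's own: the role policy narrows the page's `arn:aws:logs:*:*:*` to the account and Region in use, and the retry loop assumes that a role not yet visible to AWS IoT Events surfaces as `InvalidRequestException`.

```python
"""End-to-end CloudWatch logging setup for AWS IoT Events (added example)."""
import json
import time

IOTEVENTS_SERVICE = "iotevents.amazonaws.com"
LOG_ACTIONS = [
    "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
    "logs:PutMetricFilter", "logs:PutRetentionPolicy", "logs:GetLogEvents",
    "logs:DeleteLogStream",
]


def trust_policy():
    """Trust policy: only the AWS IoT Events service principal may assume the role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": [IOTEVENTS_SERVICE]},
        "Action": "sts:AssumeRole",
    }]}


def logging_role_policy(account, region):
    """The page's role policy with arn:aws:logs:*:*:* narrowed to one account
    and Region (an assumption of this example; widen it if you log elsewhere)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": LOG_ACTIONS,
        "Resource": [f"arn:aws:logs:{region}:{account}:*"],
    }]}


def pass_role_policy(account, role_name):
    """Operator-side grant: only this one role may be passed to AWS IoT Events."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "PassIoTEventsLoggingRole",
        "Effect": "Allow",
        "Action": ["iam:GetRole", "iam:PassRole"],
        "Resource": f"arn:aws:iam::{account}:role/{role_name}",
    }]}


def logs_resource_policy():
    """CloudWatch Logs resource policy letting the service principal write events."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "IoTEventsToCloudWatchLogs",
        "Effect": "Allow",
        "Principal": {"Service": [IOTEVENTS_SERVICE]},
        "Action": "logs:PutLogEvents",
        "Resource": "*",
    }]}


def validate_trust_policy(doc):
    """True only if every statement trusts exactly the AWS IoT Events principal
    for sts:AssumeRole; an extra principal or a wildcard is a misconfiguration."""
    statements = doc.get("Statement", [])
    for stmt in statements:
        principals = stmt.get("Principal", {}).get("Service", [])
        principals = [principals] if isinstance(principals, str) else list(principals)
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        if stmt.get("Effect") != "Allow" or principals != [IOTEVENTS_SERVICE] or actions != ["sts:AssumeRole"]:
            return False
    return bool(statements)


def enable_logging(account, region, role_name, level="INFO"):
    """Create the role, attach its policy, set the Logs resource policy, and
    turn on logging. Needs boto3 and AWS credentials (assumed)."""
    import boto3  # deferred so the policy builders above work without it
    iam = boto3.client("iam")
    logs = boto3.client("logs", region_name=region)
    iotevents = boto3.client("iotevents", region_name=region)

    trust = trust_policy()
    if not validate_trust_policy(trust):
        raise ValueError("trust policy must name only the AWS IoT Events principal")
    role_arn = iam.create_role(RoleName=role_name, AssumeRolePolicyDocument=json.dumps(trust))["Role"]["Arn"]
    iam.put_role_policy(RoleName=role_name, PolicyName="ioteventsLogging",
                        PolicyDocument=json.dumps(logging_role_policy(account, region)))
    logs.put_resource_policy(policyName="ioteventsLoggingPolicy",
                             policyDocument=json.dumps(logs_resource_policy()))
    # IAM is eventually consistent; retry briefly until the new role is accepted.
    for attempt in range(5):
        try:
            iotevents.put_logging_options(loggingOptions={"roleArn": role_arn, "level": level, "enabled": True})
            return role_arn
        except iotevents.exceptions.InvalidRequestException:
            time.sleep(2 ** attempt)
    raise RuntimeError("put_logging_options did not accept the new role")


if __name__ == "__main__":
    # Placeholder account, Region and role name; replace before running live.
    print(json.dumps(pass_role_policy("123456789012", "ioteventsLoggingRole"), indent=2))
    print(enable_logging("123456789012", "us-east-1", "ioteventsLoggingRole"))
```

Attach the document returned by `pass_role_policy` to the operator who runs the script, not to the logging role; it is what lets that operator hand the role to AWS IoT Events.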

# Amazon SNS messaging role policy for AWS IoT Events
<a name="iotevents-permissions-sns"></a>

Integrating AWS IoT Events with Amazon SNS requires careful permission management for secure and efficient notification delivery. This guide walks you through the process of configuring IAM roles and policies to allow AWS IoT Events to publish messages to Amazon SNS topics.

The following policy documents provide the role policy and trust policy that allow AWS IoT Events to send SNS messages. The role policy below allows every `sns:*` action on a single topic; the `sns` action itself only needs `sns:Publish`, as in the example policy earlier on this page, so narrow the action list where you can.

Role policy:


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "sns:*"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:sns:us-east-1:123456789012:testAction"
        }
    ]
}
```


Trust policy:


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "iotevents.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
