本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
憑證政策範例
對於在 AWS IoT Core 登錄檔中註冊的裝置,下列政策會授予許可,以 AWS IoT Core 使用符合物件名稱的用戶端 ID 連線至 ,並發佈至其名稱等於裝置用來驗證其本身之憑證certificateId的 主題:
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iot:Publish"
],
"Resource": ["arn:aws:iot:us-east-1:123456789012:topic/${iot:CertificateId}"]
},
{
"Effect": "Allow",
"Action": [
"iot:Connect"
],
"Resource": ["arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"]
}
]
}
對於未在 AWS IoT Core 登錄檔中註冊的裝置,下列政策會授予許可,以 AWS IoT Core 使用用戶端 IDs、client2、 client1client3和 連線至 ,以發佈至其名稱等於裝置用來驗證其本身之憑證certificateId的 主題:
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iot:Publish"
],
"Resource": ["arn:aws:iot:us-east-1:123456789012:topic/${iot:CertificateId}"]
},
{
"Effect": "Allow",
"Action": [
"iot:Connect"
],
"Resource": [
"arn:aws:iot:us-east-1:123456789012:client/client1",
"arn:aws:iot:us-east-1:123456789012:client/client2",
"arn:aws:iot:us-east-1:123456789012:client/client3"
]
}
]
}
對於在 AWS IoT Core 登錄檔中註冊的裝置,下列政策會授予許可,以 AWS IoT Core 使用符合物件名稱的用戶端 ID 連線至 ,並發佈至其名稱等於裝置用來驗證其身分之憑證主體CommonName欄位的主題:
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iot:Publish"
],
"Resource": ["arn:aws:iot:us-east-1:123456789012:topic/${iot:Certificate.Subject.CommonName}"]
},
{
"Effect": "Allow",
"Action": [
"iot:Connect"
],
"Resource": ["arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"]
}
]
}
在這個範例中,憑證的主體通用名稱欄位會用作為主題識別符,並假設主體通用名稱對每個登錄憑證是唯一的。如果憑證在多個裝置間共用,所有共用此憑證之裝置的主體通用名稱都是相同的,因此允許從多個裝置對相同主題的發佈權限 (不建議)。
對於未在 AWS IoT Core 登錄檔中註冊的裝置,下列政策會授予許可,以 AWS IoT Core 使用用戶端 IDs、client2、 client1client3和 連線至 ,並發佈至其名稱等於裝置用來驗證其身分之憑證主體CommonName欄位的主題:
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iot:Publish"
],
"Resource": ["arn:aws:iot:us-east-1:123456789012:topic/${iot:Certificate.Subject.CommonName}"]
},
{
"Effect": "Allow",
"Action": [
"iot:Connect"
],
"Resource": [
"arn:aws:iot:us-east-1:123456789012:client/client1",
"arn:aws:iot:us-east-1:123456789012:client/client2",
"arn:aws:iot:us-east-1:123456789012:client/client3"
]
}
]
}
在這個範例中,憑證的主體通用名稱欄位會用作為主題識別符,並假設主體通用名稱對每個登錄憑證是唯一的。如果憑證在多個裝置間共用,所有共用此憑證之裝置的主體通用名稱都是相同的,因此允許從多個裝置對相同主題的發佈權限 (不建議)。
對於在 AWS IoT Core 登錄檔中註冊的裝置,下列政策會授予許可,以 AWS IoT Core 使用與物件名稱相符的用戶端 ID 連線至 ,並在用來驗證裝置的憑證將 Subject.CommonName.2 欄位設定為 admin/時,發佈至其名稱字首為 的主題Administrator:
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iot:Connect"
],
"Resource": ["arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"]
},
{
"Effect": "Allow",
"Action": [
"iot:Publish"
],
"Resource": ["arn:aws:iot:us-east-1:123456789012:topic/admin/*"],
"Condition": {
"StringEquals": {
"iot:Certificate.Subject.CommonName.2": "Administrator"
}
}
}
]
}
對於未在 AWS IoT Core 登錄檔中註冊的裝置,當用於驗證裝置的憑證將 Subject.CommonName.2 欄位設定為 admin/時client2,下列政策會授予許可,以使用 AWS IoT Core 用戶端 IDs client1、 和 連線至 ,client3並發佈至其名稱字首為 的主題Administrator:
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iot:Connect"
],
"Resource": [
"arn:aws:iot:us-east-1:123456789012:client/client1",
"arn:aws:iot:us-east-1:123456789012:client/client2",
"arn:aws:iot:us-east-1:123456789012:client/client3"
]
},
{
"Effect": "Allow",
"Action": [
"iot:Publish"
],
"Resource": ["arn:aws:iot:us-east-1:123456789012:topic/admin/*"],
"Condition": {
"StringEquals": {
"iot:Certificate.Subject.CommonName.2": "Administrator"
}
}
}
]
}
對於在 AWS IoT Core 登錄檔中註冊的裝置,以下政策允許裝置使用其實物名稱發佈到特定主題,該主題包含 admin/,當用於驗證裝置的憑證將其任何一個Subject.CommonName欄位設定為 ThingName時,後面接著 Administrator:
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iot:Connect"
],
"Resource": ["arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"]
},
{
"Effect": "Allow",
"Action": [
"iot:Publish"
],
"Resource": ["arn:aws:iot:us-east-1:123456789012:topic/admin/${iot:Connection.Thing.ThingName}"],
"Condition": {
"ForAnyValue:StringEquals": {
"iot:Certificate.Subject.CommonName.List": "Administrator"
}
}
}
]
}
對於未在 AWS IoT Core 登錄檔中註冊的裝置,當用於驗證裝置的憑證將其任何Subject.CommonName一個欄位設定為 admin時client1,下列政策會授予許可,以 AWS IoT Core 使用用戶端 IDs client2、 和 連線至 ,client3並發佈至 主題Administrator:
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iot:Connect"
],
"Resource": [
"arn:aws:iot:us-east-1:123456789012:client/client1",
"arn:aws:iot:us-east-1:123456789012:client/client2",
"arn:aws:iot:us-east-1:123456789012:client/client3"
]
},
{
"Effect": "Allow",
"Action": [
"iot:Publish"
],
"Resource": ["arn:aws:iot:us-east-1:123456789012:topic/admin"],
"Condition": {
"ForAnyValue:StringEquals": {
"iot:Certificate.Subject.CommonName.List": "Administrator"
}
}
}
]
}
