I am trying to allow only the topics specified in the AWS IoT inline policy to be used over MQTT in AWS IoT Core, for both subscribe and publish. But it seems to allow other topics as well.
For example, this should not work: mytopic/test/test-123/publish123 (but it does), because publish123 is not specified.
Below is the inline policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Connect"
      ],
      "Resource": "arn:aws:iot:eu-central-1:123456789:client/${iot:Certificate.Subject.CommonName}"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Subscribe"
      ],
      "Resource": [
        "arn:aws:iot:eu-central-1:123456789:topicfilter/mytopic/test/${iot:Certificate.Subject.CommonName}/subsricption",
        "arn:aws:iot:eu-central-1:123456789:topicfilter/mytopic/test/+/+/+/subsricption"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Receive"
      ],
      "Resource": "arn:aws:iot:eu-central-1:123456789:topic/io/ksb/m2c/${iot:Certificate.Subject.CommonName}/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish"
      ],
      "Resource": [
        "arn:aws:iot:eu-central-1:123456789:topic/mytopic/test/${iot:Certificate.Subject.CommonName}/publish1",
        "arn:aws:iot:eu-central-1:123456789:topic/mytopic/test/${iot:Certificate.Subject.CommonName}/publish2",
        "arn:aws:iot:eu-central-1:123456789:topic/mytopic/test/+/+/+/publish2",
        "arn:aws:iot:eu-central-1:123456789:topic/mytopic/test/${iot:Certificate.Subject.CommonName}/subsricption",
        "arn:aws:iot:eu-central-1:123456789:topic/mytopic/test/+/+/+/subsricption"
      ]
    }
  ]
}
Posted on 2020-04-17 17:42:58
MQTT wildcards are only supported in topic filters (topicFilter, not topic). Topic filters are only used in the subscribe part of the policy.
This means the publish part of the policy needs to be more explicit when listing topics and cannot use + or #. The topic resource lets you use the * wildcard, as in IAM. When matching, this behaves like a greedy .* regular expression.
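To make the answer's two matching rules concrete, here is a small Python matcher added as an illustration (it is not code from the question, the answer, or AWS): in a topic/ resource, * is a greedy wildcard while + and # are ordinary characters, whereas + and # carry their MQTT meaning only in a topicfilter/ resource. The resource ARNs below are constructed for the demo, and the ${iot:Certificate.Subject.CommonName} variable is resolved with a simplified string substitution.

```python
import re
from typing import Iterable

# Constructed sample resources for the demo (not the question's policy verbatim).
TOPIC_RES_WITH_PLUS = "arn:aws:iot:eu-central-1:123456789:topic/mytopic/test/+/publish2"
TOPIC_RES_WITH_STAR = "arn:aws:iot:eu-central-1:123456789:topic/mytopic/test/*/publish2"
TOPIC_RES_WITH_VAR = "arn:aws:iot:eu-central-1:123456789:topic/mytopic/test/${iot:Certificate.Subject.CommonName}/publish1"
FILTER_RES_WITH_PLUS = "arn:aws:iot:eu-central-1:123456789:topicfilter/mytopic/test/+/subscription"


def substitute_vars(resource: str, common_name: str) -> str:
    """Resolve the single policy variable used on this page (simplified substitution)."""
    return resource.replace("${iot:Certificate.Subject.CommonName}", common_name)


def topic_matches(resource: str, topic: str) -> bool:
    """'topic/...' resources (Publish/Receive): '*' is a greedy wildcard like '.*';
    '+' and '#' are ordinary characters and must appear literally in the topic."""
    _, sep, pattern = resource.partition(":topic/")
    if not sep:
        return False  # not a topic resource
    regex = "".join(".*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, topic) is not None


def topic_filter_matches(resource: str, subscription: str) -> bool:
    """'topicfilter/...' resources (Subscribe): MQTT semantics, '+' matches exactly
    one level and '#' matches everything that follows."""
    _, sep, pattern = resource.partition(":topicfilter/")
    if not sep:
        return False  # not a topicfilter resource
    p_levels, s_levels = pattern.split("/"), subscription.split("/")
    for i, p in enumerate(p_levels):
        if p == "#":
            return True
        if i >= len(s_levels) or (p != "+" and p != s_levels[i]):
            return False
    return len(p_levels) == len(s_levels)


def publish_allowed(resources: Iterable[str], common_name: str, topic: str) -> bool:
    """True if any Publish resource matches the topic after variable substitution."""
    return any(topic_matches(substitute_vars(r, common_name), topic) for r in resources)


if __name__ == "__main__":
    # The topic from the question: no resource names it, so it must be denied.
    print(publish_allowed([TOPIC_RES_WITH_PLUS, TOPIC_RES_WITH_STAR], "dev-42",
                          "mytopic/test/test-123/publish123"))  # False
```

Note that with TOPIC_RES_WITH_PLUS a publish to mytopic/test/dev1/publish2 is denied, because the + only matches a literal plus sign; the * form is what grants per-device publish rights.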
https://stackoverflow.com/questions/61253010