I am trying to write an AWS IoT policy that lets a device communicate with an AWS IoT thing. However, according to the AWS IoT audit check, the policy is overly permissive: "Policy allows broad access to IoT data plane actions: iot:Subscribe, iot:Connect, iot:Publish." How do I fix this?
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:us-east-1:<aws account id>:client/${iot:ClientId}"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": "arn:aws:iot:us-east-1:<aws account id>:topic/$aws/things/*/shadow/get"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Subscribe"
      ],
      "Resource": [
        "arn:aws:iot:us-east-1:<aws account id>:topicfilter/$aws/events/presence/connected/*",
        "arn:aws:iot:us-east-1:<aws account id>:topicfilter/$aws/events/presence/disconnected/*",
        "arn:aws:iot:us-east-1:<aws account id>:topicfilter/$aws/things/*/shadow/update/accepted",
        "arn:aws:iot:us-east-1:<aws account id>:topicfilter/$aws/things/*/shadow/get/accepted"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Receive"
      ],
      "Resource": "arn:aws:iot:us-east-1:<aws account id>:topic/$aws/things/*"
    }
  ]
}

Posted on 2020-08-12 04:31:44
This means you are trying an over-exposed policy. Since you have not mentioned the exact usage, I assume this policy is the least-privilege one, i.e. the use case does not allow your policy to be more restrictive. If that is not the case, restrict your policy to the following:

arn:aws:iot:region:account-id:client/* to arn:aws:iot:region:account-id:client/${iot:ClientId}

where iot:ClientId is a policy variable that refers to the clientId of the MQTT connection. See also:
https://docs.aws.amazon.com/iot/latest/developerguide/audit-chk-iot-policy-permissive.html
https://stackoverflow.com/questions/62947566
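As an added example (not part of the question or the answer above), a small Python linter that flags the wildcard grants the audit complains about and applies the kind of narrowing the answer points to, here with the `${iot:Connection.Thing.ThingName}` thing policy variable for the shadow topics. The wildcard heuristic is my approximation of the audit rule, not AWS's exact logic, and the sample policy is constructed from the question's statements.

```python
import json

# Data-plane actions named in the audit finding, plus iot:Receive and the iot:* wildcard.
DATA_PLANE_ACTIONS = {"iot:Connect", "iot:Publish", "iot:Subscribe", "iot:Receive", "iot:*"}
# Resolves per connection to the registry thing the device's certificate is attached to.
THING_VAR = "${iot:Connection.Thing.ThingName}"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def broad_grants(policy: dict) -> list:
    """Local approximation of the 'overly permissive' check (assumption, not AWS's rule):
    flag every Allow on a data-plane action whose resource ARN contains a '*' that is
    not narrowed by a per-connection ${iot:...} policy variable."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action not in DATA_PLANE_ACTIONS:
                continue
            for res in _as_list(stmt.get("Resource", [])):
                if "*" in res and "${iot:" not in res:
                    findings.append((action, res))
    return findings

def scope_to_thing(policy: dict) -> dict:
    """Return a copy in which the thing-name wildcard in $aws/things/... shadow topics
    is replaced by the thing policy variable, so each device only reaches its own shadow.
    Requires the device certificate to be attached to the thing in the registry."""
    text = json.dumps(policy)
    text = text.replace("$aws/things/*/", f"$aws/things/{THING_VAR}/")  # mid-path wildcard
    text = text.replace("$aws/things/*", f"$aws/things/{THING_VAR}/*")  # trailing wildcard
    return json.loads(text)

# Constructed sample mirroring the question's Connect, Publish and Receive statements.
ARN = "arn:aws:iot:us-east-1:<aws account id>:"
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect", "Resource": ARN + "client/${iot:ClientId}"},
        {"Effect": "Allow", "Action": "iot:Publish", "Resource": ARN + "topic/$aws/things/*/shadow/get"},
        {"Effect": "Allow", "Action": ["iot:Receive"], "Resource": ARN + "topic/$aws/things/*"},
    ],
}

if __name__ == "__main__":
    print("before:", broad_grants(BROAD_POLICY))
    print("after: ", broad_grants(scope_to_thing(BROAD_POLICY)))
```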