I'd like to know whether anyone has thoughts on best practices for handling policies in AWS IoT. For example, we might have two different situations:
Case 1: call a Lambda function (passing the identity ID as a parameter) that dynamically creates a policy and attaches it to that identity ID. The policy would contain a hardcoded thing name, e.g.:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iot:Connect",
"Resource": "arn:aws:iot:us-west-2:XXXX:client/hardcodedClient1"
},
{
"Effect": "Allow",
"Action": [
"iot:Publish",
"iot:Subscribe",
"iot:Receive"
],
"Resource": [
"arn:aws:iot:us-west-2:XXXX:topic/$aws/things/THINGNAME1/*",
"arn:aws:iot:us-west-2:XXXX:topicfilter/$aws/things/THINGNAME1/*"
]
}
]
}
Case 2: by using policy variables such as ${iot:ClientId} and ${iot:ThingName}, we could attach one single policy to all cognito-identity users:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iot:Connect",
"Resource": "arn:aws:iot:us-west-2:XXXX:client/${iot:ClientId}"
},
{
"Effect": "Allow",
"Action": [
"iot:Publish",
"iot:Subscribe",
"iot:Receive"
],
"Resource": [
"arn:aws:iot:us-west-2:XXXX:topic/$aws/things/${iot:Connection.Thing.ThingName}/*",
"arn:aws:iot:us-west-2:XXXX:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/*"
]
}
]
}
So the question is: which approach is the best practice, while also guaranteeing that a Cognito user can only interact with their own devices?
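As an added example (not code from the original question), here is what the provisioning side of Case 2 looks like in Python. The point it demonstrates is that with the shared variable-based policy, the per-user isolation comes from the thing-to-principal attachment: `${iot:Connection.Thing.ThingName}` only resolves when a thing is attached to the connecting Cognito identity, so the Lambda that binds an identity to a thing is where a check is needed to stop one user from claiming another user's device. The policy name `SharedThingPolicy`, the stub IoT client, the identity IDs and thing names are all constructed here for illustration; the boto3 calls used (`list_thing_principals`, `attach_policy`, `attach_thing_principal`) are the real ones, and boto3 is only imported when the script is run directly so the helpers can be exercised offline.

```python
"""
Provisioning helper for the "one shared policy with variables" approach.
Added example, not part of the original question.

Assumptions (not in the original post):
  - the shared policy is created once from build_policy_document()
  - the Lambda receives a Cognito identity ID and a thing name
  - the stub client below stands in for boto3's IoT client so the
    logic can run offline
"""
import re

# Cognito identity IDs look like "<region>:<uuid>" (assumed format for this check).
IDENTITY_ID_RE = re.compile(r"^[a-z]{2}-[a-z]+-\d:[0-9a-f-]{36}$")
# Keep the thing-name check strict: the value is not interpolated into an ARN,
# but rejecting unexpected input early is cheaper than debugging it later.
THING_NAME_RE = re.compile(r"^[A-Za-z0-9:_-]{1,128}$")


def build_policy_document(region, account_id):
    """Shared policy: the variables resolve per connection, so one document
    serves every identity. ${iot:Connection.Thing.ThingName} only resolves
    when a thing is attached to the connecting principal; with no thing
    attached the resource never matches and access is denied.
    Subscribe is checked against topicfilter ARNs, Publish/Receive against
    topic ARNs, so the two are split into separate statements."""
    prefix = f"arn:aws:iot:{region}:{account_id}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "iot:Connect",
                "Resource": f"{prefix}:client/${{iot:ClientId}}",
            },
            {
                "Effect": "Allow",
                "Action": ["iot:Publish", "iot:Receive"],
                "Resource": f"{prefix}:topic/$aws/things/${{iot:Connection.Thing.ThingName}}/*",
            },
            {
                "Effect": "Allow",
                "Action": "iot:Subscribe",
                "Resource": f"{prefix}:topicfilter/$aws/things/${{iot:Connection.Thing.ThingName}}/*",
            },
        ],
    }


def bind_identity_to_thing(iot, identity_id, thing_name, policy_name):
    """Attach the shared policy to the Cognito identity and attach the thing
    to that identity, refusing to re-home a thing that already belongs to a
    different principal. Returns the principals attached to the thing."""
    if not IDENTITY_ID_RE.match(identity_id):
        raise ValueError("unexpected Cognito identity ID format")
    if not THING_NAME_RE.match(thing_name):
        raise ValueError("unexpected thing name")

    current = iot.list_thing_principals(thingName=thing_name)["principals"]
    if any(p != identity_id for p in current):
        # Without this check, any caller of the Lambda could claim someone else's device.
        raise PermissionError(f"{thing_name} is already attached to another principal")

    # attach_policy is idempotent; attach_thing_principal is skipped if already done.
    iot.attach_policy(policyName=policy_name, target=identity_id)
    if identity_id not in current:
        iot.attach_thing_principal(thingName=thing_name, principal=identity_id)
        return current + [identity_id]
    return list(current)


class _StubIoT:
    """Minimal stand-in for boto3's IoT client (constructed for offline use)."""

    def __init__(self, attached=None):
        self.attached = {k: list(v) for k, v in (attached or {}).items()}
        self.calls = []

    def list_thing_principals(self, thingName):
        return {"principals": list(self.attached.get(thingName, []))}

    def attach_policy(self, policyName, target):
        self.calls.append(("attach_policy", policyName, target))

    def attach_thing_principal(self, thingName, principal):
        self.calls.append(("attach_thing_principal", thingName, principal))
        self.attached.setdefault(thingName, []).append(principal)


if __name__ == "__main__":
    import json
    print(json.dumps(build_policy_document("us-west-2", "123456789012"), indent=2))
    stub = _StubIoT()
    user_a = "us-west-2:11111111-2222-3333-4444-555555555555"
    user_b = "us-west-2:aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
    print(bind_identity_to_thing(stub, user_a, "thing-A", "SharedThingPolicy"))
    try:
        bind_identity_to_thing(stub, user_b, "thing-A", "SharedThingPolicy")
    except PermissionError as exc:
        print("rejected:", exc)
    # Against a real account: replace _StubIoT() with boto3.client("iot").
```

Two things to keep in mind when running this against a real account: the shared policy must exist before `attach_policy` is called (create it once with `create_policy` from `build_policy_document()`), and for authenticated Cognito identities AWS IoT requires both the IoT policy attached to the identity and the identity pool's IAM role to allow the action, so the role policy needs matching `iot:*` permissions as well.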