Limiting The Aws Iot Core Policy - Quectel BG96 Developer's Manual

Eseye-enabled module
Provisioning the Quectel BG96 module

Limiting the AWS IoT Core policy

AWS IoT Core policies allow you to control access to the AWS IoT Core data plane. The data plane consists of operations that allow you to connect to the AWS IoT Core message broker, send and receive MQTT messages, and get or update the device shadow.

By default, the AnyNet Secure provisioning service creates things with an open policy. This occurs because the provisioning has no knowledge of your application, or of the publish and subscribe topics and processing you are using with your AWS account.

It is best practice to limit the policy to allow access to only the required resources and to limit that access to only authenticated devices.

We recommend that you edit or replace the installed default policy. Only Allow required actions, or Deny actions that the thing never performs. Use a resource control for each action to restrict resource access.

For example, if the thing only publishes and never subscribes, remove the subscribe action from the policy statement. Alternatively, specifically Deny the subscribe action. Use a resource control such as Resource, which restricts the connection to a thing using a thing name registered in the AWS IoT registry and authenticated against the ARN. For example:

    ["arn:aws:iot:Region:123456789012:client/${iot:Connection.Thing.ThingName}"]

For more detailed examples of how to adjust policies to manage resource access, see AWS IoT Core policies.

Eseye-enabled Quectel BG96 module Developer Guide v1.8
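The following is an added example, not part of the Eseye/Quectel guide: it places an open provisioning policy of the kind described above beside a least-privilege policy for a publish-only thing, and runs both through a small evaluator that applies the AWS policy evaluation order (an explicit Deny beats any Allow, otherwise access is implicitly denied). It uses the AWS-documented policy variable ${iot:Connection.Thing.ThingName} so that a thing can only connect as its own registered name and publish to its own topic. The region, thing names and topic layout are constructed sample values; the account ID is the one from the guide's example ARN.

```python
"""Compare an open AWS IoT Core policy with a least-privilege one (added example)."""
import json
import re

REGION = "eu-west-1"        # constructed sample value
ACCOUNT = "123456789012"    # sample account from the guide's example ARN

# Open policy as installed by a provisioning service that knows nothing about
# the application: every iot action on every resource.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iot:*"], "Resource": ["*"]},
    ],
})

# Least-privilege policy for a thing that only publishes telemetry:
#  - Connect only with the client ID equal to its registered thing name
#  - Publish only to its own telemetry topic (constructed topic layout)
#  - explicit Deny on Subscribe/Receive, since the thing never subscribes
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["iot:Connect"],
            "Resource": [f"arn:aws:iot:{REGION}:{ACCOUNT}:client/${{iot:Connection.Thing.ThingName}}"],
        },
        {
            "Effect": "Allow",
            "Action": ["iot:Publish"],
            "Resource": [f"arn:aws:iot:{REGION}:{ACCOUNT}:topic/telemetry/${{iot:Connection.Thing.ThingName}}"],
        },
        {
            "Effect": "Deny",
            "Action": ["iot:Subscribe", "iot:Receive"],
            "Resource": ["*"],
        },
    ],
})


def _matches(pattern: str, value: str, thing_name: str) -> bool:
    """Substitute the thing-name policy variable, then match with '*' as the only wildcard."""
    pattern = pattern.replace("${iot:Connection.Thing.ThingName}", thing_name)
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, value) is not None


def evaluate(policy_json: str, action: str, resource: str, thing_name: str) -> str:
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request.

    Mirrors the AWS evaluation order: any matching Deny statement wins outright,
    a matching Allow grants access, and no match at all is an implicit deny.
    """
    policy = json.loads(policy_json)
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(_matches(a, action, thing_name) for a in actions):
            continue
        if not any(_matches(r, resource, thing_name) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision


def compare(thing_name: str = "sensor-001", other_thing: str = "sensor-002") -> dict:
    """Evaluate a set of requests made by `thing_name` against both policies.

    Returns {label: (open_decision, restricted_decision)}.
    """
    def client(name):
        return f"arn:aws:iot:{REGION}:{ACCOUNT}:client/{name}"

    def topic(name):
        return f"arn:aws:iot:{REGION}:{ACCOUNT}:topic/telemetry/{name}"

    checks = {
        "connect as self": ("iot:Connect", client(thing_name)),
        "connect as another thing": ("iot:Connect", client(other_thing)),
        "publish own telemetry": ("iot:Publish", topic(thing_name)),
        "publish to another thing's topic": ("iot:Publish", topic(other_thing)),
        "subscribe to everything": ("iot:Subscribe", f"arn:aws:iot:{REGION}:{ACCOUNT}:topicfilter/#"),
    }
    return {
        label: (evaluate(OPEN_POLICY, a, r, thing_name), evaluate(RESTRICTED_POLICY, a, r, thing_name))
        for label, (a, r) in checks.items()
    }


if __name__ == "__main__":
    for label, (open_dec, restricted_dec) in compare().items():
        print(f"{label:34s} open={open_dec:13s} restricted={restricted_dec}")
```

Every request succeeds under the open policy, which is the exposure the guide warns about. Under the restricted policy the thing can still do its job (connect as itself, publish its own telemetry), impersonating another thing or writing to another thing's topic falls through to the implicit deny, and subscribing is refused by the explicit Deny even though nothing else in the policy mentions it.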
