4
I would like to know if anyone has ideas about best practices for handling policies on AWS IoT. For example, we could have two different scenarios: a generic AWS IoT policy vs. a per-Cognito-user policy.
Case 1: call a Lambda that creates a policy on the fly (with the identity ID as a parameter) and then attaches the policy to the identity. The policy would contain a hard-coded thing name, for example:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:us-west-2:XXXX:client/hardcodedClient1"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish",
        "iot:Subscribe",
        "iot:Receive"
      ],
      "Resource": [
        "arn:aws:iot:us-west-2:XXXX:topic/$aws/things/THINGNAME1/*",
        "arn:aws:iot:us-west-2:XXXX:topicfilter/$aws/things/THINGNAME1/*"
      ]
    }
  ]
}
Case 2: using policy variables such as ${iot:ClientId} and ${iot:ThingName}, we could have a single policy for all Cognito identity users:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:us-west-2:XXXX:client/${iot:ClientId}"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish",
        "iot:Subscribe",
        "iot:Receive"
      ],
      "Resource": [
        "arn:aws:iot:us-west-2:XXXX:topic/$aws/things/${iot:Connection.Thing.ThingName}/*",
        "arn:aws:iot:us-west-2:XXXX:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/*"
      ]
    }
  ]
}
So, the question is: which one is the best practice, and are both of them secure for a Cognito user, so that he can only interact with his own device?
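To make the difference between the two cases concrete, here is an added Python sketch (not code from the question) that substitutes the Case 2 policy variables from a simulated connection context and checks which topic ARNs the policy then allows. It assumes AWS IoT's behaviour of leaving a variable unreplaced when the principal has no thing attached, and it simplifies evaluation to Allow statements only (no explicit Deny, no Condition keys).

```python
import re

ACCOUNT = "XXXX"  # placeholder account id, taken as-is from the question
REGION = "us-west-2"

# Case 2 policy from the question, copied into a Python structure.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect",
         "Resource": f"arn:aws:iot:{REGION}:{ACCOUNT}:client/${{iot:ClientId}}"},
        {"Effect": "Allow", "Action": ["iot:Publish", "iot:Subscribe", "iot:Receive"],
         "Resource": [
             f"arn:aws:iot:{REGION}:{ACCOUNT}:topic/$aws/things/${{iot:Connection.Thing.ThingName}}/*",
             f"arn:aws:iot:{REGION}:{ACCOUNT}:topicfilter/$aws/things/${{iot:Connection.Thing.ThingName}}/*",
         ]},
    ],
}

def substitute(resource, ctx):
    """Replace ${var} with the connection context value. A variable with no value
    (e.g. no thing attached to the principal) is left unreplaced, as AWS IoT does,
    so that statement can never match a real ARN."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), m.group(0)), resource)

def arn_matches(pattern, arn):
    """Resource wildcard semantics: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, arn) is not None

def is_allowed(policy, action, arn, ctx):
    """Simplified evaluation: an Allow statement that matches grants access, otherwise implicit deny."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if stmt["Effect"] != "Allow" or action not in actions:
            continue
        if any(arn_matches(substitute(r, ctx), arn) for r in resources):
            return True
    return False

# Constructed connection contexts: an identity attached to THINGNAME1, and one with no thing attached.
ATTACHED = {"iot:ClientId": "device-1", "iot:Connection.Thing.ThingName": "THINGNAME1"}
DETACHED = {"iot:ClientId": "device-2"}
SHADOW_1 = f"arn:aws:iot:{REGION}:{ACCOUNT}:topic/$aws/things/THINGNAME1/shadow/update"
SHADOW_2 = f"arn:aws:iot:{REGION}:{ACCOUNT}:topic/$aws/things/THINGNAME2/shadow/update"

if __name__ == "__main__":
    print(is_allowed(POLICY, "iot:Publish", SHADOW_1, ATTACHED))  # own shadow: True
    print(is_allowed(POLICY, "iot:Publish", SHADOW_2, ATTACHED))  # another thing's shadow: False
    print(is_allowed(POLICY, "iot:Publish", SHADOW_1, DETACHED))  # no thing attached: False
```

Note that the Connect statement is satisfied by whatever client ID the caller presents, so the per-device isolation in Case 2 comes from the identity-to-thing attachment that resolves ${iot:Connection.Thing.ThingName}, not from ${iot:ClientId}.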
Perhaps you could answer some of your own questions? – Birowsky