Somehow none of the AWS IoT Rules are working for me.
I published to the topic and sent to SNS (as per the example).
SELECT * FROM 'acme/temp'
All policies and trust policies are correct, yet it does not fire the rule.
The sad part is that the log level is configured to DEBUG, yet CloudWatch shows only INFO and nothing that explains why the rules are not fired.
Trust policy
{
"Version":"2012-10-17",
"Statement":[{
"Effect": "Allow",
"Principal": {
"Service": "iot.amazonaws.com"
},
"Action": "sts:AssumeRole"
}]
}
Role Policy
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "sns:Publish",
"Resource": "arn:aws:sns:us-east-1:643170122694:snstopic"
}
}
Please suggest how to troubleshoot.
I am using the MQTT client inside the AWS console to publish messages to the topic. If I subscribe, I get the messages. I put my rule configuration here: forums.aws.amazon.com/thread.jspa?messageID=741034&tstart=0. Can you think of any ways I can troubleshoot? No matter what rule I write and what action I define, it does not fire the IoT rule engine. I am using the us-east-1 region.
I have a "root" account.
I created an "admin" account which has all the rights.
I created an account "dev" and I want it to only have access to certain services:
S3
DynamoDB
CloudWatch
API Gateway
Lambda
Cognito
So I created a policy with the AWS console editor, gave full access to these resources and allowed everything; it gave me this:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:*",
"apigateway:*",
"lambda:*",
"dynamodb:*",
"cognito-idp:*"
],
"Resource": "*"
}
]
}
Looks good to me (not specific enough, but good for a beginner).
Problem: I created a DB, a Lambda, an API Gateway, etc., but I can't see the services with this. Which authorization should I give to the "dev" role to see the items in the AWS console?
I found it: I only needed to switch my region in the top right corner of the console. (Shame on me.)
I'm using Flutter/Dart (mqtt_client, https://pub.dev/packages/mqtt_client) to send AWS IoT MQTT messages over websockets, and I'd like to restrict an IAM user to only specific topics, so that a user is allowed to publish messages only to their specific topic. I've attempted to add some restricted policies, but the application fails with little information on the client side. Also, in CloudWatch, I don't see any specific errors.
Here are some example topics:
arn:aws:iot:us-east-2:666121319217:topic/action_request/ASDF1234
arn:aws:iot:us-east-2:666121319217:topic/action_request/ASDF5678
So, I want to add the proper JSON policy attached to the IAM user so that they only have access to ASDF1234.
All of my publish topics are patterned like the above. For now, I'm focusing on restricting the Publish endpoints and will then work on others like Subscribe.
I've tried numerous different policies like the one below, also with some wildcards added, with no success on the client side. They look right, but I'm not sure if there are indirectly other publish topics used internally within MQTT that are causing the failures, or maybe it's just my syntax.
Another thought is to add a condition that would allow only the above endpoint and no others.
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"iot:Receive",
"iot:ListNamedShadowsForThing",
"iot:Subscribe",
"iot:Connect",
"iot:GetThingShadow",
"iot:DeleteThingShadow",
"iot:UpdateThingShadow"
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "iot:Publish",
"Resource": "arn:aws:iot:us-east-2:1234567890:topic/*/ASDF1234*"
}
]
}
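To see which topic ARNs the VisualEditor1 statement above actually covers, here is an added example (not from the question, the mqtt_client package or AWS) that applies IAM wildcard matching to a set of constructed topic ARNs; the TIGHTER exact-topic pattern is an assumption, and one constructed ARN sits in a different account id only to show that the account segment of the ARN must match as well.

```python
import re

def _as_list(v):
    return v if isinstance(v, list) else [v]

def iam_glob(pattern: str, ignore_case: bool = False) -> "re.Pattern[str]":
    """Translate an IAM Action/Resource pattern into an anchored regex.
    '*' matches any run of characters (it does cross '/' and ':'),
    '?' matches exactly one character; everything else is literal."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(f"^{body}$", re.IGNORECASE if ignore_case else 0)

def is_allowed(policy: dict, action: str, resource_arn: str) -> bool:
    """Minimal identity-policy evaluation: an explicit Deny wins over any Allow,
    and with no matching Allow the default is deny. Conditions, NotAction,
    NotResource and resource policies are out of scope of this example."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        # Action names are case-insensitive in IAM; resource ARNs are compared as written.
        action_hit = any(iam_glob(a, True).match(action) for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(iam_glob(r).match(resource_arn) for r in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed

def publish_policy(resource_pattern: str) -> dict:
    """Identity policy with one iot:Publish statement, shaped like VisualEditor1 above."""
    return {"Version": "2012-10-17", "Statement": [{"Sid": "VisualEditor1", "Effect": "Allow",
                                                    "Action": "iot:Publish", "Resource": resource_pattern}]}

POSTED = "arn:aws:iot:us-east-2:1234567890:topic/*/ASDF1234*"               # pattern from the question
TIGHTER = "arn:aws:iot:us-east-2:1234567890:topic/action_request/ASDF1234"  # assumption: exact topic only

# Constructed topic ARNs: the device's own topic, another device, a topic whose name
# merely starts with ASDF1234, a deeper path, and the same topic in a different account.
TOPICS = {
    "own_topic":        "arn:aws:iot:us-east-2:1234567890:topic/action_request/ASDF1234",
    "other_device":     "arn:aws:iot:us-east-2:1234567890:topic/action_request/ASDF5678",
    "prefix_collision": "arn:aws:iot:us-east-2:1234567890:topic/action_request/ASDF12345",
    "deep_path":        "arn:aws:iot:us-east-2:1234567890:topic/a/b/c/ASDF1234",
    "wrong_account":    "arn:aws:iot:us-east-2:666121319217:topic/action_request/ASDF1234",
}

def evaluate(resource_pattern: str) -> dict:
    """Map each constructed topic to whether iot:Publish on it would be allowed."""
    policy = publish_policy(resource_pattern)
    return {name: is_allowed(policy, "iot:Publish", arn) for name, arn in TOPICS.items()}
```

Running `evaluate(POSTED)` shows the trailing `*` also admits `ASDF12345` and the middle `*` admits any path depth, while `evaluate(TIGHTER)` admits only the device's own topic.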
I need to find a way to disable an API that is on a regional/edge-optimized endpoint.
I know that for private APIs you can add a resource policy that disables it like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": "*",
"Action": "execute-api:Invoke",
"Resource": "execute-api:/{{stageNameOrWildcard}}/{{httpVerbOrWildcard}}/{{resourcePathOrWildcard}}"
}]
}
However, it does not work on regional APIs.
Anyone have any ideas?
Based on the comments:
API Gateway resource policies do work for regional APIs. However, after changing the policy, one must re-deploy the stage for the policy to take effect.
Also, it takes a few moments for the policies to take effect. The policies do not apply immediately after deployment.
The AWS documentation has examples of different SNS access control configurations.
There are two similar configuration examples.
The first one allows publishing notifications from another account's S3 bucket to an SNS topic:
{
"Effect": "Allow",
"Principal": {
"Service": "s3.amazonaws.com"
},
"Action": "sns:Publish",
"Resource": "arn:aws:sns:us-east-2:111122223333:MyTopic",
"Condition": {
"StringEquals": {
"AWS:SourceAccount": "444455556666"
}
}
}
The second one allows publishing notifications from another account's SES email to an SNS topic:
{
"Effect": "Allow",
"Principal": {
"Service": "ses.amazonaws.com"
},
"Action": "SNS:Publish",
"Resource": "arn:aws:sns:us-east-2:444455556666:MyTopic",
"Condition": {
"StringEquals": {
"aws:SourceOwner": "111122223333"
}
}
}
The difference is that the first example uses aws:SourceAccount and the second one uses aws:SourceOwner.
The docs have a dedicated paragraph called "aws:SourceAccount versus aws:SourceOwner", but the distinction between these two statements is still unclear to me.
Could you please clarify the difference between the aws:SourceAccount and aws:SourceOwner policy conditions?
The difference can be seen only when the owner of a resource is different from the account that the resource belongs to. It's an advanced setup. Here is an excerpt from the official docs that gives an example of this kind of setup.
... it is possible for another account to own a resource in your account. For example, the trusting account might allow the trusted account to create new resources, such as creating new objects in an Amazon S3 bucket.
Source
1. SourceOwner is used for giving access to other AWS services from a specific account.
For example, we want to define a policy that allows only SES from account 111122223333 to publish messages to the topic in 444455556666:
{
"Version": "2008-10-17",
"Id": "__default_policy_ID",
"Statement": [
{
"Sid": "__default_statement_ID",
"Effect": "Allow",
"Principal": {
"Service": "ses.amazonaws.com"
},
"Action": "SNS:Publish",
"Resource": "arn:aws:sns:us-east-2:444455556666:MyTopic",
"Condition": {
"StringEquals": {
"aws:SourceOwner": "111122223333"
}
}
}
]
}
2. SourceAccount is used for giving IAM roles from an account access to the topic.
For example, we want to define a policy that allows only account 444455556666 to publish messages to the topic in 111122223333:
{
"Statement": [{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "sns:Publish",
"Resource": "arn:aws:sns:us-east-2:111122223333:MyTopic",
"Condition": {
"StringEquals": {
"AWS:SourceAccount": "444455556666"
}
}
}]
}
Now for case #1, if you have only one account, it doesn't make sense, because SES will use the same account as SNS. But if you have more accounts, it brings a benefit in that you only allow SES of a particular account to send messages to your topic.
Hope it helps. If it is not clear, please put comments and I will try to explain more.
Adding more information to make things clearer.
Take the example of S3 sending an SNS message.
In this case, AWS will use the credentials of an internal S3 account and make a call on behalf of your account, NOT from the resource. Because of that, we need to use aws:SourceAccount to perform validation in the policy.
Take the example of SES sending an SNS message.
In this case, AWS will use the credentials of an internal S3 account and make a call on behalf of your resource, NOT from the account. Because of that, we need to use aws:SourceOwner in the policy.
I would recommend that you refer to the documentation case by case to understand which one you need to use. But I do hope you understand the differences between the two of them now.
The difference is as others have described. It might be worth noting this from the GitHub issue:
https://github.com/awsdocs/iam-user-guide/issues/111#issuecomment-1252880839
We don't plan to document aws:SourceOwner.
aws:SourceAccount was introduced as the preferred replacement.
So I would suggest using only aws:SourceAccount going forward.
I set up notifications in CodeCommit on all events. The rule target SNS topic has a policy that allows principal *. However, when I created a pull request, no event went through my SNS topic. I have an email subscription to the topic.
What have I missed, and what are the possible causes?
I was having the same problem.
The solution is to give permission in SNS to receive notifications from CodeCommit. To do so, you need to edit the SNS "Access policy" and add the following rule:
{
"Sid": "AWSCodeStarNotifications_publish",
"Effect": "Allow",
"Principal": {
"Service": [
"codestar-notifications.amazonaws.com"
]
},
"Action": "SNS:Publish",
"Resource": "arn:aws:sns:us-east-1:123456789012:codestar-notifications-MyTopicForNotificationRules"
}
Just make sure to edit the Resource property first.
Source, full explanation and example here: https://docs.aws.amazon.com/codestar-notifications/latest/userguide/notification-target-create.html
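The aws:SourceAccount versus aws:SourceOwner discussion above and this CodeCommit answer both come down to the same question about an SNS topic access policy: which Publish grants to a service principal (or to *) carry a condition that ties the request to a source? The linter below is an added example, not from any answer on this page or from AWS. It flags unscoped grants and notes statements that still use aws:SourceOwner (the GitHub comment quoted above calls aws:SourceAccount the preferred replacement). The sample policy is constructed from the statements posted on this page; the Sids S3Scoped, SesOwner and AnyoneCanPublish are made up.

```python
# Condition keys that tie a service-originated Publish to its source. Without one of
# them, any customer's S3 bucket / SES identity / notification rule could publish to
# the topic through that service (the confused-deputy problem). IAM condition key
# names are case-insensitive, so "AWS:SourceAccount" and "aws:SourceAccount" are equal.
SCOPING_KEYS = {"aws:sourceaccount", "aws:sourceowner", "aws:sourcearn"}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_keys(stmt: dict) -> set:
    # {"StringEquals": {"aws:SourceOwner": "111122223333"}} -> {"aws:sourceowner"}
    return {k.lower() for block in stmt.get("Condition", {}).values() for k in block}

def lint_topic_policy(policy: dict) -> list:
    """Return (Sid, finding) pairs for Allow statements that grant SNS:Publish."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not actions & {"sns:publish", "sns:*", "*"}:
            continue
        sid, principal = stmt.get("Sid", "<no Sid>"), stmt.get("Principal")
        keys = _condition_keys(stmt)
        scoped = bool(keys & SCOPING_KEYS)
        wildcard = principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))
        if wildcard and not scoped:
            findings.append((sid, "unscoped-wildcard-principal"))
        elif isinstance(principal, dict) and "Service" in principal:
            if not scoped:
                findings.append((sid, "unscoped-service-principal"))
            elif "aws:sourceowner" in keys:
                findings.append((sid, "uses-sourceowner"))  # aws:SourceAccount is the preferred replacement
    return findings

# Constructed sample policy assembled from the statements discussed on this page.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "S3Scoped", "Effect": "Allow", "Principal": {"Service": "s3.amazonaws.com"},
     "Action": "sns:Publish", "Resource": "arn:aws:sns:us-east-2:111122223333:MyTopic",
     "Condition": {"StringEquals": {"AWS:SourceAccount": "444455556666"}}},
    {"Sid": "SesOwner", "Effect": "Allow", "Principal": {"Service": "ses.amazonaws.com"},
     "Action": "SNS:Publish", "Resource": "arn:aws:sns:us-east-2:444455556666:MyTopic",
     "Condition": {"StringEquals": {"aws:SourceOwner": "111122223333"}}},
    {"Sid": "AWSCodeStarNotifications_publish", "Effect": "Allow",
     "Principal": {"Service": ["codestar-notifications.amazonaws.com"]}, "Action": "SNS:Publish",
     "Resource": "arn:aws:sns:us-east-1:123456789012:codestar-notifications-MyTopicForNotificationRules"},
    {"Sid": "AnyoneCanPublish", "Effect": "Allow", "Principal": "*", "Action": "SNS:Publish",
     "Resource": "arn:aws:sns:us-east-1:123456789012:codestar-notifications-MyTopicForNotificationRules"},
]}

if __name__ == "__main__":
    for sid, finding in lint_topic_policy(SAMPLE_POLICY):
        print(f"{sid}: {finding}")
```

The S3 statement passes because its condition key is matched case-insensitively; the CodeStar statement is flagged because it names a service principal without any source condition, and the "allow principal *" policy from the question is flagged as the weakest of the four.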