AWS IoT policy still allows other topics to be accessed via MQTT

I am trying to allow only the topics specified in the AWS IoT inline policy during subscribe and publish over MQTT in AWS IoT Core. But it looks like it also allows other topics.

For example, this should not work: mytopic/test/test-123/publish123 (but it works), because publish123 is not specified.

Below is the inline policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Connect"
      ],
      "Resource": "arn:aws:iot:eu-central-1:123456789:client/${iot:Certificate.Subject.CommonName}"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Subscribe"
      ],
      "Resource": [
        "arn:aws:iot:eu-central-1:123456789:topicfilter/mytopic/test/${iot:Certificate.Subject.CommonName}/subsricption",
        "arn:aws:iot:eu-central-1:123456789:topicfilter/mytopic/test/+/+/+/subsricption"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Receive"
      ],
      "Resource": "arn:aws:iot:eu-central-1:123456789:topic/io/ksb/m2c/${iot:Certificate.Subject.CommonName}/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish"
      ],
      "Resource": [
        "arn:aws:iot:eu-central-1:123456789:topic/mytopic/test/${iot:Certificate.Subject.CommonName}/publish1",
        "arn:aws:iot:eu-central-1:123456789:topic/mytopic/test/${iot:Certificate.Subject.CommonName}/publish2",
        "arn:aws:iot:eu-central-1:123456789:topic/mytopic/test/+/+/+/publish2",
        "arn:aws:iot:eu-central-1:123456789:topic/mytopic/test/${iot:Certificate.Subject.CommonName}/subsricption",
        "arn:aws:iot:eu-central-1:123456789:topic/mytopic/test/+/+/+/subsricption"
      ]
    }
  ]
}

MQTT wildcards are only supported in topic filters (topicFilter, not topic). Topic filters are used only in the subscribe part of the policy.

This means the publish part of the policy needs to be more explicit when listing topics and cannot use + and #. Topic resources let you use the * wildcard, as in IAM. When matching, this behaves like a greedy .* regex.
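A small checker written for this answer as an added example (it is not code from the question or from AWS): it resolves the certificate policy variable, treats only * as a wildcard when matching topic resources, and flags Publish/Receive resources that contain + or #. The client name dev-01, the cut-down policy and the topics it is run against are constructed for the example.

```python
import re

# Policy variable from the question; a constructed client name is substituted for it.
CERT_CN_VAR = "${iot:Certificate.Subject.CommonName}"
ARN_PREFIX = "arn:aws:iot:eu-central-1:123456789:"  # region/account as in the question

def resource_regex(resource_arn, client_name):
    """Compile a topic/topicfilter resource ARN into a regex.
    Only '*' is a wildcard in the resource string and it is greedy (like '.*');
    '+' and '#' are plain characters here, which is what the answer explains."""
    resolved = resource_arn.replace(CERT_CN_VAR, client_name)
    pattern = ".*".join(re.escape(piece) for piece in resolved.split("*"))
    return re.compile("^" + pattern + "$")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def action_allowed(policy, action, resource_arn, client_name):
    """True if an Allow statement covers (action, resource_arn).
    Deny statements are not modelled; the question's policy has none."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or action not in _as_list(stmt["Action"]):
            continue
        if any(resource_regex(r, client_name).match(resource_arn)
               for r in _as_list(stmt["Resource"])):
            return True
    return False

def mqtt_wildcards_in_topic_resources(policy):
    """Lint: Publish/Receive resources containing '+' or '#'. Those characters
    are literal in a topic resource, so such entries rarely do what the author
    intended; topicfilter resources (Subscribe) are not flagged."""
    hits = []
    for stmt in policy["Statement"]:
        if not {"iot:Publish", "iot:Receive"} & set(_as_list(stmt["Action"])):
            continue
        hits += [r for r in _as_list(stmt["Resource"])
                 if ":topic/" in r and ("+" in r or "#" in r)]
    return hits

# Constructed policy, cut down from the question: one literal publish topic, one
# entry that wrongly uses MQTT '+' wildcards, and a receive resource using '*'.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iot:Publish"], "Resource": [
        ARN_PREFIX + "topic/mytopic/test/" + CERT_CN_VAR + "/publish1",
        ARN_PREFIX + "topic/mytopic/test/+/+/+/publish2"]},
    {"Effect": "Allow", "Action": ["iot:Receive"], "Resource":
        ARN_PREFIX + "topic/io/ksb/m2c/" + CERT_CN_VAR + "/*"},
]}
```

Running the linter over the question's full policy flags the two + entries under iot:Publish, which is the cause of the confusion the answer describes; publish123 is still rejected by the literal publish1/publish2 entries.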