Question

Just wondering if there actually exist any best practices on AWS IoT regarding the handling of policies.

We could take 2 cases to study this.

Case 1: If we call a lambda(identity-id as param) which creates a policy on the fly and then attach the policy to the identity id. The policy has hardcoded the things name as the following.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:us-west-2:XXXX:client/hardcodedClient1"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish",
        "iot:Subscribe",
        "iot:Receive"
      ],
      "Resource": [
        "arn:aws:iot:us-west-2:XXXX:topic/$aws/things/THINGNAME1/*",
        "arn:aws:iot:us-west-2:XXXX:topicfilter/$aws/things/THINGNAME1/*"
      ]
    }
  ]
}

Case 2: If we use policy variables like ${iot:ClientId}, ${iot:ThingName}, we can attach one single policy to all the cognito-identity-users;

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:us-west-2:XXXX:client/${iot:ClientId}"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish",
        "iot:Subscribe",
        "iot:Receive"
      ],
      "Resource": [
        "arn:aws:iot:us-west-2:XXXX:topic/$aws/things/${iot:Connection.Thing.ThingName}/*",
        "arn:aws:iot:us-west-2:XXXX:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/*"
      ]
    }
  ]
}

So, can we infer which is the best practice amongst these?

Answer 1

I would recommend you use Case 2 using the policy variables. It reduces the number of policies to deal with and keep them meaningful and re-usable.

Also, it will save you a lot of time and money as you aren't using Lambda. It also prevents you from having to create a policy every time.

And if we're talking about security, rest assured because it has nothing to do with the policy variables.