Granting an AWS IoT Rule the Access it Requires
IAM roles are used to control which AWS resources each rule can access. Before you can write a rule, you must create an IAM role with a policy that grants access to the required AWS resources. When a rule is triggered, AWS IoT assumes this role.
To create the IAM role and policy that give an AWS IoT rule the access it requires (AWS CLI)
Save the following trust policy document to a file called iot-role-trust.json. It authorizes AWS IoT to assume the role.
To prevent the confused deputy problem, this example uses the global condition context keys aws:SourceAccount and aws:SourceArn. For AWS IoT rules, aws:SourceArn must have the form arn:aws:iot:region:account-id:*. Replace region and account-id with your AWS IoT Region and your AWS account ID, respectively.
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "Service": "iot.amazonaws.com"
    },
    "Action": "sts:AssumeRole",
    "Condition": {
      "StringEquals": {
        "aws:SourceAccount": "123456789012"
      },
      "ArnLike": {
        "aws:SourceArn": "arn:aws:iot:us-east-1:123456789012:*"
      }
    }
  }]
}
Create the IAM role with the create-role command, passing the iot-role-trust.json file as its trust policy:
aws iam create-role --role-name my-iot-role --assume-role-policy-document file://iot-role-trust.json
The command returns output like the following:
{
  "Role": {
    "AssumeRolePolicyDocument": "url-encoded-json",
    "RoleId": "AKIAIOSFODNN7EXAMPLE",
    "CreateDate": "2015-09-30T18:43:32.821Z",
    "RoleName": "my-iot-role",
    "Path": "/",
    "Arn": "arn:aws:iam::123456789012:role/my-iot-role"
  }
}
Now save the following JSON to a file named my-iot-policy.json.
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "dynamodb:*",
    "Resource": "*"
  }]
}
This is an example policy document that grants the role full access to DynamoDB: every DynamoDB action on every resource. For a production rule, narrow Action and Resource to what the rule's action actually needs.
Next, use the create-policy command to create the policy that grants the role access to your AWS resources, passing in the my-iot-policy.json file:
aws iam create-policy --policy-name my-iot-policy --policy-document file://my-iot-policy.json
The output of create-policy includes the ARN of the policy, which you need in the next step to attach the policy to the role:
{
  "Policy": {
    "PolicyName": "my-iot-policy",
    "CreateDate": "2015-09-30T19:31:18.620Z",
    "AttachmentCount": 0,
    "IsAttachable": true,
    "PolicyId": "ZXR6A36LTYANPAI7NJ5UV",
    "DefaultVersionId": "v1",
    "Path": "/",
    "Arn": "arn:aws:iam::123456789012:policy/my-iot-policy",
    "UpdateDate": "2015-09-30T19:31:18.620Z"
  }
}
Finally, use the attach-role-policy command to attach the policy to the role:
aws iam attach-role-policy --role-name my-iot-role --policy-arn "arn:aws:iam::123456789012:policy/my-iot-policy"
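The trust policy and the permissions policy above are the two documents that decide what a rule can do, so they are worth checking before they are uploaded. The following script is an added example, not code from the article or from AWS: it embeds the article's iot-role-trust.json and my-iot-policy.json as Python dicts, verifies that the trust policy carries the confused-deputy conditions for the given account and Region, flags the wildcard grant in my-iot-policy.json, and builds a scoped replacement. The account ID, Region and table ARN are placeholders, and the scoped policy assumes the rule's only action is putting items into one DynamoDB table.

```python
"""Offline checks for the two IAM documents the article creates.

Added example; not code from the article or from AWS. It embeds the
article's iot-role-trust.json and my-iot-policy.json as Python dicts and
checks the properties the text calls out: the trust policy must carry the
confused-deputy conditions for your account and Region, and a rule role
should not be granted every action on every resource.
"""
import json

ACCOUNT_ID = "123456789012"   # placeholder account ID used throughout the article
REGION = "us-east-1"          # Region used in the article's aws:SourceArn

# iot-role-trust.json from the article
IOT_ROLE_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "iot.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Condition": {
            "StringEquals": {"aws:SourceAccount": ACCOUNT_ID},
            "ArnLike": {"aws:SourceArn": f"arn:aws:iot:{REGION}:{ACCOUNT_ID}:*"},
        },
    }],
}

# my-iot-policy.json from the article: every DynamoDB action on every resource
MY_IOT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}],
}


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_trust_policy(doc, account_id, region):
    """Return findings for the trust policy; an empty list means it looks right."""
    findings = []
    expected_arn = f"arn:aws:iot:{region}:{account_id}:*"
    grants_iot = False
    for stmt in doc.get("Statement", []):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or "iot.amazonaws.com" not in services:
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        grants_iot = True
        cond = stmt.get("Condition", {})
        src_account = cond.get("StringEquals", {}).get("aws:SourceAccount")
        src_arn = cond.get("ArnLike", {}).get("aws:SourceArn")
        if src_account != account_id:
            findings.append("aws:SourceAccount missing or not equal to your account ID")
        if src_arn != expected_arn:
            findings.append(f"aws:SourceArn should be {expected_arn}, got {src_arn!r}")
    if not grants_iot:
        findings.append("no statement lets iot.amazonaws.com call sts:AssumeRole")
    return findings


def check_permissions_policy(doc):
    """Flag Allow statements that pair a wildcard action with Resource '*'."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions) and "*" in resources:
            findings.append(f"{actions} on {resources}: scope to the table the rule writes")
    return findings


def scoped_dynamodb_policy(table_arn):
    """Least-privilege replacement for my-iot-policy.json. Assumption: the rule
    only puts items into one table, so dynamodb:PutItem on that table suffices."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "dynamodb:PutItem",
                       "Resource": table_arn}],
    }


if __name__ == "__main__":
    print("trust policy:", check_trust_policy(IOT_ROLE_TRUST, ACCOUNT_ID, REGION) or "ok")
    print("permissions policy:", check_permissions_policy(MY_IOT_POLICY) or "ok")
    table = f"arn:aws:dynamodb:{REGION}:{ACCOUNT_ID}:table/SensorData"  # placeholder
    print(json.dumps(scoped_dynamodb_policy(table), indent=2))
```

Run it with a different account ID or Region than the one in the trust policy and the first check reports exactly which condition would let another account's IoT rules assume the role; the scoped policy it prints can be saved in place of my-iot-policy.json when the rule only writes to one table.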
Pass Role Permissions
A rule definition includes an IAM role that grants access to the resources referenced in the rule's actions. The rules engine assumes that role when the rule's actions are triggered. The role and the rule must be defined in the same AWS account.
When you create or replace a rule, you pass a role to the rules engine, so the user performing that operation needs the iam:PassRole permission for the role. To make sure you have it, create a policy that grants iam:PassRole and attach it to your IAM user. The following policy shows how to grant iam:PassRole for a specific role.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::123456789012:role/myRole"
      ]
    }
  ]
}
This example policy allows iam:PassRole for the role myRole, identified by its ARN. Attach the policy to the IAM user that creates the rule, or to the group or role that user belongs to. Next, we create an AWS IoT rule.
Creating an AWS IoT Rule
Rules are configured to route data from your connected devices. A rule consists of the following:
Rule name - The name of the rule.
Optional description - A textual description of the rule.
SQL statement - A simplified SQL syntax for selecting messages from MQTT topics and sending the data elsewhere.
SQL version - The version of the SQL rules engine to use when evaluating the rule. Although this field is optional, we strongly advise you to specify the SQL version. The default value in the AWS IoT Core console is 2016-03-23. If the attribute is not set, for example in an AWS CLI command or an AWS CloudFormation template, 2015-10-08 is used. See SQL versions for further details.
One or more actions - The actions AWS IoT performs when the rule is triggered, for example inserting data into a DynamoDB table, writing data to an Amazon S3 bucket, publishing to an Amazon SNS topic, or invoking a Lambda function.
An error action - The action AWS IoT performs when it fails to execute one of the rule's actions.
Consider how much data you are publishing on topics when creating a rule. If you use a wildcard topic pattern in your rules, they may match a significant percentage of your messages, and you may need to scale up the AWS resources used by the target actions. Also, if you use a wildcard topic pattern in a republish rule, you may end up with a circular rule that generates an unending loop.
To create a rule (AWS CLI)
To create a rule, use the create-topic-rule command:
aws iot create-topic-rule --rule-name myrule --topic-rule-payload file://myrule.json
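The myrule.json file passed to create-topic-rule is not shown above, so here is an added example, not code from the article or from AWS, that builds one and checks it against the cautions in the rule description and the Pass Role Permissions section. The payload shape is the create-topic-rule input (sql, awsIotSqlVersion, ruleDisabled, actions, errorAction); the table, topic and role names are placeholders. The checks are: the SQL version is set explicitly rather than falling back to 2015-10-08, no republish action publishes to a topic that the rule's own wildcard filter would match (the unending loop the article warns about), every role the rule references is in the same account as the rule, and the iam:PassRole policy covers each of those roles. The PassRole document from the article names role/myRole while the role created earlier is my-iot-role, and the checker reports that mismatch.

```python
"""Build and sanity-check the myrule.json payload passed to create-topic-rule.

Added example; not code from the article or from AWS. The payload shape is
the create-topic-rule input; table, topic and role names are placeholders.
The checks cover the points the article raises for rule creation: set the
SQL version explicitly, avoid republish actions that feed the rule's own
wildcard topic filter, keep rule and role in one account, and hold
iam:PassRole on every role the rule references.
"""
import json
import re

ACCOUNT_ID = "123456789012"  # placeholder account ID from the article
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/my-iot-role"  # role created earlier

# The iam:PassRole policy from the article; note that it names role/myRole
PASS_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Stmt1",
        "Effect": "Allow",
        "Action": ["iam:PassRole"],
        "Resource": [f"arn:aws:iam::{ACCOUNT_ID}:role/myRole"],
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def build_rule_payload(sql, actions, error_action=None, sql_version="2016-03-23"):
    """Assemble the document saved as myrule.json; the SQL version is always set."""
    payload = {"sql": sql, "awsIotSqlVersion": sql_version,
               "ruleDisabled": False, "actions": actions}
    if error_action is not None:
        payload["errorAction"] = error_action
    return payload


def topic_filter_from_sql(sql):
    """Pull the topic filter out of the FROM clause, e.g. FROM 'sensors/+/temp'."""
    match = re.search(r"\bFROM\s+'([^']+)'", sql, re.IGNORECASE)
    return match.group(1) if match else None


def topic_matches(topic_filter, topic):
    """MQTT filter matching: '+' matches one level, '#' matches the remainder."""
    f_parts, t_parts = topic_filter.split("/"), topic.split("/")
    for i, part in enumerate(f_parts):
        if part == "#":
            return True
        if i >= len(t_parts) or (part != "+" and part != t_parts[i]):
            return False
    return len(f_parts) == len(t_parts)


def _role_arns(payload):
    """Every roleArn referenced by the rule's actions and its error action."""
    targets = list(payload.get("actions", []))
    if "errorAction" in payload:
        targets.append(payload["errorAction"])
    return [cfg["roleArn"] for a in targets for cfg in a.values() if "roleArn" in cfg]


def _pattern_matches(pattern, arn):
    """IAM resource patterns allow '*' and '?' wildcards."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, arn) is not None


def check_rule_payload(payload, pass_role_policy, account_id):
    """Return findings for a rule payload; an empty list means it looks right."""
    findings = []
    if "awsIotSqlVersion" not in payload:
        findings.append("awsIotSqlVersion not set; the CLI default is 2015-10-08")
    topic_filter = topic_filter_from_sql(payload.get("sql", ""))
    for action in payload.get("actions", []):
        republish = action.get("republish")
        if republish and topic_filter and topic_matches(topic_filter, republish["topic"]):
            findings.append(f"republish to {republish['topic']!r} matches the rule's own "
                            f"filter {topic_filter!r}: message loop")
    passable = [r for s in pass_role_policy.get("Statement", [])
                if s.get("Effect") == "Allow" and "iam:PassRole" in _as_list(s.get("Action", []))
                for r in _as_list(s.get("Resource", []))]
    for arn in _role_arns(payload):
        if arn.split(":")[4] != account_id:
            findings.append(f"{arn} is outside account {account_id}")
        if not any(_pattern_matches(p, arn) for p in passable):
            findings.append(f"no iam:PassRole grant covers {arn}")
    return findings


if __name__ == "__main__":
    rule = build_rule_payload(
        "SELECT * FROM 'sensors/+/temperature'",
        [{"dynamoDBv2": {"roleArn": ROLE_ARN, "putItem": {"tableName": "SensorData"}}}],
    )
    print(json.dumps(rule, indent=2))  # this is what goes into myrule.json
    print(check_rule_payload(rule, PASS_ROLE_POLICY, ACCOUNT_ID) or "ok")
```

Save the printed payload as myrule.json and run the create-topic-rule command above once the checker reports "ok"; until the PassRole policy names my-iot-role rather than myRole, the create call would fail on the missing iam:PassRole permission, which is the finding the script prints.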
Viewing the Rules
Use the command list-topic-rules to list all your rules:
aws iot list-topic-rules
Use the command get-topic-rule to get information about a rule:
aws iot get-topic-rule --rule-name myrule
Deleting an AWS IoT Rule
When you finish using a rule, you can delete it.
To delete a rule (AWS CLI)
Use the delete-topic-rule command to delete a rule:
aws iot delete-topic-rule --rule-name myrule
This completes the walkthrough: we have created, viewed, and deleted a rule in AWS IoT.
Frequently Asked Questions
What is AWS IoT Core?
AWS IoT Core is a managed cloud platform that enables connected devices to interact with cloud applications and other devices in a simple and safe manner. AWS IoT Core can handle billions of devices and trillions of messages, and it can reliably and securely process and route those communications to AWS endpoints and other devices.
Can devices without a direct Internet connection access AWS IoT Core?
Yes, provided they have a physical hub. Devices connected to a private IP network, and devices using non-IP radio protocols such as ZigBee or Bluetooth LE, can access AWS IoT Core as long as a physical hub acts as the communication and security intermediary between them and AWS IoT Core.
What is the Device Gateway?
The Device Gateway is the communication hub between connected devices and cloud services like the Rules Engine, Device Shadow, and other AWS and third-party offerings.
The Device Gateway supports the pub/sub messaging pattern, allowing scalable, low-latency, and low-overhead communication. It is especially effective in IoT settings, where billions of devices must often communicate with minimal delay.
What is MQTT?
MQTT is a lightweight pub/sub protocol optimized for network bandwidth and constrained device resources. MQTT also supports TLS-encrypted communication and is frequently used in IoT scenarios. The Device Gateway supports most of the MQTT specification, which is an OASIS standard.
Conclusion
In this article, we have discussed creating rules for AWS IoT, viewing them, and deleting them, along with the IAM role and PassRole permissions they depend on. I hope you now understand the full lifecycle of an AWS IoT rule, from creation to deletion.