Code360 powered by Coding Ninjas X Code360 powered by Coding Ninjas X
Table of contents
Rules for AWS IoT
Granting an AWS IoT Rule the Access it Requires
Pass Role Permissions
Creating an AWS IoT Rule
To create a rule (AWS CLI)
Viewing the Rules
Deleting an AWS IoT Rule
Frequently Asked Questions
Define AWS IoT or AWS IoT core?
Can devices that are NOT directly having Internet Connection can access AWS IoT Core?
What is the Device Gateway?
What is MQTT?
Last Updated: Mar 27, 2024

Rules for AWS IoT

Author Ankit Mishra
0 upvote
Master Python: Predicting weather forecasts
Ashwin Goyal
Product Manager @


AWS IoT connects your IoT devices to other devices and AWS cloud services. Device software from AWS IoT can help you link your IoT devices with AWS IoT-based solutions. If your devices can connect with AWS IoT, AWS IoT can connect them to AWS's cloud services. Now we will discuss the rules of AWS IoT to interact with devices.

Rules for AWS IoT

Your devices can communicate with AWS services. This communication is secured and encrypted to communicating devices only. The MQTT topic stream is used to examine rules and take action. Rules can be used to help with activities like these:

  • Data from a device can be enhanced or filtered.
  • Data from a device is written to an Amazon DynamoDB database.
  • A file is saved to Amazon S3.
  • Using Amazon SNS, send a push notification to all users.
  • Data should be published to an Amazon SQS queue.
  • To extract data, use a Lambda function.
  • Amazon Kinesis allows you to process communications from a wide number of devices.
  • Send information to Amazon OpenSearch.
  • Take note of a CloudWatch metric.
  • A CloudWatch alarm can be changed.
  • Send MQTT message data to Amazon Machine Learning to produce predictions using an Amazon ML model.
  • Send a message to an IoT Input Stream in Salesforce.
  • Send data from the message to an AWS IoT Analytics channel.

You can utilize MQTT messages that transit through the device communication protocols' publish/subscribe protocol or use the Basic Ingest functionality to securely communicate device data to the AWS services indicated above without incurring messaging fees. (The Basic Ingest feature improves data flow by removing the publish/subscribe message broker from the ingestion pipeline, making it more cost-effective while maintaining AWS IoT's security and data processing capabilities.)

You must provide AWS IoT authorization to use your AWS resources on your behalf before it can undertake these operations. You will be charged for the AWS services you used when you complete the steps.

Let’s have a look at how access to rules was provided.

Get the tech career you deserve, faster!
Connect with our expert counsellors to understand how to hack your way to success
User rating 4.7/5
1:1 doubt support
95% placement record
Akash Pal
Senior Software Engineer
326% Hike After Job Bootcamp
Himanshu Gusain
Programmer Analyst
32 LPA After Job Bootcamp
After Job

Granting an AWS IoT Rule the Access it Requires

IAM roles are used to manage which AWS resources each rule has access to. You must first create an IAM role with a policy that grants access to the appropriate AWS resources before you can write a rule. When a rule is executed, AWS IoT assumes this responsibility.

To establish the AWS IoT policy and IAM role that will offer an AWS IoT rule the access, it requires (AWS CLI)

Save the following trust policy document to a file called iot-role-trust.json, which gives AWS IoT authorization to take the role.

To avoid the problem of the confused deputy, this example provides a global condition context key. Your aws:SourceArn must be in the format arn:aws:iot:region:account-id:* for AWS IoT rules. Ensure that region and account-id match your AWS IoT Region and customer account ID, respectively.

     "Effect": "Allow",
     "Principal": {
       "Service": ""
     "Action": "sts:AssumeRole",
     "Condition": {
       "StringEquals": {
         "aws:SourceAccount": "123456789012"
       "ArnLike": {
         "aws:SourceArn": "arn:aws:iot:us-east-1:123456789012:*"

Create an IAM role with the create-role command and using the iot-role-trust.json file in AWS:

aws iam create-role --role-name my-iot-role --assume-role-policy-document file://iot-role-trust.json

This will be the output for the above operations:

 "Role": {
   "AssumeRolePolicyDocument": "url-encoded-json",
   "CreateDate": "2015-09-30T18:43:32.821Z",
   "RoleName": "my-iot-role",
   "Path": "/",
   "Arn": "arn:aws:iam::123456789012:role/my-iot-role"

Now, save the following JSON into the file named my-iot-policy.json.

 "Version": "2012-10-17",
 "Statement": [{
   "Effect": "Allow",
   "Action": "dynamodb:*",
   "Resource": "*"

This JSON file is an example policy document that gives DynamoDB access to AWS IoT administrators.

Upon adopting the role, use the create-policy command to allow AWS IoT access to your AWS resources, passing in the  file my-iot-policy.json :

aws iam create-policy --policy-name my-iot-policy --policy-document file://my-iot-policy.json

The Output of the create-policy command will contain the ARN of the policy. You need to attach a policy to a role.

 "Policy": {
   "PolicyName": "my-iot-policy",
   "CreateDate": "2015-09-30T19:31:18.620Z",
   "AttachmentCount": 0,
   "IsAttachable": true,
   "PolicyId": "ZXR6A36LTYANPAI7NJ5UV",
   "DefaultVersionId": "v1",
   "Path": "/",
   "Arn": "arn:aws:iam::123456789012:policy/my-iot-policy",
   "UpdateDate": "2015-09-30T19:31:18.620Z"

And then, Use the attach-role-policy command to attach your policy to your role:

aws iam attach-role-policy --role-name my-iot-role --policy-arn "arn:aws:iam::123456789012:policy/my-iot-policy"

Pass Role Permissions

An IAM role is a component of a rule definition that gives access to resources described in the rule's action. The rules engine assumes that role when the rule's action is triggered. The role and the rule must both be defined in the same AWS account.

When you create or replace a rule, you are effectively giving the rules engine a role. The iam:PassRole permission is required by the user executing this activity. Create a policy that grants the iam:PassRole permission and connect it to your IAM user to guarantee you have it. The following policy demonstrates how to grant a role the iam:PassRole permission.

 "Version": "2012-10-17",
 "Statement": [
     "Sid": "Stmt1",
     "Effect": "Allow",
     "Action": [
     "Resource": [

The iam: PassRole permission is allowed for the role myRole in this policy example. The ARN of the role is used to specify it. This policy must be attached to the IAM user or role to whom your user belongs. Now we will see how to create an AWS IoT rule.

Creating an AWS IoT Rule

Rules are set up to redirect data from your linked devices. The following are the rules:

Rule name- The name of the rule.

Optional description-  A textual description of the rule.

SQL statement- A simpler SQL syntax for filtering MQTT topic messages and pushing the data elsewhere. 

SQL version- The SQL rules engine version to use while evaluating the rule. Although this field is optional, we strongly advise you to specify the SQL version. The default value for this attribute in the AWS IoT Core console is 2016-03-23. 2015-10-08 is utilized if this attribute is not set, such as in an AWS CLI command or an AWS CloudFormation template. See SQL versions for further details.

One or more actions- The actions taken by AWS IoT when the rule is executed. Insert data into a DynamoDB table, write data to an Amazon S3 bucket, publish to an Amazon SNS topic, or call a Lambda function.

An error action- The action AWS IoT performs when it cannot perform a rule's action.

Consider how much data you're posting on topics while creating a rule. If you employ a wildcard subject pattern in your rules, they may match a significant percentage of your messages, and you may need to scale up the AWS resources utilized by the target actions. Also, if you employ a wildcard topic pattern in a republish rule, you may wind up with a circular rule that generates an unending loop.

To create a rule (AWS CLI)

To make a rule, use the create-topic-rule command:

aws iot create-topic-rule --rule-name myrule --topic-rule-payload file://myrule.json

Viewing the Rules

Use the command list-topic-rules to list all your rules:

aws iot list-topic-rules

Use the command get-topic-rule to get information about a rule:

aws iot get-topic-rule --rule-name myrule

Deleting an AWS IoT Rule

When you finish using a rule, you can delete it.

To delete a rule (AWS CLI)

Use the delete-topic-rule command to delete a rule:

aws iot delete-topic-rule --rule-name myrule

Now we have completed our discussion as we have seen creating, viewing, and deleting the rule in AWS IoT.

Check out this article - Components Of IOT

Frequently Asked Questions

Define AWS IoT or AWS IoT core?

AWS IoT Core is a managed cloud platform that enables connected devices to interact with cloud applications and other devices in a simple and safe manner. AWS IoT Core can handle billions of devices and trillions of messages, and it can reliably and securely process and route those communications to AWS endpoints and other devices.

Can devices that are NOT directly having Internet Connection can access AWS IoT Core?

Yes, a physical hub is required. AWS IoT Core can be accessed by devices connected to a private IP network and devices using non-IP radio protocols like ZigBee or Bluetooth LE as long as they have a physical hub acting as a communication and security intermediary between them and AWS IoT Core.

What is the Device Gateway?

The Device Gateway is the communication hub between connected devices and cloud services like the Rules Engine, Device Shadow, and other AWS and third-party offerings.

The pub/sub messaging pattern is supported by the Device Gateway, allowing for scalable, low-latency, and low-overhead communication. It's especially effective in IoT settings, where billions of devices must often connect with a slight delay.

What is MQTT?

MQTT is a lightweight pub/sub protocol optimized for network bandwidth and device resources. MQTT also supports TLS-encrypted communication. MQTT is frequently utilized in IoT scenarios. The Device Gateway supports most of the MQTT specifications and an OASIS standard.


In this article, we have extensively discussed Creating Rules for AWS IoT, Viewing AWS IoT rules, and deleting them. I hope you have understood the Creation to Deletion of Rules of AWS IoT.

To read more about AWS and its sub topic you can refer here, STS Download, Important AWS Interview QuestionsSQS in AWS, and AWS Archives.

Refer to our guided paths on Coding Ninjas Studio to learn more about DSA, Competitive Programming, JavaScript, System Design, etc. Enrol in our courses, refer to the mock test and problems; look at the interview experiences and interview bundle for placement preparations.

Do upvote our blog to help other ninjas grow.

Happy Learning!

Previous article
AWS IoT Things Graph
Next article
Live masterclass