Tags: amazon-web-services, amazon-iam, iot, aws-iot

How to grant user access to only specific things in AWS IoT?


I would like to set up an IAM policy so that the user can access shadow (iot:UpdateThingShadow, iot:GetThingShadow) only for specific things in AWS IoT.

Things are grouped using a static thing group, and there is also a thing type specified for those things.

As I see here, IoT things cannot be directly tagged. And I cannot find a way to use Resources and Conditions to grant user access only to the specific thing group/type. There are too many devices to list each thing id in the policy.

I'm pretty sure it's a common situation but cannot find any solution. Thanks in advance for your help!


Solution

  • After contacting AWS Support and doing some research, I see that it's not possible to restrict access to a specific group/type for shadow updates. The tag-based conditions such as aws:ResourceTag are available only for thing group management (e.g. iot:UpdateThingGroup). The IAM policy supports the ThingGroupArn condition key, but it works only with IoT tunnels.

    I see here the following options:

    1. Create a new, separate AWS account for that group of things
    2. Create API endpoints to get and update the thing shadow and check the thing group/type using a Lambda function
    3. Put the things in another region
    4. Leave it as it is :)

    Related information:

    1. https://docs.aws.amazon.com/iot/latest/developerguide/tagging-iot-iam.html
    2. https://aws.amazon.com/blogs/iot/improving-the-management-and-security-of-your-aws-iot-resources-with-tagging/
    3. AWS IoT Resources Access Based on Tags NOT working
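Option 2 from the answer above, worked through as an added example (this is not code from the original post or from AWS): a Lambda that fronts the Device Shadow API and only serves things that belong to an allowed static thing group. The caller is granted only the right to invoke this function (for instance through API Gateway with IAM authorization), while the Lambda's own execution role holds iot:ListThingGroupsForThing, iot:GetThingShadow and iot:UpdateThingShadow; the event shape `{"action", "thingName", "payload"}`, the `ALLOWED_THING_GROUPS` environment variable and the `FakeIot`/`FakeIotData` stand-ins are assumptions made for this example. The boto3 calls `list_thing_groups_for_thing`, `get_thing_shadow` and `update_thing_shadow` are real, but boto3 is imported lazily so the authorization logic runs offline against the in-memory doubles.

```python
"""Shadow proxy that enforces thing-group membership (added example, not the post's code)."""
import io
import json
import os
import re

# Thing names AWS IoT accepts: 1-128 characters of [a-zA-Z0-9:_-].
THING_NAME_RE = re.compile(r"^[a-zA-Z0-9:_-]{1,128}$")

# Static thing groups whose members the caller may read/update.
# The environment variable name is an assumption of this example.
ALLOWED_THING_GROUPS = frozenset(
    g.strip() for g in os.environ.get("ALLOWED_THING_GROUPS", "fleet-a").split(",") if g.strip()
)


def groups_for_thing(iot, thing_name):
    """Return every thing group containing thing_name, following pagination."""
    names, token = [], None
    while True:
        kwargs = {"thingName": thing_name}
        if token:
            kwargs["nextToken"] = token
        resp = iot.list_thing_groups_for_thing(**kwargs)
        names.extend(g["groupName"] for g in resp.get("thingGroups", []))
        token = resp.get("nextToken")
        if not token:
            return names


def is_allowed(iot, thing_name, allowed_groups=ALLOWED_THING_GROUPS):
    """Authorization decision: the thing must sit in at least one allowed group."""
    if not THING_NAME_RE.match(thing_name or ""):
        return False  # never forward a malformed name to the control plane
    return any(g in allowed_groups for g in groups_for_thing(iot, thing_name))


def handle(event, iot, iot_data, allowed_groups=ALLOWED_THING_GROUPS):
    """Gate, then proxy the shadow call; 403 for things outside the allowed groups."""
    thing_name = event.get("thingName", "")
    if not is_allowed(iot, thing_name, allowed_groups):
        return {"statusCode": 403, "body": json.dumps({"message": "thing not in an allowed group"})}
    action = event.get("action")
    if action == "get":
        resp = iot_data.get_thing_shadow(thingName=thing_name)
    elif action == "update":
        body = json.dumps(event.get("payload", {})).encode()
        resp = iot_data.update_thing_shadow(thingName=thing_name, payload=body)
    else:
        return {"statusCode": 400, "body": json.dumps({"message": "action must be get or update"})}
    return {"statusCode": 200, "body": resp["payload"].read().decode()}


def lambda_handler(event, context):
    """Real entry point; boto3 is imported here so the logic above is testable offline."""
    import boto3
    return handle(event, boto3.client("iot"), boto3.client("iot-data"))


# In-memory stand-ins for the two boto3 clients (constructed test doubles, not AWS code).
class FakeIot:
    def __init__(self, membership):
        self.membership = membership  # thingName -> [groupName, ...]

    def list_thing_groups_for_thing(self, thingName, nextToken=None):
        groups = self.membership.get(thingName, [])
        return {"thingGroups": [{"groupName": g, "groupArn": f"arn:aws:iot:eu-west-1:123456789012:thinggroup/{g}"}
                                for g in groups]}


class FakeIotData:
    def __init__(self):
        self.shadows = {}

    def get_thing_shadow(self, thingName):
        doc = self.shadows.get(thingName, {"state": {}})
        return {"payload": io.BytesIO(json.dumps(doc).encode())}

    def update_thing_shadow(self, thingName, payload):
        self.shadows[thingName] = json.loads(payload)
        return {"payload": io.BytesIO(payload)}


if __name__ == "__main__":
    iot = FakeIot({"sensor-01": ["fleet-a"], "sensor-99": ["fleet-b"]})
    data = FakeIotData()
    print(handle({"action": "update", "thingName": "sensor-01",
                  "payload": {"state": {"desired": {"led": "on"}}}}, iot, data, {"fleet-a"}))
    print(handle({"action": "get", "thingName": "sensor-99"}, iot, data, {"fleet-a"}))
```

The least-privilege point is that the user's IAM policy never mentions iot:GetThingShadow or iot:UpdateThingShadow at all; the only identity that can touch shadows is the function's role, and the function decides per request by asking the control plane which groups the thing is in. Because that membership lookup is an extra API call per request, a cache with a short TTL is worth adding in production, and removing a thing from the group must then be expected to take effect only after the cache expires.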