Why we need to attach iot policies to both (cognito auth role and cognito identity id)

[smnodame]

Hi :D I am working on a project that using aws iot and cognito. I wonder why we need to attach iot policies to both (cognito auth role and cognito identity id)

If

• I give AWSIoTDataAccess to Cognito auth role

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iot:Connect",
                "iot:Publish",
                "iot:Subscribe",
                "iot:Receive",
                "iot:GetThingShadow",
                "iot:UpdateThingShadow",
                "iot:DeleteThingShadow",
                "iot:ListNamedShadowsForThing"
            ],
            "Resource": "*"
        }
    ]
}

• I give attach a policy called policy_owned_by_a which following access to user A (would be wrong but it's only exaple)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iot:Connect"
            ],
            "Resource": [
                "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iot:Publish",
                "iot:Subscribe",
                "iot:Receive",
            ],
            "Resource": [
                "arn:aws:iot:us-east-1:123456789012:topic/owned_by_A"
            ]
        }
    ]
}

aws iot attach-principal-policy  --principal <cognito identity id of user A> --policy-name policy_owned_by_a

Is there any risk that I attach AWSIoTDataAccess with * as resource to all authorized users but I limit them to use only their own resource on iot policy ??
Do they get the access to other resource because of AWSIoTFullAccess?

[smnodame]

one more question. I tried to create a user group on Cognito called group_A and then created an IAM role with this AWSIoTFullAccess policy instead of attach it to all authorized users and then add user A to this group. Does it suppose to work? I doesn't work on my side

[jmklix]

I'm not sure exactly why you will need multiple policies, but it allows you have better control over what different users can do. I would only recommend using AWSiOTDataAccess with * for testing. They only need access to resources that you intend to use, all of IoT should be covered in that; but you might want to use other resources. And for the last question did you attach a policy to the IoT things?

Hopefully I answered all of your questions, please let me know if you have any more or want more clarification.

[jmklix]

Marking this as answered for now. Please let us know if you have any more questions

[github-actions[bot]]

Hello! Reopening this discussion to make it searchable.