Security
Important
Thing policy variables (iot:Connection.Thing.*) aren't supported in AWS IoT policies for core devices or Greengrass data plane operations. Instead, you can use a wildcard that matches multiple devices that have similar names. For example, you can specify MyGreengrassDevice* to match MyGreengrassDevice1, MyGreengrassDevice2, and so on.
Note AWS IoT Core enables you to attach AWS IoT policies to thing groups to define permissions for groups of devices. Thing group policies don't allow access to AWS IoT Greengrass data plane operations. To allow a thing access to an AWS IoT Greengrass data plane operation, add the permission to an AWS IoT policy that you attach to the thing's certificate.
Note
If you used the , your core device has an AWS IoT policy that allows access to all AWS IoT Greengrass actions (greengrass:*). You can follow these steps to restrict access to only the actions that a core device uses.
Important
Later versions of the require additional permissions on the minimal AWS IoT policy. You might need to to grant additional permissions.
Core devices that run Greengrass nucleus v2.5.0 and later use the greengrass:ListThingGroupsForCoreDevice permission to uninstall components when you remove a core device from a thing group. Core devices that run Greengrass nucleus v2.3.0 and later use the greengrass:GetDeploymentConfiguration permission to support large deployment configuration documents.
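The two callouts above describe what a core device's AWS IoT policy must avoid (thing policy variables in resource ARNs, which Greengrass doesn't support) and what it should contain (explicit greengrass: actions rather than greengrass:*). The following check, added here as an illustration and not part of the AWS documentation or any AWS tool, lints a policy document for both patterns and produces a hardened copy that swaps the variable for a MyGreengrassDevice* name-prefix wildcard. The sample policy, the account ID and region in its ARNs, and the function names are constructed for the example; the list of greengrass: actions it substitutes is only the two the text names, and a real minimal policy needs the full action set from the nucleus documentation.

```python
import copy
import json
import re

# Matches thing policy variables such as ${iot:Connection.Thing.ThingName},
# which AWS IoT policies for Greengrass core devices don't support.
THING_POLICY_VAR = re.compile(r"\$\{iot:Connection\.Thing\.[A-Za-z]+\}")

# Greengrass actions named in the text. Assumption: a real minimal policy
# needs more than these two; this list only demonstrates narrowing greengrass:*.
REQUIRED_GREENGRASS_ACTIONS = [
    "greengrass:GetDeploymentConfiguration",    # nucleus v2.3.0+, large deployment documents
    "greengrass:ListThingGroupsForCoreDevice",  # nucleus v2.5.0+, uninstall on thing group removal
]

# Constructed sample policy (not from the page). Account ID and region are placeholders.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["iot:Connect"],
            # Thing policy variable: silently matches nothing for a Greengrass core device.
            "Resource": "arn:aws:iot:us-west-2:123456789012:client/${iot:Connection.Thing.ThingName}",
        },
        {
            "Effect": "Allow",
            "Action": ["iot:Publish", "iot:Subscribe", "iot:Receive"],
            "Resource": [
                "arn:aws:iot:us-west-2:123456789012:topic/*",
                "arn:aws:iot:us-west-2:123456789012:topicfilter/*",
            ],
        },
        # Over-broad grant left behind by an installer-provisioned policy.
        {"Effect": "Allow", "Action": "greengrass:*", "Resource": "*"},
    ],
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_core_device_policy(policy):
    """Return findings for patterns that are unsupported or over-broad in a core device's AWS IoT policy."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action == "greengrass:*":
                findings.append(f"statement {idx}: greengrass:* grants every Greengrass data plane action")
        for resource in _as_list(stmt.get("Resource")):
            if THING_POLICY_VAR.search(resource):
                findings.append(f"statement {idx}: thing policy variable in resource {resource}")
    return findings


def replace_thing_variable(resource, name_prefix):
    """Swap a thing policy variable for a name-prefix wildcard, e.g. MyGreengrassDevice*."""
    return THING_POLICY_VAR.sub(f"{name_prefix}*", resource)


def harden_policy(policy, name_prefix, greengrass_actions=REQUIRED_GREENGRASS_ACTIONS):
    """Copy the policy, replacing thing policy variables with a prefix wildcard and
    greengrass:* with an explicit action list. The input policy is left untouched."""
    hardened = copy.deepcopy(policy)
    for stmt in hardened.get("Statement", []):
        stmt["Resource"] = [replace_thing_variable(r, name_prefix) for r in _as_list(stmt.get("Resource"))]
        actions = _as_list(stmt.get("Action"))
        if "greengrass:*" in actions:
            actions = [a for a in actions if a != "greengrass:*"] + list(greengrass_actions)
        stmt["Action"] = actions
    return hardened


if __name__ == "__main__":
    for finding in lint_core_device_policy(SAMPLE_POLICY):
        print("finding:", finding)
    print(json.dumps(harden_policy(SAMPLE_POLICY, "MyGreengrassDevice"), indent=2))
```

Run it against an exported policy (for example the output of `aws iot get-policy`) to spot both patterns before attaching the policy to a core device's certificate; because the wildcard is a prefix match, choose a prefix that no unrelated thing in the account shares.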
Note This topic describes IAM concepts and features. For information about IAM features supported by AWS IoT Greengrass, see .
Note Amazon S3 provides a feature called S3 Object Lock that you can use to protect against changes to component artifacts in S3 buckets in your AWS account. You can use S3 Object Lock to prevent component artifacts from being deleted or overwritten. For more information, see in the Amazon Simple Storage Service User Guide.
Note Currently, you can't configure Greengrass core devices to operate completely within your VPC.