Reputation: 71
We would like to set up some policies so that only device "owners" can access the device shadow ("iot:UpdateThingShadow", "iot:GetThingShadow").
According to this doc (https://docs.aws.amazon.com/iot/latest/developerguide/security_iam_id-based-policy-examples.html#security_iam_id-based-policy-examples-view-thing-tags) it should be possible to define a device TAG and compare it with the IAM username. Something like this:
{
    "Sid": "ConnectToThings",
    "Effect": "Allow",
    "Action": [
        "iot:Connect"
    ],
    "Resource": "arn:aws:iot:*:*:thing/*"
}
{
    "Sid": "ViewThingsIfOwner",
    "Effect": "Allow",
    "Action": [
        "iot:GetThingShadow",
        "iot:UpdateThingShadow"
    ],
    "Resource": "arn:aws:iot:*:*:thing/*",
    "Condition": {
        "StringEquals": {"iot:ResourceTag/Owner": "${aws:username}"}
    }
}
We've tried with the following configuration with no luck:
IOT thing -> "thing00", tagged with "Owner=user00"
IAM user -> "user00" and "user01" with the above defined IAM policy.
Neither "user00" nor "user01" can access the Shadow Service for "thing00". Are we missing something?
Upvotes: 4
Views: 364
Reputation: 5625
According to this, IoT supports tag-based authorization. If you assign tags to your users or roles, you can grant access only if both the resource and the principal have the same tag attached.
I'd try the following condition after attaching the same tag to the resource and the user, e.g. Owner=UserA.
"Condition": {
    "StringEquals": {
        "aws:ResourceTag/Owner": "${aws:PrincipalTag/Owner}"
    }
}
If it works, you can tag your things in groups and assign an attribute (tag) to your users according to your access management policy.
This article suggests that UpdateThingShadow can be used with PrincipalTag.
Upvotes: 1
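As an added example (not code from the question or the answer, and not AWS's policy engine): the policy assembled with the answer's PrincipalTag condition, plus a simplified local model of the StringEquals/tag matching so the intended allow and deny outcomes can be reasoned through before deploying. It assumes constructed tag sets and deliberately ignores Deny statements, resource ARN matching and other condition operators.

```python
# Added example: models only StringEquals with ${aws:PrincipalTag/...} substitution;
# Deny statements, resource ARN matching and other condition operators are ignored.
def build_shadow_policy():
    """Policy from the thread: Connect to any thing; shadow access only when the
    thing's Owner tag equals the caller's Owner principal tag (answer's condition)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ConnectToThings",
                "Effect": "Allow",
                "Action": ["iot:Connect"],
                "Resource": "arn:aws:iot:*:*:thing/*",
            },
            {
                "Sid": "ViewThingsIfOwner",
                "Effect": "Allow",
                "Action": ["iot:GetThingShadow", "iot:UpdateThingShadow"],
                "Resource": "arn:aws:iot:*:*:thing/*",
                "Condition": {
                    "StringEquals": {"aws:ResourceTag/Owner": "${aws:PrincipalTag/Owner}"}
                },
            },
        ],
    }

def _resolve(value, principal_tags):
    """Substitute ${aws:PrincipalTag/Key}; a principal without that tag yields None,
    which is treated here (assumption) as a condition that can never match."""
    prefix = "${aws:PrincipalTag/"
    if value.startswith(prefix) and value.endswith("}"):
        return principal_tags.get(value[len(prefix):-1])
    return value

def is_allowed(policy, action, principal_tags, resource_tags):
    """True if an Allow statement covers the action and all its StringEquals conditions hold."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        conds = stmt.get("Condition", {}).get("StringEquals", {})
        matched = True
        for key, expected in conds.items():
            tag = key[len("aws:ResourceTag/"):] if key.startswith("aws:ResourceTag/") else None
            actual = resource_tags.get(tag) if tag else None
            want = _resolve(expected, principal_tags)
            if actual is None or want is None or actual != want:
                matched = False
                break
        if matched:
            return True
    return False
```

Running the checks with a thing tagged Owner=user00 shows that only a principal carrying the same Owner tag reaches the shadow actions, while a principal with no Owner tag at all is denied rather than accidentally matched.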