Most of the time I eventually create AWS IoT policies with the same content for Subscribe and Receive actions. If someone is allowed to subscribe to one topic, it must be allowed to receive a message published to that topic.
Another approach is to specify the exact topics to subscribe to and use the everything wildcard (*) for the Receive action. If someone is allowed to subscribe to a list of topics, it will never receive messages from other topics, so why bother to specify the exact topics in Receive actions too?
The only use case when Receive should be different from Subscribe is when an already connected and subscribed thing/user must be disallowed from receiving messages published to one topic it has already subscribed to. However, this is a very particular situation.
AWS IoT Core policies allow you to control access to the AWS IoT Core data plane. The AWS IoT Core data plane consists of operations that allow you to connect to the AWS IoT Core message broker, send and receive MQTT messages, and get or update a thing's Device Shadow.
Publish/subscribe (pubsub) messaging enables you to send and receive messages to topics. Components can publish messages to topics to send messages to other components. Then, components that are subscribed to that topic can act on the messages that they receive.
AWS IoT rule actions specify what to do when a rule is triggered. You can define actions to send data to an Amazon DynamoDB database, send data to Amazon Kinesis Data Streams, invoke an AWS Lambda function, and so on.
The situation you describe is exactly the situation described in the AWS documentation.
https://docs.aws.amazon.com/iot/latest/developerguide/policy-actions.html
iot:Receive
Represents the permission to receive a message from AWS IoT. The iot:Receive permission is checked every time a message is delivered to a client. Because this permission is checked on every delivery, it can be used to revoke permissions to clients that are currently subscribed to a topic.
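The following is an added example, not part of the original posts or of the AWS documentation. It builds the policy shape from the question (exact topic filters for Subscribe, `*` for Receive) and uses a simplified model of policy evaluation to show that a later Deny on `iot:Receive` cuts off a client that is already subscribed. The region, account ID, topic names and the `allowed` / `Broker` helpers are constructed for illustration and are not AWS's implementation.

```python
import fnmatch

# Constructed placeholders: region, account ID and topic names are not from the page.
ARN = "arn:aws:iot:us-east-1:123456789012:"

def policy(deny_receive=()):
    """Exact topic filters for Subscribe, wildcard for Receive, optional Receive denies."""
    stmts = [
        {"Effect": "Allow", "Action": "iot:Subscribe",
         "Resource": [ARN + "topicfilter/plant/line1/status",
                      ARN + "topicfilter/plant/line2/status"]},
        {"Effect": "Allow", "Action": "iot:Receive", "Resource": [ARN + "topic/*"]},
    ]
    if deny_receive:
        stmts.append({"Effect": "Deny", "Action": "iot:Receive",
                      "Resource": [ARN + "topic/" + t for t in deny_receive]})
    return {"Version": "2012-10-17", "Statement": stmts}

def allowed(doc, action, resource):
    """Simplified model: an explicit Deny wins, otherwise any matching Allow grants."""
    effects = {s["Effect"] for s in doc["Statement"]
               if s["Action"] == action
               and any(fnmatch.fnmatchcase(resource, r) for r in s["Resource"])}
    return "Deny" not in effects and "Allow" in effects

class Broker:
    """Toy broker: Subscribe is checked once, Receive on every delivery."""
    def __init__(self, doc):
        self.doc, self.subs = doc, set()

    def subscribe(self, topic):
        ok = allowed(self.doc, "iot:Subscribe", ARN + "topicfilter/" + topic)
        if ok:
            self.subs.add(topic)
        return ok

    def deliver(self, topic):
        return topic in self.subs and allowed(self.doc, "iot:Receive", ARN + "topic/" + topic)

def demo():
    b = Broker(policy())
    results = [b.subscribe("plant/line1/status"), b.subscribe("plant/line2/status"),
               b.subscribe("plant/line3/status"), b.deliver("plant/line2/status")]
    b.doc = policy(deny_receive=["plant/line2/status"])  # policy updated while connected
    results += [b.deliver("plant/line2/status"), b.deliver("plant/line1/status")]
    return results  # [True, True, False, True, False, True]

if __name__ == "__main__":
    print(demo())
```

Note that Subscribe resources use the `topicfilter/` ARN prefix while Receive resources use `topic/`, so the two statements cannot share a resource list verbatim.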