Actions, resources, and condition keys for AWS IoT Wireless
AWS IoT Wireless (service prefix: iotwireless) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.
References:
-
Learn how to configure this service.
-
View a list of the API operations available for this service.
-
Learn how to secure this service and its resources by using IAM permission policies.
Topics
Actions defined by AWS IoT Wireless
You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.
The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.
The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.
Note
Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.
For details about the columns in the following table, see Actions table.
| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| AssociateAwsAccountWithPartnerAccount | Grants permission to link partner accounts with AWS account | Write | |||
| AssociateMulticastGroupWithFuotaTask | Grants permission to associate the MulticastGroup with FuotaTask | Write | |||
| AssociateWirelessDeviceWithFuotaTask | Grants permission to associate the wireless device with FuotaTask | Write | |||
| AssociateWirelessDeviceWithMulticastGroup | Grants permission to associate the WirelessDevice with MulticastGroup | Write | |||
| AssociateWirelessDeviceWithThing | Grants permission to associate the wireless device with AWS IoT thing for a given wirelessDeviceId | Write |
iot:DescribeThing |
||
| AssociateWirelessGatewayWithCertificate | Grants permission to associate a WirelessGateway with the IoT Core Identity certificate | Write | |||
| AssociateWirelessGatewayWithThing | Grants permission to associate the wireless gateway with AWS IoT thing for a given wirelessGatewayId | Write |
iot:DescribeThing |
||
| CancelMulticastGroupSession | Grants permission to cancel the MulticastGroup session | Write | |||
| CreateDestination | Grants permission to create a Destination resource | Write | |||
| CreateDeviceProfile | Grants permission to create a DeviceProfile resource | Write | |||
| CreateFuotaTask | Grants permission to create a FuotaTask resource | Write | |||
| CreateMulticastGroup | Grants permission to create a MulticastGroup resource | Write | |||
| CreateNetworkAnalyzerConfiguration | Grants permission to create a NetworkAnalyzerConfiguration resource | Write | |||
| CreateServiceProfile | Grants permission to create a ServiceProfile resource | Write | |||
| CreateWirelessDevice | Grants permission to create a WirelessDevice resource with given Destination | Write | |||
| CreateWirelessGateway | Grants permission to create a WirelessGateway resource | Write | |||
| CreateWirelessGatewayTask | Grants permission to create a task for a given WirelessGateway | Write | |||
| CreateWirelessGatewayTaskDefinition | Grants permission to create a WirelessGateway task definition | Write | |||
| DeleteDestination | Grants permission to delete a Destination | Write | |||
| DeleteDeviceProfile | Grants permission to delete a DeviceProfile | Write | |||
| DeleteFuotaTask | Grants permission to delete the FuotaTask | Write | |||
| DeleteMulticastGroup | Grants permission to delete the MulticastGroup | Write | |||
| DeleteNetworkAnalyzerConfiguration | Grants permission to delete the NetworkAnalyzerConfiguration | Write | |||
| DeleteQueuedMessages | Grants permission to delete QueuedMessages | Write | |||
| DeleteServiceProfile | Grants permission to delete a ServiceProfile | Write | |||
| DeleteWirelessDevice | Grants permission to delete a WirelessDevice | Write | |||
| DeleteWirelessDeviceImportTask | Grants permission to delete the wireless device import task | Write | |||
| DeleteWirelessGateway | Grants permission to delete a WirelessGateway | Write | |||
| DeleteWirelessGatewayTask | Grants permission to delete task for a given WirelessGateway | Write | |||
| DeleteWirelessGatewayTaskDefinition | Grants permission to delete a WirelessGateway task definition | Write | |||
| DeregisterWirelessDevice | Grants permission to deregister wireless device | Write | |||
| DisassociateAwsAccountFromPartnerAccount | Grants permission to disassociate an AWS account from a partner account | Write | |||
| DisassociateMulticastGroupFromFuotaTask | Grants permission to disassociate the MulticastGroup from FuotaTask | Write | |||
| DisassociateWirelessDeviceFromFuotaTask | Grants permission to disassociate the wireless device from FuotaTask | Write | |||
| DisassociateWirelessDeviceFromMulticastGroup | Grants permission to disassociate the wireless device from MulticastGroup | Write | |||
| DisassociateWirelessDeviceFromThing | Grants permission to disassociate a wireless device from a AWS IoT thing | Write |
iot:DescribeThing |
||
| DisassociateWirelessGatewayFromCertificate | Grants permission to disassociate a WirelessGateway from a IoT Core Identity certificate | Write | |||
| DisassociateWirelessGatewayFromThing | Grants permission to disassociate a WirelessGateway from a IoT Core thing | Write |
iot:DescribeThing |
||
| GetDestination | Grants permission to get the Destination | Read | |||
| GetDeviceProfile | Grants permission to get the DeviceProfile | Read | |||
| GetEventConfigurationByResourceTypes | Grants permission to get event configuration by resource types | Read | |||
| GetFuotaTask | Grants permission to get the FuotaTask | Read | |||
| GetLogLevelsByResourceTypes | Grants permission to get log levels by resource types | Read | |||
| GetMetricConfiguration | Grants permission to get metric configuration | Read | |||
| GetMetrics | Grants permission to get metrics | Read | |||
| GetMulticastGroup | Grants permission to get the MulticastGroup | Read | |||
| GetMulticastGroupSession | Grants permission to get the MulticastGroup session | Read | |||
| GetNetworkAnalyzerConfiguration | Grants permission to get the NetworkAnalyzerConfiguration | Read | |||
| GetPartnerAccount | Grants permission to get the associated PartnerAccount | Read | |||
| GetPosition | Grants permission to get position for a given resource | Read | |||
| GetPositionConfiguration | Grants permission to get position configuration for a given resource | Read | |||
| GetPositionEstimate | Grants permission to get position estimate | Read | |||
| GetResourceEventConfiguration | Grants permission to get an event configuration for an identifier | Read | |||
| GetResourceLogLevel | Grants permission to get resource log level | Read | |||
| GetResourcePosition | Grants permission to get position for a given resource | Read | |||
| GetServiceEndpoint | Grants permission to retrieve the customer account specific endpoint for CUPS protocol connection or LoRaWAN Network Server (LNS) protocol connection, and optionally server trust certificate in PEM format | Read | |||
| GetServiceProfile | Grants permission to get the ServiceProfile | Read | |||
| GetWirelessDevice | Grants permission to get the WirelessDevice | Read | |||
| GetWirelessDeviceImportTask | Grants permission to get the wireless device import task | Read | |||
| GetWirelessDeviceStatistics | Grants permission to get statistics info for a given WirelessDevice | Read | |||
| GetWirelessGateway | Grants permission to get the WirelessGateway | Read | |||
| GetWirelessGatewayCertificate | Grants permission to get the IoT Core Identity certificate id associated with the WirelessGateway | Read | |||
| GetWirelessGatewayFirmwareInformation | Grants permission to get Current firmware version and other information for the WirelessGateway | Read | |||
| GetWirelessGatewayStatistics | Grants permission to get statistics info for a given WirelessGateway | Read | |||
| GetWirelessGatewayTask | Grants permission to get the task for a given WirelessGateway | Read | |||
| GetWirelessGatewayTaskDefinition | Grants permission to get the given WirelessGateway task definition | Read | |||
| ListDestinations | Grants permission to list information of available Destinations based on the AWS account | Read | |||
| ListDeviceProfiles | Grants permission to list information of available DeviceProfiles based on the AWS account | Read | |||
| ListDevicesForWirelessDeviceImportTask | Grants permission to list information of devices by wireless device import task based on the AWS account | Read | |||
| ListEventConfigurations | Grants permission to list information of available event configurations based on the AWS account | Read | |||
| ListFuotaTasks | Grants permission to list information of available FuotaTasks based on the AWS account | Read | |||
| ListMulticastGroups | Grants permission to list information of available MulticastGroups based on the AWS account | Read | |||
| ListMulticastGroupsByFuotaTask | Grants permission to list information of available MulticastGroups by FuotaTask based on the AWS account | Read | |||
| ListNetworkAnalyzerConfigurations | Grants permission to list information of available NetworkAnalyzerConfigurations based on the AWS account | Read | |||
| ListPartnerAccounts | Grants permission to list the available partner accounts | Read | |||
| ListPositionConfigurations | Grants permission to list information of available position configurations based on the AWS account | Read | |||
| ListQueuedMessages | Grants permission to list the Queued Messages | Read | |||
| ListServiceProfiles | Grants permission to list information of available ServiceProfiles based on the AWS account | Read | |||
| ListTagsForResource | Grants permission to list all tags for a given resource | Read | |||
| ListWirelessDeviceImportTasks | Grants permission to list wireless device import tasks information of based on the AWS account | Read | |||
| ListWirelessDevices | Grants permission to list information of available WirelessDevices based on the AWS account | Read | |||
| ListWirelessGatewayTaskDefinitions | Grants permission to list information of available WirelessGateway task definitions based on the AWS account | Read | |||
| ListWirelessGateways | Grants permission to list information of available WirelessGateways based on the AWS account | Read | |||
| PutPositionConfiguration | Grants permission to put position configuration for a given resource | Write | |||
| PutResourceLogLevel | Grants permission to put resource log level | Write | |||
| ResetAllResourceLogLevels | Grants permission to reset all resource log levels | Write | |||
| ResetResourceLogLevel | Grants permission to reset resource log level | Write | |||
| SendDataToMulticastGroup | Grants permission to send data to the MulticastGroup | Write | |||
| SendDataToWirelessDevice | Grants permission to send the decrypted application data frame to the target device | Write | |||
| StartBulkAssociateWirelessDeviceWithMulticastGroup | Grants permission to associate the WirelessDevices with MulticastGroup | Write | |||
| StartBulkDisassociateWirelessDeviceFromMulticastGroup | Grants permission to bulk disassociate the WirelessDevices from MulticastGroup | Write | |||
| StartFuotaTask | Grants permission to start the FuotaTask | Write | |||
| StartMulticastGroupSession | Grants permission to start the MulticastGroup session | Write | |||
| StartNetworkAnalyzerStream | Grants permission to start NetworkAnalyzer stream | Write | |||
| StartSingleWirelessDeviceImportTask | Grants permission to start the single wireless device import task | Write | |||
| StartWirelessDeviceImportTask | Grants permission to start the wireless device import task | Write | |||
| TagResource | Grants permission to tag a given resource | Tagging | |||
| TestWirelessDevice | Grants permission to simulate a provisioned device to send an uplink data with payload of 'Hello' | Write | |||
| UntagResource | Grants permission to remove the given tags from the resource | Tagging | |||
| UpdateDestination | Grants permission to update a Destination resource | Write | |||
| UpdateEventConfigurationByResourceTypes | Grants permission to update event configuration by resource types | Write | |||
| UpdateFuotaTask | Grants permission to update the FuotaTask | Write | |||
| UpdateLogLevelsByResourceTypes | Grants permission to update log levels by resource types | Write | |||
| UpdateMetricConfiguration | Grants permission to update metric configuration | Write | |||
| UpdateMulticastGroup | Grants permission to update the MulticastGroup | Write | |||
| UpdateNetworkAnalyzerConfiguration | Grants permission to update the NetworkAnalyzerConfiguration | Write | |||
| UpdatePartnerAccount | Grants permission to update a partner account | Write | |||
| UpdatePosition | Grants permission to update position for a given resource | Write | |||
| UpdateResourceEventConfiguration | Grants permission to update an event configuration for an identifier | Write | |||
| UpdateResourcePosition | Grants permission to update position for a given resource | Write | |||
| UpdateWirelessDevice | Grants permission to update a WirelessDevice resource | Write | |||
| UpdateWirelessDeviceImportTask | Grants permission to update a wireless device import task | Write | |||
| UpdateWirelessGateway | Grants permission to update a WirelessGateway resource | Write |
Resource types defined by AWS IoT Wireless
The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.
| Resource types | ARN | Condition keys |
|---|---|---|
| WirelessDevice |
arn:${Partition}:iotwireless:${Region}:${Account}:WirelessDevice/${WirelessDeviceId}
|
|
| WirelessGateway |
arn:${Partition}:iotwireless:${Region}:${Account}:WirelessGateway/${WirelessGatewayId}
|
|
| DeviceProfile |
arn:${Partition}:iotwireless:${Region}:${Account}:DeviceProfile/${DeviceProfileId}
|
|
| ServiceProfile |
arn:${Partition}:iotwireless:${Region}:${Account}:ServiceProfile/${ServiceProfileId}
|
|
| Destination |
arn:${Partition}:iotwireless:${Region}:${Account}:Destination/${DestinationName}
|
|
| SidewalkAccount |
arn:${Partition}:iotwireless:${Region}:${Account}:SidewalkAccount/${SidewalkAccountId}
|
|
| WirelessGatewayTaskDefinition |
arn:${Partition}:iotwireless:${Region}:${Account}:WirelessGatewayTaskDefinition/${WirelessGatewayTaskDefinitionId}
|
|
| FuotaTask |
arn:${Partition}:iotwireless:${Region}:${Account}:FuotaTask/${FuotaTaskId}
|
|
| MulticastGroup |
arn:${Partition}:iotwireless:${Region}:${Account}:MulticastGroup/${MulticastGroupId}
|
|
| NetworkAnalyzerConfiguration |
arn:${Partition}:iotwireless:${Region}:${Account}:NetworkAnalyzerConfiguration/${NetworkAnalyzerConfigurationName}
|
|
| thing |
arn:${Partition}:iot:${Region}:${Account}:thing/${ThingName}
|
|
| cert |
arn:${Partition}:iot:${Region}:${Account}:cert/${Certificate}
|
|
| ImportTask |
arn:${Partition}:iotwireless:${Region}:${Account}:ImportTask/${ImportTaskId}
|
Condition keys for AWS IoT Wireless
AWS IoT Wireless defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.
To view the global condition keys that are available to all services, see Available global condition keys.
| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters access by a tag key that is present in the request that the user makes to IoT Wireless | String |
| aws:ResourceTag/${TagKey} | Filters access by tag key component of a tag attached to an IoT Wireless resource | String |
| aws:TagKeys | Filters access by the list of all the tag key names associated with the resource in the request | ArrayOfString |
