Authentication

The nRF Asset Tracker web application on AWS connects to the AWS IoT broker using WebSockets, and the authentication is done through AWS Cognito.

See the AWS documentation on Amazon Cognito identities and Policies for HTTP and WebSocket clients for more information.

A user authenticated through Amazon Cognito needs the following policies to access AWS IoT:

  • An IAM policy attached to the identity pool's authenticated role, which authenticates and authorizes the Cognito user to communicate with AWS IoT.

  • An AWS IoT policy attached to the authenticated Cognito identity ID (the principal) for fine-grained permissions.

Note

When authorizing Cognito identities, AWS IoT evaluates both policies and grants only the privileges that both of them allow.

A requested action is allowed only if both policies allow it. If either policy does not allow an action, the request is unauthorized.

Example

The following is an example of the authorization outcome with the specified policies:

IAM policy on the authenticated role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iot:Subscribe"],
      "Resource": ["*"]
    }
  ]
}

IoT policy assigned to the Cognito Identity:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iot:Subscribe"],
      "Resource": ["arn:aws:iot:*:*:topicfilter/messages"]
    }
  ]
}

The two policies are combined with a logical AND, so only the permissions allowed by both are granted. Hence, in this example, the user can only subscribe to the messages topic: the role policy would allow subscribing to any topic filter, but the IoT policy on the Cognito identity restricts it to the messages topic filter, and publishing is not allowed by either policy.
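To make the logical-AND behaviour concrete, the following is an added example (not code from the nRF Asset Tracker project and not AWS's authorization engine) that models the two-policy check in Python. It assumes a simplified evaluator: explicit Deny wins, any matching Allow grants, anything else is an implicit deny, and the request must pass both the role policy and the identity policy. The two policies are the ones shown above; the region and account ID in the test ARNs are constructed placeholders. Features such as NotAction, NotResource, conditions and case-insensitive action matching are deliberately left out.

```python
import fnmatch
import json

# The two policies from the text above (constructed copies).
ROLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["iot:Subscribe"], "Resource": ["*"]}
  ]
}""")

IDENTITY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["iot:Subscribe"],
     "Resource": ["arn:aws:iot:*:*:topicfilter/messages"]}
  ]
}""")


def _as_list(value):
    """Action and Resource may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM-style wildcards: '*' matches any run of characters and '?' one
    character. fnmatchcase implements exactly that for plain ARNs/actions."""
    return any(fnmatch.fnmatchcase(value, pattern) for pattern in patterns)


def evaluate_policy(policy, action, resource):
    """Simplified single-policy decision (a model, not AWS's engine):
    explicit Deny wins, otherwise a matching Allow grants, otherwise the
    request is implicitly denied."""
    decision = "ImplicitDeny"
    for statement in policy.get("Statement", []):
        actions = _as_list(statement.get("Action"))
        resources = _as_list(statement.get("Resource"))
        if not (_matches(actions, action) and _matches(resources, resource)):
            continue
        if statement.get("Effect") == "Deny":
            return "Deny"
        if statement.get("Effect") == "Allow":
            decision = "Allow"
    return decision


def is_authorized(role_policy, identity_policy, action, resource):
    """A Cognito identity's request passes only if BOTH the role policy and
    the identity's IoT policy allow it (logical AND)."""
    return (evaluate_policy(role_policy, action, resource) == "Allow"
            and evaluate_policy(identity_policy, action, resource) == "Allow")


def explain(role_policy, identity_policy, action, resource):
    """Per-policy decisions plus the combined result, useful when debugging
    why a WebSocket client is denied a subscription."""
    return {
        "role": evaluate_policy(role_policy, action, resource),
        "identity": evaluate_policy(identity_policy, action, resource),
        "authorized": is_authorized(role_policy, identity_policy, action, resource),
    }


if __name__ == "__main__":
    # Constructed region/account values; only the topic filter matters here.
    base = "arn:aws:iot:eu-west-1:123456789012"
    for action, resource in [
        ("iot:Subscribe", base + ":topicfilter/messages"),
        ("iot:Subscribe", base + ":topicfilter/other"),
        ("iot:Publish", base + ":topic/messages"),
    ]:
        print(action, resource.rsplit(":", 1)[-1],
              explain(ROLE_POLICY, IDENTITY_POLICY, action, resource))
```

Running it shows the three outcomes the text describes: subscribing to the messages topic filter is allowed by both policies, subscribing to any other topic filter is allowed by the role but implicitly denied by the identity policy, and publishing is implicitly denied by both. When a client unexpectedly cannot subscribe, comparing the per-policy decisions this way points at which of the two policies is the restrictive one.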