Building a centralized IoT Platform for Weather station > Setup AWS IoT Core > IoT Security Policies

IoT Security Policies

Two security policies are required for proper platform operation: Device Policy for weather stations and Platform Policy for user access.

Device Policy (WeatherStationPolicies)

This policy enables weather devices to connect and publish telemetry data to IoT Core.

Step 1: Create Device Policy

Navigate to AWS IoT Core Console
Go to Secure → Policies
Click Create policy
Enter Policy name: WeatherStationPolicies
Add tag (optional): fcj_workshop1 - FCJ Workshop 1
Copy and paste the following policy document:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": "arn:aws:iot:<region>:<account_ID>:topic/weatherPlatform/telemetry/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:<region>:<account_ID>:client/*"
    }
  ]
}

Configure Policy Create Policy 7. Click Create

Step 2: Attach Policy to Thing Group

Navigate to IoT Core → All devices → Thing Groups
Select ITeaWeatherHub Thing Group
Go to Policies tab → Manage Policies
Click Attach policy
Select WeatherStationPolicies
Click Attach

Configure Policy Update Policy

This policy assignment automatically applies to all devices within the Thing Group.

Platform Policy (WeatherPlatformPubSubPolicy)

This policy enables the web platform to interact with IoT devices, receive telemetry data, and send notifications.

Step 1: Create Platform Policy

In AWS IoT Core Console, go to Secure → Policies
Click Create policy
Enter Policy name: WeatherPlatformPubSubPolicy
Add tag (optional): fcj_workshop1 - FCJ Workshop 1
Copy and paste the following policy document:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:<region>:<account_ID>:client/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Receive",
      "Resource": "arn:aws:iot:<region>:<account_ID>:topic/weatherPlatform/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": [
        "arn:aws:iot:<region>:<account_ID>:topicfilter/weatherPlatform/telemetry/*",
        "arn:aws:iot:<region>:<account_ID>:topicfilter/weatherPlatform/notifications"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": "arn:aws:iot:<region>:<account_ID>:topic/weatherPlatform/notifications"
    }
  ]
}

Click Create

This policy is attached to individual Cognito Identity IDs to grant authenticated users access to IoT Core resources. See the User IoT Policy Attachment section for detailed implementation steps.

Verification

After creating both policies, you should see:

WeatherStationPolicies: Attached to ITeaWeatherHub Thing Group
WeatherPlatformPubSubPolicy: Ready for user assignment

Next Steps

Complete Amplify backend deployment
Set up user authentication and policy attachment