

本文為英文版的機器翻譯版本，如內容有任何歧義或不一致之處，概以英文版為準。

# AWS IoT 如何使用 IAM
<a name="security_iam_service-with-iam"></a>

在您使用 IAM 管理對 的存取之前 AWS IoT，您應該了解哪些 IAM 功能可與 搭配使用 AWS IoT。若要全面了解 AWS IoT 和其他 AWS 服務如何與 IAM 搭配使用，請參閱《[AWS IAM 使用者指南》中的與 IAM 搭配使用的 服務](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_aws-services-that-work-with-iam.html)。 **

**Topics**
+ [AWS IoT 身分型政策](#security_iam_service-with-iam-id-based-policies)
+ [AWS IoT 資源型政策](#security_iam_service-with-iam-resource-based-policies)
+ [以 AWS IoT 標籤為基礎的授權](#security_iam_service-with-iam-tags)
+ [AWS IoT IAM 角色](#security_iam_service-with-iam-roles)

## AWS IoT 身分型政策
<a name="security_iam_service-with-iam-id-based-policies"></a>

使用 IAM 身分類型政策，您可以指定允許或拒絕的動作和資源，以及在何種條件下會允許或拒絕動作。 AWS IoT 支援特定動作、資源及條件索引鍵。若要了解您在 JSON 政策中使用的所有元素，請參閱《*IAM 使用者指南*》中的 [JSON 政策元素參考](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_elements.html)。

### 動作
<a name="security_iam_service-with-iam-id-based-policies-actions"></a>

管理員可以使用 AWS JSON 政策來指定誰可以存取內容。也就是說，哪個**主體**在什麼**條件**下可以對什麼**資源**執行哪些**動作**。

JSON 政策的 `Action` 元素描述您可以用來允許或拒絕政策中存取的動作。政策會使用動作來授予執行相關聯動作的許可。

下表列出 IAM IoT 動作、相關聯的 AWS IoT API，以及動作操作的資源。


****  

| 政策動作 | AWS IoT API | Resources | 
| --- | --- | --- | 
| iot:AcceptCertificateTransfer | AcceptCertificateTransfer | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` ARN 中 AWS 帳戶 指定的 必須是憑證要傳輸到的帳戶。  | 
| iot:AddThingToThingGroup | AddThingToThingGroup | `arn:aws:iot:{{region}}:{{account-id}}:thinggroup/{{thing-group-name}}`<br />`arn:aws:iot:{{region}}:{{account-id}}:thing/{{thing-name}}` | 
| iot:AssociateTargetsWithJob | AssociateTargetsWithJob | 無  | 
| iot:AttachPolicy | AttachPolicy | `arn:aws:iot:{{region}}:{{account-id}}:thinggroup/{{thing-group-name}}`<br />或<br />`arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:AttachPrincipalPolicy | AttachPrincipalPolicy | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:AttachSecurityProfile | AttachSecurityProfile | `arn:aws:iot:{{region}}:{{account-id}}:securityprofile/{{security-profile-name}}`<br />`arn:aws:iot:{{region}}:{{account-id}}:dimension/{{dimension-name}}` | 
| iot:AttachThingPrincipal | AttachThingPrincipal | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:CancelCertificateTransfer | CancelCertificateTransfer | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` ARN 中 AWS 帳戶 指定的 必須是憑證要傳輸到的帳戶。  | 
| iot:CancelJob | CancelJob | `arn:aws:iot:{{region}}:{{account-id}}:job/{{job-id}}` | 
| iot:CancelJobExecution | CancelJobExecution | `arn:aws:iot:{{region}}:{{account-id}}:job/{{job-id}}`<br />`arn:aws:iot:{{region}}:{{account-id}}:thing/{{thing-name}}` | 
| iot:ClearDefaultAuthorizer | ClearDefaultAuthorizer | 無 | 
| iot:CreateAuthorizer | CreateAuthorizer | `arn:aws:iot:{{region}}:{{account-id}}:authorizer/{{authorizer-function-name}}` | 
| iot:CreateCertificateFromCsr | CreateCertificateFromCsr | \* | 
| iot:CreateDimension | CreateDimension | `arn:aws:iot:{{region}}:{{account-id}}:dimension/{{dimension-name}}` | 
| iot:CreateJob | CreateJob | `arn:aws:iot:{{region}}:{{account-id}}:job/{{job-id}}`<br />`arn:aws:iot:{{region}}:{{account-id}}:thinggroup/{{thing-group-name}}`<br />`arn:aws:iot:{{region}}:{{account-id}}:thing/{{thing-name}}`<br />`arn:aws:iot:{{region}}:{{account-id}}:jobtemplate/{{job-template-id}}` | 
| iot:CreateJobTemplate | CreateJobTemplate | `arn:aws:iot:{{region}}:{{account-id}}:job/{{job-id}}`<br />`arn:aws:iot:{{region}}:{{account-id}}:jobtemplate/{{job-template-id}}` | 
| iot:CreateKeysAndCertificate | CreateKeysAndCertificate | \* | 
| iot:CreatePolicy | CreatePolicy | `arn:aws:iot:{{region}}:{{account-id}}:policy/{{policy-name}}` | 
| iot:CreatePolicyVersion | CreatePolicyVersion | `arn:aws:iot:{{region}}:{{account-id}}:policy/{{policy-name}}` 這必須是 AWS IoT 政策，而非 IAM 政策。  | 
| iot:CreateRoleAlias | CreateRoleAlias | (參數：roleAlias)<br />`arn:aws:iot:{{region}}:{{account-id}}:rolealias/{{role-alias-name}}` | 
| iot:CreateSecurityProfile | CreateSecurityProfile | `arn:aws:iot:{{region}}:{{account-id}}:securityprofile/{{security-profile-name}}`<br />`arn:aws:iot:{{region}}:{{account-id}}:dimension/{{dimension-name}}` | 
| iot:CreateThing | CreateThing | `arn:aws:iot:{{region}}:{{account-id}}:thing/{{thing-name}}` | 
| iot:CreateThingGroup | CreateThingGroup | `arn:aws:iot:{{region}}:{{account-id}}:thinggroup/{{thing-group-name}}`<br />適用正在建立的群組和父群組 (若使用) | 
| iot:CreateThingType | CreateThingType | `arn:aws:iot:{{region}}:{{account-id}}:thingtype/{{thing-type-name}}` | 
| iot:CreateTopicRule | CreateTopicRule | `arn:aws:iot:{{region}}:{{account-id}}:rule/{{rule-name}}` | 
| iot:DeleteAuthorizer | DeleteAuthorizer | `arn:aws:iot:{{region}}:{{account-id}}:authorizer/{{authorizer-name}}` | 
| iot:DeleteCACertificate | DeleteCACertificate | `arn:aws:iot:{{region}}:{{account-id}}:cacert/{{cert-id}}` | 
| iot:DeleteCertificate | DeleteCertificate | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:DeleteDimension | DeleteDimension | `arn:aws:iot:{{region}}:{{account-id}}:dimension/{{dimension-name}}` | 
| iot:DeleteJob | DeleteJob | `arn:aws:iot:{{region}}:{{account-id}}:job/{{job-id}}` | 
| iot:DeleteJobTemplate | DeleteJobTemplate | `arn:aws:iot:{{region}}:{{account-id}}:job/{{job-template-id}}` | 
| iot:DeleteJobExecution | DeleteJobExecution | `arn:aws:iot:{{region}}:{{account-id}}:job/{{job-id}}`<br />`arn:aws:iot:{{region}}:{{account-id}}:thing/{{thing-name}}` | 
| iot:DeletePolicy | DeletePolicy | `arn:aws:iot:{{region}}:{{account-id}}:policy/{{policy-name}}` | 
| iot:DeletePolicyVersion | DeletePolicyVersion | `arn:aws:iot:{{region}}:{{account-id}}:policy/{{policy-name}}` | 
| iot:DeleteRegistrationCode | DeleteRegistrationCode | \* | 
| iot:DeleteRoleAlias | DeleteRoleAlias | `arn:aws:iot:{{region}}:{{account-id}}:rolealias/{{role-alias-name}}` | 
| iot:DeleteSecurityProfile | DeleteSecurityProfile | `arn:aws:iot:{{region}}:{{account-id}}:securityprofile/{{security-profile-name}}`<br />`arn:aws:iot:{{region}}:{{account-id}}:dimension/{{dimension-name}}` | 
| iot:DeleteThing | DeleteThing | `arn:aws:iot:{{region}}:{{account-id}}:thing/{{thing-name}}` | 
| iot:DeleteThingGroup | DeleteThingGroup | `arn:aws:iot:{{region}}:{{account-id}}:thinggroup/{{thing-group-name}}` | 
| iot:DeleteThingType | DeleteThingType | `arn:aws:iot:{{region}}:{{account-id}}:thingtype/{{thing-type-name}}` | 
| iot:DeleteTopicRule | DeleteTopicRule | `arn:aws:iot:{{region}}:{{account-id}}:rule/{{rule-name}}` | 
| iot:DeleteV2LoggingLevel | DeleteV2LoggingLevel | `arn:aws:iot:{{region}}:{{account-id}}:thinggroup/{{thing-group-name}}` | 
| iot:DeprecateThingType | DeprecateThingType | `arn:aws:iot:{{region}}:{{account-id}}:thingtype/{{thing-type-name}}` | 
| iot:DescribeAuthorizer | DescribeAuthorizer | `arn:aws:iot:{{region}}:{{account-id}}:authorizer/{{authorizer-function-name}}`<br />(參數：authorizerName) 無  | 
| iot:DescribeCACertificate | DescribeCACertificate | `arn:aws:iot:{{region}}:{{account-id}}:cacert/{{cert-id}}` | 
| iot:DescribeCertificate | DescribeCertificate | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:DescribeDefaultAuthorizer | DescribeDefaultAuthorizer | 無  | 
| iot:DescribeEndpoint | DescribeEndpoint | \* | 
| iot:DescribeEventConfigurations | DescribeEventConfigurations | 無  | 
| iot:DescribeIndex | DescribeIndex | `arn:aws:iot:{{region}}:{{account-id}}:index/{{index-name}}` | 
| iot:DescribeJob | DescribeJob | `arn:aws:iot:{{region}}:{{account-id}}:job/{{job-id}}` | 
| iot:DescribeJobExecution | DescribeJobExecution | 無 | 
| iot:DescribeJobTemplate | DescribeJobTemplate | `arn:aws:iot:{{region}}:{{account-id}}:job/{{job-template-id}}` | 
| iot:DescribeRoleAlias | DescribeRoleAlias | `arn:aws:iot:{{region}}:{{account-id}}:rolealias/{{role-alias-name}}` | 
| iot:DescribeThing | DescribeThing | `arn:aws:iot:{{region}}:{{account-id}}:thing/{{thing-name}}` | 
| iot:DescribeThingGroup | DescribeThingGroup | `arn:aws:iot:{{region}}:{{account-id}}:thinggroup/{{thing-group-name}}` | 
| iot:DescribeThingRegistrationTask | DescribeThingRegistrationTask | 無 | 
| iot:DescribeThingType | DescribeThingType | `arn:aws:iot:{{region}}:{{account-id}}:thingtype/{{thing-type-name}}` | 
| iot:DetachPolicy | DetachPolicy | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}`<br />或<br />`arn:aws:iot:{{region}}:{{account-id}}:thinggroup/{{thing-group-name}}` | 
| iot:DetachPrincipalPolicy | DetachPrincipalPolicy | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:DetachSecurityProfile | DetachSecurityProfile | `arn:aws:iot:{{region}}:{{account-id}}:securityprofile/{{security-profile-name}}`<br />`arn:aws:iot:{{region}}:{{account-id}}:dimension/{{dimension-name}}` | 
| iot:DetachThingPrincipal | DetachThingPrincipal | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:DisableTopicRule | DisableTopicRule | `arn:aws:iot:{{region}}:{{account-id}}:rule/{{rule-name}}` | 
| iot:EnableTopicRule | EnableTopicRule | `arn:aws:iot:{{region}}:{{account-id}}:rule/{{rule-name}}` | 
| iot:GetEffectivePolicies | GetEffectivePolicies | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:GetIndexingConfiguration | GetIndexingConfiguration | 無 | 
| iot:GetJobDocument | GetJobDocument | `arn:aws:iot:{{region}}:{{account-id}}:job/{{job-id}}` | 
| iot:GetLoggingOptions | GetLoggingOptions | \* | 
| iot:GetPolicy | GetPolicy | `arn:aws:iot:{{region}}:{{account-id}}:policy/{{policy-name}}` | 
| iot:GetPolicyVersion | GetPolicyVersion | `arn:aws:iot:{{region}}:{{account-id}}:policy/{{policy-name}}` | 
| iot:GetRegistrationCode | GetRegistrationCode | \* | 
| iot:GetTopicRule | GetTopicRule | `arn:aws:iot:{{region}}:{{account-id}}:rule/{{rule-name}}` | 
| iot:ListAttachedPolicies | ListAttachedPolicies | `arn:aws:iot:{{region}}:{{account-id}}:thinggroup/{{thing-group-name}}`<br />或<br />`arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:ListAuthorizers | ListAuthorizers | 無 | 
| iot:ListCACertificates | ListCACertificates | \* | 
| iot:ListCertificates | ListCertificates | \* | 
| iot:ListCertificatesByCA | ListCertificatesByCA | \* | 
| iot:ListIndices | ListIndices | 無 | 
| iot:ListJobExecutionsForJob | ListJobExecutionsForJob | 無 | 
| iot:ListJobExecutionsForThing | ListJobExecutionsForThing | 無 | 
| iot:ListJobs | ListJobs | `arn:aws:iot:{{region}}:{{account-id}}:thinggroup/{{thing-group-name}}`<br />若使用 thingGroupName 參數 | 
| iot:ListJobTemplates | ListJobs | 無 | 
| iot:ListOutgoingCertificates | ListOutgoingCertificates | \* | 
| iot:ListPolicies | ListPolicies | \* | 
| iot:ListPolicyPrincipals | ListPolicyPrincipals | \* | 
| iot:ListPolicyVersions | ListPolicyVersions | `arn:aws:iot:{{region}}:{{account-id}}:policy/{{policy-name}}` | 
| iot:ListPrincipalPolicies | ListPrincipalPolicies | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:ListPrincipalThings | ListPrincipalThings | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:ListRoleAliases | ListRoleAliases | 無 | 
| iot:ListTargetsForPolicy | ListTargetsForPolicy | `arn:aws:iot:{{region}}:{{account-id}}:policy/{{policy-name}}` | 
| iot:ListThingGroups | ListThingGroups | 無 | 
| iot:ListThingGroupsForThing | ListThingGroupsForThing | `arn:aws:iot:{{region}}:{{account-id}}:thing/{{thing-name}}` | 
| iot:ListThingPrincipals | ListThingPrincipals | `arn:aws:iot:{{region}}:{{account-id}}:thing/{{thing-name}}` | 
| iot:ListThingRegistrationTaskReports | ListThingRegistrationTaskReports | 無 | 
| iot:ListThingRegistrationTasks | ListThingRegistrationTasks | 無 | 
| iot:ListThingTypes | ListThingTypes | \* | 
| iot:ListThings | ListThings | \* | 
| iot:ListThingsInThingGroup | ListThingsInThingGroup | `arn:aws:iot:{{region}}:{{account-id}}:thinggroup/{{thing-group-name}}` | 
| iot:ListTopicRules | ListTopicRules | \* | 
| iot:ListV2LoggingLevels | ListV2LoggingLevels | 無 | 
| iot:RegisterCACertificate | RegisterCACertificate | \* | 
| iot:RegisterCertificate | RegisterCertificate | \* | 
| iot:RegisterThing | RegisterThing | 無 | 
| iot:RejectCertificateTransfer | RejectCertificateTransfer | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:RemoveThingFromThingGroup | RemoveThingFromThingGroup | `arn:aws:iot:{{region}}:{{account-id}}:thinggroup/{{thing-group-name}}`<br />`arn:aws:iot:{{region}}:{{account-id}}:thing/{{thing-name}}` | 
| iot:ReplaceTopicRule | ReplaceTopicRule | `arn:aws:iot:{{region}}:{{account-id}}:rule/{{rule-name}}` | 
| iot:SearchIndex | SearchIndex | `arn:aws:iot:{{region}}:{{account-id}}:index/{{index-id}}` | 
| iot:SetDefaultAuthorizer | SetDefaultAuthorizer | `arn:aws:iot:{{region}}:{{account-id}}:authorizer/{{authorizer-function-name}}` | 
| iot:SetDefaultPolicyVersion | SetDefaultPolicyVersion | `arn:aws:iot:{{region}}:{{account-id}}:policy/{{policy-name}}` | 
| iot:SetLoggingOptions | SetLoggingOptions | `arn:aws:iot:{{region}}:{{account-id}}:role/{{role-name}}` | 
| iot:SetV2LoggingLevel | SetV2LoggingLevel | `arn:aws:iot:{{region}}:{{account-id}}:thinggroup/{{thing-group-name}}` | 
| iot:SetV2LoggingOptions | SetV2LoggingOptions | `arn:aws:iot:{{region}}:{{account-id}}:role/{{role-name}}` | 
| iot:StartThingRegistrationTask | StartThingRegistrationTask | 無 | 
| iot:StopThingRegistrationTask | StopThingRegistrationTask | 無 | 
| iot:TestAuthorization | TestAuthorization | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:TestInvokeAuthorizer | TestInvokeAuthorizer | 無 | 
| iot:TransferCertificate | TransferCertificate | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:UpdateAuthorizer | UpdateAuthorizer | `arn:aws:iot:{{region}}:{{account-id}}:authorizerfunction/{{authorizer-function-name}}` | 
| iot:UpdateCACertificate | UpdateCACertificate | `arn:aws:iot:{{region}}:{{account-id}}:cacert/{{cert-id}}` | 
| iot:UpdateCertificate | UpdateCertificate | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:UpdateDimension | UpdateDimension | `arn:aws:iot:{{region}}:{{account-id}}:dimension/{{dimension-name}}` | 
| iot:UpdateEventConfigurations | UpdateEventConfigurations | 無 | 
| iot:UpdateIndexingConfiguration | UpdateIndexingConfiguration | 無 | 
| iot:UpdateRoleAlias | UpdateRoleAlias | `arn:aws:iot:{{region}}:{{account-id}}:rolealias/{{role-alias-name}}` | 
| iot:UpdateSecurityProfile | UpdateSecurityProfile | `arn:aws:iot:{{region}}:{{account-id}}:securityprofile/{{security-profile-name}}`<br />`arn:aws:iot:{{region}}:{{account-id}}:dimension/{{dimension-name}}` | 
| iot:UpdateThing | UpdateThing | `arn:aws:iot:{{region}}:{{account-id}}:thing/{{thing-name}}` | 
| iot:UpdateThingGroup | UpdateThingGroup | `arn:aws:iot:{{region}}:{{account-id}}:thinggroup/{{thing-group-name}}` | 
| iot:UpdateThingGroupsForThing | UpdateThingGroupsForThing | `arn:aws:iot:{{region}}:{{account-id}}:thing/{{thing-name}}`<br />`arn:aws:iot:{{region}}:{{account-id}}:thinggroup/{{thing-group-name}}` | 

中的政策動作在動作之前 AWS IoT 使用下列字首：`iot:`。例如，若要授予某人許可，以列出在 中 AWS 帳戶 向 `ListThings` API 註冊的所有 IoT 物件，請在其政策中包含 `iot:ListThings`動作。政策陳述式必須包含 `Action`或 `NotAction`元素。 AWS IoT 會定義自己的一組動作，描述您可以使用此服務執行的任務。

若要在單一陳述式中指定多個動作，請用逗號分隔，如下所示：

```
"Action": [
      "ec2:action1",
      "ec2:action2"
```

您也可以使用萬用字元 (\*) 來指定多個動作。例如，若要指定開頭是 `Describe` 文字的所有動作，請包含以下動作：

```
"Action": "iot:Describe*"
```

若要查看 AWS IoT 動作清單，請參閱《*IAM 使用者指南*》中的 [定義的動作 AWS IoT](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiot.html#awsiot-actions-as-permissions)。

#### Device Advisor 動作
<a name="security_iam_service-actions-device-advisor"></a>

下表列出 IAM IoT Device Advisor 動作、相關的 AWS IoT Device Advisor API，以及動作所操控的資源。


****  

| 政策動作 | AWS IoT API | Resources | 
| --- | --- | --- | 
| iotdeviceadvisor:CreateSuiteDefinition | CreateSuiteDefinition | 無 | 
| iotdeviceadvisor:DeleteSuiteDefinition | DeleteSuiteDefinition | `arn:aws:iotdeviceadvisor:{{region}}:{{account-id}}:suitedefinition/{{suite-definition-id}}` | 
| iotdeviceadvisor:GetSuiteDefinition | GetSuiteDefinition | `arn:aws:iotdeviceadvisor:{{region}}:{{account-id}}:suitedefinition/{{suite-definition-id}}` | 
| iotdeviceadvisor:GetSuiteRun | GetSuiteRun | `arn:aws:iotdeviceadvisor:{{region}}:{{account-id}}:suitedefinition/{{suite-run-id}}` | 
| iotdeviceadvisor:GetSuiteRunReport | GetSuiteRunReport | `arn:aws:iotdeviceadvisor:{{region}}:{{account-id}}:suiterun/{{suite-definition-id}}/{{suite-run-id}}` | 
| iotdeviceadvisor:ListSuiteDefinitions | ListSuiteDefinitions | 無 | 
| iotdeviceadvisor:ListSuiteRuns | ListSuiteRuns | `arn:aws:iotdeviceadvisor:{{region}}:{{account-id}}:suitedefinition/{{suite-definition-id}}` | 
| iotdeviceadvisor:ListTagsForResource | ListTagsForResource | `arn:aws:iotdeviceadvisor:{{region}}:{{account-id}}:suitedefinition/{{suite-definition-id}}`<br />`arn:aws:iotdeviceadvisor:{{region}}:{{account-id}}:suiterun/suite-definition-id/{{suite-run-id}}` | 
| iotdeviceadvisor:StartSuiteRun | StartSuiteRun | `arn:aws:iotdeviceadvisor:{{region}}:{{account-id}}:suitedefinition/{{suite-definition-id}}` | 
| iotdeviceadvisor:TagResource | TagResource | `arn:aws:iotdeviceadvisor:{{region}}:{{account-id}}:suitedefinition/{{suite-definition-id}}`<br />`arn:aws:iotdeviceadvisor:{{region}}:{{account-id}}:suiterun/suite-definition-id/{{suite-run-id}}` | 
| iotdeviceadvisor:UntagResource | UntagResource | `arn:aws:iotdeviceadvisor:{{region}}:{{account-id}}:suitedefinition/{{suite-definition-id}}`<br />`arn:aws:iotdeviceadvisor:{{region}}:{{account-id}}:suiterun/suite-definition-id/{{suite-run-id}}` | 
| iotdeviceadvisor:UpdateSuiteDefinition | UpdateSuiteDefinition | `arn:aws:iotdeviceadvisor:{{region}}:{{account-id}}:suitedefinition/{{suite-definition-id}}` | 
| iotdeviceadvisor:StopSuiteRun | StopSuiteRun | `arn:aws:iotdeviceadvisor:{{region}}:{{account-id}}:suiterun/suite-definition-id/{{suite-run-id}}` | 

 AWS IoT Device Advisor 中的政策動作在動作之前使用以下字首：`iotdeviceadvisor:`。例如，若要授予某人許可，以列出 AWS 帳戶 在其中使用 ListSuiteDefinitions API 註冊的所有套件定義，請在其政策中包含 `iotdeviceadvisor:ListSuiteDefinitions`動作。

### Resources
<a name="security_iam_service-with-iam-id-based-policies-resources"></a>

管理員可以使用 AWS JSON 政策來指定誰可以存取內容。也就是說，哪個**主體**在什麼**條件**下可以對什麼**資源**執行哪些**動作**。

`Resource` JSON 政策元素可指定要套用動作的物件。最佳實務是使用其 [Amazon Resource Name (ARN)](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html) 來指定資源。若動作不支援資源層級許可，使用萬用字元 (\*) 表示該陳述式適用於所有資源。

```
"Resource": "*"
```


**AWS IoT 資源**  

| 政策動作 | AWS IoT API | Resources | 
| --- | --- | --- | 
| iot:AcceptCertificateTransfer | AcceptCertificateTransfer | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` ARN 中 AWS 帳戶 指定的 必須是憑證要傳輸到的帳戶。  | 
| iot:AddThingToThingGroup | AddThingToThingGroup | `arn:aws:iot:{{region}}:{{account-id}}:thinggroup/{{thing-group-name}}`<br />`arn:aws:iot:{{region}}:{{account-id}}:thing/{{thing-name}}` | 
| iot:AssociateTargetsWithJob | AssociateTargetsWithJob | 無  | 
| iot:AttachPolicy | AttachPolicy | `arn:aws:iot:{{region}}:{{account-id}}:thinggroup/{{thing-group-name}}`<br />或<br />`arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:AttachPrincipalPolicy | AttachPrincipalPolicy | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:AttachThingPrincipal | AttachThingPrincipal | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:CancelCertificateTransfer | CancelCertificateTransfer | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` ARN 中 AWS 帳戶 指定的 必須是憑證要傳輸到的帳戶。  | 
| iot:CancelJob | CancelJob | `arn:aws:iot:{{region}}:{{account-id}}:job/{{job-id}}` | 
| iot:CancelJobExecution | CancelJobExecution | `arn:aws:iot:{{region}}:{{account-id}}:job/{{job-id}}`<br />`arn:aws:iot:{{region}}:{{account-id}}:thing/{{thing-name}}` | 
| iot:ClearDefaultAuthorizer | ClearDefaultAuthorizer | 無 | 
| iot:CreateAuthorizer | CreateAuthorizer | `arn:aws:iot:{{region}}:{{account-id}}:authorizer/{{authorizer-function-name}}` | 
| iot:CreateCertificateFromCsr | CreateCertificateFromCsr | \* | 
| iot:CreateJob | CreateJob | `arn:aws:iot:{{region}}:{{account-id}}:job/{{job-id}}`<br />`arn:aws:iot:{{region}}:{{account-id}}:thinggroup/{{thing-group-name}}`<br />`arn:aws:iot:{{region}}:{{account-id}}:thing/{{thing-name}}`<br />`arn:aws:iot:{{region}}:{{account-id}}:jobtemplate/{{job-template-id}}` | 
| iot:CreateJobTemplate | CreateJobTemplate | `arn:aws:iot:{{region}}:{{account-id}}:job/{{job-id}}`<br />`arn:aws:iot:{{region}}:{{account-id}}:jobtemplate/{{job-template-id}}` | 
| iot:CreateKeysAndCertificate | CreateKeysAndCertificate | \* | 
| iot:CreatePolicy | CreatePolicy | `arn:aws:iot:{{region}}:{{account-id}}:policy/{{policy-name}}` | 
| CreatePolicyVersion | iot:CreatePolicyVersion | `arn:aws:iot:{{region}}:{{account-id}}:policy/{{policy-name}}` 這必須是 AWS IoT 政策，而非 IAM 政策。  | 
| iot:CreateRoleAlias | CreateRoleAlias | (參數：roleAlias)<br />`arn:aws:iot:{{region}}:{{account-id}}:rolealias/{{role-alias-name}}` | 
| iot:CreateThing | CreateThing | `arn:aws:iot:{{region}}:{{account-id}}:thing/{{thing-name}}` | 
| iot:CreateThingGroup | CreateThingGroup | `arn:aws:iot:{{region}}:{{account-id}}:thinggroup/{{thing-group-name}}`<br />適用正在建立的群組和父群組 (若使用) | 
| iot:CreateThingType | CreateThingType | `arn:aws:iot:{{region}}:{{account-id}}:thingtype/{{thing-type-name}}` | 
| iot:CreateTopicRule | CreateTopicRule | `arn:aws:iot:{{region}}:{{account-id}}:rule/{{rule-name}}` | 
| iot:DeleteAuthorizer | DeleteAuthorizer | `arn:aws:iot:{{region}}:{{account-id}}:authorizer/{{authorizer-name}}` | 
| iot:DeleteCACertificate | DeleteCACertificate | `arn:aws:iot:{{region}}:{{account-id}}:cacert/{{cert-id}}` | 
| iot:DeleteCertificate | DeleteCertificate | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:DeleteJob | DeleteJob | `arn:aws:iot:{{region}}:{{account-id}}:job/{{job-id}}` | 
| iot:DeleteJobExecution | DeleteJobExecution | `arn:aws:iot:{{region}}:{{account-id}}:job/{{job-id}}`<br />`arn:aws:iot:{{region}}:{{account-id}}:thing/{{thing-name}}` | 
| iot:DeleteJobTemplate | DeleteJobTemplate | `arn:aws:iot:{{region}}:{{account-id}}:jobtemplate/{{job-template-id}}` | 
| iot:DeletePolicy | DeletePolicy | `arn:aws:iot:{{region}}:{{account-id}}:policy/{{policy-name}}` | 
| iot:DeletePolicyVersion | DeletePolicyVersion | `arn:aws:iot:{{region}}:{{account-id}}:policy/{{policy-name}}` | 
| iot:DeleteRegistrationCode | DeleteRegistrationCode | \* | 
| iot:DeleteRoleAlias | DeleteRoleAlias | `arn:aws:iot:{{region}}:{{account-id}}:rolealias/{{role-alias-name}}` | 
| iot:DeleteThing | DeleteThing | `arn:aws:iot:{{region}}:{{account-id}}:thing/{{thing-name}}` | 
| iot:DeleteThingGroup | DeleteThingGroup | `arn:aws:iot:{{region}}:{{account-id}}:thinggroup/{{thing-group-name}}` | 
| iot:DeleteThingType | DeleteThingType | `arn:aws:iot:{{region}}:{{account-id}}:thingtype/{{thing-type-name}}` | 
| iot:DeleteTopicRule | DeleteTopicRule | `arn:aws:iot:{{region}}:{{account-id}}:rule/{{rule-name}}` | 
| iot:DeleteV2LoggingLevel | DeleteV2LoggingLevel | `arn:aws:iot:{{region}}:{{account-id}}:thinggroup/{{thing-group-name}}` | 
| iot:DeprecateThingType | DeprecateThingType | `arn:aws:iot:{{region}}:{{account-id}}:thingtype/{{thing-type-name}}` | 
| iot:DescribeAuthorizer | DescribeAuthorizer | `arn:aws:iot:{{region}}:{{account-id}}:authorizer/{{authorizer-function-name}}`<br />(參數：authorizerName) 無  | 
| iot:DescribeCACertificate | DescribeCACertificate | `arn:aws:iot:{{region}}:{{account-id}}:cacert/{{cert-id}}` | 
| iot:DescribeCertificate | DescribeCertificate | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:DescribeDefaultAuthorizer | DescribeDefaultAuthorizer | 無  | 
| iot:DescribeEndpoint | DescribeEndpoint | \* | 
| iot:DescribeEventConfigurations | DescribeEventConfigurations | 無  | 
| iot:DescribeIndex | DescribeIndex | `arn:aws:iot:{{region}}:{{account-id}}:index/{{index-name}}` | 
| iot:DescribeJob | DescribeJob | `arn:aws:iot:{{region}}:{{account-id}}:job/{{job-id}}` | 
| iot:DescribeJobExecution | DescribeJobExecution | 無 | 
| iot:DescribeJobTemplate | DescribeJobTemplate | `arn:aws:iot:{{region}}:{{account-id}}:jobtemplate/{{job-template-id}}` | 
| iot:DescribeRoleAlias | DescribeRoleAlias | `arn:aws:iot:{{region}}:{{account-id}}:rolealias/{{role-alias-name}}` | 
| iot:DescribeThing | DescribeThing | `arn:aws:iot:{{region}}:{{account-id}}:thing/{{thing-name}}` | 
| iot:DescribeThingGroup | DescribeThingGroup | `arn:aws:iot:{{region}}:{{account-id}}:thinggroup/{{thing-group-name}}` | 
| iot:DescribeThingRegistrationTask | DescribeThingRegistrationTask | 無 | 
| iot:DescribeThingType | DescribeThingType | `arn:aws:iot:{{region}}:{{account-id}}:thingtype/{{thing-type-name}}` | 
| iot:DetachPolicy | DetachPolicy | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}`<br />或<br />`arn:aws:iot:{{region}}:{{account-id}}:thinggroup/{{thing-group-name}}` | 
| iot:DetachPrincipalPolicy | DetachPrincipalPolicy | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:DetachThingPrincipal | DetachThingPrincipal | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:DisableTopicRule | DisableTopicRule | `arn:aws:iot:{{region}}:{{account-id}}:rule/{{rule-name}}` | 
| iot:EnableTopicRule | EnableTopicRule | `arn:aws:iot:{{region}}:{{account-id}}:rule/{{rule-name}}` | 
| iot:GetEffectivePolicies | GetEffectivePolicies | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:GetIndexingConfiguration | GetIndexingConfiguration | 無 | 
| iot:GetJobDocument | GetJobDocument | `arn:aws:iot:{{region}}:{{account-id}}:job/{{job-id}}` | 
| iot:GetLoggingOptions | GetLoggingOptions | \* | 
| iot:GetPolicy | GetPolicy | `arn:aws:iot:{{region}}:{{account-id}}:policy/{{policy-name}}` | 
| iot:GetPolicyVersion | GetPolicyVersion | `arn:aws:iot:{{region}}:{{account-id}}:policy/{{policy-name}}` | 
| iot:GetRegistrationCode | GetRegistrationCode | \* | 
| iot:GetTopicRule | GetTopicRule | `arn:aws:iot:{{region}}:{{account-id}}:rule/{{rule-name}}` | 
| iot:ListAttachedPolicies | ListAttachedPolicies | `arn:aws:iot:{{region}}:{{account-id}}:thinggroup/{{thing-group-name}}`<br />或<br />`arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:ListAuthorizers | ListAuthorizers | 無 | 
| iot:ListCACertificates | ListCACertificates | \* | 
| iot:ListCertificates | ListCertificates | \* | 
| iot:ListCertificatesByCA | ListCertificatesByCA | \* | 
| iot:ListIndices | ListIndices | 無 | 
| iot:ListJobExecutionsForJob | ListJobExecutionsForJob | 無 | 
| iot:ListJobExecutionsForThing | ListJobExecutionsForThing | 無 | 
| iot:ListJobs | ListJobs | `arn:aws:iot:{{region}}:{{account-id}}:thinggroup/{{thing-group-name}}`<br />若使用 thingGroupName 參數 | 
| iot:ListJobTemplates | ListJobTemplates | 無 | 
| iot:ListOutgoingCertificates | ListOutgoingCertificates | \* | 
| iot:ListPolicies | ListPolicies | \* | 
| iot:ListPolicyPrincipals | ListPolicyPrincipals | `arn:aws:iot:{{region}}:{{account-id}}:policy/{{policy-name}}` | 
| iot:ListPolicyVersions | ListPolicyVersions | `arn:aws:iot:{{region}}:{{account-id}}:policy/{{policy-name}}` | 
| iot:ListPrincipalPolicies | ListPrincipalPolicies | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:ListPrincipalThings | ListPrincipalThings | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:ListRoleAliases | ListRoleAliases | 無 | 
| iot:ListTargetsForPolicy | ListTargetsForPolicy | `arn:aws:iot:{{region}}:{{account-id}}:policy/{{policy-name}}` | 
| iot:ListThingGroups | ListThingGroups | 無 | 
| iot:ListThingGroupsForThing | ListThingGroupsForThing | `arn:aws:iot:{{region}}:{{account-id}}:thing/{{thing-name}}` | 
| iot:ListThingPrincipals | ListThingPrincipals | `arn:aws:iot:{{region}}:{{account-id}}:thing/{{thing-name}}` | 
| iot:ListThingRegistrationTaskReports | ListThingRegistrationTaskReports | 無 | 
| iot:ListThingRegistrationTasks | ListThingRegistrationTasks | 無 | 
| iot:ListThingTypes | ListThingTypes | \* | 
| iot:ListThings | ListThings | \* | 
| iot:ListThingsInThingGroup | ListThingsInThingGroup | `arn:aws:iot:{{region}}:{{account-id}}:thinggroup/{{thing-group-name}}` | 
| iot:ListTopicRules | ListTopicRules | \* | 
| iot:ListV2LoggingLevels | ListV2LoggingLevels | 無 | 
| iot:RegisterCACertificate | RegisterCACertificate | \* | 
| iot:RegisterCertificate | RegisterCertificate | \* | 
| iot:RegisterThing | RegisterThing | 無 | 
| iot:RejectCertificateTransfer | RejectCertificateTransfer | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:RemoveThingFromThingGroup | RemoveThingFromThingGroup | `arn:aws:iot:{{region}}:{{account-id}}:thinggroup/{{thing-group-name}}`<br />`arn:aws:iot:{{region}}:{{account-id}}:thing/{{thing-name}}` | 
| iot:ReplaceTopicRule | ReplaceTopicRule | `arn:aws:iot:{{region}}:{{account-id}}:rule/{{rule-name}}` | 
| iot:SearchIndex | SearchIndex | `arn:aws:iot:{{region}}:{{account-id}}:index/{{index-id}}` | 
| iot:SetDefaultAuthorizer | SetDefaultAuthorizer | `arn:aws:iot:{{region}}:{{account-id}}:authorizer/{{authorizer-function-name}}` | 
| iot:SetDefaultPolicyVersion | SetDefaultPolicyVersion | `arn:aws:iot:{{region}}:{{account-id}}:policy/{{policy-name}}` | 
| iot:SetLoggingOptions | SetLoggingOptions | \* | 
| iot:SetV2LoggingLevel | SetV2LoggingLevel | \* | 
| iot:SetV2LoggingOptions | SetV2LoggingOptions | \* | 
| iot:StartThingRegistrationTask | StartThingRegistrationTask | 無 | 
| iot:StopThingRegistrationTask | StopThingRegistrationTask | 無 | 
| iot:TestAuthorization | TestAuthorization | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:TestInvokeAuthorizer | TestInvokeAuthorizer | 無 | 
| iot:TransferCertificate | TransferCertificate | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:UpdateAuthorizer | UpdateAuthorizer | `arn:aws:iot:{{region}}:{{account-id}}:authorizerfunction/{{authorizer-function-name}}` | 
| iot:UpdateCACertificate | UpdateCACertificate | `arn:aws:iot:{{region}}:{{account-id}}:cacert/{{cert-id}}` | 
| iot:UpdateCertificate | UpdateCertificate | `arn:aws:iot:{{region}}:{{account-id}}:cert/{{cert-id}}` | 
| iot:UpdateEventConfigurations | UpdateEventConfigurations | 無 | 
| iot:UpdateIndexingConfiguration | UpdateIndexingConfiguration | 無 | 
| iot:UpdateRoleAlias | UpdateRoleAlias | `arn:aws:iot:{{region}}:{{account-id}}:rolealias/{{role-alias-name}}` | 
| iot:UpdateThing | UpdateThing | `arn:aws:iot:{{region}}:{{account-id}}:thing/{{thing-name}}` | 
| iot:UpdateThingGroup | UpdateThingGroup | `arn:aws:iot:{{region}}:{{account-id}}:thinggroup/{{thing-group-name}}` | 
| iot:UpdateThingGroupsForThing | UpdateThingGroupsForThing | `arn:aws:iot:{{region}}:{{account-id}}:thing/{{thing-name}}` | 

如需 ARNs 格式的詳細資訊，請參閱 [Amazon Resource Name (ARNs AWS 和服務命名空間](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)。

有些 AWS IoT 動作無法對特定資源執行，例如用於建立資源的動作。在這些情況下，您必須使用萬用字元 (\*)。

```
"Resource": "*"
```

若要查看 AWS IoT 資源類型及其 ARNs的清單，請參閱《*IAM 使用者指南*》中的 [定義的資源 AWS IoT](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiot.html#awsiot-resources-for-iam-policies)。若要了解您可以使用哪些動作指定每個資源的 ARN，請參閱 [AWS IoT定義的動作](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiot.html#awsiot-actions-as-permissions)。

#### Device Advisor 資源
<a name="security_iam_service-device-advisor-resources"></a>

若要定義 AWS IoT Device Advisor IAM 政策的資源層級限制，請針對套件定義和套件執行使用以下資源 ARN 格式。

套件定義資源 ARN 格式  
`arn:aws:iotdeviceadvisor:{{region}}:{{account-id}}:suitedefinition/{{suite-definition-id}}`

套件執行資源 ARN 格式  
`arn:aws:iotdeviceadvisor:{{region}}:{{account-id}}:suiterun/{{suite-definition-id}}/{{suite-run-id}}`

### 條件索引鍵
<a name="security_iam_service-with-iam-id-based-policies-conditionkeys"></a>

管理員可以使用 AWS JSON 政策來指定誰可以存取內容。也就是說，哪個**主體**在什麼**條件**下可以對什麼**資源**執行哪些**動作**。

`Condition` 元素會根據定義的條件，指定陳述式的執行時機。您可以建立使用[條件運算子](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html)的條件運算式 (例如等於或小於)，來比對政策中的條件和請求中的值。若要查看所有 AWS 全域條件索引鍵，請參閱《*IAM 使用者指南*》中的[AWS 全域條件內容索引鍵](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html)。

AWS IoT 會定義自己的一組條件金鑰，也支援使用一些全域條件金鑰。若要查看所有 AWS 全域條件金鑰，請參閱《*IAM 使用者指南*》中的[AWS 全域條件內容金鑰](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_condition-keys.html)。


**AWS IoT 條件索引鍵**  

| AWS IoT 條件索引鍵 | 描述 | Type | 
| --- | --- | --- | 
| aws:RequestTag/${{{tag-key}}} | 在使用者對 AWS IoT提出的請求中存在的標籤金鑰。 | String | 
| aws:ResourceTag/${{{tag-key}}} | 連接至 AWS IoT 資源之標籤的標籤索引鍵元件。 | String | 
| aws:TagKeys | 與請求中資源相關聯的所有標籤鍵名稱清單。 | String | 

若要查看 AWS IoT 條件金鑰清單，請參閱《*IAM 使用者指南*》中的 [的條件金鑰 AWS IoT](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiot.html#awsiot-policy-keys)。若要了解您可以使用條件金鑰的動作和資源，請參閱 [定義的動作 AWS IoT](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiot.html#awsiot-actions-as-permissions)。

### 範例
<a name="security_iam_service-with-iam-id-based-policies-examples"></a>


若要檢視 AWS IoT 身分型政策的範例，請參閱 [AWS IoT 身分型政策範例](security_iam_id-based-policy-examples.md)。

## AWS IoT 資源型政策
<a name="security_iam_service-with-iam-resource-based-policies"></a>

以資源為基礎的政策是 JSON 政策文件，指定指定委託人可以在 AWS IoT 資源上執行的動作，以及在哪些條件下執行的動作。

AWS IoT 不支援 IAM 資源型政策。不過，它支援以 AWS IoT 資源為基礎的政策。如需詳細資訊，請參閱[AWS IoT Core 政策](iot-policies.md)。

## 以 AWS IoT 標籤為基礎的授權
<a name="security_iam_service-with-iam-tags"></a>

您可以將標籤連接至 AWS IoT 資源，或將請求中的標籤傳遞至 AWS IoT。如需根據標籤控制存取，請使用 `iot:ResourceTag/{{key-name}}`、`aws:RequestTag/{{key-name}}` 或 `aws:TagKeys` 條件索引鍵，在政策的[條件元素](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_elements_condition.html)中，提供標籤資訊。如需詳細資訊，請參閱[搭配 IAM 政策使用標籤](tagging-iot-iam.md)。如需標記 AWS IoT 資源的詳細資訊，請參閱 [標記您的 AWS IoT 資源](tagging-iot.md)。

若要檢視身分型原則範例，以根據該資源上的標籤來限制存取資源，請參閱[根據標籤檢視 AWS IoT 資源](security_iam_id-based-policy-examples.md#security_iam_id-based-policy-examples-view-thing-tags)。

## AWS IoT IAM 角色
<a name="security_iam_service-with-iam-roles"></a>

[IAM 角色](https://docs.aws.amazon.com/service-authorization/latest/reference/id_roles.html)是 中具有特定許可 AWS 帳戶 的實體。

### 搭配 使用臨時登入資料 AWS IoT
<a name="security_iam_service-with-iam-roles-tempcreds"></a>

您可以搭配聯合使用暫時憑證、擔任 IAM 角色，或是擔任跨帳戶角色。您可以透過呼叫 [AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) 或 [GetFederationToken](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetFederationToken.html) 等 AWS STS API 操作來取得臨時安全登入資料。

AWS IoT 支援使用臨時登入資料。

### 服務連結角色
<a name="security_iam_service-with-iam-roles-service-linked"></a>

[服務連結角色](https://docs.aws.amazon.com/service-authorization/latest/reference/id_roles_terms-and-concepts.html#iam-term-service-linked-role)可讓 AWS 服務存取其他服務中的資源，以代表您完成 動作。服務連結角色會顯示在您的 IAM 帳戶中，並由該服務所擁有。IAM 管理員可以檢視，但不能編輯服務連結角色的許可。

AWS IoT 不支援服務連結角色。

### 服務角色
<a name="security_iam_service-with-iam-roles-service"></a>

此功能可讓服務代表您擔任[服務角色](https://docs.aws.amazon.com/service-authorization/latest/reference/id_roles_terms-and-concepts.html#iam-term-service-role)。此角色可讓服務存取其他服務中的資源，以代表您完成動作。服務角色會出現在您的 IAM 帳戶中，且由該帳戶所擁有。這表示 IAM 管理員可以變更此角色的許可。不過，這樣可能會破壞此服務的功能。