Authentication

The Cat Tracker Web Application on AWS connects to the AWS IoT message broker over WebSockets. Authentication is done through Amazon Cognito: the identity pool issues temporary AWS credentials for the signed-in user, and those credentials are used to sign the WebSocket connection to AWS IoT.

See the AWS documentation on Amazon Cognito identities and on policies for HTTP and WebSocket clients for more information.

A user authenticated via Amazon Cognito needs two policies before AWS IoT will accept the connection:

  • An IAM policy attached to the authenticated role of the Cognito identity pool. This is what lets the temporary credentials be used to authenticate and call AWS IoT at all.

  • An AWS IoT policy attached to the Cognito identity ID (the identity of the signed-in user) as its principal. This is where fine-grained permissions, such as which topics the user may subscribe to, are expressed.

Note

When authorizing a Cognito identity, AWS IoT evaluates both policies and grants only what both of them allow; the effective permission is the intersection of the two.

An action is therefore allowed only if both policies allow it. If either policy explicitly denies the action, or simply does not cover it, the action is unauthorized.

Example

See below for an example of the authentication process with the specified policies:

IAM policy on the authenticated role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iot:Subscribe"],
      "Resource": ["*"]
    }
  ]
}

IoT policy assigned to the Cognito Identity:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iot:Subscribe"],
      "Resource": ["arn:aws:iot:*:*:topicfilter/messages"]
    }
  ]
}

The two policies are ANDed, so only the permission present in both is granted. The IAM policy on the role allows iot:Subscribe on any resource, but the IoT policy narrows it to the topic filter messages. Hence, in this example, the user can only subscribe to the messages topic. Note that the example is deliberately minimal: a working client additionally needs iot:Connect (on the client resource) in both policies to establish the connection, and iot:Receive on the topic to actually be delivered messages it has subscribed to.
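The following is an added example, not code from the Cat Tracker project or from AWS: a small JavaScript model of the evaluation described above, which checks a request against the IAM role policy and the IoT identity policy separately and only authorizes it when both allow. It models only Allow/Deny statements with "*" wildcards in Action and Resource (no Condition, NotAction, NotResource or policy variables), and the account ID, client ID and the extra topic filter used in the sample requests are placeholders chosen for the example.

```javascript
// Added example (not from the Cat Tracker project or AWS): a simplified model of
// how AWS IoT authorizes a Cognito identity by evaluating BOTH the IAM policy on
// the identity pool's authenticated role AND the IoT policy attached to the
// identity ID. Only Allow/Deny statements with "*"/"?" wildcards are modelled;
// Condition, NotAction/NotResource and policy variables are not.

// The two policies from the example above.
const IAM_ROLE_POLICY = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Action: ["iot:Subscribe"], Resource: ["*"] }],
};

const IOT_IDENTITY_POLICY = {
  Version: "2012-10-17",
  Statement: [
    {
      Effect: "Allow",
      Action: ["iot:Subscribe"],
      Resource: ["arn:aws:iot:*:*:topicfilter/messages"],
    },
  ],
};

// A broader IoT policy with an explicit Deny added, to show that the IAM-side
// Allow cannot override a Deny on the IoT side.
const IOT_POLICY_WITH_DENY = {
  Version: "2012-10-17",
  Statement: [
    { Effect: "Allow", Action: ["iot:*"], Resource: ["*"] },
    {
      Effect: "Deny",
      Action: ["iot:Subscribe"],
      Resource: ["arn:aws:iot:*:*:topicfilter/messages"],
    },
  ],
};

// Turn an IAM-style pattern ("iot:*", "arn:aws:iot:*:*:topicfilter/*") into an
// anchored RegExp. Everything except "*" and "?" is matched literally.
function patternToRegExp(pattern) {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp(`^${escaped}$`);
}

function anyMatch(patterns, value) {
  const list = Array.isArray(patterns) ? patterns : [patterns];
  return list.some((p) => patternToRegExp(p).test(value));
}

// Evaluate one policy document for (action, resource).
// Returns "Allow", "Deny" (explicit) or "ImplicitDeny" (no statement matched).
function evaluatePolicy(policy, action, resource) {
  let allowed = false;
  for (const statement of policy.Statement) {
    if (!anyMatch(statement.Action, action)) continue;
    if (!anyMatch(statement.Resource, resource)) continue;
    if (statement.Effect === "Deny") return "Deny"; // explicit deny always wins
    if (statement.Effect === "Allow") allowed = true;
  }
  return allowed ? "Allow" : "ImplicitDeny";
}

// A Cognito identity is authorized only when BOTH policies return "Allow".
// Each side's verdict is returned too, so you can see which policy blocked.
function authorize(iamPolicy, iotPolicy, action, resource) {
  const iam = evaluatePolicy(iamPolicy, action, resource);
  const iot = evaluatePolicy(iotPolicy, action, resource);
  return { allowed: iam === "Allow" && iot === "Allow", iam, iot };
}

// Constructed sample requests; the account ID and client ID are placeholders.
const ARN_PREFIX = "arn:aws:iot:us-east-1:123456789012";
const REQUESTS = [
  ["iot:Subscribe", `${ARN_PREFIX}:topicfilter/messages`], // both allow
  ["iot:Subscribe", `${ARN_PREFIX}:topicfilter/secret`], // IoT policy does not cover it
  ["iot:Connect", `${ARN_PREFIX}:client/cat-tracker-web`], // neither policy grants Connect
];

for (const [action, resource] of REQUESTS) {
  const r = authorize(IAM_ROLE_POLICY, IOT_IDENTITY_POLICY, action, resource);
  console.log(`${r.allowed ? "ALLOW" : "DENY "} ${action} ${resource} (iam=${r.iam}, iot=${r.iot})`);
}
```

The third request illustrates the caveat above: with only iot:Subscribe in both policies, the connection itself would be refused because neither side grants iot:Connect. In a real deployment the IoT policy is bound to the identity with the AWS IoT AttachPolicy operation, whose target is the Cognito identity ID (of the form region:uuid), not the identity pool or the IAM role.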