Best policy practices for production

[eercanayar]

In config.js line 11;

// In actual production, the policy document should be generated dynamically.

Isn't it a waste that generating a policy for every single thing? Assume that thousands of devices for an IoT solution. I think it should be only a single policy which allows publish and subscribe to topics by their certificate ID's. An example from AWS IoT docs is like this:

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action":["iot:Publish"],
        "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/${iot:CertificateId}"]
    },
    {
        "Effect": "Allow",
        "Action": ["iot:Connect"],
        "Resource": ["*"]
    }]
}

What do you think about this, what are your recommendations about that?

[cncoder]

• The policy for each device should be dynamic. In other words, it should not be that all devices have the same security policy, so that there is enough flexibility.

• For the same security policy that some devices have, you can assign them to an iot device group and then attach a policy for the group.