m5stack / Core2-for-AWS-IoT-Kit

Accompanying code for use with AWS IoT Kit content. Works with PlatformIO and ESP-IDF v4.2.
https://m5stack.com/collections/m5-core/products/m5stack-core2-esp32-iot-development-kit-for-aws-iot-edukit
MIT License

The default AWS IoT Policy allows Client ID spoofing #81

Closed debug-ito closed 3 years ago

debug-ito commented 3 years ago

The registration_helper.py in the Blinky-Hello-World example creates an AWS IoT Policy (named "Default") like the following.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Connect"
      ],
      "Resource": [
        "arn:aws:iot:*:*:client/${iot:ClientId}"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish",
        "iot:Receive"
      ],
      "Resource": [
        "arn:aws:iot:*:*:topic/${iot:ClientId}/*",
        "arn:aws:iot:*:*:topic/$aws/things/${iot:ClientId}/shadow/*"
      ]
    },
  (snip)
}

This policy is insecure. This policy allows a client to use ANY client ID. As a result, a device can publish messages impersonating other devices, and it can eavesdrop on messages for other devices.

See also: https://docs.aws.amazon.com/iot/latest/developerguide/security-best-practices.html#secure-mqtt

Although I didn't test it, a solution would be to use ${iot:Connection.Thing.ThingName} for the resource to allow iot:Connect action, as described in the above link. The Thing Name is bound to the client certificate, so it would force a device to use its own client ID only.

debug-ito commented 3 years ago

OK, I just tested it.

Using this policy,

{
  "Effect": "Allow",
  "Action": [
    "iot:Connect"
  ],
  "Resource": [
    "arn:aws:iot:*:*:client/${iot:Connection.Thing.ThingName}"
  ]
}

AWS IoT now accepted a connection from a device if and only if it used the correct client ID.
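The script below is an example added here, not code from the Core2-for-AWS-IoT-Kit repository or from either commenter. It audits a policy document for the weakness the first comment describes (an `iot:Connect` statement whose client resource is `${iot:ClientId}` or a wildcard, so any authenticated certificate may pick any client ID) and rewrites such statements to the `${iot:Connection.Thing.ThingName}` form that the second comment tested. The function names are this example's own, and the embedded policy is a constructed sample that mirrors the quoted "Default" policy with the elided statements left out.

```python
"""Audit an AWS IoT policy for the client-ID-spoofing weakness from this
issue, and produce a hardened copy.

Example added for illustration; not part of the Core2-for-AWS-IoT-Kit
repository. Function names are this example's own, and DEFAULT_POLICY is a
constructed sample mirroring the issue's quoted policy.
"""
import copy
import json
import re

# Client resources that let any authenticated certificate connect under any
# client ID: the ${iot:ClientId} variable simply echoes whatever ID the
# client presents, and a bare wildcard accepts everything.
SPOOFABLE_CLIENT_RE = re.compile(r":client/(\$\{iot:ClientId\}|\*)$")

# Resource form from the issue: the client ID must equal the name of the
# thing the connecting certificate is attached to.
BOUND_CLIENT_RESOURCE = "arn:aws:iot:*:*:client/${iot:Connection.Thing.ThingName}"


def _as_list(value):
    """IAM-style documents allow a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_spoofable(resource: str) -> bool:
    return resource == "*" or SPOOFABLE_CLIENT_RE.search(resource) is not None


def audit_connect_statements(policy: dict) -> list:
    """Return one finding per Allow statement that grants iot:Connect on a
    client resource not bound to the certificate's thing name."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("iot:Connect", "iot:*", "*") for a in actions):
            continue
        for res in _as_list(stmt.get("Resource", [])):
            if _is_spoofable(res):
                findings.append(
                    f"Statement[{idx}]: iot:Connect allowed on {res!r}; any "
                    "client ID is accepted, so devices can impersonate each other"
                )
    return findings


def harden_connect_statements(policy: dict) -> dict:
    """Return a deep copy in which statements that grant only iot:Connect
    have spoofable client resources replaced by BOUND_CLIENT_RESOURCE.
    Statements mixing iot:Connect with other actions are left untouched
    (they still show up in the audit) because rewriting their resource
    list would also change what the other actions apply to."""
    hardened = copy.deepcopy(policy)
    for stmt in hardened.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if _as_list(stmt.get("Action", [])) != ["iot:Connect"]:
            continue
        stmt["Resource"] = [
            BOUND_CLIENT_RESOURCE if _is_spoofable(r) else r
            for r in _as_list(stmt.get("Resource", []))
        ]
    return hardened


# Constructed sample mirroring the insecure "Default" policy quoted in the
# issue (the elided statements are omitted).
DEFAULT_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["iot:Connect"],
     "Resource": ["arn:aws:iot:*:*:client/${iot:ClientId}"]},
    {"Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"],
     "Resource": ["arn:aws:iot:*:*:topic/${iot:ClientId}/*",
                  "arn:aws:iot:*:*:topic/$aws/things/${iot:ClientId}/shadow/*"]}
  ]
}
""")

if __name__ == "__main__":
    for finding in audit_connect_statements(DEFAULT_POLICY):
        print("FINDING:", finding)
    fixed = harden_connect_statements(DEFAULT_POLICY)
    print(json.dumps(fixed["Statement"][0], indent=2))
    print("findings after hardening:", audit_connect_statements(fixed))
```

Only the Connect statement needs to change: once the client ID is forced to equal the thing name, the `${iot:ClientId}` variables in the Publish and Receive resources resolve to that same name, so the per-device topic and shadow restrictions that were already in the policy become effective. One assumption the hardened form relies on is that each device's certificate is attached to exactly one thing in the registry; `${iot:Connection.Thing.ThingName}` is resolved from that attachment, so a certificate with no thing attached will not be able to connect at all.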

rashedtalukder commented 3 years ago

@debug-ito, thank you for reporting and filing this. I've updated the policy document and given the policy a more unique name.

debug-ito commented 3 years ago

Thanks!