fix: #114 More secure IoT policy (#115)

ServerlessLife · web-flow · commit f049b76e8e70 · 2025-03-11T19:38:21.000+01:00
* fix: #114 More secure IoT policy * chore: add contributor
diff --git a/README.md b/README.md
@@ -331,6 +331,7 @@ If you have a new feature idea, please create and issue.
 
 (alphabetical)
 
+- [Ben Moses](https://github.com/benjymoses)
 - [Kristian Dreher](https://www.linkedin.com/in/kristiandreher)
 - [Roger Chi](https://rogerchi.com/)
 - [Sebastian / avocadomaster](https://github.com/avocadomaster)
diff --git a/src/infraDeploy.ts b/src/infraDeploy.ts
@@ -37,9 +37,15 @@ const policyDocument = {
   Version: '2012-10-17',
   Statement: [
     {
-      Action: 'iot:*',
-      Resource: '*',
       Effect: 'Allow',
+      Action: [
+        'iot:DescribeEndpoint',
+        'iot:Connect',
+        'iot:Publish',
+        'iot:Subscribe',
+        'iot:Receive',
+      ],
+      Resource: '*',
     },
   ],
 };
diff --git a/test/utils/expectInfraDeployed.ts b/test/utils/expectInfraDeployed.ts
@@ -30,14 +30,20 @@ export async function expectInfraDeployed(lambdaName: any) {
       ':layer:LambdaLiveDebugger:',
     );
     expect(policyDocument).toEqual({
+      Version: '2012-10-17',
       Statement: [
         {
-          Action: 'iot:*',
           Effect: 'Allow',
+          Action: [
+            'iot:DescribeEndpoint',
+            'iot:Connect',
+            'iot:Publish',
+            'iot:Subscribe',
+            'iot:Receive',
+          ],
           Resource: '*',
         },
       ],
-      Version: '2012-10-17',
     });
   }
 }
