You have a new request from the Marketing and Development department: they want to enable a beta feature on the SanFrancisco devices in Production that integrates an Alexa skill with smart A/C devices, enabling voice control of room temperature.
You need an additional security policy that allows the devices in the SanFrancisco location to listen to a new topic named alexa/integration/<deviceName>.
The device already has the code to process the command.
Attaching a policy to a group allows every thing in that group, and every thing or group below it in the hierarchy, to inherit the policy permissions.
In this exercise, you will use a previously created policy file, alexaPolicy.json, added to your Cloud9 environment.
This policy allows the subscribe action to the new topic alexa/integration/<device-name>:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "iot:Subscribe",
            "iot:Receive"
          ],
          "Resource": [
            "arn:aws:iot:<region>:<account>:topicfilter/alexa/integration/*",
            "arn:aws:iot:<region>:<account>:topic/alexa/integration/*"
          ]
        }
      ]
    }
To process the message successfully, the policy needs to allow both the Subscribe and Receive actions. Additionally, it contains a wildcard (*) after alexa/integration/ because you need to apply the same policy to every device in the group.
A very permissive policy has been used to help the flow of the task. The recommended approach in production is to use a policy variable such as ${iot:Connection.Thing.ThingName} or another certificate parameter.
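What the wildcard costs compared with a per-thing variable, as an added example that is not part of the workshop's own code: a simplified local model of policy matching, not the AWS IoT evaluator. The region, account ID and device names sf-ac-01 and sf-ac-02 are constructed, and the model assumes each device connects with an MQTT client ID equal to its thing name so that the variable resolves.

```python
import json
import re

VAR = "${iot:Connection.Thing.ThingName}"
PREFIX = "arn:aws:iot:us-west-2:123456789012"  # constructed region and account

def make_policy(suffix):
    """Build the page's policy with `suffix` after alexa/integration/."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["iot:Subscribe", "iot:Receive"],
            "Resource": [
                f"{PREFIX}:topicfilter/alexa/integration/{suffix}",
                f"{PREFIX}:topic/alexa/integration/{suffix}",
            ],
        }],
    }

WILDCARD_POLICY = make_policy("*")  # the policy used in this exercise
SCOPED_POLICY = make_policy(VAR)    # per-thing variant for production

def is_allowed(policy, thing_name, action, resource_arn):
    """Simplified model: Allow statements only, '*' wildcard, one variable."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        for pattern in stmt["Resource"]:
            # Assumption: the variable resolves to the connecting thing's name.
            resolved = pattern.replace(VAR, thing_name)
            regex = ".*".join(re.escape(p) for p in resolved.split("*"))
            if re.fullmatch(regex, resource_arn):
                return True
    return False

def topic_filter_arn(device):
    return f"{PREFIX}:topicfilter/alexa/integration/{device}"

if __name__ == "__main__":
    print(json.dumps(SCOPED_POLICY, indent=2))
    for name, pol in (("wildcard", WILDCARD_POLICY), ("scoped", SCOPED_POLICY)):
        for target in ("sf-ac-01", "sf-ac-02"):
            ok = is_allowed(pol, "sf-ac-01", "iot:Subscribe", topic_filter_arn(target))
            print(f"{name}: sf-ac-01 subscribing to {target}'s topic -> {ok}")
```

Under the wildcard policy, sf-ac-01 is allowed to subscribe to the topic intended for sf-ac-02; under the scoped policy it is allowed only its own.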
Go back to the Cloud9 tab opened previously:
    cd ~/environment/IoTRepository/
    # create iot policy
    aws iot create-policy \
        --policy-name alexaPolicy \
        --policy-document file://scripts/alexaPolicy.json
OK! If you see this output, the command ran successfully:
Open the AWS IoT Console, if it is not already opened:
iot core
on the Find ServicesSanFrancisco
You can use the Fleet Dashboard to get an overview of your current fleet and see the devices provisioned on your account.
After opening the Fleet Dashboard, you see all the current devices provisioned on your account.
Notice that each device has the following information (in that order):
Scroll down to the SanFrancisco location devices and check whether the Alexa icon has changed.
The other locations remain without Alexa integration, since we applied alexaPolicy only to the SanFrancisco group.
Congratulations! You have enabled group policies. You can now move to the other section.