aws iot

AWS IoT provides secure, bi-directional communication between Internet-connected devices (such as sensors, actuators, embedded devices, or smart appliances) and the AWS cloud. You can discover your custom IoT-Data endpoint to communicate with, configure rules for data processing and integration with other services, organize resources associated with each device (Registry), configure logging, and create and manage policies and credentials to authenticate devices.

The service endpoints that expose this API are listed in AWS IoT Core Endpoints and Quotas. You must use the endpoint for the region that has the resources you want to access. The service name used by AWS Signature Version 4 to sign the request is: execute-api.

For more information about how AWS IoT works, see the Developer Guide. For information about how to use the credentials provider for AWS IoT, see Authorizing Direct Calls to AWS Services.

Subcommands

| Name | Description |
| --- | --- |
| accept-certificate-transfer | Accepts a pending certificate transfer. The default state of the certificate is INACTIVE. To check for pending certificate transfers, call ListCertificates to enumerate your certificates |
| add-thing-to-billing-group | Adds a thing to a billing group |
| add-thing-to-thing-group | Adds a thing to a thing group |
| associate-targets-with-job | Associates a group with a continuous job. The following criteria must be met: The job must have been created with the targetSelection field set to "CONTINUOUS". The job status must currently be "IN_PROGRESS". The total number of targets associated with a job must not exceed 100 |
| attach-policy | Attaches a policy to the specified target |
| attach-principal-policy | Attaches the specified policy to the specified principal (certificate or other credential). Note: This API is deprecated. Please use AttachPolicy instead |
| attach-security-profile | Associates a Device Defender security profile with a thing group or this account. Each thing group or account can have up to five security profiles associated with it |
| attach-thing-principal | Attaches the specified principal to the specified thing. A principal can be X.509 certificates, IAM users, groups, and roles, Amazon Cognito identities or federated identities |
| cancel-audit-mitigation-actions-task | Cancels a mitigation action task that is in progress. If the task is not in progress, an InvalidRequestException occurs |
| cancel-audit-task | Cancels an audit that is in progress. The audit can be either scheduled or on demand. If the audit isn't in progress, an "InvalidRequestException" occurs |
| cancel-certificate-transfer | Cancels a pending transfer for the specified certificate. Note: Only the transfer source account can use this operation to cancel a transfer. (Transfer destinations can use RejectCertificateTransfer instead.) After transfer, AWS IoT returns the certificate to the source account in the INACTIVE state. After the destination account has accepted the transfer, the transfer cannot be cancelled. After a certificate transfer is cancelled, the status of the certificate changes from PENDING_TRANSFER to INACTIVE |
| cancel-detect-mitigation-actions-task | Cancels a Device Defender ML Detect mitigation action |
| cancel-job | Cancels a job |
| cancel-job-execution | Cancels the execution of a job for a given thing |
| clear-default-authorizer | Clears the default authorizer |
| confirm-topic-rule-destination | Confirms a topic rule destination. When you create a rule requiring a destination, AWS IoT sends a confirmation message to the endpoint or base address you specify. The message includes a token which you pass back when calling ConfirmTopicRuleDestination to confirm that you own or have access to the endpoint |
| create-audit-suppression | Creates a Device Defender audit suppression |
| create-authorizer | Creates an authorizer |
| create-billing-group | Creates a billing group |
| create-certificate-from-csr | Creates an X.509 certificate using the specified certificate signing request. Note: The CSR must include a public key that is either an RSA key with a length of at least 2048 bits or an ECC key from NIST P-256 or NIST P-384 curves. Note: Reusing the same certificate signing request (CSR) results in a distinct certificate. You can create multiple certificates in a batch by creating a directory, copying multiple .csr files into that directory, and then specifying that directory on the command line. The following commands show how to create a batch of certificates given a batch of CSRs. Assuming a set of CSRs are located inside of the directory my-csr-directory: On Linux and OS X, the command is: `ls my-csr-directory/ \| xargs -I {} aws iot create-certificate-from-csr --certificate-signing-request file://my-csr-directory/{}`. This command lists all of the CSRs in my-csr-directory and pipes each CSR file name to the aws iot create-certificate-from-csr AWS CLI command to create a certificate for the corresponding CSR. The aws iot create-certificate-from-csr part of the command can also be run in parallel to speed up the certificate creation process: `ls my-csr-directory/ \| xargs -P 10 -I {} aws iot create-certificate-from-csr --certificate-signing-request file://my-csr-directory/{}`. On Windows PowerShell, the command to create certificates for all CSRs in my-csr-directory is: `ls -Name my-csr-directory \| %{aws iot create-certificate-from-csr --certificate-signing-request file://my-csr-directory/$_}`. On a Windows command prompt, the command to create certificates for all CSRs in my-csr-directory is: `forfiles /p my-csr-directory /c "cmd /c aws iot create-certificate-from-csr --certificate-signing-request file://@path"` |
| create-custom-metric | Use this API to define a Custom Metric published by your devices to Device Defender |
| create-dimension | Create a dimension that you can use to limit the scope of a metric used in a security profile for AWS IoT Device Defender. For example, using a TOPIC_FILTER dimension, you can narrow down the scope of the metric only to MQTT topics whose name match the pattern specified in the dimension |
| create-domain-configuration | Creates a domain configuration. The domain configuration feature is in public preview and is subject to change |
| create-dynamic-thing-group | Creates a dynamic thing group |
| create-job | Creates a job |
| create-keys-and-certificate | Creates a 2048-bit RSA key pair and issues an X.509 certificate using the issued public key. You can also call CreateKeysAndCertificate over MQTT from a device; for more information, see Provisioning MQTT API. Note: This is the only time AWS IoT issues the private key for this certificate, so it is important to keep it in a secure location |
| create-mitigation-action | Defines an action that can be applied to audit findings by using StartAuditMitigationActionsTask. Only certain types of mitigation actions can be applied to specific check names. For more information, see Mitigation actions. Each mitigation action can apply only one type of change |
| create-ota-update | Creates an AWS IoT OTAUpdate on a target group of things or groups |
| create-policy | Creates an AWS IoT policy. The created policy is the default version for the policy. This operation creates a policy version with a version identifier of 1 and sets 1 as the policy's default version |
| create-policy-version | Creates a new version of the specified AWS IoT policy. To update a policy, create a new policy version. A managed policy can have up to five versions. If the policy has five versions, you must use DeletePolicyVersion to delete an existing version before you create a new one. Optionally, you can set the new version as the policy's default version. The default version is the operative version (that is, the version that is in effect for the certificates to which the policy is attached) |
| create-provisioning-claim | Creates a provisioning claim |
| create-provisioning-template | Creates a fleet provisioning template |
| create-provisioning-template-version | Creates a new version of a fleet provisioning template |
| create-role-alias | Creates a role alias |
| create-scheduled-audit | Creates a scheduled audit that is run at a specified time interval |
| create-security-profile | Creates a Device Defender security profile |
| create-stream | Creates a stream for delivering one or more large files in chunks over MQTT. A stream transports data bytes in chunks or blocks packaged as MQTT messages from a source like S3. You can have one or more files associated with a stream |
| create-thing | Creates a thing record in the registry. If this call is made multiple times using the same thing name and configuration, the call will succeed. If this call is made with the same thing name but different configuration a ResourceAlreadyExistsException is thrown. This is a control plane operation. See Authorization for information about authorizing control plane actions |
| create-thing-group | Create a thing group. This is a control plane operation. See Authorization for information about authorizing control plane actions |
| create-thing-type | Creates a new thing type |
| create-topic-rule | Creates a rule. Creating rules is an administrator-level action. Any user who has permission to create rules will be able to access data processed by the rule |
| create-topic-rule-destination | Creates a topic rule destination. The destination must be confirmed prior to use |
| delete-account-audit-configuration | Restores the default settings for Device Defender audits for this account. Any configuration data you entered is deleted and all audit checks are reset to disabled |
| delete-audit-suppression | Deletes a Device Defender audit suppression |
| delete-authorizer | Deletes an authorizer |
| delete-billing-group | Deletes the billing group |
| delete-ca-certificate | Deletes a registered CA certificate |
| delete-certificate | Deletes the specified certificate. A certificate cannot be deleted if it has a policy or IoT thing attached to it or if its status is set to ACTIVE. To delete a certificate, first use the DetachPrincipalPolicy API to detach all policies. Next, use the UpdateCertificate API to set the certificate to the INACTIVE status |
| delete-custom-metric | Before you can delete a custom metric, you must first remove the custom metric from all security profiles it's a part of. The security profile associated with the custom metric can be found using the ListSecurityProfiles API with metricName set to your custom metric name. Deletes a Device Defender detect custom metric |
| delete-dimension | Removes the specified dimension from your AWS account |
| delete-domain-configuration | Deletes the specified domain configuration. The domain configuration feature is in public preview and is subject to change |
| delete-dynamic-thing-group | Deletes a dynamic thing group |
| delete-job | Deletes a job and its related job executions. Deleting a job may take time, depending on the number of job executions created for the job and various other factors. While the job is being deleted, the status of the job will be shown as "DELETION_IN_PROGRESS". Attempting to delete or cancel a job whose status is already "DELETION_IN_PROGRESS" will result in an error. Only 10 jobs may have status "DELETION_IN_PROGRESS" at the same time, or a LimitExceededException will occur |
| delete-job-execution | Deletes a job execution |
| delete-mitigation-action | Deletes a defined mitigation action from your AWS account |
| delete-ota-update | Delete an OTA update |
| delete-policy | Deletes the specified policy. A policy cannot be deleted if it has non-default versions or it is attached to any certificate. To delete a policy, use the DeletePolicyVersion API to delete all non-default versions of the policy; use the DetachPrincipalPolicy API to detach the policy from any certificate; and then use the DeletePolicy API to delete the policy. When a policy is deleted using DeletePolicy, its default version is deleted with it |
| delete-policy-version | Deletes the specified version of the specified policy. You cannot delete the default version of a policy using this API. To delete the default version of a policy, use DeletePolicy. To find out which version of a policy is marked as the default version, use ListPolicyVersions |
| delete-provisioning-template | Deletes a fleet provisioning template |
| delete-provisioning-template-version | Deletes a fleet provisioning template version |
| delete-registration-code | Deletes a CA certificate registration code |
| delete-role-alias | Deletes a role alias |
| delete-scheduled-audit | Deletes a scheduled audit |
| delete-security-profile | Deletes a Device Defender security profile |
| delete-stream | Deletes a stream |
| delete-thing | Deletes the specified thing. Returns successfully with no error if the deletion is successful or you specify a thing that doesn't exist |
| delete-thing-group | Deletes a thing group |
| delete-thing-type | Deletes the specified thing type. You cannot delete a thing type if it has things associated with it. To delete a thing type, first mark it as deprecated by calling DeprecateThingType, then remove any associated things by calling UpdateThing to change the thing type on any associated thing, and finally use DeleteThingType to delete the thing type |
| delete-topic-rule | Deletes the rule |
| delete-topic-rule-destination | Deletes a topic rule destination |
| delete-v2-logging-level | Deletes a logging level |
| deprecate-thing-type | Deprecates a thing type. You cannot associate new things with a deprecated thing type |
| describe-account-audit-configuration | Gets information about the Device Defender audit settings for this account. Settings include how audit notifications are sent and which audit checks are enabled or disabled |
| describe-audit-finding | Gets information about a single audit finding. Properties include the reason for noncompliance, the severity of the issue, and the start time when the audit that returned the finding |
| describe-audit-mitigation-actions-task | Gets information about an audit mitigation task that is used to apply mitigation actions to a set of audit findings. Properties include the actions being applied, the audit checks to which they're being applied, the task status, and aggregated task statistics |
| describe-audit-suppression | Gets information about a Device Defender audit suppression |
| describe-audit-task | Gets information about a Device Defender audit |
| describe-authorizer | Describes an authorizer |
| describe-billing-group | Returns information about a billing group |
| describe-ca-certificate | Describes a registered CA certificate |
| describe-certificate | Gets information about the specified certificate |
| describe-custom-metric | Gets information about a Device Defender detect custom metric |
| describe-default-authorizer | Describes the default authorizer |
| describe-detect-mitigation-actions-task | Gets information about a Device Defender ML Detect mitigation action |
| describe-dimension | Provides details about a dimension that is defined in your AWS account |
| describe-domain-configuration | Gets summary information about a domain configuration. The domain configuration feature is in public preview and is subject to change |
| describe-endpoint | Returns a unique endpoint specific to the AWS account making the call |
| describe-event-configurations | Describes event configurations |
| describe-index | Describes a search index |
| describe-job | Describes a job |
| describe-job-execution | Describes a job execution |
| describe-mitigation-action | Gets information about a mitigation action |
| describe-provisioning-template | Returns information about a fleet provisioning template |
| describe-provisioning-template-version | Returns information about a fleet provisioning template version |
| describe-role-alias | Describes a role alias |
| describe-scheduled-audit | Gets information about a scheduled audit |
| describe-security-profile | Gets information about a Device Defender security profile |
| describe-stream | Gets information about a stream |
| describe-thing | Gets information about the specified thing |
| describe-thing-group | Describe a thing group |
| describe-thing-registration-task | Describes a bulk thing provisioning task |
| describe-thing-type | Gets information about the specified thing type |
| detach-policy | Detaches a policy from the specified target |
| detach-principal-policy | Removes the specified policy from the specified certificate. Note: This API is deprecated. Please use DetachPolicy instead |
| detach-security-profile | Disassociates a Device Defender security profile from a thing group or from this account |
| detach-thing-principal | Detaches the specified principal from the specified thing. A principal can be X.509 certificates, IAM users, groups, and roles, Amazon Cognito identities or federated identities. This call is asynchronous. It might take several seconds for the detachment to propagate |
| disable-topic-rule | Disables the rule |
| enable-topic-rule | Enables the rule |
| get-behavior-model-training-summaries | Returns a Device Defender's ML Detect Security Profile training model's status |
| get-cardinality | Returns the approximate count of unique values that match the query |
| get-effective-policies | Gets a list of the policies that have an effect on the authorization behavior of the specified device when it connects to the AWS IoT device gateway |
| get-indexing-configuration | Gets the indexing configuration |
| get-job-document | Gets a job document |
| get-logging-options | Gets the logging options. NOTE: use of this command is not recommended. Use GetV2LoggingOptions instead |
| get-ota-update | Gets an OTA update |
| get-percentiles | Groups the aggregated values that match the query into percentile groupings. The default percentile groupings are: 1,5,25,50,75,95,99, although you can specify your own when you call GetPercentiles. This function returns a value for each percentile group specified (or the default percentile groupings). The percentile group "1" contains the aggregated field value that occurs in approximately one percent of the values that match the query. The percentile group "5" contains the aggregated field value that occurs in approximately five percent of the values that match the query, and so on. The result is an approximation; the more values that match the query, the more accurate the percentile values |
| get-policy | Gets information about the specified policy with the policy document of the default version |
| get-policy-version | Gets information about the specified policy version |
| get-registration-code | Gets a registration code used to register a CA certificate with AWS IoT |
| get-statistics | Returns the count, average, sum, minimum, maximum, sum of squares, variance, and standard deviation for the specified aggregated field. If the aggregation field is of type String, only the count statistic is returned |
| get-topic-rule | Gets information about the rule |
| get-topic-rule-destination | Gets information about a topic rule destination |
| get-v2-logging-options | Gets the fine grained logging options |
| list-active-violations | Lists the active violations for a given Device Defender security profile |
| list-attached-policies | Lists the policies attached to the specified thing group |
| list-audit-findings | Lists the findings (results) of a Device Defender audit or of the audits performed during a specified time period. (Findings are retained for 90 days.) |
| list-audit-mitigation-actions-executions | Gets the status of audit mitigation action tasks that were executed |
| list-audit-mitigation-actions-tasks | Gets a list of audit mitigation action tasks that match the specified filters |
| list-audit-suppressions | Lists your Device Defender audit listings |
| list-audit-tasks | Lists the Device Defender audits that have been performed during a given time period |
| list-authorizers | Lists the authorizers registered in your account |
| list-billing-groups | Lists the billing groups you have created |
| list-ca-certificates | Lists the CA certificates registered for your AWS account. The results are paginated with a default page size of 25. You can use the returned marker to retrieve additional results |
| list-certificates | Lists the certificates registered in your AWS account. The results are paginated with a default page size of 25. You can use the returned marker to retrieve additional results |
| list-certificates-by-ca | List the device certificates signed by the specified CA certificate |
| list-custom-metrics | Lists your Device Defender detect custom metrics |
| list-detect-mitigation-actions-executions | Lists mitigation actions executions for a Device Defender ML Detect Security Profile |
| list-detect-mitigation-actions-tasks | List of Device Defender ML Detect mitigation actions tasks |
| list-dimensions | List the set of dimensions that are defined for your AWS account |
| list-domain-configurations | Gets a list of domain configurations for the user. This list is sorted alphabetically by domain configuration name. The domain configuration feature is in public preview and is subject to change |
| list-indices | Lists the search indices |
| list-job-executions-for-job | Lists the job executions for a job |
| list-job-executions-for-thing | Lists the job executions for the specified thing |
| list-jobs | Lists jobs |
| list-mitigation-actions | Gets a list of all mitigation actions that match the specified filter criteria |
| list-ota-updates | Lists OTA updates |
| list-outgoing-certificates | Lists certificates that are being transferred but not yet accepted |
| list-policies | Lists your policies |
| list-policy-principals | Lists the principals associated with the specified policy. Note: This API is deprecated. Please use ListTargetsForPolicy instead |
| list-policy-versions | Lists the versions of the specified policy and identifies the default version |
| list-principal-policies | Lists the policies attached to the specified principal. If you use a Cognito identity, the ID must be in Amazon Cognito Identity format. Note: This API is deprecated. Please use ListAttachedPolicies instead |
| list-principal-things | Lists the things associated with the specified principal. A principal can be X.509 certificates, IAM users, groups, and roles, Amazon Cognito identities or federated identities |
| list-provisioning-template-versions | A list of fleet provisioning template versions |
| list-provisioning-templates | Lists the fleet provisioning templates in your AWS account |
| list-role-aliases | Lists the role aliases registered in your account |
| list-scheduled-audits | Lists all of your scheduled audits |
| list-security-profiles | Lists the Device Defender security profiles you've created. You can filter security profiles by dimension or custom metric. dimensionName and metricName cannot be used in the same request |
| list-security-profiles-for-target | Lists the Device Defender security profiles attached to a target (thing group) |
| list-streams | Lists all of the streams in your AWS account |
| list-tags-for-resource | Lists the tags (metadata) you have assigned to the resource |
| list-targets-for-policy | List targets for the specified policy |
| list-targets-for-security-profile | Lists the targets (thing groups) associated with a given Device Defender security profile |
| list-thing-groups | List the thing groups in your account |
| list-thing-groups-for-thing | List the thing groups to which the specified thing belongs |
| list-thing-principals | Lists the principals associated with the specified thing. A principal can be X.509 certificates, IAM users, groups, and roles, Amazon Cognito identities or federated identities |
| list-thing-registration-task-reports | Information about the thing registration tasks |
| list-thing-registration-tasks | List bulk thing provisioning tasks |
| list-thing-types | Lists the existing thing types |
| list-things | Lists your things. Use the attributeName and attributeValue parameters to filter your things. For example, calling ListThings with attributeName=Color and attributeValue=Red retrieves all things in the registry that contain an attribute Color with the value Red. You will not be charged for calling this API if an Access denied error is returned. You will also not be charged if no attributes or pagination token was provided in request and no pagination token and no results were returned |
| list-things-in-billing-group | Lists the things you have added to the given billing group |
| list-things-in-thing-group | Lists the things in the specified group |
| list-topic-rule-destinations | Lists all the topic rule destinations in your AWS account |
| list-topic-rules | Lists the rules for the specific topic |
| list-v2-logging-levels | Lists logging levels |
| list-violation-events | Lists the Device Defender security profile violations discovered during the given time period. You can use filters to limit the results to those alerts issued for a particular security profile, behavior, or thing (device) |
| register-ca-certificate | Registers a CA certificate with AWS IoT. This CA certificate can then be used to sign device certificates, which can be then registered with AWS IoT. You can register up to 10 CA certificates per AWS account that have the same subject field. This enables you to have up to 10 certificate authorities sign your device certificates. If you have more than one CA certificate registered, make sure you pass the CA certificate when you register your device certificates with the RegisterCertificate API |
| register-certificate | Registers a device certificate with AWS IoT. If you have more than one CA certificate that has the same subject field, you must specify the CA certificate that was used to sign the device certificate being registered |
| register-certificate-without-ca | Register a certificate that does not have a certificate authority (CA) |
| register-thing | Provisions a thing in the device registry. RegisterThing calls other AWS IoT control plane APIs. These calls might exceed your account level AWS IoT Throttling Limits and cause throttle errors. Please contact AWS Customer Support to raise your throttling limits if necessary |
| reject-certificate-transfer | Rejects a pending certificate transfer. After AWS IoT rejects a certificate transfer, the certificate status changes from PENDING_TRANSFER to INACTIVE. To check for pending certificate transfers, call ListCertificates to enumerate your certificates. This operation can only be called by the transfer destination. After it is called, the certificate will be returned to the source's account in the INACTIVE state |
| remove-thing-from-billing-group | Removes the given thing from the billing group |
| remove-thing-from-thing-group | Remove the specified thing from the specified group. You must specify either a thingGroupArn or a thingGroupName to identify the thing group and either a thingArn or a thingName to identify the thing to remove from the thing group |
| replace-topic-rule | Replaces the rule. You must specify all parameters for the new rule. Creating rules is an administrator-level action. Any user who has permission to create rules will be able to access data processed by the rule |
| search-index | The query search index |
| set-default-authorizer | Sets the default authorizer. This will be used if a websocket connection is made without specifying an authorizer |
| set-default-policy-version | Sets the specified version of the specified policy as the policy's default (operative) version. This action affects all certificates to which the policy is attached. To list the principals the policy is attached to, use the ListPrincipalPolicy API |
| set-logging-options | Sets the logging options. NOTE: use of this command is not recommended. Use SetV2LoggingOptions instead |
| set-v2-logging-level | Sets the logging level |
| set-v2-logging-options | Sets the logging options for the V2 logging service |
| start-audit-mitigation-actions-task | Starts a task that applies a set of mitigation actions to the specified target |
| start-detect-mitigation-actions-task | Starts a Device Defender ML Detect mitigation actions task |
| start-on-demand-audit-task | Starts an on-demand Device Defender audit |
| start-thing-registration-task | Creates a bulk thing provisioning task |
| stop-thing-registration-task | Cancels a bulk thing provisioning task |
| tag-resource | Adds to or modifies the tags of the given resource. Tags are metadata which can be used to manage a resource |
| test-authorization | Tests if a specified principal is authorized to perform an AWS IoT action on a specified resource. Use this to test and debug the authorization behavior of devices that connect to the AWS IoT device gateway |
| test-invoke-authorizer | Tests a custom authorization behavior by invoking a specified custom authorizer. Use this to test and debug the custom authorization behavior of devices that connect to the AWS IoT device gateway |
| transfer-certificate | Transfers the specified certificate to the specified AWS account. You can cancel the transfer until it is acknowledged by the recipient. No notification is sent to the transfer destination's account. It is up to the caller to notify the transfer target. The certificate being transferred must not be in the ACTIVE state. You can use the UpdateCertificate API to deactivate it. The certificate must not have any policies attached to it. You can use the DetachPrincipalPolicy API to detach them |
| untag-resource | Removes the given tags (metadata) from the resource |
| update-account-audit-configuration | Configures or reconfigures the Device Defender audit settings for this account. Settings include how audit notifications are sent and which audit checks are enabled or disabled |
| update-audit-suppression | Updates a Device Defender audit suppression |
| update-authorizer | Updates an authorizer |
| update-billing-group | Updates information about the billing group |
| update-ca-certificate | Updates a registered CA certificate |
| update-certificate | Updates the status of the specified certificate. This operation is idempotent. Certificates must be in the ACTIVE state to authenticate devices that use a certificate to connect to AWS IoT. Within a few minutes of updating a certificate from the ACTIVE state to any other state, AWS IoT disconnects all devices that used that certificate to connect. Devices cannot use a certificate that is not in the ACTIVE state to reconnect |
| update-custom-metric | Updates a Device Defender detect custom metric |
| update-dimension | Updates the definition for a dimension. You cannot change the type of a dimension after it is created (you can delete it and recreate it) |
| update-domain-configuration | Updates values stored in the domain configuration. Domain configurations for default endpoints can't be updated. The domain configuration feature is in public preview and is subject to change |
| update-dynamic-thing-group | Updates a dynamic thing group |
| update-event-configurations | Updates the event configurations |
| update-indexing-configuration | Updates the search configuration |
| update-job | Updates supported fields of the specified job |
| update-mitigation-action | Updates the definition for the specified mitigation action |
| update-provisioning-template | Updates a fleet provisioning template |
| update-role-alias | Updates a role alias |
| update-scheduled-audit | Updates a scheduled audit, including which checks are performed and how often the audit takes place |
| update-security-profile | Updates a Device Defender security profile |
| update-stream | Updates an existing stream. The stream version will be incremented by one |
| update-thing | Updates the data for a thing |
| update-thing-group | Update a thing group |
| update-thing-groups-for-thing | Updates the groups to which the thing belongs |
| update-topic-rule-destination | Updates a topic rule destination. You use this to change the status, endpoint URL, or confirmation URL of the destination |
| validate-security-profile-behaviors | Validates a Device Defender security profile behaviors specification |