AWS Security ChangesHomeSearch

AWS iot-sitewise documentation change

Service: iot-sitewise · 2025-06-13 · Documentation low

File: iot-sitewise/latest/userguide/add-auth-rules-database-emqx-broker-windows.md

Summary

Replaced manual ACL file creation steps with automated CLI tool usage for EMQX broker authorization rules

Security assessment

The change replaces error-prone manual configuration with an automated tool that enforces secure defaults (localhost-only access). While this improves security posture by reducing misconfiguration risks, there's no evidence of addressing a specific existing vulnerability. The security implications are preventive rather than reactive.

Diff

diff --git a/iot-sitewise/latest/userguide/add-auth-rules-database-emqx-broker-windows.md b/iot-sitewise/latest/userguide/add-auth-rules-database-emqx-broker-windows.md
index 1010bdae0..3db076d66 100644
--- a//iot-sitewise/latest/userguide/add-auth-rules-database-emqx-broker-windows.md
+++ b//iot-sitewise/latest/userguide/add-auth-rules-database-emqx-broker-windows.md
@@ -13 +13 @@ This section covers configuring authorization rules using the built-in database
-  2. Navigate to the following directory: 
+  2. Run the AWS IoT SiteWise EMQX CLI tool: 
@@ -15 +15 @@ This section covers configuring authorization rules using the built-in database
-        C:\greengrass\v2\work\aws.greengrass.clientdevices.mqtt.EMQX\v2\data 
+        C:\greengrass\v2\bin\swe-emqx-cli.ps1 acl init
@@ -17 +17 @@ This section covers configuring authorization rules using the built-in database
-  3. Open the `authz` folder. If the folder doesn't exist, create it.
+The tool automatically creates and applies ACL rules allowing connections from localhost (127.0.0.1) to the broker. It allows access to all topics. This includes the IoT SiteWise OPC UA collector and IoT SiteWise publisher.
@@ -19,42 +19 @@ This section covers configuring authorization rules using the built-in database
-  4. Create an Access Control List (ACL) file called `acl.conf`.
-
-  5. Paste the following content in the `acl.conf` file:
-    
-        %%--------------------------------------------------------------------
-    %% -type(ipaddr() :: {ipaddr, string()}).
-    %%
-    %% -type(ipaddrs() :: {ipaddrs, string()}).
-    %%
-    %% -type(username() :: {user | username, string()} | {user | username, {re, regex()}}).
-    %%
-    %% -type(clientid() :: {client | clientid, string()} | {client | clientid, {re, regex()}}).
-    %%
-    %% -type(who() :: ipaddr() | ipaddrs() |username() | clientid() |
-    %%                {'and', [ipaddr() | ipaddrs()| username() | clientid()]} |
-    %%                {'or',  [ipaddr() | ipaddrs()| username() | clientid()]} |
-    %%                all).
-    %%
-    %% -type(action() :: subscribe | publish | all).
-    %%
-    %% -type(topic_filters() :: string()).
-    %%
-    %% -type(topics() :: [topic_filters() | {eq, topic_filters()}]).
-    %%
-    %% -type(permission() :: allow | deny).
-    %%
-    %% -type(rule() :: {permission(), who(), access(), topics()} | {permission(), all}).
-    %%--------------------------------------------------------------------
-    
-    {allow, {ipaddr, "127.0.0.1"}, all, ["$SYS/#", "#"]}.
-    
-    {deny, all}.
-
-This policy allows all connections from within the gateway host to connect to the broker, publish, and subscribe to all topics. This includes the IoT SiteWise OPC UA collector and IoT SiteWise publisher.
-
-  6. Save the file.
-
-###### Note
-
-At this point, the rules are written to the file but not yet applied.
-
-  7. Proceed to [Update the EMQX deployment configuration for authorization](./update-emqx-broker-authorization.html).
+  3. Proceed to [Update the EMQX deployment configuration for authorization](./update-emqx-broker-authorization.html).