amazon-web-services amazon-cognito mqtt aws-iot aws-iot-core

How to allow an admin to override user IoT commands in AWS IoT Core (Device Shadow)?

I’m working with AWS IoT Core and using Device Shadows to control an IoT device (ESP32 connected to a relay to turn ON/OFF a motor), Right now, any user can turn the motor ON/OFF by updating the device shadow with:

"state": {
    "desired": {
        "status": "ON",
        "duration": 5,
    }
}

Current architecture

Users send a shadow update
ESP32 listens to the delta shadow update topic and switches the motor ON
A Lambda function listens to delta updates and triggers a Step Function for delayed shutdown.
After the delay, another Lambda updates the shadow state.desired.status: "OFF"

What I Need Help With

I want to introduce an admin role that can:

Override any user command and immediately turn the motor OFF.
Turn the motor ON indefinitely (without a time limit).

My Questions:

What is the best practice for enforcing admin control in AWS IoT Core involving Device Shadows?
Should I handle this in shadow update logic, IAM policies, AWS Cognito roles, or MQTT topic separation?
How do I prevent users from overriding an admin's action?

Would appreciate any guidance or examples!

Solution

To override a user command and immediately turn the motor OFF, we can use AWS Step Functions with a conditional check for adminOverride. If adminOverride is true, the Step Function bypasses the usual delay and immediately triggers the motor shutdown via a Lambda function.

How It Works

AWS IoT Rules detects when an admin publishes to a certain topic which triggers the AWS Step Function with payload adminOverride property set to to true
The Step Function checks for adminOverride.
- If true, it triggers the motor shutdown immediately.
- Otherwise, it follows the default wait time before shutting down the motor.

Step Function Definition

{
  "Comment": "Conditional flow with admin override OR delay",
  "StartAt": "Check Admin Override",
  "States": {
    "Check Admin Override": {
      "Type": "Choice",
      "Choices": [
        {
          "Variable": "$.adminOverride",
          "BooleanEquals": true,
          "Next": "TriggerMotorShutdown"
        }
      ],
      "Default": "Wait"
    },
    "Wait": {
      "Type": "Wait",
      "TimestampPath": "$.delayTimestamp",
      "Next": "TriggerMotorShutdown"
    },
    "TriggerMotorShutdown": {
      "Type": "Task",
      "Resource": "arn:aws:states:::lambda:invoke",
      "OutputPath": "$.Payload",
      "Parameters": {
        "FunctionName": "arn:aws:lambda:us-east-1:xxxxxxxxxx:function:TriggerMotorShutdown:$LATEST",
        "Payload": {
          "input.$": "$"
        }
      },
      "Retry": [
        {
          "ErrorEquals": [
            "Lambda.ServiceException",
            "Lambda.AWSLambdaException",
            "Lambda.SdkClientException",
            "Lambda.TooManyRequestsException"
          ],
          "IntervalSeconds": 1,
          "MaxAttempts": 3,
          "BackoffRate": 2,
          "JitterStrategy": "FULL"
        }
      ],
      "End": true
    }
  }
}