AWS IoT: Receive vs Subscribe

How do the iot:Receive and iot:Subscribe actions differ?

When setting up permissions for your devices in AWS IoT Core, you will see a pair of actions that might seem similar at first glance: iot:Receive and iot:Subscribe. While both are crucial for message handling, they govern different aspects of how your MQTT clients interact with the AWS IoT message broker.

iot:Subscribe

This is the permission a client needs to register its interest in receiving messages on one or more MQTT topics. When a client wants to be notified of messages published to topics like my/device/data, it needs the iot:Subscribe permission for those specific topic filters.

Essentially, this action allows the client to tell the AWS IoT message broker, "Hey, if you see any messages matching this pattern, please send them my way!" Without this permission, the broker won't allow the client to even create a subscription.

iot:Receive

Now, once a client has successfully subscribed to a topic (thanks to iot:Subscribe), the iot:Receive permission comes into play. This action governs the actual delivery of messages from the AWS IoT message broker to the subscribed client.

So, even if a client has the iot:Subscribe permission for my/device/data and has an active subscription, it still needs the iot:Receive permission on that topic for the messages to be forwarded to it by the broker.
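To make the two-stage gating concrete, here is an added example (not from the original article and not AWS's own evaluator) that models how a policy is checked first at subscribe time and again at delivery time. It goes slightly beyond the text by using a wildcard subscription: the client subscribes to my/device/# once, and iot:Receive then decides per message whether each topic under that filter is actually delivered. The policy document, the account and region values, and all topic names are constructed placeholders; the evaluator is a deliberately reduced model (explicit Deny wins, otherwise an Allow is required, only `*`/`?` resource wildcards). It does use the real resource ARN forms: iot:Subscribe is evaluated against `topicfilter/...` and iot:Receive against `topic/...`.

```python
"""Simplified model of how AWS IoT Core gates a subscription (iot:Subscribe)
separately from message delivery (iot:Receive).

Added example for illustration only. The policy below is constructed, the
account id and region are placeholders, and the evaluator is a reduced model
of IoT policy evaluation, not the AWS implementation."""
import re

REGION = "us-east-1"        # placeholder region
ACCOUNT = "123456789012"    # placeholder account id


def topic_arn(topic: str) -> str:
    # Resource type checked for iot:Publish and iot:Receive (the concrete topic)
    return f"arn:aws:iot:{REGION}:{ACCOUNT}:topic/{topic}"


def topicfilter_arn(topic_filter: str) -> str:
    # Resource type checked for iot:Subscribe (the filter the client asked for)
    return f"arn:aws:iot:{REGION}:{ACCOUNT}:topicfilter/{topic_filter}"


# Constructed policy: the device may subscribe to anything under my/device/
# and receive messages there, except that delivery of my/device/secret is denied.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Subscribe",
         "Resource": topicfilter_arn("my/device/*")},
        {"Effect": "Allow", "Action": "iot:Receive",
         "Resource": topic_arn("my/device/*")},
        {"Effect": "Deny", "Action": "iot:Receive",
         "Resource": topic_arn("my/device/secret")},
    ],
}


def arn_matches(pattern: str, arn: str) -> bool:
    # Policy resource wildcards: '*' matches any run of characters, '?' one character
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, arn) is not None


def is_allowed(policy: dict, action: str, resource_arn: str) -> bool:
    """Reduced policy evaluation: an explicit Deny always wins; otherwise at least
    one matching Allow is needed."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if action not in actions:
            continue
        if not any(arn_matches(r, resource_arn) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def mqtt_filter_matches(topic_filter: str, topic: str) -> bool:
    # MQTT semantics: '+' matches exactly one level, '#' matches all remaining levels
    f, t = topic_filter.split("/"), topic.split("/")
    for i, level in enumerate(f):
        if level == "#":
            return True
        if i >= len(t) or (level != "+" and level != t[i]):
            return False
    return len(f) == len(t)


def can_subscribe(policy: dict, topic_filter: str) -> bool:
    return is_allowed(policy, "iot:Subscribe", topicfilter_arn(topic_filter))


def can_receive(policy: dict, topic: str) -> bool:
    return is_allowed(policy, "iot:Receive", topic_arn(topic))


def simulate_delivery(policy: dict, topic_filter: str, published_topics: list) -> dict:
    """Outcome per published topic for a client that tries to hold a subscription
    to topic_filter: the SUBSCRIBE is gated by iot:Subscribe, each delivery by iot:Receive."""
    if not can_subscribe(policy, topic_filter):
        return {t: "subscription refused" for t in published_topics}
    outcome = {}
    for t in published_topics:
        if not mqtt_filter_matches(topic_filter, t):
            outcome[t] = "not matched by subscription"
        elif can_receive(policy, t):
            outcome[t] = "delivered"
        else:
            outcome[t] = "subscribed but iot:Receive denied"
    return outcome


if __name__ == "__main__":
    published = ["my/device/data", "my/device/secret", "other/device/data"]
    for topic, result in simulate_delivery(POLICY, "my/device/#", published).items():
        print(f"{topic:20} -> {result}")
    print(simulate_delivery(POLICY, "other/#", ["other/device/data"]))
```

Running it shows the three distinct outcomes: my/device/data is delivered, my/device/secret is matched by the live subscription but withheld because iot:Receive is denied, and a subscription to other/# is refused outright because iot:Subscribe does not cover that filter. This is the practical reason the two actions are separate: iot:Subscribe is checked once, against the filter, when the client subscribes, while iot:Receive is checked against each concrete topic at delivery time, so it can narrow (or later revoke) what a wildcard subscription actually delivers without the client having to resubscribe.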