如何限制AWS物联网发布/订阅AWS物联网核心中的某些主题?

我正在动态创建一个AWS-IoT东西,它可以发布任何主题,并且可以在AWS-IoT核心代理中侦听任何主题。

我使用的策略非常广泛,这个东西可以执行服务器中的所有操作:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:*",
      "Resource": "*"
    }
  ]
}

TOPICS-TEST/# . 尽管我们在代理中有许多不同的主题,但我希望这个东西只能访问以 TOPICS-TEST/ .

this documentation 我制定了这个政策:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iot:Connect"
            ],
            "Resource": [
                "arn:aws:iot:us-east-1:xxxx:client/${iot:Connection.Thing.ThingName}"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iot:Subscribe"
            ],
            "Resource": [
                "arn:aws:iot:us-east-1:xxxx:topicfilter/TOPICS-TEST/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iot:Receive"
            ],
            "Resource": [
                "arn:aws:iot:us-east-1:xxxx:topicfilter/TOPICS-TEST/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iot:Publish"
            ],
            "Resource": [
                "arn:aws:iot:us-east-1:xxxx:topicfilter/TOPICS-TEST/*"
            ]
    }
    ]
}

以前的策略不起作用。 我错过了什么?