Copyright © 2023 The Author(s): This is an open-access article distributed under the terms of the Creative 
Commons Attribution 4.0 International License (CC BY-NC 4.0) which permits unrestricted use, distribution, 
and reproduction in any medium for non-commercial use provided the original author and source are credited. 
 
 
International Journal of Scientific Research in Science and Technology 
Print ISSN: 2395-6011 | Online ISSN: 2395-602X (www.ijsrst.com) 
doi : https://doi.org/10.32628/IJSRST523103161
995 
Attribute 
– Based Access Control for AWS Internet of Things- A 
Review
Pragya Bharti
1
, Jeetendra Singh Yadav
2
1
M. Tech Research Scholar, Computer Science Engineering, Bhabha Engineering Research Institute Bhopal 
Bhabha University Bhopal, Madhya Pradesh, India
2
Assistant Professor, Computer Science Engineering, Bhabha Engineering Research Institute Bhopal Bhabha 
University Bhopal, Madhya Pradesh, India
A
R
T
I
C
L
E
I
N
F
O 
A
B
S
T
R
A
C
T 
Article History: 
Accepted: 05 June 2023 
Published: 20 June 2023 
The rapid proliferation of Internet of Things (IoT) devices has presented 
significant security challenges, necessitating effective access control 
mechanisms. Attribute-Based Access Control (ABAC) has emerged as a 
promising approach for managing access to IoT resources in a flexible and 
fine-grained manner. This review paper provides a comprehensive analysis of 
ABAC for AWS Internet of Things, evaluating its implementation, 
effectiveness, and integration with other security features. The paper begins 
by outlining the fundamental principles and advantages of ABAC over 
traditional access control models. It then delves into the specific 
implementation of ABAC within the context of AWS IoT services, exploring 
the key components and mechanisms involved. Notably, the role of attributes, 
such as user attributes, resource attributes, and environmental attributes, in 
defining access policies is highlighted. Furthermore, the review investigates 
the integration of ABAC with other security features of AWS IoT, including 
Identity and Access Management (IAM), Security Groups, and AWS IoT 
Policies. It examines the interactions and dependencies between these 
components, providing insights into how ABAC can be effectively combined 
with existing security measures to enhance overall IoT security. The 
scalability, performance, and manageability aspects of ABAC for AWS IoT are 
also evaluated. The challenges and considerations in deploying ABAC in large-
scale IoT environments are discussed, along with recommendations for 
optimizing performance and usability Additionally, the review identifies 
current research trends and future directions in ABAC for AWS IoT. Emphasis 
is placed on the need for standardized protocols, interoperability, and 
advanced analytics techniques to enable more sophisticated access control 
mechanisms for the expanding IoT ecosystem.
Keywords : Attribute-Based Access Control, ABAC, AWS Internet of Things, 
IoT security, access control models.
Publication Issue 
Volume 10, Issue 3 
May-June-2023 
Page Number
995-1009 

International Journal of Scientific Research in Science and Technology (www.ijsrst.com) | Volume 10 | Issue 3 
Pragya Bharti et al Int J Sci Res Sci & Technol. May-June-2023, 10 (3) : 995-1009 
995 
I.
INTRODUCTION 
Attribute-Based Access Control (ABAC) is a security 
model that provides a flexible and dynamic approach 
to access control. It allows you to define access 
policies based on attributes associated with users, 
devices, or any other relevant entity. In the context of 
AWS Internet of Things (IoT), ABAC can be applied 
to control access to IoT resources, such as devices, 
data streams, and actions. AWS IoT provides a 
comprehensive platform for building and managing 
IoT applications. With ABAC, you can define fine-
grained access policies that consider various attributes, 
such as device type, location, ownership, and device 
state. These attributes can be dynamically evaluated 
during runtime to determine whether a user or device 
should be granted access to a particular resource or 
perform a specific action[1] 
ABAC in AWS IoT is typically implemented using 
AWS Identity and Access Management (IAM) policies 
and AWS IoT policies. IAM policies define access 
permissions for users and roles, while IoT policies are 
used to control access to IoT resources. By combining 
these policies with attribute-based conditions, you 
can create more flexible and context-aware access 
control rules. 
For example, you can create an access policy that 
allows only specific device types to publish data to an 
AWS IoT topic. This can be achieved by defining an 
attribute-based condition in the IoT policy associated 
with the topic, specifying the required device type 
attribute. Only devices that match the specified 
attribute value will be allowed to publish data to the 
topic[2]. 
By leveraging ABAC in AWS IoT, you can enhance 
the security and granularity of access control for your 
IoT infrastructure. It enables you to enforce access 
policies based on dynamic and contextual attributes, 
providing a more flexible and scalable approach to 
managing access to IoT resources. Industries of future 
with different types of communication is shown if 
figure 1. 
Figure 1 : Industries of the future with different types 
of communication [25] 
1.1 Background of IoT and Access Control- 
The Internet of Things (IoT) refers to the 
interconnected network of physical devices, vehicles, 
appliances, and other objects embedded with sensors, 
software, and network connectivity. These devices 
collect and exchange data, enabling them to interact 
with each other and the broader digital ecosystem. 
IoT has gained significant popularity and has 
applications in various domains such as smart homes, 
industrial automation, healthcare, transportation, and 
more[3]. 
With the proliferation of IoT devices and the vast 
amount of data they generate, ensuring secure and 
controlled access to these devices and their associated 
resources is crucial. Access control plays a vital role in 
maintaining the integrity, confidentiality, and 
availability of IoT systems[4]. 
Traditional 
access 
control 
models, 
such 
as 
discretionary access control (DAC) and role-based 
access control (RBAC), have limitations when it 
comes to IoT environments. These models typically 
rely on static user roles or permissions, which may 
not adequately address the dynamic nature of IoT 
systems. Additionally, IoT devices often have diverse 
attributes that need to be considered for access 
control, such as device type, location, ownership, 
firmware version, and more[5] [6] . 

International Journal of Scientific Research in Science and Technology (www.ijsrst.com) | Volume 10 | Issue 3 
Pragya Bharti et al Int J Sci Res Sci & Technol. May-June-2023, 10 (3) : 995-1009 
996 
Attribute-Based Access Control (ABAC) has emerged 
as a suitable access control model for IoT 
environments. ABAC allows access policies to be 
defined based on attributes associated with users, 
devices, and other relevant entities. These attributes 
can be dynamically evaluated during access 
evaluation, providing a more flexible and context-
aware approach to access control. ABAC in IoT 
enables organizations to define fine-grained access 
policies that consider various attributes of IoT devices 
and users. This allows for more precise control over 
who can access IoT resources, perform actions, or 
access specific data streams. For example, access 
policies can be defined based on the device type, 
location, time of day, or even specific data patterns 
generated by the device[7] [8] . 
Implementing ABAC in IoT typically involves 
integrating access control mechanisms provided by 
IoT platforms or frameworks. Cloud service providers 
like AWS offer specific features and tools for 
managing access control in IoT deployments. These 
platforms often combine ABAC with other security 
measures such as encryption, authentication, and 
authorization mechanisms to ensure end-to-end 
security in IoT systems. By incorporating ABAC into 
IoT access control, organizations can enhance security, 
enforce data privacy, and ensure compliance with 
regulatory requirements. The dynamic and contextual 
nature of ABAC allows for more flexible and scalable 
access control policies, making it well-suited for the 
complex and rapidly evolving IoT landscape[9] . 
1.2 Significance of Attribute- Based Access Control 
(ABAC)- 
Attribute-Based Access Control (ABAC) offers several 
significant advantages and benefits in the context of 
access control for various systems, including IoT 
environments. Here are some key reasons why ABAC 
is significant: 
1. Flexibility and Granularity: ABAC provides a 
flexible and granular approach to access control. It 
allows access policies to be defined based on attributes 
associated with users, devices, or any relevant entity. 
This flexibility enables organizations to define fine-
grained access rules that consider specific attributes, 
such as device type, location, ownership, and more. 
This level of granularity allows for more precise 
control over access to resources and actions, 
improving security and reducing the risk of 
unauthorized access[10] . 
2. Dynamic and Context-Aware Access Control: 
ABAC supports dynamic evaluation of attributes 
during access evaluation. This means that access 
decisions can be based on real-time information, such 
as the current state of a device or the contextual 
attributes of a user. For example, access to a specific 
IoT resource can be granted or denied based on 
attributes like the time of day, location, or the specific 
data patterns generated by the device. This context-
aware access control enhances security and enables 
organizations to adapt access policies based on 
changing conditions or requirements. 
3. Scalability and Adaptability: ABAC is highly 
scalable and adaptable to evolving environments. As 
the number of IoT devices and users grows, 
traditional access control models may become difficult 
to manage. ABAC can handle large-scale deployments 
by efficiently managing access policies based on 
attributes. It can easily accommodate new devices, 
users, or attributes without requiring significant 
changes to the access control infrastructure. This 
scalability and adaptability are crucial for managing 
complex IoT ecosystems with diverse entities and 
access requirements[11] . 
4. Compliance and Policy Enforcement: ABAC 
facilitates compliance with regulations and policies. 
Access control policies can be aligned with regulatory 
requirements by incorporating specific attributes into 
the policies. For example, data privacy regulations 
may dictate that only users with specific attributes 
can access sensitive data streams. ABAC enables 
organizations to enforce such policies effectively by 
considering the relevant attributes during access 
evaluation. This helps organizations meet compliance 

International Journal of Scientific Research in Science and Technology (www.ijsrst.com) | Volume 10 | Issue 3 
Pragya Bharti et al Int J Sci Res Sci & Technol. May-June-2023, 10 (3) : 995-1009 
997 
requirements and mitigate the risk of data breaches or 
unauthorized access. 
5. Integration with Identity Management Systems: 
ABAC can be seamlessly integrated with existing 
identity management systems. It can leverage 
attributes from user directories, identity providers, or 
other sources to define access policies. This 
integration enables organizations to leverage their 
existing identity infrastructure while extending access 
control to include contextual attributes. It simplifies 
the management of access control by leveraging 
existing user and device attributes, reducing 
administrative overhead and ensuring consistency in 
access policies across the organization. Overall, ABAC 
offers a powerful and flexible approach to access 
control in various systems, including IoT. Its ability to 
define access policies based on attributes, support 
dynamic evaluation, and provide scalability and 
adaptability makes it a significant solution for 
managing 
access 
in 
complex 
and 
evolving 
environments[12]. 
2. IoT and AWS- 
The combination of the Internet of Things (IoT) and 
Amazon Web Services (AWS) offers powerful 
capabilities for building, deploying, and managing IoT 
applications and infrastructure. AWS provides a 
comprehensive suite of services specifically designed 
to support IoT deployments. Here are some key 
aspects of IoT and AWS[13] : 
1. IoT Device Management: AWS IoT Core is a fully 
managed service that enables secure and reliable 
communication between IoT devices and the AWS 
Cloud. It provides device management features such 
as device registration, provisioning, and remote 
management. AWS IoT Core also supports device 
authentication and secure communication protocols, 
ensuring the integrity and confidentiality of IoT data. 
2. Data Ingestion and Processing: AWS IoT services 
allow you to ingest and process massive amounts of 
IoT data. AWS IoT Core can securely ingest data from 
millions of devices, while services like AWS IoT 
Analytics and AWS IoT Events enable data processing, 
analytics, and real-time rule-based event detection. 
AWS IoT Analytics allows you to perform complex 
queries, run machine learning algorithms, and 
generate insights from IoT data. 
3. Edge Computing and Greengrass: AWS IoT 
Greengrass extends AWS services to the edge devices, 
enabling local compute, messaging, and data caching 
capabilities. With Greengrass, you can run AWS 
Lambda functions on edge devices, process data 
locally, and communicate securely with AWS services. 
This enables reduced latency, offline operation, and 
edge intelligence in IoT deployments[14] . 
4. Machine Learning for IoT: AWS offers machine 
learning services that can be integrated with IoT 
applications. AWS IoT Core integrates with Amazon 
Machine Learning and Amazon SageMaker, allowing 
you to build and deploy machine learning models for 
IoT use cases. This enables predictive analytics, 
anomaly detection, and intelligent decision-making at 
the edge or in the cloud. 
2.1 Overview of Internet of Things (IoT)-
The Internet of Things (IoT) refers to the network of 
physical objects, devices, vehicles, and other items 
embedded with sensors, software, and connectivity 
that enables them to collect and exchange data over 
the internet. These objects, often referred to as 
"smart" or "connected" devices, interact with each 
other and with the digital world, creating a seamless 
integration between the physical and digital realms. 
Here is an overview of the key aspects of the Internet 
of Things (IoT): 
1. Connectivity: IoT devices are equipped with 
various connectivity options, including Wi-Fi, 
Bluetooth, cellular networks, and low-power wireless 
protocols such as Zigbee or LoRaWAN. These 
connections enable devices to communicate and share 
data with each other, cloud platforms, or centralized 
systems. 

International Journal of Scientific Research in Science and Technology (www.ijsrst.com) | Volume 10 | Issue 3 
Pragya Bharti et al Int J Sci Res Sci & Technol. May-June-2023, 10 (3) : 995-1009 
998 
2. Sensors and Actuators: IoT devices are equipped 
with sensors to collect data from the physical 
environment. These sensors can detect and measure 
various parameters such as temperature, humidity, 
light, motion, pressure, and more. Additionally, IoT 
devices often have actuators that allow them to take 
physical actions based on the data received. 
3. Data Collection and Analytics: IoT generates vast 
amounts of data from connected devices. This data 
can be collected, processed, and analyzed to extract 
valuable insights and drive informed decision-making. 
Advanced analytics techniques such as machine 
learning and artificial intelligence are often employed 
to derive meaningful patterns, trends, and predictions 
from IoT data. 
4. Automation and Control: IoT enables automation 
and control of physical processes and systems. By 
connecting and integrating devices, IoT allows for 
centralized 
monitoring, 
remote 
control, 
and 
automated responses based on predefined rules or 
real-time data. This automation improves efficiency, 
productivity, and operational effectiveness across 
various industries. 
5. Applications and Use Cases: IoT has numerous 
applications across industries and domains. Some 
common use cases include smart homes and buildings, 
industrial automation and monitoring, agriculture and 
farming, healthcare monitoring, transportation and 
logistics, energy management, and environmental 
monitoring. IoT solutions can be tailored to specific 
needs and requirements, providing innovative 
solutions and improving quality of life. 
6. Security and Privacy: As IoT involves the collection 
and sharing of sensitive data, security and privacy are 
crucial considerations. Protecting IoT devices and 
networks from unauthorized access, ensuring data 
encryption, implementing secure communication 
protocols, and following best practices for device 
authentication and access control are vital to 
maintaining the integrity and confidentiality of IoT 
systems. 
7. Standardization and Interoperability: IoT devices 
and systems come from various manufacturers and 
operate on different platforms. Standardization and 
interoperability efforts aim to establish common 
protocols, frameworks, and communication standards 
that allow devices and platforms to work together 
seamlessly. This enables easy integration, scalability, 
and broader adoption of IoT solutions. The Internet of 
Things (IoT) has the potential to revolutionize 
industries, improve efficiency, and enable new 
business models. As technology advances and 
connectivity becomes more pervasive, the IoT 
ecosystem continues to grow and evolve, offering 
immense opportunities for innovation and digital 
transformation. 
2.2 Introduction to AWS IoT Platform – 
The AWS IoT platform is a comprehensive set of 
services and tools provided by Amazon Web Services 
(AWS) that enables the building, deployment, and 
management of Internet of Things (IoT) applications 
and infrastructure. It offers a scalable, secure, and 
reliable foundation for connecting, managing, and 
analyzing IoT devices and the data they generate. 
Here's an introduction to the key components and 
features of the AWS IoT platform: 
1. AWS IoT Core: AWS IoT Core is the central service 
of the AWS IoT platform. It provides secure and 
reliable connectivity between IoT devices and the 
cloud. IoT Core allows devices to securely connect 
and communicate with the cloud through various 
protocols such as MQTT, HTTP, and WebSockets. It 
handles device registration, message routing, and 
device 
shadowing, 
which 
enables 
persistent 
representation of device state for easier device 
management. 
2. Device Management: AWS IoT Core offers device 
management capabilities, allowing you to register, 
provision, and manage IoT devices at scale. It provides 
mechanisms for secure device authentication and 

International Journal of Scientific Research in Science and Technology (www.ijsrst.com) | Volume 10 | Issue 3 
Pragya Bharti et al Int J Sci Res Sci & Technol. May-June-2023, 10 (3) : 995-1009 
999 
authorization, ensuring that only authorized devices 
can connect and communicate with the cloud. Device 
management features also include over-the-air (OTA) 
updates, remote management, and device monitoring 
and diagnostics. 
3. Rule Engine: The AWS IoT Core Rule Engine 
enables you to define rules and actions based on 
incoming IoT data. It allows you to create rules that 
evaluate incoming messages from devices and trigger 
actions such as invoking AWS Lambda functions, 
storing data in databases, or sending notifications via 
various AWS services. The Rule Engine provides a 
powerful mechanism for processing and acting upon 
IoT data in real time. 
4. Device Shadows: Device Shadows are virtual 
representations of IoT devices' state and metadata. 
AWS IoT Core maintains a shadow for each device, 
allowing applications to read and update the desired 
and reported state of the device, even when the 
device is offline. Device Shadows provide a 
convenient way to synchronize device state and 
enable applications to interact with devices regardless 
of their online status. 
5. Device SDKs and Integrations: AWS IoT Core 
provides software development kits (SDKs) for various 
programming languages to simplify device integration 
with the platform. These SDKs enable developers to 
connect devices, publish and subscribe to MQTT 
messages, and interact with other AWS services. 
Additionally, AWS IoT Core integrates with other 
AWS services such as AWS Lambda, Amazon S3, 
Amazon DynamoDB, and Amazon Kinesis, enabling 
seamless integration with the broader AWS ecosystem. 
6. Security and Access Control: Security is a 
fundamental aspect of the AWS IoT platform. AWS 
IoT Core offers built-in security mechanisms, 
including device authentication and authorization 
using X.509 certificates, AWS Identity and Access 
Management (IAM) policies, and fine-grained access 
control. It also supports encryption of data both at rest 
and in transit, ensuring the confidentiality and 
integrity of IoT data. 
7. Analytics and Integration: AWS IoT integrates with 
various AWS analytics services to enable advanced 
data processing and analysis. For example, AWS IoT 
Analytics provides capabilities for ingesting, storing, 
analyzing, and visualizing large volumes of IoT data. 
Integration with other AWS services like Amazon 
QuickSight and Amazon SageMaker enables advanced 
analytics, machine learning, and visualization of IoT 
data. 
The AWS IoT platform offers a comprehensive suite 
of services and tools that simplify the development, 
deployment, and management of IoT applications. 
With its scalability, security features, device 
management capabilities, and integration with other 
AWS services, the AWS IoT platform provides a 
robust foundation for building innovative and scalable 
IoT solutions. 
2.3 Importance of Access Control Access in IoT – 
Access control is of paramount importance in IoT 
(Internet of Things) environments due to the 
following reasons: 
1. Security: IoT devices are connected to networks 
and can exchange sensitive data. Implementing access 
control ensures that only authorized entities, such as 
devices, users, or services, can access and interact 
with the IoT system. By enforcing access control, 
organizations can prevent unauthorized access, data 
breaches, malicious activities, and potential damage to 
the IoT infrastructure. 
2. Privacy: IoT devices often collect and process 
personal and sensitive data. Access control 
mechanisms play a critical role in safeguarding user 
privacy by ensuring that only authorized individuals 
or systems can access and utilize this data. 
Implementing access control policies aligned with 
privacy regulations helps protect individuals' data and 
maintain their trust in IoT systems. 
3. Device Integrity: IoT ecosystems comprise a wide 
range of devices, including sensors, actuators, 
gateways, and controllers. Access control prevents 

International Journal of Scientific Research in Science and Technology (www.ijsrst.com) | Volume 10 | Issue 3 
Pragya Bharti et al Int J Sci Res Sci & Technol. May-June-2023, 10 (3) : 995-1009 
1000 
unauthorized devices from joining the network or 
accessing critical resources, thus preserving the 
integrity of the IoT system. It helps protect against 
device tampering, unauthorized modifications, and 
the introduction of rogue devices that could disrupt 
operations or compromise data. 
4. Resource Management: Access control enables 
efficient resource management in IoT environments. 
It ensures that resources, such as computational 
power, network bandwidth, or storage, are allocated 
appropriately and used by authorized entities. By 
enforcing access control policies, organizations can 
prevent resource exhaustion, optimize resource 
utilization, and maintain system performance and 
reliability. 
5. Compliance: Access control is crucial for meeting 
regulatory compliance requirements. IoT systems 
often handle sensitive data subject to various 
regulations, such as data protection, privacy, and 
industry-specific standards. Implementing access 
control mechanisms allows organizations to enforce 
compliance with these regulations by defining and 
enforcing access policies that align with the applicable 
requirements. 
6. Risk Mitigation: Access control helps mitigate 
security risks and vulnerabilities in IoT deployments. 
By enforcing strong authentication, authorization, 
and access policies, organizations can reduce the 
attack surface and limit potential avenues for 
exploitation. This helps protect against unauthorized 
access, data breaches, denial-of-service attacks, and 
other security threats that can compromise the IoT 
ecosystem. 
7. Operational Efficiency: Access control mechanisms 
enhance operational efficiency in IoT environments. 
By defining and managing access rights and 
permissions, organizations can ensure that authorized 
entities have appropriate access to the necessary 
resources, data, or functionalities. This reduces the 
risk of unauthorized actions, streamlines operations, 
improves productivity, and simplifies system 
management. 
In summary, access control is essential in IoT 
environments to ensure security, privacy, device 
integrity, 
resource 
management, 
regulatory 
compliance, 
risk 
mitigation, 
and 
operational 
efficiency. By implementing robust access control 
mechanisms, organizations can establish a strong 
foundation for building secure and trustworthy IoT 
systems. 
3. Access Control Models: 
Access control models are frameworks that define 
how access to resources is granted or denied within a 
system. Here are three commonly used access control 
models: 
1. Discretionary Access Control (DAC): In DAC, 
access control decisions are based on the discretion of 
the resource owner. The resource owner has the 
authority to determine who can access their resources 
and what level of access they have. Access control 
lists (ACLs) or access control matrices are typically 
used to manage permissions. DAC is flexible but may 
lack 
centralized 
control 
and 
can 
lead to 
inconsistencies in access control across the system. 
2. Mandatory Access Control (MAC): MAC is a more 
rigid access control model where access decisions are 
based on system-defined security labels or levels. The 
system administrator assigns labels to resources and 
users, and access decisions are determined by 
comparing the labels of users and resources based on 
predefined rules and policies. MAC provides a high 
level of control and security but can be complex to 
implement and administer. 
3. Role-Based Access Control (RBAC): RBAC assigns 
roles to users based on their responsibilities within an 
organization. Access permissions are then associated 
with these roles, and users are granted access based on 
their assigned roles. RBAC simplifies access control 
management by grouping users into roles and 
managing permissions at the role level rather than 
individually for each user. It provides scalability, 

International Journal of Scientific Research in Science and Technology (www.ijsrst.com) | Volume 10 | Issue 3 
Pragya Bharti et al Int J Sci Res Sci & Technol. May-June-2023, 10 (3) : 995-1009 
1001 
easier administration, and improves consistency in 
access control. 
These access control models can be combined or 
extended to meet specific requirements in different 
systems. For example, Attribute-Based Access Control 
(ABAC) extends the access control decision-making 
process by considering various attributes associated 
with users, resources, and environmental conditions. 
It's important to note that the choice of access control 
model depends on the system's security requirements, 
the nature of the resources being protected, and the 
desired level of flexibility or control in access 
management. Different systems may employ different 
access control models or a combination of them to 
achieve an appropriate level of security and access 
management. 
3.1 Traditional Access Control Model -
The traditional access control model, also known as 
the non-discretionary access control model, is a basic 
form of access control that predates more advanced 
models like DAC, MAC, and RBAC. In this model, 
access control decisions are typically based on a user's 
identity or group membership, and access rights are 
defined by the system administrator. Here are the key 
characteristics of the traditional access control model: 
1. User Identity: Access control decisions are 
primarily based on the identity of the user requesting 
access to a resource. Each user is assigned a unique 
identifier (e.g., username or user ID), and access rights 
are granted or denied based on this identity. 
2. Access Rights: The system administrator defines 
access rights for users or groups of users. Access rights 
specify the actions that users can perform on specific 
resources, such as read, write, execute, or delete. 
3. Centralized Control: The system administrator has 
centralized control over access control decisions and 
the assignment of access rights. They determine 
which users or groups have access to specific 
resources and what level of access they possess. 
4. Lack of Granularity: The traditional access control 
model often lacks granularity in access control 
decisions. Access rights are typically assigned on a 
per-user or per-group basis, without considering the 
specific attributes or characteristics of the user or 
resource. 
5. Limited Flexibility: The model offers limited 
flexibility in dynamically adjusting access control 
decisions. Access rights are typically static and remain 
unchanged 
until 
modified 
by 
the 
system 
administrator. 
6. Security Risks: As access control decisions are 
primarily based on user identity, this model can be 
susceptible to security risks such as unauthorized 
access if user identities are compromised. 
The traditional access control model is relatively 
simple and straightforward to implement but may not 
provide the fine-grained control and flexibility 
required in more complex systems. It is commonly 
used in small-scale or legacy systems where a basic 
level of access control is sufficient, and centralized 
control is preferred. However, in more modern and 
sophisticated environments, other access control 
models like DAC, MAC, or RBAC are often employed 
to provide enhanced security, flexibility, and 
scalability. 
3.2 Limitations of Traditional Models in IoT - 
The traditional access control models, such as 
discretionary access control (DAC), mandatory access 
control (MAC), and role-based access control (RBAC), 
have certain limitations when applied to IoT (Internet 
of Things) environments. Here are some key 
limitations: 
1. Scalability: Traditional access control models may 
struggle to scale effectively in IoT deployments due to 
the large number of devices, users, and resources 
involved. IoT systems often consist of a massive 
number of interconnected devices, making it 

International Journal of Scientific Research in Science and Technology (www.ijsrst.com) | Volume 10 | Issue 3 
Pragya Bharti et al Int J Sci Res Sci & Technol. May-June-2023, 10 (3) : 995-1009 
1002 
challenging to manage access control policies 
individually for each device or user. 
2. Dynamic and Heterogeneous Environment: IoT 
environments are highly dynamic, with devices 
joining and leaving the network frequently. 
Traditional access control models typically rely on 
static access control decisions that do not adapt well 
to dynamic changes. Additionally, IoT ecosystems 
often involve diverse devices and technologies, 
making it difficult to enforce consistent access control 
policies across the entire system. 
3. Resource Constraints: Many IoT devices have 
limited computational power, memory, and energy 
resources. Traditional access control models may 
introduce overhead in terms of processing and storage 
requirements, which can be impractical for resource-
constrained IoT devices. 
4. Attribute-Based Access Control (ABAC) Gap: 
Traditional access control models often lack the fine-
grained and context-aware access control capabilities 
required in IoT. ABAC, which considers various 
attributes associated with users, devices, and 
environmental conditions, is better suited to handle 
complex access control scenarios in IoT. Traditional 
models may struggle to adequately handle attributes 
such as device capabilities, location, or environmental 
context. 
5. Privacy and Data Sensitivity: IoT systems generate 
and handle vast amounts of sensitive data, including 
personal and private information. Traditional access 
control models may not provide sufficient granularity 
or privacy-aware access control mechanisms to 
protect sensitive data in IoT deployments. IoT-specific 
privacy regulations, such as General Data Protection 
Regulation (GDPR), further emphasize the need for 
advanced access control mechanisms. 
6. Interoperability Challenges: IoT ecosystems often 
involve devices and platforms from different 
manufacturers and vendors. Traditional access control 
models may lack interoperability standards and 
mechanisms, making it difficult to enforce consistent 
access control policies across heterogeneous IoT 
systems. 
7. Cybersecurity Risks: IoT devices are susceptible to 
various 
security 
threats 
and 
vulnerabilities. 
Traditional access control models may not provide 
adequate protection against emerging IoT-specific 
threats, such as device spoofing, data tampering, or 
unauthorized access to critical IoT resources. 
To address these limitations, newer access control 
models and frameworks specifically designed for IoT, 
such as Attribute-Based Access Control (ABAC) or 
Context-Based Access Control (CBAC), are being 
developed. These models take into account the unique 
characteristics and requirements of IoT environments, 
providing more adaptive, scalable, and context-aware 
access control mechanisms. 
3.3 Introduction to Attribute –Based Access Control 
(ABAC) – 
Attribute-Based Access Control (ABAC) is an access 
control model that grants or denies access to resources 
based on the attributes associated with the subjects 
(users or devices), objects (resources), and the 
environment. In ABAC, access control decisions are 
made by evaluating the attributes rather than relying 
solely on user identities or roles. It provides a more 
flexible and dynamic approach to access control,