This session will introduce best practices for IoT security in the cloud and the access control mechanisms used by AWS IoT. These mechanisms can be used to not only securely build and provision devices, but also to integrate devices with other AWS services. As a result, you are able to scale and innovate, while maintaining a secure environment.
4. AWS IoT
• Device SDK: set of client libraries to connect, authenticate and exchange messages
• Device Gateway: communicate with devices via MQTT and HTTP
• Authentication and Authorization: secure with mutual authentication and encryption
• Rules Engine: transform messages based on rules and route them to AWS services or third-party (3P) services
• Device Shadow: persistent thing state during intermittent connections
• Device Registry: identity and management of your things
• Applications: interact with the platform through the AWS IoT API
6. AWS Foundation Services
Security shared responsibility:
• AWS is responsible for the security OF the Cloud: the AWS Foundation Services (Compute, Storage, Database, Networking) and the AWS Global Infrastructure (Regions, Availability Zones, Edge Locations)
• Customers are responsible for their security IN the Cloud: customer applications & content; platform, applications, identity & access management; operating system, network & firewall configuration; client-side data encryption; server-side data encryption; network traffic protection
17. Security and Identity
Identity Principles | Usage
X.509 certificates | Device identity
IAM users, groups and roles | Application-layer access for HTTP or WebSockets
Amazon Cognito Identities | API access
20. Certificate management
Certificate creation mechanism | Pros | Cons
AWS IoT created certificate (including public/private keypair) | Everything handled by AWS IoT | Private key has to be transmitted between AWS IoT and customer
AWS IoT created certificate (Certificate Signing Request (CSR) based) | Certificate creation handled by AWS; AWS never has the private key | Customer has to create the public/private keypair and CSR
JiTR/BYOC (Bring Your Own Certificate) | AWS never has the private key; customer controls certificate creation | Customer has to create a certificate for every device
21. When is a certificate not a valid certificate
[Timeline figure: t1 and t2]
• t1 is earlier than t2 (i.e. the server cert appears to be in the future from the device's point of view)
• No real-time clock
• No NTP update (chicken and egg: the device needs a trusted time to validate the TLS certificate, but reaches the time source over that connection)
• Don’t validate the timestamp if you’ve never connected to the NTP server
• Don’t validate the timestamp if the device has been on the shelf for a long time
27. History of TLS/SSL
Evolution of Web Encryption Technologies
• 1995: SSL2.0
• 1996: SSL3.0
• 1999: TLS1.0
• 2006: TLS1.1
• 2008: TLS1.2
• 2013: planning of TLS1.3 starts
Battle Against Vulnerabilities
• 2011: BEAST
• 2014/04: Heartbleed
• 2014/09: POODLE
• 2015: FREAK
• 2016/03: DROWN
28. Greater Enforcement by Industry/Vendors
Battle Against Vulnerabilities
• 2011: BEAST
• 2014/04: Heartbleed
• 2014/09: POODLE
• 2015: FREAK
• 2016/03: DROWN
Industry Enforcement
• 2015/12: indexing HTTPS pages by default
• 2016/04: PCI DSS v3.2
• 2016/07: mandatory ATS
• 2016/08: HTTP Strict Transport Security (HSTS)
• 2017/06/30: mandatory TLS1.2
29. TLS1.2 in AWS IoT
• Client-side certificates should use at least:
  • 2048-bit keys for RSA
  • P-256 and P-384 curves for ECC
• Recommended cipher suites:
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-GCM-SHA256
• 2048-bit primes for DH
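As an added example (not code from this session or from AWS), the following builds a client-side TLS policy that matches the recommendations above using Python's standard ssl module: TLS 1.2 as the floor, only the two recommended ECDHE/AES-GCM suites, mandatory server verification, and the device's X.509 certificate as the client identity. The file paths are hypothetical placeholders.

```python
import ssl

# The two cipher suites recommended on the slide for AWS IoT (TLS 1.2).
AWS_IOT_CIPHERS = (
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
)


def build_aws_iot_tls_context(ca_path=None, cert_path=None, key_path=None):
    """Return an SSLContext for a mutual-TLS MQTT client talking to AWS IoT.

    All paths are hypothetical placeholders; when they are None the context
    is built without loading files so its policy can be inspected offline.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Refuse SSL3/TLS1.0/TLS1.1: the protocol flaws on the timeline
    # (BEAST, POODLE, DROWN) all rely on the older protocols or ciphers.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Offer only the recommended ECDHE suites: forward secrecy plus AEAD,
    # so no CBC or RC4 suites remain negotiable on TLS 1.2.
    ctx.set_ciphers(":".join(AWS_IOT_CIPHERS))
    # Always verify the AWS IoT endpoint certificate and its hostname.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if ca_path:
        ctx.load_verify_locations(cafile=ca_path)
    else:
        ctx.load_default_certs()
    if cert_path and key_path:
        # Device identity: the X.509 client certificate and its private key
        # (RSA 2048 or P-256/P-384 per the slide; enforce that at key creation).
        ctx.load_cert_chain(certfile=cert_path, keyfile=key_path)
    return ctx


def tls12_ciphers(ctx):
    """Sorted names of the TLS 1.2 suites the context will actually offer."""
    return sorted(c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2")


def minimum_protocol(ctx):
    """Name of the lowest protocol version the context will negotiate."""
    return ctx.minimum_version.name
```

Hand the returned context to your MQTT client (e.g. as the TLS context for port 8883); TLS 1.3 suites, if the local OpenSSL supports them, are governed separately from set_ciphers and remain available.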