Best Practices for IoT Security in the Cloud
Transcript
Page 1
© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
John Rotach, Software Development Engineer – AWS IoT
October 27, 2016
Best Practices for IoT Security in the Cloud
Page 2
All things around us are getting connected
Page 4
Things will proliferate
Chart: number of connected things in 2013, 2015 and 2020 (Some → Lots → Many), broken down into Vertical Industry, Generic Industry, Consumer and Automotive
Page 5
Connected ≠ Smart
Internet 1985: Gopher, FTP, NNTP, Telnet, Archie
IoT 2016: HTTP, MQTT, CoAP, XMPP, AMQP
Page 6
In reality, it is even more complex
Layer – Standards
Application – HTTP, MQTT, AMQP, CoAP, XMPP
Network – IPv4, IPv6, 6LoWPAN, ZigBee, Z-Wave, Insteon
Physical – Ethernet, CAN, USB, 802.11, Bluetooth, 802.15.4, SPI
Page 7
But my data isn’t sensitive!
Page 8
Why do IoT at all?
Changes happen in the real world!
Page 9
The Risk
Bad changes happen in the real world!
Page 10
A Simple Goal
Page 11
Requirements
• Secure Communications with Things
• Strong Thing Identity
• Fine-grained Authorization for:
  • Things
  • People
Page 12
The System
Diagram: DynamoDB, Lambda, Kinesis
Page 16
Requirements
• Secure Communications with Things
• Strong Thing Identity
• Fine-grained Authorization for:
  • Things
  • People
Page 17
Network Traffic Is Complex

```text
04:07:18.045065 IP 85.119.83.194.1883 > 10.0.0.67.51210: Flags [P.], seq 1586864891:1586864913, ack 820274045, win 227, options [nop,nop,TS val 2390025928 ecr 577393885], length 22
	0x0000:  4500 004a 3694 4000 2d06 639e 5577 53c2
	0x0010:  0a00 0043 075b c80a 5e95 a2fb 30e4 637d
	0x0020:  8018 00e3 66cd 0000 0101 080a 8e74 e6c8
	0x0030:  226a 54dd 3214 0007 666f 6f2f 6261 7200
	0x0040:  0454 656d 703a 2038 3346
```
Page 18
Network Tools Are Up To It

```text
MQ Telemetry Transport Protocol, Publish Message
    0011 0010 = Header Flags: 0x32 (Publish Message)
        0011 .... = Message Type: Publish Message (3)
        .... 0... = DUP Flag: Not set
        .... .01. = QOS Level: Acknowledged deliver (1)
        .... ...0 = Retain: Not set
    Msg Len: 20
    Topic: foo/bar
    Message Identifier: 1
    Message: Temp: 83F
```
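The two slides above show one plaintext frame, first raw and then dissected. The following added example (my code, not part of the deck) walks the hex dump from the tcpdump slide through the IPv4 and TCP headers to the MQTT PUBLISH inside, to make the point concrete: without TLS, topic and payload are readable by anyone on the path. It uses only the Python standard library; the bytes are copied from the slide, and this particular frame carries packet identifier 4.

```python
import struct

# Hex dump as printed on the slide (tcpdump -x output, offsets kept).
TCPDUMP_HEX = """
0x0000: 4500 004a 3694 4000 2d06 639e 5577 53c2
0x0010: 0a00 0043 075b c80a 5e95 a2fb 30e4 637d
0x0020: 8018 00e3 66cd 0000 0101 080a 8e74 e6c8
0x0030: 226a 54dd 3214 0007 666f 6f2f 6261 7200
0x0040: 0454 656d 703a 2038 3346
"""


def hexdump_to_bytes(dump: str) -> bytes:
    """Drop the '0x0000:' offsets and join the hex words into raw bytes."""
    words = []
    for line in dump.strip().splitlines():
        words.extend(line.partition(":")[2].split())
    return bytes.fromhex("".join(words))


def tcp_segment(packet: bytes) -> dict:
    """Walk the IPv4 header (IHL) and the TCP header (data offset, which
    skips the nop,nop,TS options) and return addresses plus the payload."""
    if packet[0] >> 4 != 4 or packet[9] != 6:
        raise ValueError("expected an IPv4/TCP packet")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    tcp = packet[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return {"src": f"{src}:{sport}", "dst": f"{dst}:{dport}",
            "segment": tcp[data_off:]}


def remaining_length(buf: bytes, pos: int):
    """MQTT variable-length integer: 7 data bits per byte, MSB continues."""
    value, mult = 0, 1
    while True:
        b = buf[pos]
        pos += 1
        value += (b & 0x7F) * mult
        if not b & 0x80:
            return value, pos
        mult *= 128
        if mult > 128 ** 3:
            raise ValueError("malformed remaining length")


def parse_mqtt_publish(buf: bytes) -> dict:
    """Decode an MQTT 3.1.1 PUBLISH: flags, topic, packet id (QoS > 0), payload."""
    flags = buf[0]
    if flags >> 4 != 3:  # control packet type 3 = PUBLISH
        raise ValueError("not a PUBLISH packet")
    length, pos = remaining_length(buf, 1)
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated packet")
    topic_len = struct.unpack("!H", buf[pos:pos + 2])[0]
    topic = buf[pos + 2:pos + 2 + topic_len].decode("utf-8")
    pos += 2 + topic_len
    qos = (flags >> 1) & 0x03
    packet_id = None
    if qos:  # QoS 1 and 2 carry a packet identifier (4 in this capture)
        packet_id = struct.unpack("!H", buf[pos:pos + 2])[0]
        pos += 2
    return {"dup": bool(flags & 0x08), "qos": qos, "retain": bool(flags & 1),
            "topic": topic, "packet_id": packet_id, "payload": buf[pos:end]}


def decode_slide_capture(dump: str = TCPDUMP_HEX) -> dict:
    """Everything a passive observer reads off one plaintext MQTT frame."""
    seg = tcp_segment(hexdump_to_bytes(dump))
    return {**seg, **parse_mqtt_publish(seg["segment"])}
```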
Page 19
Mutual Auth TLS
Page 22
Requirements
• Secure Communications with Things
• Strong Thing Identity
• Fine-grained Authorization for:
  • Things
  • People
Page 23
What are Certs and Keys?
• Certificate – Public identity
• Private Key – Private proof
• Root CA – Validate
Page 24
Elliptic Curve Cryptography (ECC)
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
• Elliptic curve discrete logarithm vs RSA integer factorization
• Smaller key sizes for the same security
• ECDHE – key exchange algorithm (forward secrecy with ephemeral keys)
• ECDSA – signature algorithm with EC private keys (authentication)
Page 25
AWS-Generated Keypair
CreateKeysAndCertificate()
Page 26
Actual Commands

```text
$ aws iot create-keys-and-certificate --set-as-active
{
  "certificateArn": "arn:aws:iot:us-east-1:123456972007:cert/d7677b0…SNIP…026d9",
  "certificatePem": "-----BEGIN CERTIFICATE-----…SNIP…-----END CERTIFICATE-----",
  "keyPair": {
    "PublicKey": "-----BEGIN PUBLIC KEY-----…SNIP…-----END PUBLIC KEY-----",
    "PrivateKey": "-----BEGIN RSA PRIVATE KEY-----…SNIP…-----END RSA PRIVATE KEY-----"
  },
  "certificateId": "d7677b0…SNIP…026d9"
}
```
Page 28
Client Generated Keypair
CSR
Page 29
Certificate Signing Request
Dear Certificate Authority,
I’d really like a certificate for %NAME%, as identified by the keypair with public key %PUB_KEY%. If you could sign a certificate for me with those parameters, it’d be super spiffy.
Signed (cryptographically),
- The holder of the private key
Page 30
Client Generated Keypair
CSR
CreateCertificateFromCSR(CSR)
Page 31
Actual Commands

```text
$ openssl genrsa -out ThingKeypair.pem 2048
Generating RSA private key, 2048 bit long modulus
....+++
...+++
e is 65537 (0x10001)

$ openssl req -new -key ThingKeypair.pem -out Thing.csr
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:NY
Locality Name (eg, city) [Default City]:New York
Organization Name (eg, company) [Default Company Ltd]:ACME
Organizational Unit Name (eg, section) []:Makers
Common Name (eg, your name or your server's hostname) []:John Smith
Email Address []:[email protected]
```
Page 32
Actual Commands

```text
$ aws iot create-certificate-from-csr \
    --certificate-signing-request file://Thing.csr \
    --set-as-active
{
  "certificateArn": "arn:aws:iot:us-east-1:123456972007:cert/b5a396e…SNIP…400877b",
  "certificatePem": "-----BEGIN CERTIFICATE-----…SNIP…-----END CERTIFICATE-----",
  "certificateId": "b5a396e…SNIP…400877b"
}
```
Page 33
Register your own Certificate Authority
GetVerificationCode()
Page 34
Register your own Certificate Authority
CSR
RegisterCACertificate(CSR)
Page 35
Provisioning your own certificates
RegisterCertificate(Cert)
CSR
Page 37
Just-in-time registration
RegisterCertificate(Cert)
Page 38
Just-in-time registration
CONNECT
AWS Lambda
NewDevice(Certificate)
AttachPolicy()
ActivateCertificate()
CreateThing()
UpdateShadow()
DISCONNECT
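The Lambda hand-off on the slide (NewDevice → AttachPolicy, ActivateCertificate, CreateThing, UpdateShadow), written out as an added Python handler that is neither the deck's nor AWS's own code. The method names are the real boto3 iot and iot-data client calls, and the event layout follows the registration event AWS IoT publishes on $aws/events/certificates/registered/<caCertificateId>; the CA id, policy name, thing-naming rule and the recording stand-in client are assumptions so that the block runs offline.

```python
import json

EXPECTED_CA_ID = "EXAMPLE-CA-CERT-ID"   # placeholder: id of the CA you registered
DEVICE_POLICY = "DevicePolicy"          # placeholder: IoT policy to attach


def register_new_device(event: dict, iot, iot_data,
                        expected_ca_id: str = EXPECTED_CA_ID) -> dict:
    """Handle one certificate-registered event: check that it is a fresh
    certificate from our own CA, then run the four steps on the slide."""
    cert_id = event["certificateId"]
    if event.get("caCertificateId") != expected_ca_id:
        raise PermissionError("certificate was not issued by the registered CA")
    if event.get("certificateStatus") != "PENDING_ACTIVATION":
        raise ValueError("certificate is not awaiting activation")
    desc = iot.describe_certificate(certificateId=cert_id)
    cert_arn = desc["certificateDescription"]["certificateArn"]
    thing_name = f"thing-{cert_id[:12]}"   # assumption: name derived from cert id
    # Policy first, then activation: the identity never becomes usable
    # without a (restrictive) policy already bound to it.
    iot.attach_policy(policyName=DEVICE_POLICY, target=cert_arn)
    iot.update_certificate(certificateId=cert_id, newStatus="ACTIVE")
    iot.create_thing(thingName=thing_name)
    iot.attach_thing_principal(thingName=thing_name, principal=cert_arn)
    iot_data.update_thing_shadow(
        thingName=thing_name,
        payload=json.dumps({"state": {"reported": {"registered": True}}}))
    return {"thingName": thing_name, "certificateArn": cert_arn}


class RecordingClient:
    """Offline stand-in for a boto3 client: records every call it receives."""

    def __init__(self, cert_arn: str = ""):
        self.calls = []
        self.cert_arn = cert_arn

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            if name == "describe_certificate":
                return {"certificateDescription": {"certificateArn": self.cert_arn}}
            return {}
        return call


# Constructed sample event in the layout AWS IoT publishes to
# $aws/events/certificates/registered/<caCertificateId>.
SAMPLE_EVENT = {
    "certificateId": "0123456789abcdef" * 4,     # constructed, not a real id
    "caCertificateId": EXPECTED_CA_ID,
    "timestamp": 1477584000000,
    "certificateStatus": "PENDING_ACTIVATION",
    "awsAccountId": "123456972007",
}


def demo() -> list:
    """Run the handler against recording clients and return the call order."""
    iot = RecordingClient("arn:aws:iot:us-east-1:123456972007:cert/EXAMPLE")
    data = RecordingClient()
    register_new_device(SAMPLE_EVENT, iot, data)
    return [name for name, _ in iot.calls] + [name for name, _ in data.calls]
```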
Page 39
Enhanced Security from Device to Cloud
Page 40
Private Key Protection – Test & Dev

```text
$ openssl genrsa -out ThingKeypair.pem 2048
Generating RSA private key, 2048 bit long modulus
......................+++
.................................+++
e is 65537 (0x10001)

$ ls -l ThingKeypair.pem
-rw-rw-r-- 1 ec2-user ec2-user 1679 Sep 25 14:10 ThingKeypair.pem

$ chmod 400 ThingKeypair.pem ; ls -l ThingKeypair.pem
-r-------- 1 ec2-user ec2-user 1679 Sep 25 14:10 ThingKeypair.pem
```
Page 41
Private Key Protection
• Software: chroot, SELinux
• Hardware: TPMs, Smartcards, OTP Fuses, FIPS-style hardware
Page 42
Identity Revocation

```text
$ aws iot list-certificates
{
  "certificateDescriptions": [
    {
      "certificateArn": "arn:aws:iot:us-east-1:123456972007:cert/d7677b0…SNIP…026d9",
      "status": "ACTIVE",
      "certificateId": "d7677b0…SNIP…026d9",
      "lastModifiedDate": 1443070900.491,
      "certificatePem": "-----BEGIN CERTIFICATE-----…SNIP…-----END CERTIFICATE-----",
      "ownedBy": "123456972007",
      "creationDate": 1443070900.491
    }
  ]
}
```
Page 43
Identity Revocation

```text
$ aws iot update-certificate --certificate-id "d7677b0…SNIP…026d9" --new-status REVOKED

$ aws iot list-certificates
{
  "certificateDescriptions": [
    {
      "certificateArn": "arn:aws:iot:us-east-1:123456972007:cert/d7677b0…SNIP…026d9",
      "status": "REVOKED",
      "certificateId": "d7677b0…SNIP…026d9",
      "lastModifiedDate": 1443192020.792,
      "certificatePem": "-----BEGIN CERTIFICATE-----…SNIP…-----END CERTIFICATE-----",
      "ownedBy": "123456972007",
      "creationDate": 1443070900.491
    }
  ]
}
```
Page 44
Takeaways
• Many provisioning methods
• Each device gets its own certificate
• Use a certificate authority for offline provisioning
Page 45
Requirements
• Secure Communications with Things
• Strong Thing Identity
• Fine-grained Authorization for:
  • Things
  • People
Page 46
Policy actions
• Connect
• Publish
• Subscribe
• Unsubscribe
• Receive
Page 47
Connect policy

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iot:Connect"],
      "Resource": "arn:aws:iot:us-east-1:123456972007:client/MY-THING-NAME"
    }
  ]
}
```
Page 48
Connect policy

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iot:Connect"],
      "Resource": "arn:aws:iot:us-east-1:123456972007:client/MY-THING-NAME_*"
    }
  ]
}
```

Client IDs matched by the wildcard:
MY-THING-NAME_Application1
MY-THING-NAME_Application2
MY-THING-NAME_Application3
Page 49
Publish policy

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iot:Publish"],
      "Resource": "arn:aws:iot:us-east-1:123456972007:topic/$aws/things/MyThing/shadow/update"
    }
  ]
}
```
Page 50
Even finer control

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iot:Publish"],
      "Resource": "arn:aws:iot:us-east-1:123456972007:topic/$aws/things/MyThing/shadow/update"
    }
  ]
}
```

Allows updating the entire shadow
Page 51
Even finer control

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iot:Publish"],
      "Resource": "arn:aws:iot:us-east-1:123456972007:topic/actions/MyThing/open"
    }
  ]
}
```

Use a different topic
Page 52
Even finer control
AWS IoT
Direct publishing to shadow
Page 53
Even finer control
AWS IoT
Use a rule to update specific shadow fields
Page 54
Takeaways
• Structure topics for permissions
• Make policies as restrictive as possible
• Wildcards can simplify policy management
• Rules can help with fine-grained permissions
Page 55
Requirements
• Secure Communications with Things
• Strong Thing Identity
• Fine-grained Authorization for:
  • Things
  • People
Page 56
Applications
Diagram: DynamoDB, Lambda, Kinesis
Page 57
IAM Role policy

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iot:Connect"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Publish"],
      "Resource": ["arn:aws:iot:us-east-1:123456972007:topic/$aws/things/MyThing/shadow/update"]
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Subscribe", "iot:Receive"],
      "Resource": ["arn:aws:iot:us-east-1:123456972007:topicfilter/$aws/things/MyThing/shadow/*"]
    }
  ]
}
```
Page 58
Mobile
Diagram: DynamoDB, Lambda, Kinesis, Amazon Cognito
Page 59
Policy for Cognito with IoT
Cognito authenticated user identity pool role policy:

```json
{
  "Effect": "Allow",
  "Action": [
    "iot:Connect",
    "iot:Publish",
    "iot:Subscribe",
    "iot:Receive",
    "iot:GetThingShadow",
    "iot:UpdateThingShadow"
  ],
  "Resource": "*"
}
```

Specific policy for Joe IoT Cognito user:

```json
{
  "Effect": "Allow",
  "Action": "iot:UpdateThingShadow",
  "Resource": "arn:aws:iot:…:thing/joe-sprinkler123"
}
```
Page 62
Overall Cognito “pairing” workflow
1. Create a Cognito identity pool
2. Customer signs in using mobile app
3. Associate their user with their devices
4. Create a scope-down policy in IoT for their user
5. Attach that policy to their Cognito user in IoT
Page 63
Important: These steps apply to authenticated Cognito users only. (NOT to unauthenticated!)
Page 64
Managing fine-grained permissions
• One user may need permissions to many things
  • "arn:aws:iot:…:thing/sprinkler123abc"
  • "arn:aws:iot:…:thing/sprinkler456def"
  • …
• Listing each is tedious
Page 65
Best practice: Thing name prefixing
• Prefix thing name with logical owner
  • sensor123abc -> joe-sensor123abc
• Aspen policy supports wildcards
  • "arn:aws:iot:…:thing/sensor123abc"
  • "arn:aws:iot:…:thing/sensor456def"
  • …
  • "arn:aws:iot:…:thing/joe-*"
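Policy matching as the slides describe it (wildcards in Resource ARNs, an explicit Deny overriding any Allow, and thing-name prefixing so that one "joe-*" pattern replaces a list of ARNs), as an added example that is not part of the deck. It is a deliberately simplified model of AWS IoT policy evaluation (no conditions, policy variables or topic-filter matching) plus a small check for the "make policies as restrictive as possible" takeaway; the account ARN prefix and the policy documents are the ones on the slides, the Deny statement is constructed.

```python
import fnmatch

ACCOUNT = "arn:aws:iot:us-east-1:123456972007"  # account prefix used on the slides


def arn_match(pattern: str, value: str) -> bool:
    """'*' matches any run of characters, including '/' and ':'."""
    return fnmatch.fnmatchcase(value, pattern)


def _as_list(v):
    return [v] if isinstance(v, str) else list(v)


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified evaluation: an explicit Deny wins over any Allow; otherwise
    the request is allowed only if some Allow statement matches it."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(arn_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(arn_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def overly_broad(policy: dict) -> list:
    """Indices of Allow statements that grant every action or every resource."""
    hits = []
    for i, stmt in enumerate(policy["Statement"]):
        actions, resources = _as_list(stmt["Action"]), _as_list(stmt["Resource"])
        if stmt["Effect"] == "Allow" and (
                "*" in actions or "iot:*" in actions or "*" in resources):
            hits.append(i)
    return hits


# Connect policy from the slides: one certificate, several applications on the
# device, each connecting with its own client ID suffix.
CONNECT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["iot:Connect"],
                   "Resource": f"{ACCOUNT}:client/MY-THING-NAME_*"}],
}

# Identity-pool role policy from the slides (Resource "*") next to the
# per-user scope-down policy that thing-name prefixing makes possible.
POOL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*",
                   "Action": ["iot:Connect", "iot:Publish", "iot:Subscribe",
                              "iot:Receive", "iot:GetThingShadow",
                              "iot:UpdateThingShadow"]}],
}
JOE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:UpdateThingShadow",
         "Resource": f"{ACCOUNT}:thing/joe-*"},
        # Constructed addition: a Deny for one decommissioned device still
        # wins against the wildcard Allow above.
        {"Effect": "Deny", "Action": "iot:*",
         "Resource": f"{ACCOUNT}:thing/joe-sprinkler999"},
    ],
}
```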
Page 66
Takeaways
• Application access is done through IAM roles/policies
• Cognito enables secure human control over IoT devices
• IoT scope-down policy supports fine-grained control
• Naming conventions simplify policy management
Page 67
Demo
• Creating Certificates
  • 1-click
  • CSR
• Just In Time Registration
Page 68
Requirements
• Secure Communications with Things
• Strong Thing Identity
• Fine-grained Authorization for:
  • Things
  • People
Page 69
Thank you!
John Rotach, @rotach
AWS IoT: https://aws.amazon.com/iot/
Documentation: https://aws.amazon.com/documentation/iot/
AWS Forums: https://forums.aws.amazon.com/forum.jspa?forumID=210