Best Practices of IoT Security in the Cloud
![Page 1: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/1.jpg)
© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
October 24, 2016
Best Practices for IoT
Security in the Cloud
![Page 2: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/2.jpg)
![Page 3: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/3.jpg)
AWS IoT Security
![Page 4: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/4.jpg)
All things around us are getting connected
![Page 5: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/5.jpg)
All things around us are getting connected
![Page 6: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/6.jpg)
Things will proliferate
Chart: Vertical Industry, Generic Industry, Consumer and Automotive things in 2013, 2015 and 2020 (Some, Many, Lots)
![Page 7: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/7.jpg)
Connected ≠ Smart
Internet 1985   IoT 2015
Gopher          HTTP
FTP             MQTT
NNTP            CoAP
Telnet          XMPP
Archie          AMQP
![Page 8: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/8.jpg)
In reality, it is even more complex
Layer        Standards
Application  HTTP, MQTT, AMQP, CoAP, XMPP
Network      IPv4, IPv6, 6LoWPAN, ZigBee, Z-Wave, Insteon
Physical     Ethernet, CAN, USB, 802.11, Bluetooth, 802.15.4, SPI
![Page 9: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/9.jpg)
A Simple Goal
![Page 10: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/10.jpg)
But my data isn't sensitive!
![Page 11: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/11.jpg)
Why do IoT at all?
Changes happen in the real world!
![Page 12: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/12.jpg)
The Risk
Changes happen in the real world!
Bad
![Page 13: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/13.jpg)
The Risk
Changes happen in the real world!
Bad
![Page 14: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/14.jpg)
Requirements
Secure Communications with Things
Strong Thing Identity
Fine-grained Authorization for:
Thing Management
Pub/Sub Data Access
AWS Service Access
![Page 15: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/15.jpg)
The System
Diagram: DynamoDB, Lambda, Kinesis
![Page 16: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/16.jpg)
The System
Diagram: DynamoDB, Lambda, Kinesis
![Page 17: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/17.jpg)
The System
Diagram: DynamoDB, Lambda, Kinesis
![Page 18: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/18.jpg)
The System
Diagram: DynamoDB, Lambda, Kinesis
![Page 19: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/19.jpg)
Requirements
Secure Communications with Things
Strong Thing Identity
Fine-grained Authorization for:
Thing Management
Pub/Sub Data Access
AWS Service Access
![Page 20: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/20.jpg)
Network Traffic Is Complex
04:07:18.045065 IP 85.119.83.194.1883 > 10.0.0.67.51210: Flags
[P.], seq 1586864891:1586864913, ack 820274045, win 227, options
[nop,nop,TS val 2390025928 ecr 577393885], length 22
0x0000: 4500 004a 3694 4000 2d06 639e 5577 53c2
0x0010: 0a00 0043 075b c80a 5e95 a2fb 30e4 637d
0x0020: 8018 00e3 66cd 0000 0101 080a 8e74 e6c8
0x0030: 226a 54dd 3214 0007 666f 6f2f 6261 7200
0x0040: 0454 656d 703a 2038 3346
![Page 21: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/21.jpg)
Network Tools Are Up To It
MQ Telemetry Transport Protocol
Publish Message
0011 0010 = Header Flags: 0x32 (Publish Message)
0011 .... = Message Type: Publish Message (3)
.... 0... = DUP Flag: Not set
.... .01. = QOS Level: Acknowledged deliver (1)
.... ...0 = Retain: Not set
Msg Len: 20
Topic: foo/bar
Message Identifier: 1
Message: Temp: 83F
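The hex dump on the "Network Traffic Is Complex" slide and the Wireshark dissection above show the same kind of packet from two angles. As an added example (my code, not from the deck), the Python below decodes the slide's own bytes, embedded as a constructed string, into the fields the dissector lists: it strips the IPv4 and TCP headers, then parses the MQTT fixed header, the variable-length "remaining length", the topic, the packet identifier and the payload. Only the standard library is used; the packet-type table and the field names are mine. The point to take from it is that everything, topic and payload included, is readable in the clear because this is plain MQTT on TCP port 1883, which is what the mutual-auth TLS slides that follow fix.

```python
# Added example, not from the deck: decode the tcpdump hex dump on the
# "Network Traffic Is Complex" slide into the MQTT PUBLISH fields that the
# Wireshark dissection on the next slide lists.  Standard library only.
import struct

# The packet bytes as printed by tcpdump on the slide (IPv4 + TCP + MQTT),
# embedded here as a constructed string so the example runs offline.
TCPDUMP_HEX = """
4500 004a 3694 4000 2d06 639e 5577 53c2
0a00 0043 075b c80a 5e95 a2fb 30e4 637d
8018 00e3 66cd 0000 0101 080a 8e74 e6c8
226a 54dd 3214 0007 666f 6f2f 6261 7200
0454 656d 703a 2038 3346
"""

MQTT_TYPES = {1: "CONNECT", 2: "CONNACK", 3: "PUBLISH", 4: "PUBACK",
              8: "SUBSCRIBE", 9: "SUBACK", 12: "PINGREQ", 13: "PINGRESP",
              14: "DISCONNECT"}


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn the whitespace-separated hex groups of a tcpdump -x dump into bytes."""
    return bytes.fromhex("".join(dump.split()))


def tcp_segment(frame: bytes) -> dict:
    """Peel the IPv4 and TCP headers off a raw packet; return endpoints and payload."""
    if frame[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (frame[0] & 0x0F) * 4                   # IP header length in bytes
    total_len = struct.unpack("!H", frame[2:4])[0]
    if total_len > len(frame):
        raise ValueError("truncated IP packet")
    if frame[9] != 6:
        raise ValueError("not TCP")
    src = ".".join(str(b) for b in frame[12:16])
    dst = ".".join(str(b) for b in frame[16:20])
    tcp = frame[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4                 # TCP header length incl. options
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "payload": tcp[data_off:]}


def decode_remaining_length(buf: bytes, pos: int):
    """MQTT 'remaining length': 1-4 bytes, 7 bits each, high bit = continuation."""
    value, multiplier = 0, 1
    for _ in range(4):
        byte = buf[pos]
        pos += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, pos
        multiplier *= 128
    raise ValueError("malformed remaining length")


def parse_mqtt_publish(buf: bytes) -> dict:
    """Parse one MQTT 3.1.1 PUBLISH control packet from the start of buf."""
    flags = buf[0]
    msg_type = flags >> 4
    if msg_type != 3:
        raise ValueError(f"expected PUBLISH, got {MQTT_TYPES.get(msg_type, msg_type)}")
    qos = (flags >> 1) & 0x03
    if qos == 3:
        raise ValueError("QoS 3 is reserved")     # a receiver must reject this
    remaining, pos = decode_remaining_length(buf, 1)
    end = pos + remaining
    if end > len(buf):
        raise ValueError("remaining length exceeds available bytes")
    topic_len = struct.unpack("!H", buf[pos:pos + 2])[0]
    pos += 2
    if pos + topic_len > end:
        raise ValueError("topic length exceeds packet")
    topic = buf[pos:pos + topic_len].decode("utf-8")
    pos += topic_len
    packet_id = None
    if qos > 0:                                   # packet identifier only for QoS 1 and 2
        packet_id = struct.unpack("!H", buf[pos:pos + 2])[0]
        pos += 2
    return {"type": MQTT_TYPES[msg_type], "header_flags": flags,
            "dup": bool(flags & 0x08), "qos": qos, "retain": bool(flags & 0x01),
            "remaining_length": remaining, "topic": topic,
            "packet_id": packet_id, "payload": buf[pos:end]}


def decode_frame(dump: str) -> dict:
    """Whole pipeline: hex dump -> TCP segment -> MQTT PUBLISH fields."""
    seg = tcp_segment(hexdump_to_bytes(dump))
    return {**seg, "mqtt": parse_mqtt_publish(seg["payload"])}


if __name__ == "__main__":
    info = decode_frame(TCPDUMP_HEX)
    print(f"{info['src']}:{info['sport']} -> {info['dst']}:{info['dport']}")
    for key, value in info["mqtt"].items():
        print(f"  {key}: {value}")
```

Decoding the slide's bytes gives QoS 1, remaining length 20, topic foo/bar and payload "Temp: 83F", all matching the dissector slide; the packet identifier in the dump is 4 rather than the 1 shown on the dissector slide, so the two slides evidently come from different captures.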
![Page 22: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/22.jpg)
Mutual Auth TLS
![Page 23: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/23.jpg)
Mutual Auth TLS
![Page 24: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/24.jpg)
Mutual Auth TLS
![Page 25: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/25.jpg)
Talking to Non-Things
Diagram: DynamoDB, Lambda, Kinesis
![Page 26: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/26.jpg)
AWS Auth + TLS
![Page 27: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/27.jpg)
One Service, Two Protocols
                 MQTT + Mutual Auth TLS   AWS Auth + HTTPS
Server Auth      TLS + Cert               TLS + Cert
Client Auth      TLS + Cert               AWS API Keys
Confidentiality  TLS                      TLS
Protocol         MQTT                     HTTP
![Page 28: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/28.jpg)
Requirements
Secure Communications with Things
Strong Thing Identity
Fine-grained Authorization for:
Thing Management
Pub/Sub Data Access
AWS Service Access
![Page 29: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/29.jpg)
Back To Certs and Keys
![Page 30: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/30.jpg)
AWS-Generated Keypair
![Page 31: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/31.jpg)
AWS-Generated Keypair
![Page 32: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/32.jpg)
AWS-Generated Keypair
![Page 33: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/33.jpg)
Actual Commands
$ aws iot create-keys-and-certificate --set-as-active
{
  "certificateArn": "arn:aws:iot:us-east-1:123456972007:cert/d7677b0…SNIP…026d9",
  "certificatePem": "-----BEGIN CERTIFICATE-----…SNIP…-----END CERTIFICATE-----",
  "keyPair": {
    "PublicKey": "-----BEGIN PUBLIC KEY-----…SNIP…-----END PUBLIC KEY-----",
    "PrivateKey": "-----BEGIN RSA PRIVATE KEY-----…SNIP…-----END RSA PRIVATE KEY-----"
  },
  "certificateId": "d7677b0…SNIP…026d9"
}
![Page 34: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/34.jpg)
AWS-Generated Keypair
![Page 35: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/35.jpg)
Client Generated Keypair
CSR
![Page 36: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/36.jpg)
Certificate Signing Request
Dear Certificate Authority,
I’d really like a certificate for %NAME%, as identified by
the keypair with public key %PUB_KEY%. If you could sign
a certificate for me with those parameters, it’d be super
spiffy.
Signed (Cryptographically),
- The holder of the private key
![Page 37: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/37.jpg)
Client Generated Keypair
CSR
![Page 38: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/38.jpg)
Client Generated Keypair
CSR
![Page 39: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/39.jpg)
Client Generated Keypair
CSR
![Page 40: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/40.jpg)
Client Generated Keypair
![Page 41: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/41.jpg)
Client Generated Keypair
![Page 42: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/42.jpg)
Client Generated Keypair
![Page 43: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/43.jpg)
Actual Commands
$ openssl genrsa -out ThingKeypair.pem 2048
Generating RSA private key, 2048 bit long modulus
....+++
...+++
e is 65537 (0x10001)
$ openssl req -new -key ThingKeypair.pem -out Thing.csr
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:NY
Locality Name (eg, city) [Default City]:New York
Organization Name (eg, company) [Default Company Ltd]:ACME
Organizational Unit Name (eg, section) []:Makers
Common Name (eg, your name or your server's hostname) []:John Smith
Email Address []:[email protected]
![Page 44: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/44.jpg)
Actual Commands
$ aws iot create-certificate-from-csr \
    --certificate-signing-request file://Thing.csr \
    --set-as-active
{
  "certificateArn": "arn:aws:iot:us-east-1:123456972007:cert/b5a396e…SNIP…400877b",
  "certificatePem": "-----BEGIN CERTIFICATE-----…SNIP…-----END CERTIFICATE-----",
  "certificateId": "b5a396e…SNIP…400877b"
}
![Page 45: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/45.jpg)
Private Key Protection – Test & Dev
$ openssl genrsa -out ThingKeypair.pem 2048
Generating RSA private key, 2048 bit long modulus
......................+++
.................................+++
e is 65537 (0x10001)
$ ls -l ThingKeypair.pem
-rw-rw-r-- 1 ec2-user ec2-user 1679 Sep 25 14:10 ThingKeypair.pem
$ chmod 400 ThingKeypair.pem ; ls -l ThingKeypair.pem
-r-------- 1 ec2-user ec2-user 1679 Sep 25 14:10 ThingKeypair.pem
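The chmod 400 above is done by hand; a device agent can enforce the same condition every time it starts. As an added example (my code, not from the deck), the check below refuses to load a private key file that is a symlink, is not owned by the running user, or has any group/other permission bits set. It uses only the standard library, and the dummy key file it writes for the demonstration is a constructed placeholder, not a real key.

```python
# Added example, not from the deck: a start-up check for the private key file,
# enforcing what the slide above does by hand with chmod 400.  Stdlib only.
import os
import stat
import tempfile


def key_file_problems(path: str) -> list:
    """Reasons not to load a private key from path; an empty list means it is acceptable."""
    try:
        st = os.lstat(path)                       # lstat: never follow a symlink silently
    except FileNotFoundError:
        return ["file is missing"]
    problems = []
    if stat.S_ISLNK(st.st_mode):
        problems.append("file is a symlink")
    elif not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_uid != os.geteuid():
        problems.append("not owned by the running user")
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):      # any group/other permission at all
        problems.append(f"group/other bits set (mode {mode:04o})")
    if mode & stat.S_IXUSR:
        problems.append("owner execute bit set")
    return problems


def demo() -> tuple:
    """Write a dummy key (constructed, not a real key) with the loose default mode,
    check it, tighten it to 0400 as on the slide, and check again."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ThingKeypair.pem")
        with open(path, "w") as f:
            f.write("-----BEGIN RSA PRIVATE KEY-----\nNOT-A-REAL-KEY\n-----END RSA PRIVATE KEY-----\n")
        os.chmod(path, 0o664)                     # -rw-rw-r--, as the slide starts out
        before = key_file_problems(path)
        os.chmod(path, 0o400)                     # chmod 400, as on the slide
        after = key_file_problems(path)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before chmod 400:", before or "ok")
    print("after  chmod 400:", after or "ok")
```

On a POSIX system the first check reports the group/other bits and the second reports nothing; an agent would refuse to start on the first result rather than connect with a key that any local user could have copied.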
![Page 46: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/46.jpg)
Private Key Protection – Software Threats
chroot
SELinux
OTP Fuses
![Page 47: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/47.jpg)
Private Key Protection – Hardware Threats
TPMs
Smartcards
Locks and Boxes
FIPS-style hardware
![Page 48: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/48.jpg)
Identity Revocation
$ aws iot list-certificates
{
  "certificateDescriptions": [
    {
      "certificateArn": "arn:aws:iot:us-east-1:123456972007:cert/d7677b0…SNIP…026d9",
      "status": "ACTIVE",
      "certificateId": "d7677b0…SNIP…026d9",
      "lastModifiedDate": 1443070900.491,
      "certificatePem": "-----BEGIN CERTIFICATE-----…SNIP…-----END CERTIFICATE-----",
      "ownedBy": "123456972007",
      "creationDate": 1443070900.491
    }
  ]
}
![Page 49: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/49.jpg)
Identity Revocation
$ aws iot update-certificate --certificate-id "d7677b0…SNIP…026d9" --new-status REVOKED
$ aws iot list-certificates
{
  "certificateDescriptions": [
    {
      "certificateArn": "arn:aws:iot:us-east-1:123456972007:cert/d7677b0…SNIP…026d9",
      "status": "REVOKED",
      "certificateId": "d7677b0…SNIP…026d9",
      "lastModifiedDate": 1443192020.792,
      "certificatePem": "-----BEGIN CERTIFICATE-----…SNIP…-----END CERTIFICATE-----",
      "ownedBy": "123456972007",
      "creationDate": 1443070900.491
    }
  ]
}
![Page 50: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/50.jpg)
Requirements
Secure Communications with Things
Strong Thing Identity
Fine-grained Authorization for:
Thing Management
Pub/Sub Data Access
AWS Service Access
![Page 51: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/51.jpg)
Managing Things
Diagram: DynamoDB, Lambda, Kinesis
![Page 52: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/52.jpg)
Managing Things
Diagram: DynamoDB, Lambda, Kinesis
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageCerts",
      "Action": [
        "iot:CreateKeysAndCertificate",
        "iot:CreateCertificateFromCsr",
        "iot:DescribeCertificate",
        "iot:UpdateCertificate",
        "iot:DeleteCertificate",
        "iot:ListCertificates"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
![Page 53: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/53.jpg)
Managing Things
Diagram: DynamoDB, Lambda, Kinesis
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RevokeOneThing",
      "Action": [
        "iot:UpdateCertificate"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:iot:us-east-1:123456972007:cert/d7677b0…SNIP…026d9",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "192.168.42.54"
        }
      }
    }
  ]
}
![Page 54: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/54.jpg)
Identity Federation
Diagram: DynamoDB, Lambda, Kinesis
![Page 55: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/55.jpg)
Requirements
Secure Communications with Things
Strong Thing Identity
Fine-grained Authorization for:
Thing Management
Pub/Sub Data Access
AWS Service Access
![Page 56: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/56.jpg)
Data Access Control – AWS APIs
Diagram: DynamoDB, Lambda, Kinesis
![Page 57: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/57.jpg)
Data Access Control – AWS APIs
Diagram: DynamoDB, Lambda, Kinesis
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Connect" ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:GetThingShadow" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456972007:thing/MyThing" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Publish" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456972007:topic/$aws/things/MyThing/shadow/update" ]
    }
  ]
}
![Page 58: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/58.jpg)
Mobile Users as Things
Diagram: DynamoDB, Lambda, Kinesis
![Page 59: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/59.jpg)
Mobile Users as Things
Diagram: DynamoDB, Lambda, Kinesis
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Connect" ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:GetThingShadow" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456972007:thing/${cognito-identity.amazonaws.com:aud}" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Publish" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456972007:topic/$aws/things/${cognito-identity.amazonaws.com:aud}/shadow/update" ]
    }
  ]
}
![Page 60: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/60.jpg)
Data Access Control - MQTT
Diagram: DynamoDB, Lambda, Kinesis
![Page 61: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/61.jpg)
Data Access Control - MQTT
Diagram: DynamoDB, Lambda, Kinesis
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Connect" ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Publish" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456972007:topic/$aws/things/MyThing/shadow/update" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Subscribe", "iot:Receive" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456972007:topicfilter/$aws/things/MyThing/shadow/*" ]
    }
  ]
}
![Page 62: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/62.jpg)
Actual Commands
$ cat MyThingPolicy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Connect" ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Publish" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456972007:topic/$aws/things/MyThing/shadow/update" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Subscribe", "iot:Receive" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456972007:topicfilter/$aws/things/MyThing/shadow/*" ]
    }
  ]
}
![Page 63: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/63.jpg)
Actual Commands
$ aws iot create-policy \
    --policy-name MyThingPolicy \
    --policy-document file://MyThingPolicy.json
{
  "policyName": "MyThingPolicy",
  "policyArn": "arn:aws:iot:us-east-1:123456972007:policy/MyThingPolicy",
  "policyDocument": "...SNIP...",
  "policyVersionId": "1"
}
$ aws iot attach-principal-policy \
    --principal "arn:aws:iot:us-east-1:123456972007:cert/b5a396e…SNIP…400877b" \
    --policy-name "MyThingPolicy"
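The policies on the Managing Things, Data Access Control and Mobile Users as Things slides all rest on the same few mechanics: resource ARNs with wildcards, a policy variable filled in from the caller's identity, and an optional condition. To make those mechanics concrete, here is an added example (my code, not AWS's evaluation engine and not from the deck) of a small evaluator that applies the slide policies to sample requests. It models only what the slides use: Allow/Deny with implicit deny, the * and ? wildcards, substitution of ${cognito-identity.amazonaws.com:aud}, and the IpAddress condition on aws:SourceIp. The account id and ARNs are the ones on the slides; the certificate id is a labelled placeholder because the slides elide it; the client/... ARN form used for the iot:Connect request is a resource type AWS IoT supports but the slides do not show.

```python
# Added example, not from the deck or from AWS: a toy evaluator for the AWS IoT
# policy documents shown on the slides.  It models only what those policies use
# (Allow/Deny with implicit deny, "*" and "?" wildcards in Action and Resource,
# the ${cognito-identity.amazonaws.com:aud} policy variable, and the IpAddress
# condition on aws:SourceIp).  It is a teaching model, not the AWS engine.
import ipaddress
import re

ACCOUNT = "123456972007"                     # account id used throughout the slides
IOT = f"arn:aws:iot:us-east-1:{ACCOUNT}"
CERT_ID = "d7677b0-SNIP-026d9"               # placeholder: the slides elide the real id


def iot_arn(kind: str, path: str) -> str:
    """Build an AWS IoT ARN such as .../topic/foo or .../client/MyThing."""
    return f"{IOT}:{kind}/{path}"


# "Data Access Control - MQTT" slide (wrapped ARNs joined).
MY_THING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iot:Connect"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["iot:Publish"],
         "Resource": [iot_arn("topic", "$aws/things/MyThing/shadow/update")]},
        {"Effect": "Allow", "Action": ["iot:Subscribe", "iot:Receive"],
         "Resource": [iot_arn("topicfilter", "$aws/things/MyThing/shadow/*")]},
    ],
}

# "Mobile Users as Things" slide: the thing name is the caller's Cognito identity.
COGNITO_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iot:Connect"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["iot:GetThingShadow"],
         "Resource": [iot_arn("thing", "${cognito-identity.amazonaws.com:aud}")]},
        {"Effect": "Allow", "Action": ["iot:Publish"],
         "Resource": [iot_arn("topic", "$aws/things/${cognito-identity.amazonaws.com:aud}/shadow/update")]},
    ],
}

# "RevokeOneThing" statement from the "Managing Things" slide, with its source-IP condition.
REVOKE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "RevokeOneThing", "Effect": "Allow",
        "Action": ["iot:UpdateCertificate"],
        "Resource": iot_arn("cert", CERT_ID),
        "Condition": {"IpAddress": {"aws:SourceIp": "192.168.42.54"}},
    }],
}


def _aslist(v):
    return v if isinstance(v, list) else [v]


def _wildcard(pattern: str, value: str) -> bool:
    """IAM-style match: '*' is any run of characters, '?' any single one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _substitute(s: str, ctx: dict) -> str:
    """Fill ${var} from the request context; an unknown variable stays literal and so never matches."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), m.group(0)), s)


def _condition_holds(cond: dict, ctx: dict) -> bool:
    for op, tests in cond.items():
        if op not in ("IpAddress", "NotIpAddress"):
            raise NotImplementedError(f"condition operator {op} not modelled here")
        for key, allowed in tests.items():
            if key not in ctx:                    # missing context key: condition cannot hold
                return False
            addr = ipaddress.ip_address(ctx[key])
            hit = any(addr in ipaddress.ip_network(n, strict=False) for n in _aslist(allowed))
            if hit != (op == "IpAddress"):
                return False
    return True


def evaluate(policy: dict, action: str, resource: str, ctx: dict = None) -> str:
    """Return "Allow" or "Deny": an explicit Deny wins, else any matching Allow, else implicit Deny."""
    ctx = ctx or {}
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not any(_wildcard(a.lower(), action.lower()) for a in _aslist(stmt["Action"])):
            continue
        if not any(_wildcard(_substitute(r, ctx), resource) for r in _aslist(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    # MyThing may only touch its own shadow topics, not another thing's.
    print(evaluate(MY_THING_POLICY, "iot:Publish", iot_arn("topic", "$aws/things/MyThing/shadow/update")))
    print(evaluate(MY_THING_POLICY, "iot:Publish", iot_arn("topic", "$aws/things/OtherThing/shadow/update")))
    # Revocation is allowed only from the administrative address named in the condition.
    print(evaluate(REVOKE_POLICY, "iot:UpdateCertificate", iot_arn("cert", CERT_ID), {"aws:SourceIp": "10.0.0.5"}))
```

Two things the runs make visible that the JSON alone does not: a subscription to a broader filter such as $aws/things/MyThing/# is denied because the topicfilter resource only covers shadow/*, and a request arriving with no Cognito identity is denied because the unresolved variable never matches any real thing name. The iot:Connect statement with Resource "*" is the one place these slide policies are not scoped; restricting it to the thing's own client/<clientId> ARN would close that gap.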
![Page 64: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/64.jpg)
Protocol Convergence
                 MQTT + Mutual Auth TLS   AWS Auth + HTTPS
Server Auth      TLS + Cert               TLS + Cert
Client Auth      TLS + Cert               AWS API Keys
Confidentiality  TLS                      TLS
Protocol         MQTT                     HTTP
Identification   AWS ARNs                 AWS ARNs
Authorization    AWS Policy               AWS Policy
![Page 65: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/65.jpg)
Requirements
Secure Communications with Things
Strong Thing Identity
Fine-grained Authorization for:
Thing Management
Pub/Sub Data Access
AWS Service Access
![Page 66: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/66.jpg)
Rules and Services
Diagram: DynamoDB, Lambda, Kinesis
![Page 67: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/67.jpg)
Actual Commands
$ cat ThingRoleTrustPolicy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "iot.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
![Page 68: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/68.jpg)
Actual Commands
$ aws iam create-role \
    --role-name thing-actions-role \
    --assume-role-policy-document file://ThingRoleTrustPolicy.json
{
  "Role": {
    "AssumeRolePolicyDocument": …SNIP…
    "RoleId": "AROAIQ4HBGG7V7F27E32K",
    "CreateDate": "2015-09-27T16:29:56.438Z",
    "RoleName": "thing-actions-role",
    "Path": "/",
    "Arn": "arn:aws:iam::123456972007:role/thing-actions-role"
  }
}
![Page 69: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/69.jpg)
Actual Commands
$ cat ThingRolePolicy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DDBAccess",
      "Action": [
        "dynamodb:PutItem",
        "dynamodb:UpdateItem"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:dynamodb:us-east-1:123456972007:table/MyThingTable"
    }
  ]
}
![Page 70: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/70.jpg)
Actual Commands
$ aws iam create-policy \
    --policy-name thing-role-policy \
    --policy-document file://ThingRolePolicy.json
{
  "Policy": {
    "PolicyName": "thing-role-policy",
    "CreateDate": "2015-09-27T16:32:17.998Z",
    "AttachmentCount": 0,
    "IsAttachable": true,
    "PolicyId": "ANPAINCEAOD5EEXOLZWAI",
    "DefaultVersionId": "v1",
    "Path": "/",
    "Arn": "arn:aws:iam::123456972007:policy/thing-role-policy",
    "UpdateDate": "2015-09-27T16:32:17.998Z"
  }
}
$ aws iam attach-role-policy \
    --role-name "thing-actions-role" \
    --policy-arn "arn:aws:iam::123456972007:policy/thing-role-policy"
![Page 71: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/71.jpg)
Building AWS Things
![Page 72: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/72.jpg)
Industrial Example
Diagram: Manufacturer, Vendor, End User
Key Pair
Certificate
App
![Page 73: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/73.jpg)
Key Pair
Certificate
App
Industrial Example
Diagram: Manufacturer, Vendor, End User
![Page 74: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/74.jpg)
Industrial Example
Key Pair
Certificate
App
Diagram: Manufacturer, Vendor, End User
![Page 75: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/75.jpg)
Industrial Example
Key Pair
Certificate
App
Diagram: Manufacturer, Vendor, End User
![Page 76: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/76.jpg)
Consumer Example
![Page 77: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/77.jpg)
Consumer Example
Key Pair
Certificate
App
Manufacturer Vendor
![Page 78: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/78.jpg)
Consumer Example
Key Pair
Certificate
App
Manufacturer Vendor
![Page 79: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/79.jpg)
Consumer Example
Key Pair
Certificate
App
Diagram: Manufacturer, Vendor, End User
![Page 80: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/80.jpg)
Claiming a Thing
service.awsthermostat.com
![Page 81: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/81.jpg)
Claiming a Thing
service.awsthermostat.com
![Page 82: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/82.jpg)
Claiming a Thing
service.awsthermostat.com
![Page 83: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/83.jpg)
Claiming a Thing
service.awsthermostat.com
![Page 84: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/84.jpg)
Claiming a Thing
service.awsthermostat.com
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Connect" ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Publish" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456972007:topic/$aws/things/%COGNITO_ID%/shadow/update" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Subscribe", "iot:Receive" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456972007:topicfilter/$aws/things/%COGNITO_ID%/shadow/*" ]
    }
  ]
}
![Page 85: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/85.jpg)
Using a Thing
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Connect" ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Publish" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456972007:topic/$aws/things/${cognito-identity.amazonaws.com:aud}/shadow/update" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Subscribe", "iot:Receive" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456972007:topicfilter/$aws/things/${cognito-identity.amazonaws.com:aud}/shadow/*" ]
    }
  ]
}
![Page 86: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/86.jpg)
Consumer Example
Key Pair
Certificate
App
Diagram: Manufacturer, Vendor, End User
![Page 87: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/87.jpg)
Requirements
Secure Communications with Things
Strong Thing Identity
Fine-grained Authorization for:
Thing Management
Pub/Sub Data Access
AWS Service Access
![Page 88: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/88.jpg)
Two Secure Protocols
![Page 89: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/89.jpg)
Bootstrapping Identity
CSR
![Page 90: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/90.jpg)
Flexible, Consistent Access Control
Diagram: DynamoDB, Lambda, Kinesis
![Page 91: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/91.jpg)
All attendees will receive a special giveaway gift!
Please join us for the
AWS DevDay Networking Reception
5:00 - 6:30 PM
JW Grand Foyer
![Page 92: Best Practices of IoT Security in the Cloud](https://reader031.fdocuments.net/reader031/viewer/2022030317/586fc7341a28aba24c8b5fc9/html5/thumbnails/92.jpg)
Thank you!