February 2016 Webinar Series - Best Practices for IoT Security in the Cloud
Page 1
Best Practices for IoT Security in the Cloud
John Burry, AWS Principal Solutions Architect
February 25, 2016
© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Page 2
AWS IoT Security
Page 3
All things around us are getting connected

Page 5
Things will proliferate
Chart: 2013, 2015, 2020; device categories Vertical Industry, Generic Industry, Consumer, Automotive; scale Some, Lots, Many.

Page 6
Connected ≠ Smart
Internet (1985)    IoT (2015)
Gopher             HTTP
FTP                MQTT
NNTP               CoAP
Telnet             XMPP
Archie             AMQP

Page 7
In reality, it is even more complex
Layer         Standards
Application   HTTP, MQTT, AMQP, CoAP, XMPP
Network       IPv4, IPv6, 6LoWPAN, ZigBee, Z-Wave, Insteon
Physical      Ethernet, CAN, USB, 802.11, Bluetooth, 802.15.4, SPI

Page 8
A Simple Goal

Page 9
But my data isn't sensitive!

Page 10
Why do IoT at all?
Changes happen in the real world!

Page 11
The Risk
Changes happen in the real world!
Bad
Page 13
Requirements
Secure Communications with Things
Strong Thing Identity
Fine-grained Authorization for:
  Thing Management
  Pub/Sub Data Access
  AWS Service Access

Page 14
The System
Diagram: AWS IoT system with DynamoDB, Lambda and Kinesis.

Page 18
Requirements
Secure Communications with Things
Strong Thing Identity
Fine-grained Authorization for:
  Thing Management
  Pub/Sub Data Access
  AWS Service Access
Page 19
Network Traffic Is Complex
04:07:18.045065 IP 85.119.83.194.1883 > 10.0.0.67.51210: Flags [P.], seq 1586864891:1586864913, ack 820274045, win 227, options [nop,nop,TS val 2390025928 ecr 577393885], length 22
    0x0000:  4500 004a 3694 4000 2d06 639e 5577 53c2
    0x0010:  0a00 0043 075b c80a 5e95 a2fb 30e4 637d
    0x0020:  8018 00e3 66cd 0000 0101 080a 8e74 e6c8
    0x0030:  226a 54dd 3214 0007 666f 6f2f 6261 7200
    0x0040:  0454 656d 703a 2038 3346

Page 20
Network Tools Are Up To It
MQ Telemetry Transport Protocol, Publish Message
    0011 0010 = Header Flags: 0x32 (Publish Message)
    0011 .... = Message Type: Publish Message (3)
    .... 0... = DUP Flag: Not set
    .... .01. = QOS Level: Acknowledged deliver (1)
    .... ...0 = Retain: Not set
    Msg Len: 20
    Topic: foo/bar
    Message Identifier: 1
    Message: Temp: 83F
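The packet on these two slides is an MQTT PUBLISH sent in the clear on port 1883: the topic and the temperature reading are readable by anyone on the path, which is the point the deck makes before it moves to TLS. The following parser is an added example, not part of the webinar: it takes the tcpdump hex columns from the slide (embedded here as a constructed string), walks the IPv4 and TCP headers, and decodes the MQTT fixed header, the variable-length "remaining length" field, the topic, the packet identifier and the payload. Note that the bytes on the slide decode to packet identifier 4, while the Wireshark output shows identifier 1, so the two slides come from different messages of the same kind.

```python
import struct

# Constructed input: the hex columns of the tcpdump -x output on the slide
# (a plaintext MQTT PUBLISH from broker port 1883 to a client).
TCPDUMP_HEX = """\
0x0000: 4500 004a 3694 4000 2d06 639e 5577 53c2
0x0010: 0a00 0043 075b c80a 5e95 a2fb 30e4 637d
0x0020: 8018 00e3 66cd 0000 0101 080a 8e74 e6c8
0x0030: 226a 54dd 3214 0007 666f 6f2f 6261 7200
0x0040: 0454 656d 703a 2038 3346
"""

MQTT_TYPES = {1: "CONNECT", 2: "CONNACK", 3: "PUBLISH", 4: "PUBACK",
              8: "SUBSCRIBE", 9: "SUBACK", 12: "PINGREQ", 13: "PINGRESP",
              14: "DISCONNECT"}


def hexdump_to_bytes(dump):
    """Turn 'offset: xxxx xxxx ...' lines back into the raw packet bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        _offset, _, words = line.partition(":")
        out += bytes.fromhex(words.replace(" ", ""))
    return bytes(out)


def tcp_payload(packet):
    """Strip the IPv4 and TCP headers; both can carry variable-length options."""
    if packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 6:
        raise ValueError("not TCP")
    tcp = packet[ihl:total_len]
    data_offset = (tcp[12] >> 4) * 4
    return tcp[data_offset:]


def decode_remaining_length(buf, pos):
    """MQTT variable-length integer: 7 bits per byte, high bit = continue, at most 4 bytes."""
    value, multiplier = 0, 1
    for _ in range(4):
        if pos >= len(buf):
            raise ValueError("truncated remaining length")
        byte = buf[pos]
        pos += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, pos
        multiplier *= 128
    raise ValueError("malformed remaining length")


def parse_mqtt_publish(buf):
    """Decode an MQTT 3.1.1 PUBLISH control packet into its fields."""
    flags = buf[0]
    ptype = flags >> 4
    if ptype != 3:
        raise ValueError("not a PUBLISH packet: %s" % MQTT_TYPES.get(ptype, ptype))
    dup = bool(flags & 0x08)
    qos = (flags >> 1) & 0x03
    retain = bool(flags & 0x01)
    if qos == 3:
        raise ValueError("QoS 3 is reserved")
    remaining, pos = decode_remaining_length(buf, 1)
    end = pos + remaining
    if end > len(buf):
        raise ValueError("packet truncated")
    topic_len = struct.unpack("!H", buf[pos:pos + 2])[0]
    pos += 2
    topic = buf[pos:pos + topic_len].decode("utf-8")
    pos += topic_len
    packet_id = None
    if qos > 0:  # the packet identifier is only present for QoS 1 and 2
        packet_id = struct.unpack("!H", buf[pos:pos + 2])[0]
        pos += 2
    return {"type": "PUBLISH", "dup": dup, "qos": qos, "retain": retain,
            "remaining_length": remaining, "topic": topic,
            "packet_id": packet_id, "payload": buf[pos:end]}


def decode_capture(dump=TCPDUMP_HEX):
    """Full pipeline: hex dump -> raw packet -> TCP payload -> MQTT fields."""
    return parse_mqtt_publish(tcp_payload(hexdump_to_bytes(dump)))


if __name__ == "__main__":
    msg = decode_capture()
    print("topic=%s qos=%d id=%s payload=%r"
          % (msg["topic"], msg["qos"], msg["packet_id"], msg["payload"]))
```

Everything the parser recovers (topic `foo/bar`, payload `Temp: 83F`) is exactly what a passive observer recovers; the mutual-auth TLS on the next slides is what takes that away.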
Page 21
Mutual Auth TLS

Page 24
Talking to Non-Things
Diagram: AWS IoT system with DynamoDB, Lambda and Kinesis.

Page 25
AWS Auth + TLS

Page 26
One Service, Two Protocols
                  MQTT + Mutual Auth TLS    AWS Auth + HTTPS
Server Auth       TLS + Cert                TLS + Cert
Client Auth       TLS + Cert                AWS API Keys
Confidentiality   TLS                       TLS
Protocol          MQTT                      HTTP

Page 27
Requirements
Secure Communications with Things
Strong Thing Identity
Fine-grained Authorization for:
  Thing Management
  Pub/Sub Data Access
  AWS Service Access

Page 28
Back To Certs and Keys
Page 29
AWS-Generated Keypair
CreateKeysAndCertificate()

Page 32
Actual Commands
$ aws iot create-keys-and-certificate --set-as-active
{
    "certificateArn": "arn:aws:iot:us-east-1:123456972007:cert/d7677b0…SNIP…026d9",
    "certificatePem": "-----BEGIN CERTIFICATE-----…SNIP…-----END CERTIFICATE-----",
    "keyPair": {
        "PublicKey": "-----BEGIN PUBLIC KEY-----…SNIP…-----END PUBLIC KEY-----",
        "PrivateKey": "-----BEGIN RSA PRIVATE KEY-----…SNIP…-----END RSA PRIVATE KEY-----"
    },
    "certificateId": "d7677b0…SNIP…026d9"
}

Page 34
Client Generated Keypair
CSR

Page 35
Certificate Signing Request
Dear Certificate Authority,
I'd really like a certificate for %NAME%, as identified by the keypair with public key %PUB_KEY%. If you could sign a certificate for me with those parameters, it'd be super spiffy.
Signed (Cryptographically),
- The holder of the private key

Page 37
Client Generated Keypair
CSR
CreateCertificateFromCSR(CSR)

Page 42
Actual Commands
$ openssl genrsa -out ThingKeypair.pem 2048
Generating RSA private key, 2048 bit long modulus
....+++
...+++
e is 65537 (0x10001)

$ openssl req -new -key ThingKeypair.pem -out Thing.csr
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:NY
Locality Name (eg, city) [Default City]:New York
Organization Name (eg, company) [Default Company Ltd]:ACME
Organizational Unit Name (eg, section) []:Makers
Common Name (eg, your name or your server's hostname) []:John Smith
Email Address []:[email protected]

Page 43
Actual Commands
$ aws iot create-certificate-from-csr \
    --certificate-signing-request file://Thing.csr \
    --set-as-active
{
    "certificateArn": "arn:aws:iot:us-east-1:123456972007:cert/b5a396e…SNIP…400877b",
    "certificatePem": "-----BEGIN CERTIFICATE-----…SNIP…-----END CERTIFICATE-----",
    "certificateId": "b5a396e…SNIP…400877b"
}

Page 44
Private Key Protection – Test & Dev
$ openssl genrsa -out ThingKeypair.pem 2048
Generating RSA private key, 2048 bit long modulus
......................+++
.................................+++
e is 65537 (0x10001)

$ ls -l ThingKeypair.pem
-rw-rw-r-- 1 ec2-user ec2-user 1679 Sep 25 14:10 ThingKeypair.pem

$ chmod 400 ThingKeypair.pem ; ls -l ThingKeypair.pem
-r-------- 1 ec2-user ec2-user 1679 Sep 25 14:10 ThingKeypair.pem
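The chmod 400 step above is a one-off; a device agent that loads the key can also verify that state every time it starts and refuse to run otherwise. The following audit is an added example and not from the webinar: it checks the mode bits, the owner and whether the PEM is encrypted, and applies the same chmod 400 as the slide. The key file it operates on is constructed (a PEM header with a snipped body); the file name `ThingKeypair.pem` and the starting mode `-rw-rw-r--` are taken from the slide. It assumes a POSIX filesystem.

```python
import os
import stat
import tempfile

# Standard OpenSSL PEM markers: any "PRIVATE KEY-----" header is a private key;
# these two markers indicate the key material is password-encrypted at rest.
PRIVATE_MARKERS = (b"PRIVATE KEY-----",)
ENCRYPTED_MARKERS = (b"ENCRYPTED PRIVATE KEY", b"Proc-Type: 4,ENCRYPTED")


def audit_private_key(path):
    """Return a list of findings; an empty list means the file passes."""
    findings = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        findings.append("path is a symlink; audit the target explicitly")
        return findings
    if not stat.S_ISREG(st.st_mode):
        findings.append("not a regular file")
        return findings
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("group/other bits set (mode %04o); expected 0400" % mode)
    if mode & stat.S_IWUSR:
        findings.append("owner-writable; the key should be read-only once installed")
    if mode & stat.S_IXUSR:
        findings.append("owner-executable bit set")
    if st.st_uid != os.geteuid():
        findings.append("owned by uid %d, not the running process (uid %d)"
                        % (st.st_uid, os.geteuid()))
    with open(path, "rb") as f:
        head = f.read(4096)
    if not any(m in head for m in PRIVATE_MARKERS):
        findings.append("no PEM private key header found")
    elif not any(m in head for m in ENCRYPTED_MARKERS):
        findings.append("key is stored unencrypted; acceptable for test/dev only")
    return findings


def harden_private_key(path):
    """Apply the slide's chmod 400 and return the resulting mode."""
    os.chmod(path, stat.S_IRUSR)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Constructed sample: an unencrypted PEM key left at -rw-rw-r-- as on the slide."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "ThingKeypair.pem")
    with open(path, "wb") as f:
        f.write(b"-----BEGIN RSA PRIVATE KEY-----\n"
                b"MIIE...SNIP...\n"          # constructed, not a real key
                b"-----END RSA PRIVATE KEY-----\n")
    os.chmod(path, 0o664)                    # the -rw-rw-r-- state from the slide
    before = audit_private_key(path)
    mode = harden_private_key(path)
    after = audit_private_key(path)
    return before, mode, after


if __name__ == "__main__":
    before, mode, after = demo()
    print("before:", before)
    print("after chmod %04o:" % mode, after)
```

The one finding that survives the chmod, the unencrypted key, is precisely why the slide labels this approach "Test & Dev"; the next two slides list what replaces it on a production device.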
Page 45
Private Key Protection – Software Threats
chroot
SELinux
OTP Fuses

Page 46
Private Key Protection – Hardware Threats
TPMs
Smartcards
Locks and Boxes
FIPS-style hardware

Page 47
Identity Revocation
$ aws iot list-certificates
{
    "certificateDescriptions": [
        {
            "certificateArn": "arn:aws:iot:us-east-1:123456972007:cert/d7677b0…SNIP…026d9",
            "status": "ACTIVE",
            "certificateId": "d7677b0…SNIP…026d9",
            "lastModifiedDate": 1443070900.491,
            "certificatePem": "-----BEGIN CERTIFICATE-----…SNIP…-----END CERTIFICATE-----",
            "ownedBy": "123456972007",
            "creationDate": 1443070900.491
        }
    ]
}

Page 48
Identity Revocation
$ aws iot update-certificate --certificate-id "d7677b0…SNIP…026d9" --new-status REVOKED

$ aws iot list-certificates
{
    "certificateDescriptions": [
        {
            "certificateArn": "arn:aws:iot:us-east-1:123456972007:cert/d7677b0…SNIP…026d9",
            "status": "REVOKED",
            "certificateId": "d7677b0…SNIP…026d9",
            "lastModifiedDate": 1443192020.792,
            "certificatePem": "-----BEGIN CERTIFICATE-----…SNIP…-----END CERTIFICATE-----",
            "ownedBy": "123456972007",
            "creationDate": 1443070900.491
        }
    ]
}
Page 49
Requirements
Secure Communications with Things
Strong Thing Identity
Fine-grained Authorization for:
  Thing Management
  Pub/Sub Data Access
  AWS Service Access

Page 50
Managing Things
Diagram: AWS IoT system with DynamoDB, Lambda and Kinesis.

Page 51
Managing Things
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageCerts",
      "Action": [
        "iot:CreateKeysAndCertificate",
        "iot:CreateCertificateFromCsr",
        "iot:DescribeCertificate",
        "iot:UpdateCertificate",
        "iot:DeleteCertificate",
        "iot:ListCertificates"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Page 52
Managing Things
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RevokeOneThing",
      "Action": ["iot:UpdateCertificate"],
      "Effect": "Allow",
      "Resource": "arn:aws:iot:us-east-1:123456972007:cert/d7677b0…SNIP…026d9",
      "Condition": {
        "IpAddress": {"aws:SourceIp": "192.168.42.54"}
      }
    }
  ]
}

Page 53
Identity Federation
Diagram: AWS IoT system with DynamoDB, Lambda and Kinesis.

Page 54
Requirements
Secure Communications with Things
Strong Thing Identity
Fine-grained Authorization for:
  Thing Management
  Pub/Sub Data Access
  AWS Service Access

Page 55
Data Access Control – AWS APIs
Diagram: AWS IoT system with DynamoDB, Lambda and Kinesis.

Page 56
Data Access Control – AWS APIs
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["iot:Connect"], "Resource": "*"},
    {
      "Effect": "Allow",
      "Action": ["iot:GetThingShadow"],
      "Resource": ["arn:aws:iot:us-east-1:123456972007:thing/MyThing"]
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Publish"],
      "Resource": ["arn:aws:iot:us-east-1:123456972007:topic/$aws/things/MyThing/shadow/update"]
    }
  ]
}

Page 57
Mobile Users as Things
Diagram: AWS IoT system with DynamoDB, Lambda and Kinesis.

Page 58
Mobile Users as Things
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["iot:Connect"], "Resource": "*"},
    {
      "Effect": "Allow",
      "Action": ["iot:GetThingShadow"],
      "Resource": ["arn:aws:iot:us-east-1:123456972007:thing/${cognito-identity.amazonaws.com:aud}"]
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Publish"],
      "Resource": ["arn:aws:iot:us-east-1:123456972007:topic/$aws/things/${cognito-identity.amazonaws.com:aud}/shadow/update"]
    }
  ]
}

Page 59
Data Access Control - MQTT
Diagram: AWS IoT system with DynamoDB, Lambda and Kinesis.

Page 60
Data Access Control - MQTT
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["iot:Connect"], "Resource": "*"},
    {
      "Effect": "Allow",
      "Action": ["iot:Publish"],
      "Resource": ["arn:aws:iot:us-east-1:123456972007:topic/$aws/things/MyThing/shadow/update"]
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Subscribe", "iot:Receive"],
      "Resource": ["arn:aws:iot:us-east-1:123456972007:topicfilter/$aws/things/MyThing/shadow/*"]
    }
  ]
}

Page 61
Actual Commands
$ cat MyThingPolicy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["iot:Connect"], "Resource": "*"},
    {
      "Effect": "Allow",
      "Action": ["iot:Publish"],
      "Resource": ["arn:aws:iot:us-east-1:123456972007:topic/$aws/things/MyThing/shadow/update"]
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Subscribe", "iot:Receive"],
      "Resource": ["arn:aws:iot:us-east-1:123456972007:topicfilter/$aws/things/MyThing/shadow/*"]
    }
  ]
}

Page 62
Actual Commands
$ aws iot create-policy \
    --policy-name MyThingPolicy \
    --policy-document file://MyThingPolicy.json
{
    "policyName": "MyThingPolicy",
    "policyArn": "arn:aws:iot:us-east-1:123456972007:policy/MyThingPolicy",
    "policyDocument": "...SNIP...",
    "policyVersionId": "1"
}

$ aws iot attach-principal-policy \
    --principal "arn:aws:iot:us-east-1:123456972007:cert/b5a396e…SNIP…400877b" \
    --policy-name "MyThingPolicy"
Page 63
Protocol Convergence
                  MQTT + Mutual Auth TLS    AWS Auth + HTTPS
Server Auth       TLS + Cert                TLS + Cert
Client Auth       TLS + Cert                AWS API Keys
Confidentiality   TLS                       TLS
Protocol          MQTT                      HTTP
Identification    AWS ARNs                  AWS ARNs
Authorization     AWS Policy                AWS Policy

Page 64
Requirements
Secure Communications with Things
Strong Thing Identity
Fine-grained Authorization for:
  Thing Management
  Pub/Sub Data Access
  AWS Service Access

Page 65
Rules and Services
Diagram: AWS IoT system with DynamoDB, Lambda and Kinesis.

Page 66
Actual Commands
$ cat ThingRoleTrustPolicy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {"Service": "iot.amazonaws.com"},
      "Action": "sts:AssumeRole"
    }
  ]
}

Page 67
Actual Commands
$ aws iam create-role \
    --role-name thing-actions-role \
    --assume-role-policy-document file://ThingRoleTrustPolicy.json
{
    "Role": {
        "AssumeRolePolicyDocument": …SNIP…
        "RoleId": "AROAIQ4HBGG7V7F27E32K",
        "CreateDate": "2015-09-27T16:29:56.438Z",
        "RoleName": "thing-actions-role",
        "Path": "/",
        "Arn": "arn:aws:iam::123456972007:role/thing-actions-role"
    }
}

Page 68
Actual Commands
$ cat ThingRolePolicy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DDBAccess",
      "Action": ["dynamodb:PutItem", "dynamodb:UpdateItem"],
      "Effect": "Allow",
      "Resource": "arn:aws:dynamodb:us-east-1:123456972007:table/MyThingTable"
    }
  ]
}

Page 69
Actual Commands
$ aws iam create-policy \
    --policy-name thing-role-policy \
    --policy-document file://ThingRolePolicy.json
{
    "Policy": {
        "PolicyName": "thing-role-policy",
        "CreateDate": "2015-09-27T16:32:17.998Z",
        "AttachmentCount": 0,
        "IsAttachable": true,
        "PolicyId": "ANPAINCEAOD5EEXOLZWAI",
        "DefaultVersionId": "v1",
        "Path": "/",
        "Arn": "arn:aws:iam::123456972007:policy/thing-role-policy",
        "UpdateDate": "2015-09-27T16:32:17.998Z"
    }
}

$ aws iam attach-role-policy \
    --role-name "thing-actions-role" \
    --policy-arn "arn:aws:iam::123456972007:policy/thing-role-policy"
Page 70
Building AWS Things

Page 71
Industrial Example
Diagram: Manufacturer, Vendor and End User; artifacts: Key Pair, Certificate, App.

Page 72
Industrial Example
Diagram: Manufacturer, Vendor and End User; artifacts: Key Pair, Certificate, App; CreateCertificateFromCSR(CSR).

Page 75
Consumer Example

Page 76
Consumer Example
Diagram: Manufacturer and Vendor; artifacts: Key Pair, Certificate, App.

Page 77
Consumer Example
Diagram: Manufacturer and Vendor; artifacts: Key Pair, Certificate, App; CreateKeysAndCertificate().

Page 78
Consumer Example
Diagram: Manufacturer, Vendor and End User; artifacts: Key Pair, Certificate, App.
Page 79
Claiming a Thing
service.awsthermostat.com

Page 80
Claiming a Thing
service.awsthermostat.com
hello()

Page 81
Claiming a Thing
service.awsthermostat.com
hello()
Cognito Login

Page 83
Claiming a Thing
service.awsthermostat.com
hello()
Cognito Login
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["iot:Connect"], "Resource": "*"},
    {
      "Effect": "Allow",
      "Action": ["iot:Publish"],
      "Resource": ["arn:aws:iot:us-east-1:123456972007:topic/$aws/things/%COGNITO_ID%/shadow/update"]
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Subscribe", "iot:Receive"],
      "Resource": ["arn:aws:iot:us-east-1:123456972007:topicfilter/$aws/things/%COGNITO_ID%/shadow/*"]
    }
  ]
}

Page 84
Using a Thing
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["iot:Connect"], "Resource": "*"},
    {
      "Effect": "Allow",
      "Action": ["iot:Publish"],
      "Resource": ["arn:aws:iot:us-east-1:123456972007:topic/$aws/things/${cognito-identity.amazonaws.com:aud}/shadow/update"]
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Subscribe", "iot:Receive"],
      "Resource": ["arn:aws:iot:us-east-1:123456972007:topicfilter/$aws/things/${cognito-identity.amazonaws.com:aud}/shadow/*"]
    }
  ]
}
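The policies on the "Data Access Control", "Mobile Users as Things" and "Using a Thing" slides all rely on two mechanisms: IAM-style wildcard matching of ARNs, and policy variables such as ${cognito-identity.amazonaws.com:aud} that are resolved from the caller's identity before matching, so one policy document scopes every user to their own shadow topics. The following evaluator is an added example, not AWS's policy engine and not part of the webinar: it reproduces that evaluation (default deny, explicit Deny wins, `*`/`?` wildcards, variable substitution) over the "Using a Thing" policy from the slide above, and adds a least-privilege lint that flags data-plane actions granted on Resource "*". The Cognito identity values in the demo are constructed; the account id and ARN layout are the slides'.

```python
import json
import re

# The "Using a Thing" policy from the slide above (page 84), as valid JSON.
USING_A_THING_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["iot:Connect"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["iot:Publish"],
     "Resource": ["arn:aws:iot:us-east-1:123456972007:topic/$aws/things/${cognito-identity.amazonaws.com:aud}/shadow/update"]},
    {"Effect": "Allow", "Action": ["iot:Subscribe", "iot:Receive"],
     "Resource": ["arn:aws:iot:us-east-1:123456972007:topicfilter/$aws/things/${cognito-identity.amazonaws.com:aud}/shadow/*"]}
  ]
}
""")

ACCOUNT_ARN_PREFIX = "arn:aws:iot:us-east-1:123456972007:"   # account used on the slides


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_regex(pattern):
    """IAM-style matching: '*' is any run of characters, '?' is exactly one."""
    parts = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern]
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)


def _substitute(resource, context):
    """Replace ${var} policy variables from the caller's identity context.
    A variable with no value in the context makes the resource unmatchable."""
    def repl(m):
        if m.group(1) not in context:
            raise KeyError(m.group(1))
        return context[m.group(1)]
    return re.sub(r"\$\{([^}]+)\}", repl, resource)


def is_allowed(policy, action, resource, context):
    """Default deny; an explicit Deny beats any Allow, as in IAM evaluation."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_wildcard_regex(a.lower()).match(action.lower()) for a in _as_list(stmt["Action"])):
            continue
        matched = False
        for res in _as_list(stmt["Resource"]):
            try:
                res = _substitute(res, context)
            except KeyError:
                continue
            if _wildcard_regex(res).match(resource):
                matched = True
                break
        if not matched:
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def topic_arn(topic):
    return ACCOUNT_ARN_PREFIX + "topic/" + topic


def topicfilter_arn(topic_filter):
    return ACCOUNT_ARN_PREFIX + "topicfilter/" + topic_filter


def wildcard_data_grants(policy):
    """Least-privilege lint: Allow statements granting actions on Resource '*'.
    iot:Connect on '*' is what the slides show; any other action is flagged."""
    flagged = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or "*" not in _as_list(stmt["Resource"]):
            continue
        flagged += [a for a in _as_list(stmt["Action"]) if a.lower() != "iot:connect"]
    return flagged


def demo():
    # Constructed identities: the value ${cognito-identity.amazonaws.com:aud}
    # resolves to for this caller, and a different one standing in for another user.
    me, someone_else = "us-east-1:aaaa-1111", "us-east-1:bbbb-2222"
    ctx = {"cognito-identity.amazonaws.com:aud": me}
    p = USING_A_THING_POLICY
    return {
        "connect": is_allowed(p, "iot:Connect", ACCOUNT_ARN_PREFIX + "client/phone-1", ctx),
        "publish_own_shadow": is_allowed(p, "iot:Publish", topic_arn("$aws/things/%s/shadow/update" % me), ctx),
        "publish_other_shadow": is_allowed(p, "iot:Publish", topic_arn("$aws/things/%s/shadow/update" % someone_else), ctx),
        "subscribe_own_shadow": is_allowed(p, "iot:Subscribe", topicfilter_arn("$aws/things/%s/shadow/#" % me), ctx),
        "subscribe_everything": is_allowed(p, "iot:Subscribe", topicfilter_arn("#"), ctx),
        "publish_without_identity": is_allowed(p, "iot:Publish", topic_arn("$aws/things/%s/shadow/update" % me), {}),
        "wildcard_grants": wildcard_data_grants(p),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print("%-26s %s" % (name, decision))
```

The interesting rows are the denials: a caller cannot publish to another identity's shadow, cannot subscribe to `#`, and a request with no resolved identity matches nothing at all, which is the behaviour the %COGNITO_ID% placeholder on the "Claiming a Thing" slide stands for.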
Page 85
Consumer Example
Diagram: Manufacturer, Vendor and End User; artifacts: Key Pair, Certificate, App.

Page 86
Requirements
Secure Communications with Things
Strong Thing Identity
Fine-grained Authorization for:
  Thing Management
  Pub/Sub Data Access
  AWS Service Access

Page 87
Two Secure Protocols

Page 88
Bootstrapping Identity
CreateKeysAndCertificate()
CSR
CreateCertificateFromCSR(CSR)

Page 89
Flexible, Consistent Access Control
Diagram: AWS IoT system with DynamoDB, Lambda and Kinesis.

Page 90
Thank you!