
(MBL311) NEW! AWS IoT: Securely Building, Provisioning, & Using Things


AWS IoT is a new managed service that enables Internet-connected things (sensors, actuators, devices, and applications) to easily and securely interact with each other and the cloud. This talk will introduce the security and access control mechanisms used by AWS IoT. These mechanisms can be used to not only securely build and provision devices, but also to integrate devices with other AWS services. This allows you to build interesting, meaningful applications while owning little to no infrastructure.


  1. © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Eric Brandwine, October 8, 2015. MBL311: Securely Thinging Across the Internet With AWS
  2. All things around us are getting connected
  3. All things around us are getting connected
  4. Things will proliferate (chart: number of things by segment, Vertical Industry / Generic Industry / Consumer / Automotive, for 2013, 2015 and 2020, on a Some / Many / Lots scale)
  5. Connected ≠ Smart. Internet, 1985: Gopher, FTP, NNTP, Telnet, Archie. IoT, 2015: HTTP, MQTT, CoAP, XMPP, AMQP
  6. In reality, it is even more complex
       Layer        Standards
       Application  HTTP, MQTT, AMQP, CoAP, XMPP
       Network      IPv4, IPv6, 6LoWPAN, ZigBee, Z-Wave, Insteon
       Physical     Ethernet, CAN, USB, 802.11, Bluetooth, 802.15.4, SPI
  7. A Simple Goal
  8. But my data isn't sensitive!
  9. Why do IoT at all? Changes happen in the real world!
  10. The Risk: Changes happen in the real world! Bad
  11. The Risk: Changes happen in the real world! Bad
  12. Requirements: Secure Communications with Things; Strong Thing Identity; Fine-grained Authorization for Thing Management, Pub/Sub Data Access, and AWS Service Access
  13. The System (diagram: Amazon DynamoDB, AWS Lambda, Amazon Kinesis)
  14. The System (diagram: DynamoDB, Lambda, Amazon Kinesis)
  15. Requirements: Secure Communications with Things; Strong Thing Identity; Fine-grained Authorization for Thing Management, Pub/Sub Data Access, and AWS Service Access
  16. Talking to Things (diagram: DynamoDB, Lambda, Amazon Kinesis)
  17. Network Traffic Is Complex
       04:07:18.045065 IP 85.119.83.194.1883 > 10.0.0.67.51210: Flags [P.], seq 1586864891:1586864913, ack 820274045, win 227, options [nop,nop,TS val 2390025928 ecr 577393885], length 22
       0x0000:  4500 004a 3694 4000 2d06 639e 5577 53c2
       0x0010:  0a00 0043 075b c80a 5e95 a2fb 30e4 637d
       0x0020:  8018 00e3 66cd 0000 0101 080a 8e74 e6c8
       0x0030:  226a 54dd 3214 0007 666f 6f2f 6261 7200
       0x0040:  0454 656d 703a 2038 3346
  18. Network Tools Are Up To It
       MQ Telemetry Transport Protocol, Publish Message
         0011 0010 = Header Flags: 0x32 (Publish Message)
         0011 .... = Message Type: Publish Message (3)
         .... 0... = DUP Flag: Not set
         .... .01. = QOS Level: Acknowledged deliver (1)
         .... ...0 = Retain: Not set
         Msg Len: 20
         Topic: foo/bar
         Message Identifier: 1
         Message: Temp: 83F
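An added example, not from the talk, that decodes the PUBLISH packet on slide 17 the way Wireshark does on slide 18. The input is the 22-byte TCP payload copied from the hex dump (the 20-byte IP header and the 32-byte TCP header with its timestamp option are skipped), constructed here as a byte string. The decoder checks the remaining-length field against the bytes actually present, so a truncated or padded packet is rejected, and it refuses wildcard characters in the topic name, which MQTT forbids in a PUBLISH. In this particular dump the packet identifier decodes to 4, so it is a different PUBLISH from the one Wireshark shows on the next slide. The point that matters for the rest of the talk: without TLS every one of these fields, topic included, is readable and forgeable by anyone on the path.

```python
"""Decode an MQTT 3.1.1 PUBLISH control packet (added example, not from the talk)."""
from dataclasses import dataclass
from typing import Optional, Tuple

# TCP payload of the packet on slide 17, copied from the hex dump starting at
# offset 0x34 (after the 20-byte IP header and the 32-byte TCP header).
CAPTURED_PUBLISH = bytes.fromhex(
    "32" "14"                 # fixed header: type 3 (PUBLISH), QoS 1; remaining length 20
    "0007" "666f6f2f626172"   # topic length 7, "foo/bar"
    "0004"                    # packet identifier, present because QoS > 0
    "54656d703a20383346"      # payload "Temp: 83F"
)


@dataclass
class Publish:
    dup: bool
    qos: int
    retain: bool
    topic: str
    packet_id: Optional[int]
    payload: bytes


def _remaining_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Variable-length integer: 7 bits per byte, high bit = continuation, at most 4 bytes."""
    value, multiplier = 0, 1
    for _ in range(4):
        if pos >= len(buf):
            raise ValueError("truncated remaining length")
        b = buf[pos]
        pos += 1
        value += (b & 0x7F) * multiplier
        if not b & 0x80:
            return value, pos
        multiplier *= 128
    raise ValueError("remaining length longer than 4 bytes")


def parse_publish(buf: bytes) -> Publish:
    """Parse one PUBLISH packet; every length field is checked against the bytes present."""
    if len(buf) < 2:
        raise ValueError("truncated fixed header")
    flags = buf[0]
    if flags >> 4 != 3:
        raise ValueError(f"not a PUBLISH packet (type {flags >> 4})")
    dup, qos, retain = bool(flags & 0x08), (flags >> 1) & 0x03, bool(flags & 0x01)
    if qos == 3:
        raise ValueError("QoS 3 is reserved")
    remaining, pos = _remaining_length(buf, 1)
    if len(buf) - pos != remaining:
        raise ValueError(f"remaining length says {remaining}, {len(buf) - pos} bytes present")
    body = buf[pos:]
    if len(body) < 2:
        raise ValueError("missing topic length")
    topic_len = int.from_bytes(body[:2], "big")
    if 2 + topic_len > len(body):
        raise ValueError("topic runs past the end of the packet")
    topic = body[2:2 + topic_len].decode("utf-8")
    if "#" in topic or "+" in topic:
        raise ValueError("wildcards are not allowed in a PUBLISH topic name")
    off = 2 + topic_len
    packet_id = None
    if qos > 0:
        if off + 2 > len(body):
            raise ValueError("missing packet identifier")
        packet_id = int.from_bytes(body[off:off + 2], "big")
        off += 2
    return Publish(dup, qos, retain, topic, packet_id, body[off:])


def rejects(buf: bytes) -> bool:
    """True if parse_publish refuses the bytes (shows the length and topic checks firing)."""
    try:
        parse_publish(buf)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(parse_publish(CAPTURED_PUBLISH))
```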
  19. Mutual Auth TLS
  20. Talking to Non-Things (diagram: DynamoDB, Lambda, Amazon Kinesis)
  21. AWS Auth + TLS
  22. One Service, Two Protocols
                        MQTT + Mutual Auth TLS   AWS Auth + HTTPS
       Server Auth      TLS + Cert               TLS + Cert
       Client Auth      TLS + Cert               AWS API Keys
       Confidentiality  TLS                      TLS
       Protocol         MQTT                     HTTP
  23. Requirements: Secure Communications with Things; Strong Thing Identity; Fine-grained Authorization for Thing Management, Pub/Sub Data Access, and AWS Service Access
  24. Back To Certs and Keys
  25. AWS-Generated Keypair
  26. Actual Commands
       $ aws iot create-keys-and-certificate --set-as-active
       {
           "certificateArn": "arn:aws:iot:us-east-1:123456972007:cert/d7677b0…SNIP…026d9",
           "certificatePem": "-----BEGIN CERTIFICATE-----…SNIP…-----END CERTIFICATE-----",
           "keyPair": {
               "PublicKey": "-----BEGIN PUBLIC KEY-----…SNIP…-----END PUBLIC KEY-----",
               "PrivateKey": "-----BEGIN RSA PRIVATE KEY-----…SNIP…-----END RSA PRIVATE KEY-----"
           },
           "certificateId": "d7677b0…SNIP…026d9"
       }
  27. AWS-Generated Keypair
  28. Client Generated Keypair, CSR
  29. Certificate Signing Request
       Dear Certificate Authority,
       I'd really like a certificate for %NAME%, as identified by the key pair with public key %PUB_KEY%. If you could sign a certificate for me with those parameters, it'd be super spiffy.
       Signed (Cryptographically),
       - The holder of the private key
  30. Client Generated Keypair, CSR
  31. Actual Commands
       $ openssl genrsa -out ThingKeypair.pem 2048
       Generating RSA private key, 2048 bit long modulus
       ....+++
       ...+++
       e is 65537 (0x10001)
       $ openssl req -new -key ThingKeypair.pem -out Thing.csr
       -----
       Country Name (2 letter code) [XX]:US
       State or Province Name (full name) []:NY
       Locality Name (eg, city) [Default City]:New York
       Organization Name (eg, company) [Default Company Ltd]:ACME
       Organizational Unit Name (eg, section) []:Makers
       Common Name (eg, your name or your server's hostname) []:John Smith
       Email Address []:jsmith@acme.com
  32. Actual Commands
       $ aws iot create-certificate-from-csr --certificate-signing-request file://Thing.csr --set-as-active
       {
           "certificateArn": "arn:aws:iot:us-east-1:123456972007:cert/b5a396e…SNIP…400877b",
           "certificatePem": "-----BEGIN CERTIFICATE-----…SNIP…-----END CERTIFICATE-----",
           "certificateId": "b5a396e…SNIP…400877b"
       }
  33. Private Key Protection – Test & Dev
       $ openssl genrsa -out ThingKeypair.pem 2048
       Generating RSA private key, 2048 bit long modulus
       ......................+++
       .................................+++
       e is 65537 (0x10001)
       $ ls -l ThingKeypair.pem
       -rw-rw-r-- 1 ec2-user ec2-user 1679 Sep 25 14:10 ThingKeypair.pem
       $ chmod 400 ThingKeypair.pem ; ls -l ThingKeypair.pem
       -r-------- 1 ec2-user ec2-user 1679 Sep 25 14:10 ThingKeypair.pem
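The client-generated key pair and CSR flow of slides 28 to 33, as an added example written in Python with the `cryptography` package instead of the openssl commands on the slides (this is not code from the talk, and the package is an assumption). It generates the same 2048-bit RSA key and the same subject as slide 31, signs the CSR with the private key, and creates the key file with mode 0600 from the instant it exists rather than tightening it afterwards with chmod as on slide 33, so there is no window in which the key sits group- or world-readable. `check_csr` does what the CA side can do with a CSR: verify the self-signature and confirm that the public key inside is the one whose private half the device holds. Only Thing.csr is sent to `aws iot create-certificate-from-csr` (slide 32); the private key never leaves the device. File names follow the slides; the temporary directory is an assumption. On a production device the key would instead be generated in, and never leave, the hardware of slide 35; this shows the software flow.

```python
"""Device-side key pair and CSR generation (added example, not from the talk).

Assumes the `cryptography` package.  File names follow slide 31; the directory
defaults to a fresh temporary one, an assumption for this example.
"""
import os
import stat
import tempfile
from typing import Optional, Tuple

from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def write_private_key(key: rsa.RSAPrivateKey, path: str) -> None:
    """Create the key file owner-only (0600) at creation time: unlike genrsa followed
    by chmod, there is no moment at which it exists with the default umask permissions."""
    pem = key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.TraditionalOpenSSL,  # "BEGIN RSA PRIVATE KEY", as on the slides
        serialization.NoEncryption(),
    )
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(pem)


def provision_thing(common_name: str, directory: Optional[str] = None) -> Tuple[str, str]:
    """Generate ThingKeypair.pem and Thing.csr and return their paths.
    The CSR is what goes to create-certificate-from-csr; the key stays on the device."""
    directory = directory or tempfile.mkdtemp(prefix="thing-")
    key_path = os.path.join(directory, "ThingKeypair.pem")
    csr_path = os.path.join(directory, "Thing.csr")
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048, backend=default_backend())
    write_private_key(key, key_path)
    subject = x509.Name([  # the answers typed into `openssl req` on slide 31
        x509.NameAttribute(NameOID.COUNTRY_NAME, "US"),
        x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "NY"),
        x509.NameAttribute(NameOID.LOCALITY_NAME, "New York"),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "ACME"),
        x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, "Makers"),
        x509.NameAttribute(NameOID.COMMON_NAME, common_name),
        x509.NameAttribute(NameOID.EMAIL_ADDRESS, "jsmith@acme.com"),
    ])
    # The CSR is signed by the private key: the "Signed (Cryptographically)" of slide 29.
    csr = x509.CertificateSigningRequestBuilder().subject_name(subject).sign(
        key, hashes.SHA256(), default_backend())
    with open(csr_path, "wb") as f:
        f.write(csr.public_bytes(serialization.Encoding.PEM))
    return key_path, csr_path


def check_csr(csr_path: str, key_path: str) -> bool:
    """CA-side check: the request is self-signed by the key whose public half it carries;
    here we additionally confirm that public half belongs to our stored private key."""
    with open(csr_path, "rb") as f:
        csr = x509.load_pem_x509_csr(f.read(), default_backend())
    with open(key_path, "rb") as f:
        key = serialization.load_pem_private_key(f.read(), password=None, backend=default_backend())
    spki = (serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo)
    same_key = csr.public_key().public_bytes(*spki) == key.public_key().public_bytes(*spki)
    return csr.is_signature_valid and same_key


def csr_common_name(csr_path: str) -> str:
    with open(csr_path, "rb") as f:
        csr = x509.load_pem_x509_csr(f.read(), default_backend())
    return csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


def key_file_mode(path: str) -> int:
    """Permission bits of the key file, for checking that it was never wider than 0600."""
    return stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    kp, cp = provision_thing("John Smith")
    print(kp, oct(key_file_mode(kp)), cp, check_csr(cp, kp))
```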
  34. Private Key Protection – Software Threats: chroot, SELinux, OTP Fuses
  35. Private Key Protection – Hardware Threats: TPMs, Smartcards, Locks and Boxes, FIPS-style hardware
  36. Identity Revocation
       $ aws iot list-certificates
       {
           "certificateDescriptions": [
               {
                   "certificateArn": "arn:aws:iot:us-east-1:123456972007:cert/d7677b0…SNIP…026d9",
                   "status": "ACTIVE",
                   "certificateId": "d7677b0…SNIP…026d9",
                   "lastModifiedDate": 1443070900.491,
                   "certificatePem": "-----BEGIN CERTIFICATE-----…SNIP…-----END CERTIFICATE-----",
                   "ownedBy": "123456972007",
                   "creationDate": 1443070900.491
               }
           ]
       }
  37. Identity Revocation
       $ aws iot update-certificate --certificate-id "d7677b0…SNIP…026d9" --new-status REVOKED
       $ aws iot list-certificates
       {
           "certificateDescriptions": [
               {
                   "certificateArn": "arn:aws:iot:us-east-1:123456972007:cert/d7677b0…SNIP…026d9",
                   "status": "REVOKED",
                   "certificateId": "d7677b0…SNIP…026d9",
                   "lastModifiedDate": 1443192020.792,
                   "certificatePem": "-----BEGIN CERTIFICATE-----…SNIP…-----END CERTIFICATE-----",
                   "ownedBy": "123456972007",
                   "creationDate": 1443070900.491
               }
           ]
       }
  38. Requirements: Secure Communications with Things; Strong Thing Identity; Fine-grained Authorization for Thing Management, Pub/Sub Data Access, and AWS Service Access
  39. Managing Things (diagram: DynamoDB, Lambda, Amazon Kinesis)
       First policy (manage existing certificates):
       {
         "Version": "2012-10-17",
         "Statement": [
           {
             "Sid": "ManageCerts",
             "Action": [
               "iot:DescribeCertificate",
               "iot:UpdateCertificate",
               "iot:DeleteCertificate",
               "iot:ListCertificates"
             ],
             "Effect": "Allow",
             "Resource": "*"
           }
         ]
       }
       Second policy (also create certificates):
       {
         "Version": "2012-10-17",
         "Statement": [
           {
             "Sid": "ManageCerts",
             "Action": [
               "iot:CreateKeysAndCertificate",
               "iot:CreateCertificateFromCsr",
               "iot:DescribeCertificate",
               "iot:UpdateCertificate",
               "iot:DeleteCertificate",
               "iot:ListCertificates"
             ],
             "Effect": "Allow",
             "Resource": "*"
           }
         ]
       }
  40. Managing Things (diagram: DynamoDB, Lambda, Amazon Kinesis)
       {
         "Version": "2012-10-17",
         "Statement": [
           {
             "Sid": "RevokeOneThing",
             "Action": [ "iot:UpdateCertificate" ],
             "Effect": "Allow",
             "Resource": "arn:aws:iot:us-east-1:123456972007:cert/d7677b0…SNIP…026d9",
             "Condition": {
               "IpAddress": { "aws:SourceIp": "192.168.42.54" }
             }
           }
         ]
       }
  41. Identity Federation (diagram: DynamoDB, Lambda, Amazon Kinesis)
  42. Requirements: Secure Communications with Things; Strong Thing Identity; Fine-grained Authorization for Thing Management, Pub/Sub Data Access, and AWS Service Access
  43. Data Access Control – AWS APIs (diagram: DynamoDB, Lambda, Amazon Kinesis)
       {
         "Version":"2012-10-17",
         "Statement":[
           {
             "Effect":"Allow",
             "Action":[ "iot:Connect" ],
             "Resource":"*"
           },
           {
             "Effect":"Allow",
             "Action":[ "iot:GetThingShadow" ],
             "Resource":[ "arn:aws:iot:us-east-1:123456972007:thing/MyThing" ]
           },
           {
             "Effect":"Allow",
             "Action":[ "iot:Publish" ],
             "Resource":[ "arn:aws:iot:us-east-1:123456972007:topic/$aws/things/MyThing/shadow/update" ]
           }
         ]
       }
  44. Mobile Users as Things (diagram: DynamoDB, Lambda, Amazon Kinesis)
       {
         "Version":"2012-10-17",
         "Statement":[
           {
             "Effect":"Allow",
             "Action":[ "iot:Connect" ],
             "Resource":"*"
           },
           {
             "Effect":"Allow",
             "Action":[ "iot:GetThingShadow" ],
             "Resource":[ "arn:aws:iot:us-east-1:123456972007:thing/${cognito-identity.amazonaws.com:sub}" ]
           },
           {
             "Effect":"Allow",
             "Action":[ "iot:Publish" ],
             "Resource":[ "arn:aws:iot:us-east-1:123456972007:topic/$aws/things/${cognito-identity.amazonaws.com:sub}/shadow/update" ]
           }
         ]
       }
  45. Data Access Control – MQTT (diagram: DynamoDB, Lambda, Amazon Kinesis)
       Policy for MyThing's shadow topics:
       {
         "Version":"2012-10-17",
         "Statement":[
           {
             "Effect":"Allow",
             "Action":[ "iot:Connect" ],
             "Resource":"*"
           },
           {
             "Effect":"Allow",
             "Action":[ "iot:Publish" ],
             "Resource":[ "arn:aws:iot:us-east-1:123456972007:topic/$aws/things/MyThing/shadow/update" ]
           },
           {
             "Effect":"Allow",
             "Action":[ "iot:Subscribe", "iot:Receive" ],
             "Resource":[ "arn:aws:iot:us-east-1:123456972007:topicfilter/$aws/things/MyThing/shadow/*" ]
           }
         ]
       }
       Policy for publishing to two plain topics:
       {
         "Version": "2012-10-17",
         "Statement": [
           {
             "Effect":"Allow",
             "Action":[ "iot:Connect" ],
             "Resource":"*"
           },
           {
             "Effect": "Allow",
             "Action": [ "iot:Connect", "iot:Publish" ],
             "Resource": [
               "arn:aws:iot:us-east-1:123456972007:topic/foo/bar",
               "arn:aws:iot:us-east-1:123456972007:topic/foo/baz"
             ]
           }
         ]
       }
  46. Actual Commands
       $ cat MyThingPolicy.json
       {
         "Version":"2012-10-17",
         "Statement":[
           {
             "Effect":"Allow",
             "Action":[ "iot:Connect" ],
             "Resource":"*"
           },
           {
             "Effect":"Allow",
             "Action":[ "iot:Publish" ],
             "Resource":[ "arn:aws:iot:us-east-1:123456972007:topic/$aws/things/MyThing/shadow/update" ]
           },
           {
             "Effect":"Allow",
             "Action":[ "iot:Subscribe", "iot:Receive" ],
             "Resource":[ "arn:aws:iot:us-east-1:123456972007:topicfilter/$aws/things/MyThing/shadow/*" ]
           }
         ]
       }
  47. Actual Commands
       $ aws iot create-policy --policy-name MyThingPolicy --policy-document file://MyThingPolicy.json
       {
           "policyName": "MyThingPolicy",
           "policyArn": "arn:aws:iot:us-east-1:123456972007:policy/MyThingPolicy",
           "policyDocument": "...SNIP...",
           "policyVersionId": "1"
       }
       $ aws iot attach-principal-policy --principal "arn:aws:iot:us-east-1:123456972007:cert/b5a396e…SNIP…400877b" --policy-name "MyThingPolicy"
  48. Protocol Convergence
                        MQTT + Mutual Auth TLS   AWS Auth + HTTPS
       Server Auth      TLS + Cert               TLS + Cert
       Client Auth      TLS + Cert               AWS API Keys
       Confidentiality  TLS                      TLS
       Protocol         MQTT                     HTTP
       Identification   AWS ARNs                 AWS ARNs
       Authorization    AWS Policy               AWS Policy
  49. Requirements: Secure Communications with Things; Strong Thing Identity; Fine-grained Authorization for Thing Management, Pub/Sub Data Access, and AWS Service Access
  50. Rules and Services (diagram: DynamoDB, Lambda, Amazon Kinesis)
  51. Actual Commands
       $ cat ThingRoleTrustPolicy.json
       {
         "Version":"2012-10-17",
         "Statement":[
           {
             "Sid":"",
             "Effect":"Allow",
             "Principal":{ "Service":"iot.amazonaws.com" },
             "Action":"sts:AssumeRole"
           }
         ]
       }
  52. Actual Commands
       $ aws iam create-role --role-name thing-actions-role --assume-role-policy-document file://ThingRoleTrustPolicy.json
       {
           "Role": {
               "AssumeRolePolicyDocument": …SNIP…
               "RoleId": "AROAIQ4HBGG7V7F27E32K",
               "CreateDate": "2015-09-27T16:29:56.438Z",
               "RoleName": "thing-actions-role",
               "Path": "/",
               "Arn": "arn:aws:iam::123456972007:role/thing-actions-role"
           }
       }
  53. Actual Commands
       $ cat ThingRolePolicy.json
       {
         "Version": "2012-10-17",
         "Statement": [
           {
             "Sid": "DDBAccess",
             "Action": [
               "dynamodb:PutItem",
               "dynamodb:UpdateItem"
             ],
             "Effect": "Allow",
             "Resource": "arn:aws:dynamodb:us-east-1:123456972007:table/MyThingTable"
           }
         ]
       }
  54. Actual Commands
       $ aws iam create-policy --policy-name thing-role-policy --policy-document file://ThingRolePolicy.json
       {
           "Policy": {
               "PolicyName": "thing-role-policy",
               "CreateDate": "2015-09-27T16:32:17.998Z",
               "AttachmentCount": 0,
               "IsAttachable": true,
               "PolicyId": "ANPAINCEAOD5EEXOLZWAI",
               "DefaultVersionId": "v1",
               "Path": "/",
               "Arn": "arn:aws:iam::123456972007:policy/thing-role-policy",
               "UpdateDate": "2015-09-27T16:32:17.998Z"
           }
       }
       $ aws iam attach-role-policy --role-name "thing-actions-role" --policy-arn "arn:aws:iam::123456972007:policy/thing-role-policy"
  55. Building AWS Things
  56. Industrial Example (diagram: Manufacturer, Vendor, End User; Key Pair, Certificate, App)
  57. Industrial Example (diagram: Manufacturer, Vendor, End User; Key Pair, Certificate, App)
  58. Industrial Example (diagram: Manufacturer, Vendor, End User; Key Pair, Certificate, App)
  59. Consumer Example
  60. Consumer Example (diagram: Manufacturer, Vendor; Key Pair, Certificate, App)
  61. Consumer Example (diagram: Manufacturer, Vendor; Key Pair, Certificate, App)
  62. Consumer Example (diagram: Manufacturer, Vendor, End User; Key Pair, Certificate, App)
  63. Claiming a Thing (service.awsthermostat.com)
       {
         "Version":"2012-10-17",
         "Statement":[
           {
             "Effect":"Allow",
             "Action":[ "iot:Connect" ],
             "Resource":"*"
           },
           {
             "Effect":"Allow",
             "Action":[ "iot:Publish" ],
             "Resource":[ "arn:aws:iot:us-east-1:123456972007:topic/$aws/things/%COGNITO_ID%/shadow/update" ]
           },
           {
             "Effect":"Allow",
             "Action":[ "iot:Subscribe", "iot:Receive" ],
             "Resource":[ "arn:aws:iot:us-east-1:123456972007:topicfilter/$aws/things/%COGNITO_ID%/shadow/*" ]
           }
         ]
       }
  64. Using a Thing
       {
         "Version": "2012-10-17",
         "Statement": [
           {
             "Effect":"Allow",
             "Action":[ "iot:Connect" ],
             "Resource":"*"
           },
           {
             "Effect": "Allow",
             "Action": [ "iot:Publish" ],
             "Resource": [ "arn:aws:iot:us-east-1:123456972007:topic/$aws/things/${cognito-identity.amazonaws.com:sub}/shadow/update" ]
           },
           {
             "Effect": "Allow",
             "Action": [ "iot:Subscribe", "iot:Receive" ],
             "Resource": [ "arn:aws:iot:us-east-1:123456972007:topicfilter/$aws/things/${cognito-identity.amazonaws.com:sub}/shadow/*" ]
           }
         ]
       }
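A model of how the MQTT policies on slides 45 to 47 and on slides 63 to 64 are evaluated, as an added example; it is not AWS's evaluator and not code from the talk. Two assumptions are labelled in the code. First, matching follows the IAM conventions: `*` and `?` wildcards in resource ARNs, `${var}` substituted from the caller's context, explicit Deny beats Allow, and default Deny. Second, as in current AWS IoT policy semantics, `iot:Subscribe` is checked against the `topicfilter/` ARN of the literal filter string the client sends, while `iot:Publish` and `iot:Receive` are checked against the `topic/` ARN of the concrete topic of each message; the example therefore splits the slides' combined Subscribe/Receive statement into a `topicfilter/` statement and a `topic/` statement. Two consequences worth seeing run: a client holding the MyThing policy cannot widen its view by subscribing to `$aws/things/+/shadow/update/accepted`, because the `+` is compared literally against `MyThing`; and an app user whose policy names the thing by `${cognito-identity.amazonaws.com:sub}` (the per-user Cognito identity ID; the related `:aud` variable carries the identity pool ID, which every user of the pool shares and which therefore cannot scope a per-user thing) cannot publish to another user's shadow. The sample identity IDs are constructed.

```python
"""Model of AWS IoT policy evaluation for MQTT operations (added example, not AWS code).

Assumptions: IAM-style matching (* and ? in resource ARNs, ${var} substitution
from the caller's context, explicit Deny wins, default Deny); iot:Subscribe is
checked against topicfilter/<literal filter string>, iot:Publish and iot:Receive
against topic/<concrete topic>, iot:Connect against client/<client id>.
"""
import re
from typing import Dict, List, Optional, Union

ACCOUNT_PREFIX = "arn:aws:iot:us-east-1:123456972007"  # account used on the slides
COGNITO_SUB = "${cognito-identity.amazonaws.com:sub}"   # per-user Cognito identity ID

# ARN resource type each action is evaluated against (assumption stated above).
RESOURCE_KIND = {
    "iot:Connect": "client",
    "iot:Publish": "topic",
    "iot:Receive": "topic",          # each delivered message, not the subscription filter
    "iot:Subscribe": "topicfilter",  # the filter string exactly as the client sent it
}

# Slide 46's MyThing policy, with Receive split out onto a topic/ resource.
MY_THING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iot:Connect"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["iot:Publish"],
         "Resource": [ACCOUNT_PREFIX + ":topic/$aws/things/MyThing/shadow/update"]},
        {"Effect": "Allow", "Action": ["iot:Subscribe"],
         "Resource": [ACCOUNT_PREFIX + ":topicfilter/$aws/things/MyThing/shadow/*"]},
        {"Effect": "Allow", "Action": ["iot:Receive"],
         "Resource": [ACCOUNT_PREFIX + ":topic/$aws/things/MyThing/shadow/*"]},
    ],
}

# Slide 64's policy for app users: the thing name is the caller's Cognito identity ID.
COGNITO_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iot:Connect"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["iot:Publish"],
         "Resource": [ACCOUNT_PREFIX + ":topic/$aws/things/" + COGNITO_SUB + "/shadow/update"]},
        {"Effect": "Allow", "Action": ["iot:Subscribe"],
         "Resource": [ACCOUNT_PREFIX + ":topicfilter/$aws/things/" + COGNITO_SUB + "/shadow/*"]},
        {"Effect": "Allow", "Action": ["iot:Receive"],
         "Resource": [ACCOUNT_PREFIX + ":topic/$aws/things/" + COGNITO_SUB + "/shadow/*"]},
    ],
}

# Constructed sample identities (not real Cognito IDs).
ALICE_ID = "us-east-1:aaaaaaaa-0000-4000-8000-000000000001"
BOB_ID = "us-east-1:bbbbbbbb-0000-4000-8000-000000000002"
ALICE_CONTEXT = {"cognito-identity.amazonaws.com:sub": ALICE_ID}


def _as_list(value: Union[str, List[str]]) -> List[str]:
    return value if isinstance(value, list) else [value]


def substitute(template: str, context: Dict[str, str]) -> Optional[str]:
    """Expand ${var} from the caller's context; None if any variable is unset,
    so a resource that depends on an absent identity can never match."""
    missing = False

    def repl(m: "re.Match") -> str:
        nonlocal missing
        if m.group(1) not in context:
            missing = True
            return ""
        return context[m.group(1)]

    out = re.sub(r"\$\{([^}]+)\}", repl, template)
    return None if missing else out


def pattern_matches(pattern: str, value: str) -> bool:
    """IAM-style glob: * matches any run of characters, ? one character.
    MQTT's own wildcards (+ and #) in the value are ordinary characters here."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.DOTALL) is not None


def is_allowed(policy: dict, action: str, name: str,
               context: Optional[Dict[str, str]] = None) -> bool:
    """Decide one operation; `name` is the client id, concrete topic, or filter string."""
    context = context or {}
    target = f"{ACCOUNT_PREFIX}:{RESOURCE_KIND[action]}/{name}"
    allowed = False
    for stmt in policy["Statement"]:
        if not any(pattern_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        expanded = (substitute(r, context) for r in _as_list(stmt["Resource"]))
        if not any(r is not None and pattern_matches(r, target) for r in expanded):
            continue
        if stmt["Effect"] == "Deny":
            return False  # explicit deny wins regardless of other statements
        allowed = True
    return allowed


if __name__ == "__main__":
    print(is_allowed(MY_THING_POLICY, "iot:Subscribe", "$aws/things/+/shadow/update/accepted"))
    print(is_allowed(COGNITO_USER_POLICY, "iot:Publish",
                     f"$aws/things/{BOB_ID}/shadow/update", ALICE_CONTEXT))
```

Run stand-alone, both lines print False: the first because the literal `+` does not match `MyThing` in the `topicfilter/` resource, the second because Alice's context expands the resource to her own identity, not Bob's.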
  65. Consumer Example (diagram: Manufacturer, Vendor, End User; Key Pair, Certificate, App)
  66. Requirements: Secure Communications with Things; Strong Thing Identity; Fine-grained Authorization for Thing Management, Pub/Sub Data Access, and AWS Service Access
  67. Two Secure Protocols
  68. Bootstrapping Identity: CSR
  69. Flexible, Consistent Access Control (diagram: DynamoDB, Lambda, Amazon Kinesis)
  70. You don't want to miss these deep dive sessions
       MBL312 Rules and Shadow - Palazzo A, 2:45 PM
       MBL313 Devices SDK and Kits - Palazzo A, 4:15 PM
       MBL303 Mobile Devices and IoT - Delfino 4005, 4:15 PM
       MBL203 Devices in Motion - Delfino 4005, Friday 10:15 AM
       MBL305 IoT Data and Analytics - Delfino 4005, Friday 11:30
  71. Thank you!
  72. Remember to complete your evaluations!
