Securing and Managing IoT Devices at Scale (SEC367-R1) - AWS re:Invent 2018
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Securing and Managing IoT
Devices at Scale
Aravind Kodandaramaiah
Solution Developer
Solutions Prototyping
SEC367
Michael Weitzel
Solution Developer
Solutions Prototyping
Agenda
Managing devices at scale
Securing devices at scale
Best practices
AWS IoT Device Management
• Batch fleet provisioning
• Real-time fleet index & search
• Fine-grained device logging & monitoring
• Over-the-air updates
• Maintain fleet health
Grouping and Searching for Devices
• Organize devices into logical hierarchies
• Search both the Registry and Device Shadow
• Group policies
Thing Groups
Search Both Registry and Device Shadow
Job Workflow Using AWS IoT Device Management
The flow between the device and AWS IoT in the AWS cloud:
• The device subscribes to $aws/things/MyThing/jobs/notify (the notify topic) and learns from it when a job execution has been queued for it.
• The device calls the DescribeJobExecution API (over MQTT: publish to $aws/things/MyThing/jobs/<jobId>/get); the job document comes back on the accepted topic, an error on the rejected topic.
• The device executes the job document.
• The device calls the UpdateJobExecution API (publish to $aws/things/MyThing/jobs/<jobId>/update) with the new status; AWS IoT answers on the accepted or rejected topic.
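The exchange above, run end to end against an in-memory stand-in for the Jobs service so it can be executed offline. This is an added example, not code from the deck or the AWS SDK: the broker, the thing name MyThing, the job id, the job document and the validation the device applies to it are all constructed; the topic names are the AWS IoT Jobs MQTT topics.

```python
"""Device-side AWS IoT Jobs flow against an in-memory stand-in for the service.
Added example, not from the re:Invent deck; broker, job document and the
executor's validation rule are constructed. Topics follow the AWS IoT Jobs API."""
import json
from collections import defaultdict


class FakeBroker:
    """Exact-topic pub/sub standing in for the AWS IoT message broker (no MQTT wildcards)."""

    def __init__(self):
        self.handlers = defaultdict(list)
        self.log = []  # (topic, payload) for every publish, for inspection

    def subscribe(self, topic, handler):
        self.handlers[topic].append(handler)

    def publish(self, topic, payload):
        self.log.append((topic, payload))
        for handler in list(self.handlers[topic]):
            handler(topic, payload)


class FakeJobsService:
    """Stand-in for the Jobs service holding one queued execution for one thing."""
    TERMINAL = {"SUCCEEDED", "FAILED", "REJECTED"}

    def __init__(self, broker, thing, job_id, document):
        self.broker, self.thing, self.job_id = broker, thing, job_id
        self.document, self.status = document, "QUEUED"
        base = f"$aws/things/{thing}/jobs/{job_id}"
        broker.subscribe(f"{base}/get", self.on_get)        # DescribeJobExecution
        broker.subscribe(f"{base}/update", self.on_update)  # UpdateJobExecution

    def notify(self):
        """Tell the device on its notify topic that an execution is queued."""
        self.broker.publish(f"$aws/things/{self.thing}/jobs/notify",
                            json.dumps({"jobs": {"QUEUED": [{"jobId": self.job_id}]}}))

    def on_get(self, topic, payload):
        self.broker.publish(topic + "/accepted", json.dumps({"execution": {
            "jobId": self.job_id, "status": self.status, "jobDocument": self.document}}))

    def on_update(self, topic, payload):
        new_status = json.loads(payload).get("status")
        # Unknown statuses and updates after a terminal state go to the rejected topic.
        if new_status not in ("IN_PROGRESS", *self.TERMINAL) or self.status in self.TERMINAL:
            self.broker.publish(topic + "/rejected", json.dumps({"code": "InvalidStateTransition"}))
            return
        self.status = new_status
        self.broker.publish(topic + "/accepted", json.dumps({"executionState": {"status": new_status}}))


class Device:
    """The slide's device loop: notify -> describe -> execute -> update."""

    def __init__(self, broker, thing, executor):
        self.broker, self.thing, self.executor = broker, thing, executor
        self.results, self.acks = {}, []
        broker.subscribe(f"$aws/things/{thing}/jobs/notify", self.on_notify)

    def on_notify(self, topic, payload):
        for job in json.loads(payload).get("jobs", {}).get("QUEUED", []):
            get = f"$aws/things/{self.thing}/jobs/{job['jobId']}/get"
            self.broker.subscribe(get + "/accepted", self.on_job_document)
            self.broker.publish(get, json.dumps({"clientToken": job["jobId"]}))

    def on_job_document(self, topic, payload):
        execution = json.loads(payload)["execution"]
        update = f"$aws/things/{self.thing}/jobs/{execution['jobId']}/update"
        for outcome in ("accepted", "rejected"):
            self.broker.subscribe(f"{update}/{outcome}", self.on_update_ack)
        self.broker.publish(update, json.dumps({"status": "IN_PROGRESS"}))
        try:
            self.executor(execution["jobDocument"])
            status = "SUCCEEDED"
        except ValueError:
            status = "FAILED"
        self.results[execution["jobId"]] = status
        self.broker.publish(update, json.dumps({"status": status}))

    def on_update_ack(self, topic, payload):
        self.acks.append(topic.rsplit("/", 1)[1])  # "accepted" or "rejected"


def apply_firmware_job(doc):
    """Constructed executor: validate the job document before acting on it;
    here an https URL and a signature field are required, else the job fails."""
    if not doc.get("firmwareUrl", "").startswith("https://") or not doc.get("signature"):
        raise ValueError("job document rejected")
    # a real device would download, verify the signature, flash and reboot here


def run_job_flow(document, thing="MyThing", job_id="fw-42"):
    """Drive one execution; returns (device result, service status, topics used)."""
    broker = FakeBroker()
    device = Device(broker, thing, apply_firmware_job)
    service = FakeJobsService(broker, thing, job_id, document)
    service.notify()
    return device.results[job_id], service.status, [t for t, _ in broker.log]


if __name__ == "__main__":
    print(run_job_flow({"firmwareUrl": "https://updates.example/v2.bin", "signature": "MEUCIQ..."}))
    print(run_job_flow({"firmwareUrl": "http://updates.example/v2.bin"}))
```

The point worth keeping from this flow is that the device treats the job document as untrusted input: a job is only as safe as the cloud-side IAM that can create one, so the device still verifies what it is told to install and reports FAILED rather than applying an unsigned or plaintext-fetched image.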
Monitoring Device Events
• Monitor devices joining groups
• Monitor device updates
• Monitor device security policies
IoT Security Approach
Devices can be compromised; security is not a point-in-time exercise.
• Detecting compromises
• Ensuring notifications and alerts are raised
• Constantly evolving systems to monitor the threat landscape
AWS IoT Device Defender
• Secure configurations
• Detect anomalies
• Receive alerts
• Fix security issues
Audit Checks
Certificates:
• Expiring certificates / CA certificates
• Revoked certificates / CA certificates
Policies:
• Overly permissive IoT policies
• Cognito IDs with overly permissive access
Device connection:
• Client ID collision
• Certificate shared by devices
Account setting:
• Logging not enabled
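What several of these checks look like as logic, run over a constructed snapshot of a registry. This is an added example, not Device Defender's implementation: the things, certificates, policy documents and account setting are made up, the check names are this example's own, and the "overly permissive" test is a heuristic (any Allow of a data-plane action on a wildcard resource, or of iot:* on anything) rather than the service's rule.

```python
"""Configuration audit modelled on the Device Defender audit checks on the slide:
shared certificates, expiring certificates, certificates revoked by the CA but
still active, overly permissive policies, logging disabled. Added example, not
AWS code; the registry snapshot and the policy heuristic are constructed."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2018, 11, 27, tzinfo=timezone.utc)  # constructed audit time

THINGS = {  # constructed: thing name -> certificate attached to it
    "bulb-001": "cert-A",
    "bulb-002": "cert-B",
    "bulb-003": "cert-B",   # shares a certificate with bulb-002
    "bulb-004": "cert-C",
}
CERTS = {  # constructed: id -> AWS IoT status, expiry, CA revocation, attached policies
    "cert-A": {"status": "ACTIVE", "notAfter": NOW + timedelta(days=400), "revokedByCa": False, "policies": ["PerDevice"]},
    "cert-B": {"status": "ACTIVE", "notAfter": NOW + timedelta(days=12),  "revokedByCa": False, "policies": ["AllowAll"]},
    "cert-C": {"status": "ACTIVE", "notAfter": NOW + timedelta(days=200), "revokedByCa": True,  "policies": ["PerDevice"]},
}
POLICIES = {  # constructed policy documents (region/account are placeholders)
    "AllowAll": {"Statement": [{"Effect": "Allow", "Action": "iot:*", "Resource": "*"}]},
    "PerDevice": {"Statement": [
        {"Effect": "Allow", "Action": "iot:Connect",
         "Resource": "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"},
        {"Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"],
         "Resource": "arn:aws:iot:us-east-1:123456789012:topic/private-topic/${iot:Connection.Thing.ThingName}"}]},
}
ACCOUNT = {"loggingEnabled": False}  # constructed account setting

DATA_PLANE = {"iot:*", "*", "iot:Publish", "iot:Subscribe", "iot:Receive", "iot:Connect"}


def as_list(value):
    return value if isinstance(value, list) else [value]


def statement_is_overly_permissive(stmt):
    """Heuristic: iot:* (or *) anywhere, or a data-plane action on a wildcard
    resource, lets a device act outside its own topics and client id."""
    if stmt.get("Effect") != "Allow":
        return False
    actions, resources = as_list(stmt["Action"]), as_list(stmt["Resource"])
    broad_action = any(a in ("iot:*", "*") for a in actions)
    broad_resource = any(r == "*" or r.endswith(":*") for r in resources)
    return broad_action or (broad_resource and any(a in DATA_PLANE for a in actions))


def run_audit(things, certs, policies, account, now, expiry_window_days=30):
    """Return {check name: sorted list of offending resource ids}."""
    by_cert = {}
    for thing, cert in things.items():
        by_cert.setdefault(cert, []).append(thing)
    findings = {
        "CERTIFICATE_SHARED": sorted(c for c, ts in by_cert.items() if len(ts) > 1),
        "CERTIFICATE_EXPIRING": sorted(
            c for c, m in certs.items() if m["notAfter"] - now <= timedelta(days=expiry_window_days)),
        # Revocation at the CA does nothing inside AWS IoT until the certificate
        # is also set INACTIVE/REVOKED there; until then the device still connects.
        "REVOKED_CERT_STILL_ACTIVE": sorted(
            c for c, m in certs.items() if m["revokedByCa"] and m["status"] == "ACTIVE"),
        "IOT_POLICY_OVERLY_PERMISSIVE": sorted(
            name for name, doc in policies.items()
            if any(statement_is_overly_permissive(s) for s in doc["Statement"])),
        "LOGGING_DISABLED": [] if account.get("loggingEnabled") else ["account"],
    }
    return findings


if __name__ == "__main__":
    for check, offenders in run_audit(THINGS, CERTS, POLICIES, ACCOUNT, NOW).items():
        print(f"{check:30} {offenders or 'ok'}")
```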
Detect Abnormal Device Behavior
• Security profiles
• Define behavior – blacklist/whitelist
• Define behavior – thresholds
• Monitor device metrics
Security Profiles -> Group
Define Device Behavior
AWS metrics
• Threshold: message rate (sent and received), message size, authorization failures
• Blacklist/whitelist: source IPs
Device metrics
• Threshold: TCP connections, open ports (TCP/UDP), in/outbound packets, in/outbound bytes, destination IPs (TCP)
• Blacklist/whitelist: open ports (TCP/UDP), destination IPs (TCP)
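How a security profile of thresholds and allow/deny lists is evaluated against one device's metrics, as an added example (not AWS code and not the Device Defender evaluator). The profile and the device report are constructed; the behavior layout, metric names (aws:num-messages-sent, aws:listening-tcp-ports, aws:destination-ip-addresses, ...) and comparison operators (less-than, in-port-set, in-cidr-set, ...) are written in the shape Device Defender security profiles use.

```python
"""Evaluate a Device Defender-style security profile against a device's metric
report, offline. Added example, not AWS code; profile and report are constructed."""
import ipaddress

PROFILE = {  # constructed security profile: thresholds plus allow/deny lists
    "behaviors": [
        {"name": "MessageRate", "metric": "aws:num-messages-sent",
         "criteria": {"comparisonOperator": "less-than", "value": {"count": 100}, "durationSeconds": 300}},
        {"name": "AuthFailures", "metric": "aws:num-authorization-failures",
         "criteria": {"comparisonOperator": "less-than", "value": {"count": 5}, "durationSeconds": 300}},
        {"name": "ListeningPorts", "metric": "aws:listening-tcp-ports",
         "criteria": {"comparisonOperator": "in-port-set", "value": {"ports": [8883]}}},
        {"name": "DestinationIps", "metric": "aws:destination-ip-addresses",
         "criteria": {"comparisonOperator": "in-cidr-set", "value": {"cidrs": ["52.0.0.0/8"]}}},
        {"name": "SourceIp", "metric": "aws:source-ip-address",
         "criteria": {"comparisonOperator": "not-in-cidr-set", "value": {"cidrs": ["198.51.100.0/24"]}}},
    ]
}

REPORT = {  # constructed metrics for one device over the last window
    "aws:num-messages-sent": 250,                  # far above its normal rate
    "aws:num-authorization-failures": 1,
    "aws:listening-tcp-ports": [8883, 22],         # a listener on 22 is not expected
    "aws:destination-ip-addresses": ["52.1.2.3", "203.0.113.9"],
    "aws:source-ip-address": "203.0.113.250",
}

NUMERIC = {
    "less-than": lambda v, t: v < t,
    "less-than-equals": lambda v, t: v <= t,
    "greater-than": lambda v, t: v > t,
    "greater-than-equals": lambda v, t: v >= t,
}


def in_cidrs(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def behavior_holds(behavior, report):
    """True when the reported metric satisfies the behavior; False is a violation."""
    value = report.get(behavior["metric"])
    op = behavior["criteria"]["comparisonOperator"]
    expected = behavior["criteria"]["value"]
    if value is None:
        return True  # metric not reported in this window: nothing to compare
    if op in NUMERIC:
        return NUMERIC[op](value, expected["count"])
    values = value if isinstance(value, list) else [value]
    if op == "in-port-set":            # whitelist: every observed port must be allowed
        return all(p in expected["ports"] for p in values)
    if op == "not-in-port-set":        # blacklist: no observed port may be listed
        return not any(p in expected["ports"] for p in values)
    if op == "in-cidr-set":
        return all(in_cidrs(ip, expected["cidrs"]) for ip in values)
    if op == "not-in-cidr-set":
        return not any(in_cidrs(ip, expected["cidrs"]) for ip in values)
    raise ValueError(f"unknown comparison operator {op}")


def evaluate(profile, report):
    """Names of the behaviors the report violates, in profile order."""
    return [b["name"] for b in profile["behaviors"] if not behavior_holds(b, report)]


if __name__ == "__main__":
    print(evaluate(PROFILE, REPORT))  # ['MessageRate', 'ListeningPorts', 'DestinationIps']
```

Each violation here maps to one of the alert paths on the next slides; the useful design point is that thresholds (message rate, auth failures) catch a stolen credential being used at volume, while the port and CIDR lists catch a device that has been repurposed even when it stays quiet on MQTT.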
Receive Alerts
• AWS IoT Console
• Amazon CloudWatch
• Amazon SNS
Investigate and Mitigate
• Historical information
• Contextual information
• Recommendation
• AWS IoT Device Management – Device Jobs
Security Best Practices
• Prefer just-in-time registration (JITR) over just-in-time provisioning (JITP) over preloading certificates.
• Do not share certificates. Ensure every THING has its own certificate.
• Create fine-grained IoT policies so that each THING can affect only its own data and not the data of other THINGS.
• Enforce a schema on telemetry data in the rules engine or business logic.
• A stolen but valid certificate and private key, or stolen SigV4 credentials, shows up as traffic: set CloudWatch alarms to trigger on high message volumes.
• Blacklist the offending secrets to mitigate layer-7 DDoS attacks against the MQTT and HTTPS endpoints.
Identity and access building blocks:
• X.509 certificates
• IoT policies
• IAM permissions
• IAM roles
• Cognito for user federation
Device Management Best Practices
• Device types & device groups
• Use jobs
• JITR
• Track overall AWS operational metrics
  • AWS CloudTrail
  • Amazon CloudWatch Logs, Metrics & Alarms
AWS IoT Policies
A per-device policy: each client may publish only to its own private topic plus a shared open space, and subscribe only under its own private topic. The region and account in the ARNs are placeholders (the slide abbreviated them as arn:*).
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": [
        "arn:aws:iot:us-east-1:123456789012:topic/private-topic/${iot:ClientId}",
        "arn:aws:iot:us-east-1:123456789012:topic/open-topic-space/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:us-east-1:123456789012:topicfilter/private-topic/${iot:ClientId}/*"
    }
  ]
}
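The fragment above scopes topics by ${iot:ClientId}, which only isolates devices if a certificate cannot be used with another device's client ID. The hardened form below is an added example, not from the deck: it restricts iot:Connect to a client ID equal to the thing name the certificate is attached to, switches the topic scoping to ${iot:Connection.Thing.ThingName} (populated only when the certificate is attached to a registry thing and the device connects with that thing name as its client ID), and adds iot:Receive, without which a device can subscribe but never gets a message delivered. Region and account (us-east-1, 123456789012) are placeholders; the open-topic-space publish is kept as on the slide, so remember that every device can write there.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}",
      "Condition": { "Bool": { "iot:Connection.Thing.IsAttached": "true" } }
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": [
        "arn:aws:iot:us-east-1:123456789012:topic/private-topic/${iot:Connection.Thing.ThingName}",
        "arn:aws:iot:us-east-1:123456789012:topic/open-topic-space/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:us-east-1:123456789012:topicfilter/private-topic/${iot:Connection.Thing.ThingName}/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Receive",
      "Resource": "arn:aws:iot:us-east-1:123456789012:topic/private-topic/${iot:Connection.Thing.ThingName}/*"
    }
  ]
}
```

With this in place a device holding a stolen certificate can still only act as the one thing that certificate is attached to, which is what makes per-thing certificates and the "certificate shared by devices" audit check meaningful.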
Batch Fleet Provisioning – Parameters file
{
  "Parameters": {
    "ThingName": {"Type": "String"},
    "SerialNumber": {"Type": "String"},
    "Location": {"Type": "String", "Default": "WA"},
    "CSR": {"Type": "String"}
  }
}
Batch Fleet Provisioning – Resources file
{
  "Resources": {
    "thing": {
      "Type": "AWS::IoT::Thing",
      "Properties": {
        "ThingName": {"Ref": "ThingName"},
        "AttributePayload": {
          "version": "v1",
          "serialNumber": {"Ref": "SerialNumber"}
        },
        "ThingTypeName": "lightBulb-versionA",
        "ThingGroups": ["v1-lightbulbs", {"Ref": "Location"}]
      }
    },
    "certificate": {
      "Type": "AWS::IoT::Certificate",
      "Properties": {
        "CertificateSigningRequest": {"Ref": "CSR"},
        "Status": "ACTIVE"
      }
    }
  }
}
No policy resource is declared here, so the certificate registered from the CSR carries no permissions until an IoT policy is attached to it.
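The two template sections above are applied to one input line per device. The following added example (not AWS code) builds that newline-delimited JSON input from manufacturing records, using the slide's Parameters section as the schema: required parameters are those without a Default, unknown keys are rejected, the CSR must be a PEM certificate request, and a CSR or thing name seen twice is refused so that no two devices end up keyed with the same private key. The device records and CSR bodies are constructed placeholders.

```python
"""Build and validate the per-device input for a bulk registration task from the
slide's Parameters section. Added example, not AWS code; records are constructed."""
import json

PARAMETERS = {  # the slide's Parameters section, used here as the schema
    "ThingName": {"Type": "String"},
    "SerialNumber": {"Type": "String"},
    "Location": {"Type": "String", "Default": "WA"},
    "CSR": {"Type": "String"},
}

PEM_HEADER = "-----BEGIN CERTIFICATE REQUEST-----"

DEVICES = [  # constructed manufacturing records; each CSR was generated on its device
    {"ThingName": "bulb-0001", "SerialNumber": "SN0001",
     "CSR": PEM_HEADER + "\nMIIB...placeholder-1...\n-----END CERTIFICATE REQUEST-----"},
    {"ThingName": "bulb-0002", "SerialNumber": "SN0002", "Location": "OR",
     "CSR": PEM_HEADER + "\nMIIB...placeholder-2...\n-----END CERTIFICATE REQUEST-----"},
]


def validate_records(parameters, devices):
    """Collect every schema and identity problem in the batch (empty list = clean)."""
    required = {name for name, spec in parameters.items() if "Default" not in spec}
    seen_names, seen_csrs, errors = set(), set(), []
    for i, rec in enumerate(devices):
        tag = rec.get("ThingName", f"record {i}")
        missing, unknown = required - rec.keys(), rec.keys() - parameters.keys()
        if missing or unknown:
            errors.append(f"{tag}: missing={sorted(missing)} unknown={sorted(unknown)}")
            continue
        if not rec["CSR"].startswith(PEM_HEADER):
            errors.append(f"{tag}: CSR is not a PEM certificate request")
        # One key pair per device: two things keyed with the same private key
        # cannot be told apart at the broker or revoked separately.
        if rec["CSR"] in seen_csrs:
            errors.append(f"{tag}: CSR already used by another device")
        if rec["ThingName"] in seen_names:
            errors.append(f"{tag}: duplicate thing name")
        seen_csrs.add(rec["CSR"])
        seen_names.add(rec["ThingName"])
    return errors


def build_registration_input(parameters, devices):
    """Newline-delimited JSON, one parameter map per device; raises on any problem."""
    errors = validate_records(parameters, devices)
    if errors:
        raise ValueError("; ".join(errors))
    return "".join(json.dumps(rec, separators=(",", ":")) + "\n" for rec in devices)


if __name__ == "__main__":
    print(build_registration_input(PARAMETERS, DEVICES), end="")
```

Parameters with a Default (Location) may be omitted from a line and are filled in by the template; everything else must be present, which is why the validator derives "required" from the schema instead of hard-coding it.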
CloudTrail – AWS IoT Integration
Provisioning Permissions
Federated Permissions
Registry Commands
Amazon CloudWatch Logs
• Monitor and alert
• Centralized access
• Archive
• Alarm
• Event (event-based)
Use Cases for CloudWatch Logs
• Track overall AWS operational metrics
• Integrate AWS IoT logs with AWS Partner solutions
• Make logs actionable by alerting on errors (alarm, or event-based)
Rules Engine for IoT Operations
• Invoke a Lambda function
• Put an object in an S3 bucket
• Insert or update a DynamoDB record
• Publish to an SNS topic or endpoint
• Publish to an Amazon Kinesis stream
• Publish to Firehose
• Republish to AWS IoT
• Publish to Amazon ES
• Capture a CloudWatch metric or change an alarm
• Write to an SQS queue