Internet of Things (IoT) is taking the world by storm. Nearly every study indicates that the number of edge devices connected to an IoT platform will grow exponentially in the next few years. It’s our belief that over time, everything that can be connected to Internet will be. That’s “lots” of things. Protecting your IoT deployment is key to securing data and earning customer trust. In this talk, we walk through best practices for securing edge devices using native capabilities within AWS IoT and AWS IoT Device Defender.

2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Securing and Managing IoT
Devices at Scale
Aravind Kodandaramaiah
Solution Developer
Solutions Prototyping
S E C 3 6 7
Michael Weitzel
Solution Developer
Solutions Prototyping

3. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Agenda
Managing devices at scale
Securing devices at scale
Best practices

4. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Batch Fleet
Provisioning
Real-time
Fleet Index & Search
Fine Grained
Device Logging
& Monitoring
Over the
Air Updates
Maintain Fleet Health
AWS IoT Device Management

6. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Grouping and Searching for Devices
Organize devices
into logical
hierarchies
Search both the
Registry and
Device Shadow
Group Policies

7. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Thing Groups

8. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Search Both Registry and Device Shadow

9. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Job Workflow Using AWS IoT Device Management
subscribe $aws/things/MyThing/jobs/notify
Call DescribeJobExecution API
Execute
Call UpdateJobExecution API
Job document
AWS cloud
AWS IoT
(Continued)
notify topic
accepted topic
rejected topic

10. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Monitoring Device Events
Monitor Devices Joining
Groups
Monitoring of
Device Updates
Monitor Device
Security Policies

11. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

12. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
IoT Security Approach
Devices can be compromised; security is not point in
time.
• Detecting compromises
• Ensuring notifications and alerts are raised
• Constantly evolving systems to monitor threat landscape

13. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Secure
configurations
Detect
anomalies
Receive
alerts
Fix security
issues
AWS IoT Device Defender

14. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Audit Checks
Certificates Policies
Device
Connection
Account
Setting
Expiring
Certificates/CA
Certificates
Overly
permissive IoT
policies
Client ID
Collision
Logging not
enabled
Revoked
Certificates/CA
Certificates
Cognito IDs with
overly
permissive
access
Certificate
shared by
devices

15. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Detect Abnormal Device Behavior
Security
profiles
Define behavior –
blacklist/whitelist
Define behavior –
thresholds
Monitor device
metrics

16. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security Profiles -> Group

17. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Define Device Behavior
Metrics Threshold Blacklist/Whitelist
AWS Metrics • Message Rate (Sent and
Received)
• Message Size
• Authorization Failures
• Source IPs
Device Metrics • TCP Connections
• Open Ports (TCP/UDP)
• In/Outbound Packets
• In/Outbound Bytes
• Destination IPs (TCP)
• Open Ports (TCP/UDP)
• Destination IPs (TCP)

18. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Receive Alerts
Amazon CloudWatchAWS IoT
Console
Amazon SNS

19. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Investigate and Mitigate
Historical
information
Recommendation AWS IoT Device
Management –
Device Jobs
Contextual
information

20. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

21. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security Best Practices
• JITR > JITP > Preload certs
• Do not share certificates. Ensure every THING has its own
certificate.
• Create fine grained IoT Policies to allow each THING to affect
its own data and not data of other THINGS.
• Enforce Schema on Telemetry data in rules engine/business
logic.
• Stolen, valid certificate & private key or SIGV4 credentials - Set
CloudWatch alarms to trigger on high levels of messages.
• Blacklist offending secrets to mitigate MQTT HTTPS Endpoint
layer 7 DDOS attacks.
• x.509 Certificate
• Use IoT Policies
• IAM Permissions
• IAM Roles
• Cognito for user federation

22. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Device Management Best Practices
• Device types & device groups
• Use jobs
• JITR
• Track overall AWS operational metrics
• AWS CloudTrail
• Amazon CloudWatch Logs, Metrics & Alarms

23. Thank you!
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

24. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

25. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS IoT Policies
{
"Effect": "Allow",
"Action": "iot:Publish",
"Resource": [
"arn:*:topic/private-topic/${iot:ClientId}",
"arn:*:topic/open-topic-space/*"
]
},
{
"Effect": "Allow",
"Action": "iot:Subscribe",
"Resource": "arn:*:topicfilter/private-topic/${iot:ClientId}/*"
}

26. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Batch Fleet Provisioning – Parameters file
"Parameters": {
"ThingName": {
"Type": "String”
},
"SerialNumber": {
"Type": "String”
},
"Location": {
"Type": "String",
"Default": "WA“
},
"CSR": {
"Type": "String”
}
}

27. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Batch Fleet Provisioning – Resources File
"Resources" : {
"thing" : {
"Type" : "AWS::IoT::Thing",
"Properties" : {
"ThingName" : {"Ref" :
"ThingName"},
"AttributePayload" : {
"version" : "v1",
"serialNumber" :
{"Ref" : "SerialNumber"}
},
"ThingTypeName" :
"lightBulb-versionA",
"ThingGroups" : ["v1-
lightbulbs", {"Ref" : "Location"}]
},
"certificate": {
"Type": "AWS::IoT::Certificate",
"Properties": {
"CertificateSigningRequest": {
"Ref": "CSR"
},
"Status": "ACTIVE"
}
}

28. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
CloudTrail – AWS IoT Integration
Provisioning Permissions
Federated Permissions
Registry Commands

29. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon CloudWatch Logs
Monitor and alert
Centralized access
Archive
Alarm
Event (event-based)

30. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Use Cases for CloudWatch Logs
Track overall AWS operational
metrics
Integrate AWS IoT Logs with
AWS Partner solutions
Make logs actionable by alerting
on errors
Alarm
Event (event-based)

31. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Rules Engine for IoT Operations
Invoke a Lambda function
Put object in an S3 bucket
Insert, update a
DynamoDB record
Publish to an SNS topic
or endpoint
Publish to an Amazon
Kinesis stream
Publish to Firehose
Republish to AWS IoT
Publish to Amazon ES
Capture a CloudWatch
metric or change an alarm
Write to SQS queue

32. Thank you!
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

33. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.