AWS IoT Security and Identity

Each connected device must have a credential to access the message broker or the Thing Shadows service. All traffic to and from AWS IoT must be encrypted over Transport Layer Security (TLS). Device credentials must be kept safe in order to send data securely to the message broker. After data reaches the message broker, AWS cloud security mechanisms protect data as it moves between AWS IoT and other devices or AWS services.

  • You are responsible for managing device credentials (X.509 certificates, AWS credentials) on your devices and policies in AWS IoT. You are responsible for assigning unique identities to each device and managing the permissions for a device or group of devices.

  • Devices connect using your choice of identity (X.509 certificates, IAM users and groups, or Amazon Cognito identities) over a secure connection according to the AWS IoT connection model.

  • The AWS IoT message broker authenticates and authorizes all actions in your account. The message broker is responsible for authenticating your devices, securely ingesting device data, and adhering to the access permissions you place on devices using policies.

  • The AWS IoT rules engine forwards device data to other devices and other AWS services according to rules you define. It is responsible for leveraging AWS access management systems to securely transfer data to its final destination.

TLS Cipher Suite Support

AWS IoT supports the following cipher suites:

  • ECDHE-ECDSA-AES128-GCM-SHA256 (recommended)

  • ECDHE-RSA-AES128-GCM-SHA256 (recommended)

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA

  • ECDHE-ECDSA-AES256-SHA

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA

Authentication

AWS IoT supports three types of identity principals for authentication:

  • X.509 certificates

    AWS IoT supports the following certificate-signing algorithms:

    • SHA256WITHRSA

    • SHA384WITHRSA

    • SHA512WITHRSA

    • RSASSAPSS

    • DSA_WITH_SHA256

    • ECDSA-WITH-SHA256

    • ECDSA-WITH-SHA384

    • ECDSA-WITH-SHA512

  • IAM users, groups, and roles

  • Amazon Cognito identities
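The signing-algorithm list above is worth checking before a device certificate is registered, because the algorithm that matters is the outer signatureAlgorithm of the X.509 structure, not the key type. The following is an added example, not code from AWS or from this page: a standard-library-only DER walker that pulls that OID out of a PEM or DER certificate and maps it to the names in the list. The OID table is the standard one (RFC 4055 and RFC 5758); the "fake_certificate" input is constructed here and has only the outer layout of a certificate, not a real signature.

```python
"""Added example: check an X.509 certificate's signature algorithm against the
AWS IoT list above.  Standard library only; the DER walker is intentionally
minimal and the sample certificate below is constructed, not a real cert."""
import base64

# OIDs for the algorithms listed above (RFC 4055 for RSA, RFC 5758 for DSA/ECDSA).
SUPPORTED_SIGNING_ALGORITHMS = {
    "1.2.840.113549.1.1.11": "SHA256WITHRSA",
    "1.2.840.113549.1.1.12": "SHA384WITHRSA",
    "1.2.840.113549.1.1.13": "SHA512WITHRSA",
    "1.2.840.113549.1.1.10": "RSASSAPSS",
    "2.16.840.1.101.3.4.3.2": "DSA_WITH_SHA256",
    "1.2.840.10045.4.3.2": "ECDSA-WITH-SHA256",
    "1.2.840.10045.4.3.3": "ECDSA-WITH-SHA384",
    "1.2.840.10045.4.3.4": "ECDSA-WITH-SHA512",
}

SEQUENCE, OID, BIT_STRING, NULL, INTEGER = 0x30, 0x06, 0x03, 0x05, 0x02


def read_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    """Turn the contents of an OBJECT IDENTIFIER into dotted notation."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # a clear high bit ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def pem_to_der(data):
    """Accept PEM or raw DER bytes and return DER."""
    if b"-----BEGIN" not in data:
        return data
    body = b"".join(l for l in data.splitlines() if l and not l.startswith(b"-----"))
    return base64.b64decode(body)


def signature_algorithm_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    The outer signatureAlgorithm is the one AWS IoT's list refers to."""
    tag, cert, _ = read_tlv(der)
    if tag != SEQUENCE:
        raise ValueError("not a DER SEQUENCE (is this PEM text?)")
    _, _tbs, pos = read_tlv(cert)           # skip tbsCertificate
    tag, alg_id, _ = read_tlv(cert, pos)
    if tag != SEQUENCE:
        raise ValueError("malformed signatureAlgorithm")
    tag, oid_body, _ = read_tlv(alg_id)
    if tag != OID:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return decode_oid(oid_body)


def check_device_certificate(data):
    """Return (supported_name_or_None, oid) for a PEM or DER certificate."""
    oid = signature_algorithm_oid(pem_to_der(data))
    return SUPPORTED_SIGNING_ALGORITHMS.get(oid), oid


# ---- constructed input: certificate-shaped DER, not a real signed certificate ----
def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return tlv(OID, bytes(out))


def fake_certificate(sig_oid):
    """Constructed stand-in: placeholder tbsCertificate and signature bits."""
    tbs = tlv(SEQUENCE, tlv(INTEGER, b"\x02"))
    alg = tlv(SEQUENCE, encode_oid(sig_oid) + tlv(NULL, b""))
    sig = tlv(BIT_STRING, b"\x00" + bytes(8))
    return tlv(SEQUENCE, tbs + alg + sig)


def to_pem(der):
    b64 = base64.encodebytes(der).replace(b"\n", b"")
    return b"-----BEGIN CERTIFICATE-----\n" + b64 + b"\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # 1.2.840.113549.1.1.5 is sha1WithRSAEncryption, which is not in the list.
    for oid in ("1.2.840.113549.1.1.11", "1.2.840.10045.4.3.2", "1.2.840.113549.1.1.5"):
        name, seen = check_device_certificate(to_pem(fake_certificate(oid)))
        print(seen, "->", name or "NOT in the AWS IoT list")
```

To run it against a real device certificate, pass the file contents to check_device_certificate; a SHA-1-signed certificate (sha1WithRSAEncryption, 1.2.840.113549.1.1.5) comes back with None, which is the case the check exists to catch.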

If you connect over HTTP, authenticate with IAM (users, groups, roles) or Amazon Cognito identities. If you connect over MQTT, authenticate with an X.509 certificate, which the device presents during the TLS handshake (mutual TLS).

Certificates provide stronger client authentication than schemes such as user name and password or bearer tokens, because the private key never leaves the device: the broker verifies a signature made with that key rather than receiving a reusable secret that could be replayed if intercepted or logged.

To use AWS IoT certificates, clients must support all of the following in their TLS implementation:

  • TLS 1.2.

  • SHA-256 RSA certificate signature validation.

  • One of the cipher suites from the TLS cipher suite support section.
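The three requirements above, together with the cipher suite list in the TLS Cipher Suite Support section, translate directly into how a device's TLS client should be configured. The following is an added example, not code from AWS or from this page: it builds a Python ssl context pinned to TLS 1.2 or later, with server certificate and hostname validation, mutual TLS using the device certificate, and a cipher list restricted to the two recommended suites, and it reports any offered suite that AWS IoT would not accept. The file names and the endpoint are placeholders; AWS IoT endpoint strings look different in every account.

```python
"""Added example: a TLS client configuration that meets the AWS IoT client
requirements above.  File names and the endpoint below are placeholders."""
import socket
import ssl

# The suites from the "TLS Cipher Suite Support" section, in OpenSSL notation.
AWS_IOT_CIPHER_SUITES = (
    "ECDHE-ECDSA-AES128-GCM-SHA256",  # recommended
    "ECDHE-RSA-AES128-GCM-SHA256",    # recommended
    "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256",
    "ECDHE-ECDSA-AES128-SHA", "ECDHE-RSA-AES128-SHA",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-AES256-SHA", "ECDHE-ECDSA-AES256-SHA",
    "AES128-GCM-SHA256", "AES128-SHA256", "AES128-SHA",
    "AES256-GCM-SHA384", "AES256-SHA256", "AES256-SHA",
)
RECOMMENDED_CIPHER_SUITES = AWS_IOT_CIPHER_SUITES[:2]


def make_device_tls_context(ca_file=None, cert_file=None, key_file=None,
                            ciphers=RECOMMENDED_CIPHER_SUITES):
    """Client context: TLS >= 1.2, server chain + hostname checked, device cert loaded."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # requirement 1: TLS 1.2 (or later)
    ctx.verify_mode = ssl.CERT_REQUIRED            # requirement 2: validate the server's
    ctx.check_hostname = True                      #   certificate chain and its hostname
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)  # pin the AWS-provided root CA
    else:
        ctx.load_default_certs()                   # fall back to the system trust store
    if cert_file:
        # Mutual TLS: the device's X.509 certificate and the private key that never
        # leaves the device.  Without these the broker has nothing to authenticate.
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    ctx.set_ciphers(":".join(ciphers))             # requirement 3: supported suites only
    return ctx


def negotiable_tls12_ciphers(ctx):
    """TLS 1.2 suites this context would offer.  OpenSSL controls the TLS 1.3 suites
    (named TLS_*) separately from set_ciphers, so they are left out here."""
    return [c["name"] for c in ctx.get_ciphers() if not c["name"].startswith("TLS_")]


def unsupported_ciphers(ctx):
    """Offered TLS 1.2 suites that are not in the AWS IoT list.  These cost handshake
    bytes at best and, if they were all the client offered, would fail the handshake."""
    return [n for n in negotiable_tls12_ciphers(ctx) if n not in AWS_IOT_CIPHER_SUITES]


def context_summary(ctx):
    """Plain-data view of the settings a reviewer would want to see."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "tls12_ciphers": negotiable_tls12_ciphers(ctx),
    }


def connect_mqtt_tls(endpoint, ctx, port=8883, timeout=10.0):
    """Open the TLS session to the MQTT port and return the negotiated version/suite.
    The MQTT CONNECT itself would follow on the returned socket."""
    raw = socket.create_connection((endpoint, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=endpoint)
    cipher_name = tls.cipher()[0]
    return tls, tls.version(), cipher_name


if __name__ == "__main__":
    # Placeholder file names: the root CA plus the certificate and key issued at registration.
    ctx = make_device_tls_context("AmazonRootCA.pem", "device.pem.crt", "device.private.key")
    print(context_summary(ctx))
    print("not in the AWS IoT list:", unsupported_ciphers(ctx))
    # Placeholder endpoint; use the one shown for your account in the AWS IoT console.
    tls, version, cipher = connect_mqtt_tls("EXAMPLE-endpoint.iot.us-east-1.amazonaws.com", ctx)
    print("negotiated", version, cipher)
    tls.close()
```

The point of unsupported_ciphers is that set_ciphers accepts any string OpenSSL understands, so a typo or a copied "default" list silently widens what the device offers; running the check at build time, rather than discovering it from a failed handshake in the field, is the cheap option.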

Use your own certificate

See: use own certificate in AWS IoT

Authorization

See more here: authorization in AWS
