Best Practices with IoT Security - February Online Tech Talks

Date post: 22-Jan-2018
Upload: amazon-web-services

Transcript
Page 1: Best Practices with IoT Security - February Online Tech Talks

© 2017 Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Andrew Kiggins

Feb 2017

AWS IoT Security

Page 2

Today’s Webinar

IoT overview

The risks

Protecting communications

Protecting the devices

Page 3

All things around us are getting connected

Page 4

AWS IoT

DEVICE SDK: Set of client libraries to connect, authenticate and exchange messages

DEVICE GATEWAY: Communicate with devices via MQTT and HTTP

AUTHENTICATION / AUTHORIZATION: Secure with mutual authentication and encryption

RULES ENGINE: Transform messages based on rules and route to AWS Services

AWS Services

3P Services

DEVICE SHADOW: Persistent thing state during intermittent connections

APPLICATIONS

AWS IoT API

DEVICE REGISTRY: Identity and Management of your things

Page 5

Security and Identity

AUTHENTICATION: Secure with mutual authentication and encryption

Page 6

Security shared responsibility

AWS is responsible for the security OF the Cloud:

AWS Foundation Services: Compute, Storage, Database, Networking

AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Customers are responsible for their security IN the Cloud:

Client-side Data Encryption

Server-side Data Encryption

Network Traffic Protection

Platform, Applications, Identity & Access Management

Operating System, Network & Firewall Configuration

Customer applications & content

Page 7

The Risk

I’m a thing

pwn’d

Page 8

Protocol Support

Page 9

AWS IoT Protocols

                  MQTT over TLS   MQTT over Web Sockets   HTTPS
Server Auth       Cert            Cert                    Cert
Client Auth       Cert            AWS API Keys            AWS API Keys, Cert
Confidentiality   TLS             TLS                     TLS
Protocol          MQTT            Web Sockets / MQTT      HTTP/MQTT

Page 10

AWS IoT Identities

Page 11

Credentials Overview

Page 12

Security and Identity

Identity Principles           Usage
X.509 certificates            Device identity
IAM users, groups and roles   Application layer access for HTTP or Websockets
Amazon Cognito Identities     API Access

Page 13

Authentication

Page 14

Security and Identity

Page 15

Certificate management

Certificate creation mechanism: AWS IoT created certificate (including public/private keypair)
  Pros: Everything handled by AWS IoT
  Cons: Private key has to be transmitted between AWS IoT and customer

Certificate creation mechanism: AWS IoT created certificate (Certificate Signing Request (CSR) based)
  Pros: Certificate creation handled by AWS. AWS never has the private key.
  Cons: Customer has to create the public/private keypair and CSR.

Certificate creation mechanism: JiTR/BYOC (Bring Your Own Certificate)
  Pros: AWS never has the private key. Customer controls certificate creation.
  Cons: Customer has to create a certificate for every device.

Page 16

When is a certificate not a valid certificate

[Timeline figure: t1, t2]

• t1 is earlier than t2 (i.e. the server cert is in the future)

• No realtime clock

• No NTP update (chicken and egg)

• Don’t validate the timestamp if you’ve never connected to the NTP Server

• Don’t validate the timestamp if the device has been on the shelf for a long time
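The clock problem on this slide worked through in code, as an added example that is not part of the deck or of any AWS SDK: a Python decision function that compares the device clock against the certificate's notBefore/notAfter only once NTP has synced, and otherwise skips that comparison but still rejects a certificate whose notAfter predates the firmware build timestamp. The build-time lower bound, the two validity timestamps and the scenario names are my assumptions, not something the slide states.

```python
from datetime import datetime, timezone

UTC = timezone.utc

# Constructed stand-ins for a server certificate's notBefore / notAfter
# fields (this is not a real certificate, just the two timestamps).
CERT_NOT_BEFORE = datetime(2017, 1, 15, tzinfo=UTC)
CERT_NOT_AFTER = datetime(2018, 1, 15, tzinfo=UTC)

# Hypothetical timestamp baked into the firmware image at build time. Real
# time cannot be earlier than this, so it is a safe lower bound even when the
# device has no RTC and has never reached an NTP server.
FIRMWARE_BUILD_TIME = datetime(2016, 12, 1, tzinfo=UTC)


def check_validity_window(device_now, ntp_synced, not_before, not_after,
                          build_time=FIRMWARE_BUILD_TIME):
    """Decide whether to accept a certificate's validity window.

    Returns (accept, reason).

    * Clock trusted (NTP-synced): enforce notBefore / notAfter normally.
    * Clock untrusted (no RTC, never synced, device sat on the shelf): the
      device's idea of "now" (t1) is earlier than notBefore (t2), so comparing
      them would reject a perfectly good certificate. Skip that comparison.
    * Trusted or not, a certificate whose notAfter predates the firmware
      build time has certainly expired, so that case is still rejected.
    """
    if not_after < build_time:
        return False, "expired: notAfter predates firmware build time"
    if not ntp_synced:
        return True, "clock untrusted: validity window not compared"
    if device_now < not_before:
        return False, "not yet valid: device clock (t1) earlier than notBefore (t2)"
    if device_now > not_after:
        return False, "expired: device clock later than notAfter"
    return True, "within validity window"


def run_scenarios():
    """Constructed boot scenarios; returns {scenario: accepted?}."""
    epoch = datetime(1970, 1, 1, tzinfo=UTC)  # typical reading from a device with no RTC
    cases = {
        # First boot, clock at the epoch, NTP not yet reachable (chicken and egg)
        "cold_boot_no_ntp": (epoch, False, CERT_NOT_BEFORE, CERT_NOT_AFTER),
        # Same device after NTP sync, inside the window
        "synced_in_window": (datetime(2017, 6, 1, tzinfo=UTC), True,
                             CERT_NOT_BEFORE, CERT_NOT_AFTER),
        # Synced clock that is genuinely earlier than notBefore
        "synced_before_window": (datetime(2017, 1, 1, tzinfo=UTC), True,
                                 CERT_NOT_BEFORE, CERT_NOT_AFTER),
        # Synced clock past notAfter
        "synced_after_window": (datetime(2019, 1, 1, tzinfo=UTC), True,
                                CERT_NOT_BEFORE, CERT_NOT_AFTER),
        # Unsynced clock, but the certificate expired before the firmware was built
        "unsynced_ancient_cert": (epoch, False,
                                  datetime(2014, 1, 1, tzinfo=UTC),
                                  datetime(2015, 1, 1, tzinfo=UTC)),
    }
    return {name: check_validity_window(*args)[0] for name, args in cases.items()}


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:24s} {'accept' if accepted else 'reject'}")
```

The function is meant to sit in front of the TLS handshake's time check: until the first successful NTP sync the device still verifies the chain and the signature, it just does not trust its own clock enough to reject the certificate on dates alone.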

Page 17

Authorization

Page 18

Fine grained policies

• Effect

• Action

• Principal

• Substitution

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish"
      ],
      "Resource": [
        "arn:aws:iot:us-east-1:123456789012:topic/${iot:Connection.Thing.ThingTypeName}/${iot:Connection.Thing.ThingName}"
      ]
    }
  ]
}

Page 19

Policy and certificates

Device    Policy
Truck 1   Allow to connect and publish
Truck 2   Allow to connect / publish / subscribe
Truck 3   Allow to connect / publish / subscribe / unsubscribe

Page 20

Policy actions

• Connect

• Publish

• Subscribe

• Unsubscribe

• Receive
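An added example, not from the deck and not the AWS IoT service's own logic, that ties the three preceding slides together: it models how the substitution variables in the "Fine grained policies" JSON scope a connection to its own topics, builds per-device policies in the style of Truck 1/2/3 with different action sets, and evaluates a few requests. The evaluator is a deliberately simplified Python model (explicit Deny wins, any matching Allow grants, otherwise implicit deny; `*` is the only wildcard); the per-truck policies, the `client/`, `topic/` and `topicfilter/` resource ARNs and the connection attributes are my constructions.

```python
import json
import re

ACCOUNT_ARN = "arn:aws:iot:us-east-1:123456789012"  # region and account from the slide
THING_VARS = "${iot:Connection.Thing.ThingTypeName}/${iot:Connection.Thing.ThingName}"

# The policy shown on the "Fine grained policies" slide, with its ARN reassembled.
THING_SCOPED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iot:Publish"],
      "Resource": [
        "arn:aws:iot:us-east-1:123456789012:topic/${iot:Connection.Thing.ThingTypeName}/${iot:Connection.Thing.ThingName}"
      ]
    }
  ]
}
""")


def per_thing_policy(actions):
    """Constructed per-device policy in the style of the Truck 1/2/3 slide:
    every resource is scoped to the connecting thing through policy variables."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": list(actions),
            "Resource": [
                ACCOUNT_ARN + ":client/${iot:Connection.Thing.ThingName}",
                ACCOUNT_ARN + ":topic/" + THING_VARS,
                ACCOUNT_ARN + ":topicfilter/" + THING_VARS,
            ],
        }],
    }


TRUCK_POLICIES = {
    "Truck1": per_thing_policy(["iot:Connect", "iot:Publish"]),
    "Truck2": per_thing_policy(["iot:Connect", "iot:Publish", "iot:Subscribe"]),
    "Truck3": per_thing_policy(["iot:Connect", "iot:Publish", "iot:Subscribe", "iot:Unsubscribe"]),
}

VAR_PATTERN = re.compile(r"\$\{iot:Connection\.Thing\.(\w+)\}")


def resolve(resource, connection):
    """Substitute ${iot:Connection.Thing.*} variables from the connecting thing's attributes."""
    def repl(match):
        key = match.group(1)
        if key not in connection:
            raise KeyError(f"connection carries no thing attribute {key!r}")
        return connection[key]
    return VAR_PATTERN.sub(repl, resource)


def glob_match(pattern, value):
    """'*' is the only wildcard honoured; everything else is literal."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value) is not None


def is_allowed(policy, connection, action, resource):
    """Simplified evaluator (a model, not the service's real logic)."""
    granted = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(glob_match(a, action) for a in actions):
            continue
        if not any(glob_match(resolve(r, connection), resource) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        granted = True
    return granted


def demo():
    """Truck2, connected with its own certificate, attempts a few operations."""
    conn = {"ThingTypeName": "Truck", "ThingName": "Truck2"}
    checks = {
        "publish own topic": ("iot:Publish", ACCOUNT_ARN + ":topic/Truck/Truck2"),
        "publish Truck1 topic": ("iot:Publish", ACCOUNT_ARN + ":topic/Truck/Truck1"),
        "subscribe own topic": ("iot:Subscribe", ACCOUNT_ARN + ":topicfilter/Truck/Truck2"),
        "unsubscribe own topic": ("iot:Unsubscribe", ACCOUNT_ARN + ":topicfilter/Truck/Truck2"),
    }
    return {label: is_allowed(TRUCK_POLICIES["Truck2"], conn, act, res)
            for label, (act, res) in checks.items()}


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label:24s} {'ALLOW' if ok else 'DENY'}")
```

The point of the substitution variables is that one policy document can be attached to every truck's certificate while still giving each truck access only to `topic/<type>/<name>` for its own registered thing; the per-truck action sets then decide which of Connect, Publish, Subscribe, Unsubscribe and Receive are available on that scoped resource.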

Page 21

Encryption

Page 22

History of TLS/SSL

Evolution of Web Encryption Technologies

1995 SSL2.0
1996 SSL3.0
1999 TLS1.0
2006 TLS1.1
2008 TLS1.2
2013 Planning of TLS1.3 starts

Battle Against Vulnerabilities

2011 BEAST
2014/04 Heartbleed
2014/09 POODLE
2015 FREAK
2016/03 DROWN

Page 23

Greater Enforcement by Industry/Vendors

Battle Against Vulnerabilities

2011 BEAST
2014/04 Heartbleed
2014/09 POODLE
2015 FREAK
2016/03 DROWN

Industry Enforcement

2015/12 Indexing HTTPS Pages by Default
2016/04 PCI DSS v3.2
2016/07 Mandatory ATS
2016/08 HTTP Strict Transport Security (HSTS)
2017/06/30 Mandatory TLS1.2

Page 24

TLS1.2 in AWS IoT

• Client side certs should be at least
  • 2048 for RSA
  • P-256 and P-384 curves for ECC

• Recommended cipher suites
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-GCM-SHA256

• 2048-bit primes for DH
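An added example, not from the deck and not an AWS SDK: a Python `ssl` client context that enforces the recommendations on this slide (TLS 1.2 as the floor, only the two ECDHE AES-GCM suites, mandatory server verification, optional client certificate for mutual authentication), plus a small check of key parameters against the stated minimums. The CA bundle and certificate paths are caller-supplied placeholders, and the curve aliases are the OpenSSL and SECG names for P-256 and P-384.

```python
import ssl

# Cipher suites recommended on the slide, in OpenSSL naming.
RECOMMENDED_SUITES = [
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
]

# Minimum client-key parameters from the slide.
MIN_RSA_BITS = 2048
MIN_DH_BITS = 2048
# P-256 / P-384 under their NIST, OpenSSL and SECG names
ALLOWED_EC_CURVES = {"P-256", "prime256v1", "secp256r1", "P-384", "secp384r1"}


def key_meets_minimum(kind, value):
    """Check a key's parameters against the slide's minimums.

    kind: 'RSA' or 'DH' with value = modulus / prime size in bits,
          'EC' with value = curve name.
    """
    kind = kind.upper()
    if kind == "RSA":
        return int(value) >= MIN_RSA_BITS
    if kind == "DH":
        return int(value) >= MIN_DH_BITS
    if kind in ("EC", "ECC", "ECDSA"):
        return str(value) in ALLOWED_EC_CURVES
    return False


def build_client_context(ca_bundle=None, cert_chain=None):
    """TLS 1.2+ client context restricted to the recommended suites.

    ca_bundle:  path to the CA file used to verify the server (hypothetical path).
    cert_chain: (device certificate path, private key path) for mutual
                authentication (hypothetical paths).
    With both None the context is built without loading files, so it can be
    inspected offline.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse SSLv3 / TLS 1.0 / TLS 1.1
    ctx.set_ciphers(":".join(RECOMMENDED_SUITES))  # only ECDHE key exchange + AES-GCM
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED            # always authenticate the server
    if ca_bundle:
        ctx.load_verify_locations(ca_bundle)
    if cert_chain:
        ctx.load_cert_chain(*cert_chain)           # client certificate for mutual auth
    return ctx


def negotiable_tls12_suites(ctx):
    """Names of the TLS 1.2 suites the context would offer, sorted."""
    return sorted(c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2")


def minimum_version_name(ctx):
    """Protocol floor of the context, e.g. 'TLSv1_2'."""
    return ctx.minimum_version.name


def audit_cipher_list(names):
    """Entries of a proposed cipher list that fall outside the recommendation."""
    return [n for n in names if n not in RECOMMENDED_SUITES]


if __name__ == "__main__":
    ctx = build_client_context()
    print("floor:", minimum_version_name(ctx))
    print("TLS 1.2 suites:", negotiable_tls12_suites(ctx))
    print("rejected:", audit_cipher_list(["ECDHE-RSA-AES128-GCM-SHA256", "AES256-SHA", "RC4-SHA"]))
```

`get_ciphers()` reports what OpenSSL would actually offer, which is the check worth running after changing a cipher string: a typo in the list silently falls back to whatever OpenSSL still matches. TLS 1.3 suites, if the local OpenSSL has them, are configured separately and are not affected by `set_ciphers`.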

Page 25

Securing your thing

Page 26

Certificates & keys

• Securing private keys

• Hardware based solutions

• Securing certificates

• Manufacturing

• Install on boot

Page 27

Identifying misbehavior

• Pen-testing

• Open ports

• Manufacturing

• In-service

• On Thing agent

• Vulnerability scanning

• CIS

• CVE

• Telemetry
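An added example for the "Telemetry" item, not from the deck and not AWS IoT Device Defender: a detector run over constructed connection telemetry that flags a thing publishing outside its own topic, a burst of authorization failures, or a publish rate above a baseline. The record layout, the baseline thresholds and the three trucks are my constructions; the expected-topic rule mirrors the `<type>/<name>` scoping used in the policy slides.

```python
from collections import Counter, defaultdict

# Constructed telemetry records: (seconds since start, thing name, thing type,
# event, topic). Made-up sample data, not the output of any AWS service.
TELEMETRY = (
    [(0, "Truck1", "Truck", "connect", None)]
    + [(5 + i, "Truck1", "Truck", "publish", "Truck/Truck1") for i in range(3)]
    + [(0, "Truck2", "Truck", "connect", None),
       (12, "Truck2", "Truck", "publish", "Truck/Truck1"),        # another thing's topic
       (12, "Truck2", "Truck", "auth_failure", "Truck/Truck1")]
    + [(13 + i, "Truck2", "Truck", "auth_failure", "Truck/Truck1") for i in range(3)]  # 4 in total
    + [(60, "Truck3", "Truck", "connect", None)]
    + [(61 + i, "Truck3", "Truck", "publish", "Truck/Truck3") for i in range(25)]      # burst
)

# Hypothetical baseline agreed with the fleet team.
BASELINE = {
    "max_publish_per_minute": 20,
    "max_auth_failures_per_minute": 3,
}


def expected_topic(thing_type, thing_name):
    """Each thing is expected to publish only under <type>/<name>."""
    return f"{thing_type}/{thing_name}"


def detect_misbehavior(events, baseline=BASELINE):
    """Return {thing: sorted finding tags} for things that deviate from the baseline."""
    findings = defaultdict(set)
    publishes = Counter()      # (thing, minute) -> publish count
    auth_failures = Counter()  # (thing, minute) -> authorization-failure count
    for ts, name, ttype, event, topic in events:
        minute = ts // 60
        if event == "publish":
            publishes[(name, minute)] += 1
            if topic != expected_topic(ttype, name):
                findings[name].add("unexpected_topic")
        elif event == "auth_failure":
            auth_failures[(name, minute)] += 1
    for (name, _minute), count in publishes.items():
        if count > baseline["max_publish_per_minute"]:
            findings[name].add("publish_rate")
    for (name, _minute), count in auth_failures.items():
        if count > baseline["max_auth_failures_per_minute"]:
            findings[name].add("auth_failures")
    return {name: sorted(tags) for name, tags in findings.items()}


if __name__ == "__main__":
    for thing, tags in detect_misbehavior(TELEMETRY).items():
        print(f"{thing}: {', '.join(tags)}")
```

In a real fleet the per-minute counters would come from the broker's connection and authorization logs rather than from an in-memory list, and a finding would feed a ticket or a certificate deactivation rather than a print; the detection logic itself stays the same.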

Page 28

Thanks!

https://docs.aws.amazon.com/iot/latest/developerguide/iot-security-identity.html

