Best Practices with IoT Security - February Online Tech Talks


© 2017 Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Andrew Kiggins

Feb 2017

AWS IoT Security

Today’s Webinar

• IoT overview
• The risks
• Protecting communications
• Protecting the devices

All things around us are getting connected

AWS IoT

• DEVICE SDK: Set of client libraries to connect, authenticate and exchange messages
• DEVICE GATEWAY: Communicate with devices via MQTT and HTTP
• AUTHENTICATION / AUTHORIZATION: Secure with mutual authentication and encryption
• RULES ENGINE: Transform messages based on rules and route to AWS Services
• AWS Services / 3P Services
• DEVICE SHADOW: Persistent thing state during intermittent connections
• APPLICATIONS: AWS IoT API
• DEVICE REGISTRY: Identity and Management of your things

Security and Identity

• AUTHENTICATION: Secure with mutual authentication and encryption

Security shared responsibility

AWS is responsible for the security OF the Cloud:

• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Customers are responsible for their security IN the Cloud:

• Customer applications & content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption, Server-side Data Encryption, Network Traffic Protection

The Risk

I’m a thing

pwn’d

Protocol Support

AWS IoT Protocols

                  MQTT over TLS    MQTT over Web Sockets    HTTPS
Server Auth       Cert             Cert                     Cert
Client Auth       Cert             AWS API Keys             AWS API Keys, Cert
Confidentiality   TLS              TLS                      TLS
Protocol          MQTT             Web Sockets / MQTT       HTTP/MQTT

AWS IoT Identities

Credentials Overview

Security and Identity

Identity principals and their usage:

• X.509 certificates: Device identity
• IAM users, groups and roles: Application layer access for HTTP or Websockets
• Amazon Cognito Identities: API Access

Authentication

Security and Identity

Certificate management

Certificate creation mechanisms, with their pros and cons:

• AWS IoT created certificate (including public/private keypair)
  Pros: Everything handled by AWS IoT
  Cons: Private key has to be transmitted between AWS IoT and customer

• AWS IoT created certificate (Certificate Signing Request (CSR) based)
  Pros: Certificate creation handled by AWS. AWS never has the private key.
  Cons: Customer has to create the public/private keypair and CSR.

• JiTR/BYOC (Bring Your Own Certificate)
  Pros: AWS never has the private key. Customer controls certificate creation.
  Cons: Customer has to create a certificate for every device.

When is a certificate not a valid certificate

[Timeline diagram: t1, t2]

• t1 is earlier than t2 (i.e. the server cert is in the future)
• No realtime clock
• No NTP update (chicken and egg)
• Don’t validate the timestamp if you’ve never connected to the NTP Server
• Don’t validate the timestamp if the device has been on the shelf for a long time

Authorization

Fine grained policies

• Effect
• Action
• Principal
• Substitution

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish"
      ],
      "Resource": [
        "arn:aws:iot:us-east-1:123456789012:topic/${iot:Connection.Thing.ThingTypeName}/${iot:Connection.Thing.ThingName}"
      ]
    }
  ]
}
```

Policy and certificates

Device and its policy:

• Truck 1: Allow to connect and publish
• Truck 2: Allow to connect / publish / subscribe
• Truck 3: Allow to connect / publish / subscribe / unsubscribe

Policy actions

• Connect

• Publish

• Subscribe

• Unsubscribe

• Receive
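The substitution variables in the policy above and the per-truck policies in the table, worked through as an added example that is not from the slides or from AWS: a small Python simulation of how ${iot:Connection.Thing.ThingTypeName} and ${iot:Connection.Thing.ThingName} scope each thing to its own topic. The evaluator, the thing names and the topic ARN are constructed for illustration; the real evaluation happens inside the AWS IoT service.

```python
"""Simulate how the AWS IoT policy on the slide scopes each thing to its own
topic via substitution variables. Added illustration only: the real policy
evaluation is done by the AWS IoT service, not by this code."""
import json
import re

# The policy from the slide, reproduced here as a constructed string.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["iot:Publish"],
    "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/${iot:Connection.Thing.ThingTypeName}/${iot:Connection.Thing.ThingName}"]
  }]
}""")

VARIABLES = ("${iot:Connection.Thing.ThingTypeName}", "${iot:Connection.Thing.ThingName}")

def pattern_to_regex(pattern, thing_type, thing_name):
    """Translate a policy Action/Resource pattern into a regex. '*' and '?' are
    the only wildcards; substituted values are regex-escaped so that a thing
    whose name contains '*' cannot widen the scope the policy author intended."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    for var, value in zip(VARIABLES, (thing_type, thing_name)):
        regex = regex.replace(re.escape(var), re.escape(value))
    return re.compile(regex)

def is_allowed(policy, thing_type, thing_name, action, resource):
    """Default deny: an explicit Deny wins, otherwise a matching Allow is needed."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(pattern_to_regex(a, thing_type, thing_name).fullmatch(action) for a in actions):
            continue
        if not any(pattern_to_regex(r, thing_type, thing_name).fullmatch(resource) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

# Constructed thing type and topic ARN following the slide's Truck example.
TOPIC = "arn:aws:iot:us-east-1:123456789012:topic/Truck/Truck1"
if __name__ == "__main__":
    print(is_allowed(POLICY, "Truck", "Truck1", "iot:Publish", TOPIC))    # True: own topic
    print(is_allowed(POLICY, "Truck", "Truck2", "iot:Publish", TOPIC))    # False: another truck's topic
    print(is_allowed(POLICY, "Truck", "Truck1", "iot:Subscribe", TOPIC))  # False: action not granted
```

The same policy document attached to every truck's certificate therefore yields a different effective permission per device, which is what keeps one compromised truck from publishing as another.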

Encryption

History of TLS/SSL

Evolution of Web Encryption Technologies

• 1995 SSL2.0
• 1996 SSL3.0
• 1999 TLS1.0
• 2006 TLS1.1
• 2008 TLS1.2
• 2013 Planning of TLS1.3 starts

Battle Against Vulnerabilities

• 2011 BEAST
• 2014/04 Heartbleed
• 2014/09 POODLE
• 2015 FREAK
• 2016/03 DROWN

Greater Enforcement by Industry/Vendors

Industry Enforcement

• 2015/12 Indexing HTTPS Pages by Default
• 2016/04 PCI DSS v3.2
• 2016/07 Mandatory ATS
• 2016/08 HTTP Strict Transport Security (HSTS)
• 2017/06/30 Mandatory TLS1.2

TLS1.2 in AWS IoT

• Client side certs should be at least
  • 2048-bit for RSA
  • P-256 and P-384 curves for ECC
• Recommended cipher suites
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-GCM-SHA256
• 2048-bit primes for DH

Securing your thing

Certificates & keys

• Securing private keys
  • Hardware based solutions
• Securing certificates
  • Manufacturing
  • Install on boot

Identifying misbehavior

• Pen-testing
  • Open ports
• Manufacturing
• In-service
  • On Thing agent
• Vulnerability scanning
  • CIS
  • CVE
• Telemetry

Thanks!

https://docs.aws.amazon.com/iot/latest/developerguide/iot-security-identity.html
