AWS IoT is a new managed service that enables Internet-connected things (sensors, actuators, devices, and applications) to easily and securely interact with each other and the cloud. This talk will introduce the security and access control mechanisms used by AWS IoT. These mechanisms can be used to not only securely build and provision devices, but also to integrate devices with other AWS services. This allows you to build interesting, meaningful applications while owning little to no infrastructure.

1. © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Eric Brandwine
October 8, 2015
MBL311
Securely Thinging Across
the Internet With AWS

2. All things around us are getting connected

3. All things around us are getting connected

4. Things will proliferate
2013 2015 2020
Vertical Industry
Generic Industry
Consumer
Automotive
Many
Some
Lots

5. Connected ≠ Smart
Internet 1985 IoT 2015
Gopher HTTP
FTP MQTT
NNTP CoAP
Telnet XMPP
Archie AQMP

6. In reality, it is even more complex
Layer Standards
Application HTTP, MQTT, AMQP, CoAP, XMPP
Network IPv4, IPv6, 6LoWPAN, ZigBee, Z-Wave, Insteon
Physical Ethernet, CAN, USB, 802.11, Bluetooth, 802.15.4, SPI

7. A Simple Goal

9. But my data
isn’t sensitive!

10. Why do IoT at all?
Changes
happen in
the real
world!

11. The Risk
Changes
happen in
the real
world!
Bad

12. The Risk
Changes
happen in
the real
world!
Bad

13. Requirements
Secure Communications with Things
Strong Thing Identity
Fine-grained Authorization for:
Thing Management
Pub/Sub Data Access
AWS Service Access

14. The System
Amazon
DynamoDB
AWS
Lambda
Amazon
Kinesis

15. The System
DynamoDB LambdaAmazon
Kinesis

16. Requirements
Secure Communications with Things
Strong Thing Identity
Fine-grained Authorization for:
Thing Management
Pub/Sub Data Access
AWS Service Access

17. Talking to Things
DynamoDB LambdaAmazon
Kinesis

18. Network Traffic Is Complex
04:07:18.045065 IP 85.119.83.194.1883 > 10.0.0.67.51210: Flags
[P.], seq 1586864891:1586864913, ack 820274045, win 227, options
[nop,nop,TS val 2390025928 ecr 577393885], length 22
0x0000: 4500 004a 3694 4000 2d06 639e 5577 53c2
0x0010: 0a00 0043 075b c80a 5e95 a2fb 30e4 637d
0x0020: 8018 00e3 66cd 0000 0101 080a 8e74 e6c8
0x0030: 226a 54dd 3214 0007 666f 6f2f 6261 7200
0x0040: 0454 656d 703a 2038 3346

19. Network Tools Are Up To It
MQ Telemetry Transport Protocol
Publish Message
0011 0010 = Header Flags: 0x32 (Publish Message)
0011 .... = Message Type: Publish Message (3)
.... 0... = DUP Flag: Not set
.... .01. = QOS Level: Acknowledged deliver (1)
.... ...0 = Retain: Not set
Msg Len: 20
Topic: foo/bar
Message Identifier: 1
Message: Temp: 83F

20. Mutual Auth TLS

21. Talking to Non-Things
DynamoDB LambdaAmazon
Kinesis

22. AWS Auth + TLS

23. One Service, Two Protocols
MQTT + Mutual Auth TLS AWS Auth + HTTPS
Server Auth TLS + Cert TLS + Cert
Client Auth TLS + Cert AWS API Keys
Confidentiality TLS TLS
Protocol MQTT HTTP

24. Requirements
Secure Communications with Things
Strong Thing Identity
Fine-grained Authorization for:
Thing Management
Pub/Sub Data Access
AWS Service Access

25. Back To Certs and Keys

26. AWS-Generated Keypair

27. Actual Commands
$ aws iot create-keys-and-certificate --set-as-active
{
"certificateArn":
"arn:aws:iot:us-east-1:123456972007:cert/d7677b0…SNIP…026d9",
"certificatePem":
"-----BEGIN CERTIFICATE-----…SNIP…-----END CERTIFICATE-----",
"keyPair": {
"PublicKey":
"-----BEGIN PUBLIC KEY-----…SNIP…-----END PUBLIC KEY-----",
"PrivateKey":
"-----BEGIN RSA PRIVATE KEY-----…SNIP…-----END RSA PRIVATE KEY-----"
},
"certificateId":
"d7677b0…SNIP…026d9"
}

28. AWS-Generated Keypair

29. Client Generated Keypair
CSR

30. Certificate Signing Request
Dear Certificate Authority,
I’d really like a certificate for %NAME%, as identified by
the key pair with public key %PUB_KEY%. If you could
sign a certificate for me with those parameters, it’d be
super spiffy.
Signed (Cryptographically),
- The holder of the private key

31. Client Generated Keypair
CSR

32. Actual Commands
$ openssl genrsa –out ThingKeypair.pem 2048
Generating RSA private key, 2048 bit long modulus
....+++
...+++
e is 65537 (0x10001)
$ openssl req -new –key ThingKeypair.pem –out Thing.csr
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:NY
Locality Name (eg, city) [Default City]:New York
Organization Name (eg, company) [Default Company Ltd]:ACME
Organizational Unit Name (eg, section) []:Makers
Common Name (eg, your name or your server's hostname) []:John Smith
Email Address []:jsmith@acme.com

33. Actual Commands
$ aws iot create-certificate-from-csr
--certificate-signing-request file://Thing.csr
--set-as-active
{
"certificateArn":
"arn:aws:iot:us-east-1:123456972007:cert/b5a396e…SNIP…400877b",
"certificatePem":
"-----BEGIN CERTIFICATE-----…SNIP…-----END CERTIFICATE-----",
"certificateId":
"b5a396e…SNIP…400877b"
}

34. Private Key Protection – Test & Dev
$ openssl genrsa -out ThingKeypair.pem 2048
Generating RSA private key, 2048 bit long modulus
......................+++
.................................+++
e is 65537 (0x10001)
$ ls -l ThingKeypair.pem
-rw-rw-r-- 1 ec2-user ec2-user 1679 Sep 25 14:10 ThingKeypair.pem
$ chmod 400 ThingKeypair.pem ; ls -l ThingKeypair.pem
-r-------- 1 ec2-user ec2-user 1679 Sep 25 14:10 ThingKeypair.pem

35. Private Key Protection – Software Threats
chroot
SELinux
OTP Fuses

36. Private Key Protection – Hardware Threats
TPMs
Smartcards
Locks and Boxes
FIPS-style hardware

37. Identity Revocation
$ aws iot list-certificates
{
"certificateDescriptions": [
{
"certificateArn":
"arn:aws:iot:us-east-1:123456972007:cert/d7677b0…SNIP…026d9",
"status": "ACTIVE",
"certificateId":
"d7677b0…SNIP…026d9"
"lastModifiedDate": 1443070900.491,
"certificatePem":
"-----BEGIN CERTIFICATE-----…SNIP…-----END CERTIFICATE-----",
"ownedBy": "123456972007",
"creationDate": 1443070900.491
}
]
}

38. Identity Revocation
$ aws iot update-certificate --certificate-id "d7677b0…SNIP…026d9" --new-status REVOKED
$ aws iot list-certificates
{
"certificateDescriptions": [
{
"certificateArn":
"arn:aws:iot:us-east-1:123456972007:cert/d7677b0…SNIP…026d9",
"status": "REVOKED",
"certificateId":
"d7677b0…SNIP…026d9"
"lastModifiedDate": 1443192020.792,
"certificatePem":
"-----BEGIN CERTIFICATE-----…SNIP…-----END CERTIFICATE-----",
"ownedBy": "123456972007",
"creationDate": 1443070900.491
}
]
}

39. Requirements
Secure Communications with Things
Strong Thing Identity
Fine-grained Authorization for:
Thing Management
Pub/Sub Data Access
AWS Service Access

40. Managing Things
DynamoDB LambdaAmazon
Kinesis
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": ”ManageCerts",
"Action": [
"iot:DescribeCertificate",
"iot:UpdateCertificate",
"iot:DeleteCertificate",
"iot:ListCertificates”
],
"Effect": "Allow",
"Resource": "*"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": ”ManageCerts",
"Action": [
"iot:CreateCertificateAndKeys",
"iot:CreateCertificateFromCsr",
"iot:DescribeCertificate",
"iot:UpdateCertificate",
"iot:DeleteCertificate",
"iot:ListCertificates”
],
"Effect": "Allow",
"Resource": "*"
}
]
}

41. Managing Things
DynamoDB LambdaAmazon
Kinesis
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "RevokeOneThing",
"Action": [
"iot:UpdateCertificate"
],
"Effect": "Allow",
"Resource":
"arn:aws:iot:us-east-1:123456972007:cert/d7677b0…SNIP…026d9",
"Condition": {
"IpAddress": {
"aws:SourceIp": "192.168.42.54"
}
}
}
]
}

42. Identity Federation
DynamoDB LambdaAmazon
Kinesis

43. Requirements
Secure Communications with Things
Strong Thing Identity
Fine-grained Authorization for:
Thing Management
Pub/Sub Data Access
AWS Service Access

44. Data Access Control – AWS APIs
DynamoDB LambdaAmazon
Kinesis
{
"Version":"2012-10-17",
"Statement":[ {
"Effect":"Allow",
"Action":[ "iot:Connect" ],
"Resource":"*"
}, {
"Effect":"Allow",
"Action":[ "iot:GetThingShadow" ],
"Resource":[
"arn:aws:iot:us-east-1:123456972007:thing/MyThing"]
}, {
"Effect":"Allow",
"Action":[ "iot:Publish" ],
"Resource":[ "arn:aws:iot:us-east-1:123456972007:
topic/$aws/things/MyThing/shadow/update"]
}
]
}

45. Mobile Users as Things
DynamoDB LambdaAmazon
Kinesis
{
"Version":"2012-10-17",
"Statement":[ {
"Effect":"Allow",
"Action":[ "iot:Connect" ],
"Resource":"*"
}, {
"Effect":"Allow",
"Action":[ "iot:GetThingShadow" ],
"Resource":[
"arn:aws:iot:us-east-1:123456972007:
thing/${cognito-identity.amazonaws.com:aud}"]
}, {
"Effect":"Allow",
"Action":[ "iot:Publish" ],
"Resource":[ "arn:aws:iot:us-east-1:123456972007:topic/$aws/things/
${cognito-identity.amazonaws.com:aud}/shadow/update"]
}
]
}

46. DynamoDB LambdaAmazon
Kinesis
{
"Version":"2012-10-17",
"Statement":[ {
"Effect":"Allow",
"Action":[ "iot:Connect" ],
"Resource":"*"
}, {
"Effect":"Allow",
"Action":[ "iot:Publish" ],
"Resource":[
"arn:aws:iot:us-east-1:123456972007:
topic/$aws/things/MyThing/shadow/update"]
}, {
"Effect":"Allow",
"Action":[ "iot:Subscribe", "iot:Receive" ],
"Resource":[
"arn:aws:iot:us-east-1:123456972007:
topicfilter/$aws/things/MyThing/shadow/*"
]
}
]
}
Data Access Control - MQTT
{
"Version": "2012-10-17",
"Statement": [{
"Effect":"Allow",
"Action":[ "iot:Connect" ],
"Resource":"*"
}, {
"Effect": "Allow",
"Action": ["iot:Connect", "iot:Publish"],
"Resource": [
"arn:aws:iot:us-east-1:123456972007:topic/foo/bar",
"arn:aws:iot:us-east-1:123456972007:topic/foo/baz"
]
}]
}

47. Actual Commands
$ cat MyThingPolicy.json
{
"Version":"2012-10-17",
"Statement":[ {
"Effect":"Allow",
"Action":[ "iot:Connect" ],
"Resource":"*"
}, {
"Effect":"Allow",
"Action":[ "iot:Publish" ],
"Resource":["arn:aws:iot:us-east-1:123456972007:
topic/$aws/things/MyThing/shadow/update"]
}, {
"Effect":"Allow",
"Action":[ "iot:Subscribe", "iot:Receive" ],
"Resource":["arn:aws:iot:us-east-1:123456972007:
topicfilter/$aws/things/MyThing/shadow/*"
]
}
]
}

48. Actual Commands
$ aws iot create-policy
--policy-name MyThingPolicy
--policy-document file://MyThingPolicy.json
{
"policyName": "MyThingPolicy",
"policyArn": "arn:aws:iot:us-east-1:123456972007:policy/MyThingPolicy",
"policyDocument": "...SNIP...",
"policyVersionId": "1"
}
$ aws iot attach-principal-policy
--principal "arn:aws:iot:us-east-1:123456972007:cert/b5a396e…SNIP…400877b”
--policy-name "MyThingPolicy"

49. Protocol Convergence
MQTT + Mutual Auth TLS AWS Auth + HTTPS
Server Auth TLS + Cert TLS + Cert
Client Auth TLS + Cert AWS API Keys
Confidentiality TLS TLS
Protocol MQTT HTTP
Identification AWS ARNs AWS ARNs
Authorization AWS Policy AWS Policy

50. Requirements
Secure Communications with Things
Strong Thing Identity
Fine-grained Authorization for:
Thing Management
Pub/Sub Data Access
AWS Service Access

51. Rules and Services
DynamoDB LambdaAmazon
Kinesis

52. Actual Commands
$ cat ThingRoleTrustPolicy.json
{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"",
"Effect":"Allow",
"Principal":{
"Service":"iot.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}

53. Actual Commands
$ aws iam create-role
--role-name thing-actions-role
--assume-role-policy-document file://ThingRoleTrustPolicy.json
{
"Role": {
"AssumeRolePolicyDocument": …SNIP…
"RoleId": "AROAIQ4HBGG7V7F27E32K",
"CreateDate": "2015-09-27T16:29:56.438Z",
"RoleName": "thing-actions-role",
"Path": "/",
"Arn": "arn:aws:iam::123456972007:role/thing-actions-role"
}
}

54. Actual Commands
$ cat ThingRolePolicy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DDBAccess",
"Action": [
"dynamodb:PutItem",
"dynamodb:UpdateItem"
],
"Effect": "Allow",
"Resource": "arn:aws:dynamodb:us-east-1:123456972007:table/MyThingTable"
},
]
}

55. Actual Commands
$ aws iam create-policy
--policy-name thing-role-policy
--policy-document file://ThingRolePolicy.json
{
"Policy": {
"PolicyName": "thing-role-policy",
"CreateDate": "2015-09-27T16:32:17.998Z",
"AttachmentCount": 0,
"IsAttachable": true,
"PolicyId": "ANPAINCEAOD5EEXOLZWAI",
"DefaultVersionId": "v1",
"Path": "/",
"Arn": "arn:aws:iam::123456972007:policy/thing-role-policy",
"UpdateDate": "2015-09-27T16:32:17.998Z"
}
}
$ aws iam attach-role-policy
--role-name "thing-actions-role"
--policy-arn "arn:aws:iam::123456972007:policy/thing-role-policy"

56. Building AWS Things

57. Industrial Example
Manufacturer End UserVendor
Key Pair
Certificate
App

58. Key Pair
Certificate
App
Industrial Example
Manufacturer End UserVendor

59. Industrial Example
Key Pair
Certificate
App
Manufacturer End UserVendor

60. Consumer Example

61. Consumer Example
Key Pair
Certificate
App
Manufacturer Vendor

62. Consumer Example
Key Pair
Certificate
App
Manufacturer Vendor

63. Consumer Example
Key Pair
Certificate
App
Manufacturer End UserVendor

64. Claiming a Thing
service.awsthermostat.com
{
"Version":"2012-10-17",
"Statement":[ {
"Effect":"Allow",
"Action":[ "iot:Connect" ],
"Resource":"*"
}, {
"Effect":"Allow",
"Action":[ "iot:Publish" ],
"Resource":[
"arn:aws:iot:us-east-1:123456972007:topic/$aws/things
/%COGNITO_ID%/shadow/update"
]
},
"Effect:"Allow",
"Action":[ "iot:Subscribe", "iot:Receive" ],
"Resource":[
"arn:aws:iot:us-east-1:123456972007:topicfilter/$aws
/things/%COGNITO_ID%/shadow/*"
]
}
]
}

65. Using a Thing
{
"Version": "2012-10-17",
"Statement": [{
"Effect":"Allow",
"Action":[ "iot:Connect" ],
"Resource":"*"
}, {
"Effect": "Allow",
"Action": [ "iot:Publish" ],
"Resource": [
"arn:aws:iot:us-east-1:123456972007:
topic/$aws/things/${cognito-identity.amazonaws.com:aud}/shadow/update"
]
}, {
"Effect": "Allow",
"Action": [ "iot:Subscribe", "iot:Receive" ],
"Resource": [
"arn:aws:iot:us-east-1:123456972007:
topicfilter/$aws/things/${cognito-identity.amazonaws.com:aud}/shadow/*"
]
}]
}

66. Consumer Example
Key Pair
Certificate
App
Manufacturer End UserVendor

67. Requirements
Secure Communications with Things
Strong Thing Identity
Fine-grained Authorization for:
Thing Management
Pub/Sub Data Access
AWS Service Access

68. Two Secure Protocols

69. Bootstrapping Identity
CSR

70. Flexible, Consistent Access Control
DynamoDB LambdaAmazon
Kinesis

71. You don’t want to miss these deep dive sessions
MBL312 Rules and Shadow - Palazzo A 2:45 PM
MBL313 Devices SDK and Kits - Palazzo A 4:15 PM
MBL303 Mobile Devices and IoT - Delfino 4005 4:15 PM
MBL203 Devices in Motion - Delfino 4005 Friday 10:15 AM
MBL305 IoT Data and Analytics - Delfino 4005 Friday 11:30

72. Thank you!

73. Remember to complete
your evaluations!