AWS IoT is a managed cloud platform that lets connected devices easily and securely interact with cloud applications and other devices. This webinar will introduce the best practices for IoT Security in the cloud and the access control mechanisms used by AWS IoT. These mechanisms can be used to not only securely build and provision devices, as well as integrate devices with other AWS services to create secure solutions.
Learning Objectives:
• Common IoT Thing Management Issues
• Learn about AWS IoT Security and Access Control Mechanisms
• Build Secure interactions with the AWS Cloud
Who Should Attend:
• Technical Decision Makers, Developers, Makers
29. Certificate Signing Request
Dear Certificate Authority,
I’d really like a certificate for %NAME%, as identified by
the keypair with public key %PUB_KEY%. If you could sign
a certificate for me with those parameters, it’d be super
spiffy.
Signed (Cryptographically),
- The holder of the private key
31. Actual Commands
$ openssl genrsa –out ThingKeypair.pem 2048
Generating RSA private key, 2048 bit long modulus
....+++
...+++
e is 65537 (0x10001)
$ openssl req -new –key ThingKeypair.pem –out Thing.csr
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:NY
Locality Name (eg, city) [Default City]:New York
Organization Name (eg, company) [Default Company Ltd]:ACME
Organizational Unit Name (eg, section) []:Makers
Common Name (eg, your name or your server's hostname) []:John Smith
Email Address []:jsmith@acme.com
54. Takeaways
• Structure topics for permissions
• Make policies as restrictive as possible
• Wildcards can simplify policy management
• Rules can help with fine-grained permissions
59. Policy for Cognito with IoT
Cognito authenticated user identity pool role policy:
{
"Effect": "Allow",
"Action": [ "iot:Connect", "iot:Publish",
"iot:Subscribe", "iot:Receive",
"iot:GetThingShadow",
"iot:UpdateThingShadow" ],
"Resource": "*"
}
Specific policy for Joe IoT Cognito user:
{
"Effect": "Allow",
"Action": "iot:UpdateThingShadow",
"Resource": "arn:aws:iot:…:thing/joe-sprinkler123"
}
60. Policy for Cognito with IoT
Cognito authenticated user identity pool role policy:
{
"Effect": "Allow",
"Action": [ "iot:Connect", "iot:Publish",
"iot:Subscribe", "iot:Receive",
"iot:GetThingShadow",
"iot:UpdateThingShadow" ],
"Resource": "*"
}
Specific policy for Joe IoT Cognito user:
{
"Effect": "Allow",
"Action": "iot:UpdateThingShadow",
"Resource": "arn:aws:iot:…:thing/joe-sprinkler123"
}
Amazon
Cognito
61. Policy for Cognito with IoT
Cognito authenticated user identity pool role policy:
{
"Effect": "Allow",
"Action": [ "iot:Connect", "iot:Publish",
"iot:Subscribe", "iot:Receive",
"iot:GetThingShadow",
"iot:UpdateThingShadow" ],
"Resource": "*"
}
Specific policy for Joe IoT Cognito user:
{
"Effect": "Allow",
"Action": "iot:UpdateThingShadow",
"Resource": "arn:aws:iot:…:thing/joe-sprinkler123"
}
AWS IoT
62. Overall Cognito “pairing” workflow
1. Create a Cognito identity pool
2. Customer signs in using mobile app
3. Associate their user with their devices
4. Create a scope-down policy in IoT for their user
5. Attach that policy to their Cognito user in IoT
63. Overall Cognito “pairing” workflow
1. Create a Cognito identity pool
2. Customer signs in using mobile app
3. Associate their user with their devices
4. Create a scope-down policy in IoT for their user
5. Attach that policy to their Cognito user in IoT
Important: These steps apply to authenticated Cognito users only.
(NOT to unauthenticated!)
64. Managing fine-grained permissions
• One user may need permissions to many things
• "arn:aws:iot:…:thing/sprinkler123abc"
• "arn:aws:iot:…:thing/sprinkler456def"
• …
• Listing each is tedious
65. Best practice: Thing name prefixing
• Prefix thing name with logical owner
• sensor123abc -> joe-sensor123abc
• Aspen policy supports wildcards
• "arn:aws:iot:…:thing/sensor123abc"
• "arn:aws:iot:…:thing/sensor123abc"
• "arn:aws:iot:…:thing/sensor456def"
• …
• "arn:aws:iot:…:thing/joe-*"
66. Takeaways
• Application access is done through IAM roles/policies
• Cognito enables secure human control over IoT devices
• IoT scope-down policy supports fine-grained control
• Naming conventions simplify policy management