Improve your IoT security posture using AWS

Introduction

IoT applications and devices can be diverse and are used across industries such as utilities, agriculture, manufacturing, mining, transportation and consumer electronics.  With the exponential growth of IoT devices and the increasing attack surface, it also means that IoT security needs to planned and designed into the solution from the ground up.  IoT solutions use many different types of hardware and software and you must consider security and privacy measures across all layers. Measures include device and user identity, authentication and authorization, data protection for data at rest and data in motion, and strategies for data attestation.

When you design an IoT solution, it’s important to understand the potential threats to the solution and add defense in depth with multiple security controls to identify, protect, detect and respond to threats. It’s important to design the solution from the start with security in mind because understanding how an unauthorized person might compromise a system helps make sure appropriate mitigations are in place.

In the ten security golden rules for industrial IoT solutions, AWS recommends starting with a risk assessment using this 7-step approach to access OT and IIoT cybersecurity risk. The greatest value of creating a threat model is during the design phase. When designing you have the greatest flexibility to make changes to eliminate threats.

The AWS IoT security baseline (AISB) approach is a set of security controls that create a minimum foundation for customers to build secure IoT solutions on AWS. The AISB approach discussed in this blog is designed for mitigating the most common security risks without requiring significant effort. As your connected device fleet grows and you implement more complex use cases, you can scale and build upon these controls based on your threat model. They form the basis of your security posture and are focused on securing device credentials, least privilege access control, enabling logging and visibility, auditing device policies and monitoring your environment.

AISB solution architecture & prerequisites

The AISB solution architecture shows an IoT/IIoT device sending data to AWS IoT Core. Data from the edge device is sent to AWS for data storage, processing, analytics, and visualization. Along with the telemetry data, the IoT/IIoT device can also be configured  to send security event information to AWS using AWS IoT Device Defender. This event information is combined with cloud-based events to identify security misconfigurations, detect anomalies in the device behavior and notify personnel to respond to security events.

Figure 1: Solution architecture

AWS IoT Device Defender enables you to audit device configurations, detect device anomalies, and receive alerts to help secure your IoT device fleet.

Amazon CloudWatch (CloudWatch) enables you to observe and monitor AWS resources and applications in the cloud and on-premises. When AWS IoT logging is enabled, AWS IoT Core sends event information to CloudWatch logs. Amazon CloudWatch Events is used to trigger an AWS Lambda function (Lambda) to identify device certificates that require rotation.

Amazon Simple Notification Service (Amazon SNS) is a managed service that is used by AWS IoT Device Defender to send out security alerts and notifications to authorized personnel when an audit fails or behavior anomalies are detected.

AWS CloudTrail (CloudTrail) monitors and records account activity across your AWS infrastructure, giving you control over storage, analysis, and remediation actions.

Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation.

Prerequisites

1.     AWS account
2.     A computer with the latest browser – like Firefox or Chrome
3.     Basic understanding of AWS IoT Core and AWS IoT Device Defender
4.     Configure a few devices to connect and send data to AWS IoT Core

AWS IoT security baseline (AISB) approach

The following security controls seek to establish a security baseline for IoT environments on AWS. These controls are proposed in addition to organizational guardrails which we recommend implementing in your AWS environment.

AISB#1 – Assign unique identities to each IoT/IIoT device

When a device connects to other devices or cloud services, it must establish trust by authenticating using principals such as X.509 certificates, security tokens, or other credentials. You can find available options for the IoT solution of your choice, and implement device registry and identity stores to associate devices, metadata and user permissions. The solution should enable each device (or Thing) to have a unique name (or ThingName) in the device registry, and it should ensure that each device has an associated unique identity principal, such as an X.509 certificate or security token.

Identity principals, such as certificates, should not be shared between devices. When multiple devices use the same certificate, this might indicate that a device has been compromised. Its identity might have been cloned to further compromise the system. Avoid hardcoding credentials and when appropriate, use hardware protected modules such as TPMs for storing credentials and performing authentication operations.
AISB uses AWS IoT Device Defender audit checks to indicate when IoT devices might not have unique identities.

AISB#2 – Assign least privilege access to devices

Permissions (or policies) allow an authenticated identity to perform various control and data plane operations against the IoT Broker. For example: creating devices or certificates via the control plane, and connecting, publishing, or subscribing via the data plane.

AISB uses AWS IAM Access Analyzer to provide a way to generate least privilege permissions for IAM roles based on CloudTrail activity. This can be useful for trimming down permissions for an AWS IoT Greengrass token exchange role or any other IAM role part of your IoT architecture.

In addition, AISB uses AWS IoT Device Defender audit checks to provide an indication that policies might not be following least privilege.

AISB#3 – Collect and analyze logs to identify security events

Your device logs and metrics play a critical role in monitoring security behavior of your IoT application. The way you configure your operations, and how anomalies are surfaced in your system will determine how quickly you can react to a security issue. By configuring your IoT logs and metrics appropriately, you can proactively mitigate potential security issues in your IoT application.

AISB configures AWS IoT Core Logging for “ERROR”.

AISB#4 – Enable auditing to check for misconfigurations

Audit checks are necessary to determine that device remain configured with required best practices throughout its lifecycle. For instance, it’s necessary to audit devices regularly on basic checks such as logging, shared certificates and unique device ID’s.

An AWS IoT Device Defender audit looks at account and device related settings and policies to facilitate security measures are in place. An audit can help you detect any drifts from security best practices or access policies.

For example, multiple devices using the same identity, or overly permissive policies that allow one device to read and update data for many other devices. You can run audits as needed (on-demand audits) or schedule them to be run periodically (scheduled audits).

An AWS IoT Device Defender audit runs a set of predefined checks for common IoT security best practices and device vulnerabilities. Examples of predefined checks include policies that grant permission to read or update data on multiple devices, devices that share an identity (X.509 certificate), or certificates that are expiring or have been revoked but are still active.

AISB configures an AWS IoT Device Defender Daily Audit.

AISB#5 – Detect security events by monitoring device behavior

Create a model to detect events from security vulnerabilities or device compromises. You can detect events based on configured rules or machine learning (ML) models. For example, create a security profile in AWS IoT Device Defender that detects unusual device behavior which may be indicative of a compromise by continuously monitoring high-value security metrics from the device and AWS IoT Core. You can specify normal device behavior for a group of devices by setting up behaviors (rules) for these metrics. AWS IoT Device Defender monitors and evaluates each datapoint reported for these metrics against user-defined behaviors (rules) and alerts you if an anomaly is detected.

When you use machine learning Detect (ML Detect), the feature sets device behaviors automatically with machine learning to monitor device activities. ML Detect can create security profiles, that use ML models trained on historical device data, which can be assigned to a specific group of devices or to an entire fleet. AWS IoT Device Defender then identifies anomalies and triggers alarms using the ML models. You will need to use AWS IoT Device Client for IoT devices and AWS IoT Device Defender component for devices running AWS IoT Greengrass V2 for device side metrics.

AISB configures an AWS IoT Device Defender ML Detect.

AISB#6 – Implement configurable device certificate rotation

As explained earlier, X509 certificates helps to establish the identity of devices and encrypts the traffic from the edge to cloud. Thus, planning the lifecycle management of device certificates is essential. Enable auditing and monitoring for compromise or expiration of your device certificates. Determine how frequently you need to rotate device certificates, audit cloud or device-related configurations and permissions to ensure that security measures are in place.

For example, use AWS IoT Device Defender to monitor the health of the device certificates and different configurations across your fleet. AWS IoT Device Defender can work in conjunction with AWS IoT Jobs to help enable rotating the expired or compromised certificates.

X.509 certificates generated by AWS IoT Core expire at midnight UTC on December 31, 2049. Customers in such cases would want to rotate the certificates as per their own rotation requirements usually one year or three years.

AISB creates a Lambda function that runs every 30 days and identifies certificates that should be rotated as per customer’s rotation requirements. An Amazon SNS notification is then sent to an email alias for taking appropriate action.

AISB#7 – Ensure alerting on a behavior violation

AWS IoT Device Defender publishes alarms to the AWS IoT Console, Amazon CloudWatch, and Amazon SNS. Enable alarming or notifications when the device behavior is anomalous based on configured rules or ML models. For example, AWS IoT Device Defender will alert you with the metric datapoint reported by the device when an ML model flags the datapoint as anomalous.

AISB generates email-based Amazon SNS alerts on AWS IoT Device Defender security events.

OPTIONAL AISB controls

AISB#8 – Deliver AWS CloudTrail logs to a protected Amazon S3 bucket

Actions taken by users, roles, and services in your AWS account are recorded as events in AWS CloudTrail. CloudTrail is enabled by default, and in the CloudTrail console, you can access 90 days of event history information. To view, search, download, archive, analyze, and respond to account activity across your AWS infrastructure, see Viewing events with CloudTrail Event history. To retain CloudTrail history beyond 90 days with additional data, you create a new trail that delivers log files to an Amazon Simple Storage Service (Amazon S3) bucket for all event types. When you create a trail in the CloudTrail console, you create a multi-region trail.

AISB#9 – Enable and respond to Amazon GuardDuty notifications

Amazon GuardDuty (GuardDuty) is a threat-detection service that continuously monitors for malicious or unauthorized behavior to help protect your AWS accounts, workloads, and data. When it detects unexpected and potentially malicious activity, GuardDuty delivers detailed security findings for visibility and remediation. GuardDuty can detect threats such as cryptocurrency mining activity, access from Tor clients and relays, unexpected behavior, and compromised IAM credentials. Enable GuardDuty and respond to findings to stop potentially malicious or unauthorized behavior in your AWS environment. For more information about findings in GuardDuty, see Finding types.

You can use Amazon CloudWatch Events to set up automated notifications when GuardDuty creates a finding or the finding changes. First, you set up an Amazon SNS topic and add endpoints, or email addresses, to the topic. Then, you set up a CloudWatch event for GuardDuty findings, and the event rule notifies the endpoints in the Amazon SNS topic.

AISB#10 – Fetch device side logs for diagnostics when needed

One additional consideration is when an alert does get triggered, customers might need to fetch device-side logs for diagnostics and thus might want to have an appropriate Job configured to take action. After investigating device logs, and gaining a better understanding of your risks, you may want to consider configuring a remote operation using AWS IoT Jobs to improve your IoT solution security posture. If you don’t already have a device agent, consider using AWS IoT Device Client which is needed for AWS IoT Jobs.

AISB#11 – Monitor security metrics which are unique to your devices.

By default, AWS IoT Device Defender enables you to monitor 17 network-related device metrics. But what happens if you need to monitor metrics that are unique to your device fleet or use case? You can use AWS IoT Device Defender custom metrics to monitor security metrics specific to your device fleet and IoT application.

AISB Solution Deployment

You will need to deploy the solution once in each AWS Region where you are running an IoT/IIoT workload.

To deploy the solution

1. Download the latest solution code from GitHub.
2. Choose Launch Stack to launch the AWS CloudFormation (CloudFormation) console and launch the downloaded template.
3. Go to the AWS IoT Core console and set up an Amazon SNS alert notification parameter for the audit report. To do this, in the left navigation pane of the console, under Defend, choose Settings, and then choose Edit to edit the Amazon SNS alert. The SNS topic is created by the solution stack and named iot-defender-report-notification.

Conclusion

AWS IoT security baselines help you strengthen security through improved tooling, tracking, and security features. They also provide you a consistent experience when securing your environment. In this blog post, we demonstrated how to use the AISB approach to create a security baseline for your IoT environment. If you need AWS experts to help you plan, build, or optimize your infrastructure and implement security controls, contact AWS Professional Services or AWS Security Competency Partners.

Learn more

• AWS IoT Device Defender at https://aws.amazon.com/iot-device-defender
• AWS IoT Device Defender custom metrics documentation at https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-custom-metrics.html

About the authors

Prateek Prakash is a Senior IoT Architect with AWS Professional Service based in London, U.K. He helps AWS Customers achieve their business outcomes by architecting and building modern application platforms using AWS IoT and related services.

Ryan Dsouza is a Principal Solutions Architect for IoT at AWS. Based in New York City, Ryan helps customers design, develop, and operate more secure, scalable, and innovative solutions using the breadth and depth of AWS capabilities to deliver measurable business outcomes. Ryan has over 25 years of experience in digital platforms, smart manufacturing, energy management, building and industrial automation, and OT/IIoT security across a diverse range of industries. Before AWS, Ryan worked for Accenture, SIEMENS, General Electric, IBM, and AECOM, serving customers for their digital transformation initiatives.