AWS IoT Device Defender

Security management for IoT devices

AWS IoT Device Defender is a fully managed service that helps you secure your fleet of IoT devices. A security policy is a set of technical controls that devices follow to help keep information secure when communicating with other devices and the cloud. AWS IoT Device Defender makes it easy to maintain and enforce security policies, such as ensuring device identity, authenticating and authorizing devices, and encrypting device data, and it continuously audits the security policies on your devices against a set of predefined security best practices to make sure they aren’t deviating from them. AWS IoT Device Defender sends an alert if there are any gaps in your policies that might create a security risk, such as identity certificates being shared across multiple devices or a device with a revoked identity certificate trying to connect to AWS IoT Core.

AWS IoT Device Defender also lets you monitor devices for behavior that deviates from what you have defined as appropriate behavior for each device. Then, if something doesn’t look right, AWS IoT Device Defender sends out an alert so you can take action to remediate the issue. For example, a spike in outbound traffic might indicate that a device is participating in a DDoS attack.

AWS IoT Device Defender can send alerts to the AWS IoT Console, Amazon CloudWatch, and Amazon SNS. If you determine that you need to take an action based on an alert, you can use the AWS IoT Device Management service to take mitigating actions such as pushing security fixes.


Audit Device Configurations for Security Vulnerabilities

AWS IoT Device Defender audits the security policies associated with your devices against a set of defined IoT security best practices so you know exactly where you have security gaps. You can run audits on a continuous or ad-hoc basis. AWS IoT Device Defender comes with security best practices that you can select and run as part of the audit. For example, you can create an audit to check for identity certificates that are inactive, revoked, expiring, or pending transfer in less than 7 days. Audits make it possible for you to continuously monitor security policies as device configurations change.

Continuously Monitor Device Behavior to Identify Anomalies

AWS IoT Device Defender detects anomalies in device behavior that may indicate a compromised device by monitoring incoming device metrics and data and comparing them against expected device behavior that you define. For example, AWS IoT Device Defender lets you define how many ports are open on the device, who the device can talk to, where it is connecting from, and how much data it sends or receives. Then it monitors the device traffic and alerts you if something looks wrong, like traffic from devices to a known malicious IP or unauthorized endpoints.

Receive Alerts and Take Action

AWS IoT Device Defender publishes security alerts to the AWS IoT Console, Amazon CloudWatch, and Amazon SNS when a security policy audit fails or when behavior anomalies are detected so you can investigate and determine the root cause. For example, AWS IoT Device Defender can alert you when device identities haven’t been used for a long time or when device identities are accessing sensitive APIs. From the AWS IoT Device Defender console, you can also view recommended actions you can take to minimize the impact of security issues such as revoking permissions, rebooting a device, resetting factory defaults, or pushing security fixes to any of your connected devices. Then you can use the AWS IoT Device Management service to take the desired action.

How It Works

(Diagram: How it Works, AWS IoT Device Defender)

Use Cases

Connected Home

Smart lighting, thermostats, and locks are targets for hackers because homeowners often use default passwords that come with their networks and home automation applications. You can use AWS IoT Device Defender to audit connection attempts to connected homes and if that data comes from an unauthorized endpoint, you will receive an alert. Then you can use AWS IoT Device Management to prevent connected home devices from using cloud resources.

Health and Fitness

Consumers and health care professionals are using connected wearable devices like fitness trackers, heart monitors, and smart watches to improve health. These devices are sometimes designed for ease of use rather than for strong device security. AWS IoT Device Defender lets you pick from a list of security best practices and audits your wearables against them. For example, your audit will report overly permissive device policies, such as letting a wearable device access too many cloud resources, or report when wearables have been idle for a long period of time.

Oil and Gas

IoT applications are used in the oil and gas industry to predict equipment failure, monitor exploration sites for seismic waves, and predict the output for particular drilling sites. Typically, SCADA systems are used to send and receive sensitive IoT data about environmental conditions, worker safety, and equipment health. SCADA systems last for ten to fifteen years and many were not built to meet current security standards, increasing the potential for this data to fall into the hands of competitors. You can use AWS IoT Device Defender to define safe behaviors for connected equipment, receive alerts when unexpected behavior occurs, and take steps to mitigate threats. For example, you can define a set of specific IP addresses that connected oil drilling rigs can access. If the rig attempts to upload data to an unauthorized IP address, you will be alerted. This not only prevents data from being lost or stolen, but it also helps support compliance with corporate data security policies.
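The "Continuously Monitor Device Behavior" section and the oil and gas case above describe behavior profiles that bound open ports, allowed destination IPs, and outbound volume. The following is an added example, not AWS's own code: it writes such a profile in the `behaviors` shape that the Device Defender CreateSecurityProfile API accepts (the `aws:` metric names and comparison operators are real Device Defender identifiers), then replays a constructed metrics report against it with a small local evaluator; that evaluator is an illustrative assumption, not the service's own logic, and assumes `consecutiveDatapointsToAlarm` is 1.

```python
import ipaddress

# Security profile for a fleet of drilling-rig gateways (constructed example).
RIG_PROFILE = {
    "securityProfileName": "drilling-rig-gateway",
    "behaviors": [
        {   # A gateway should expose at most one listening TCP port.
            "name": "TooManyListeningPorts",
            "metric": "aws:num-listening-tcp-ports",
            "criteria": {"comparisonOperator": "less-than-equals",
                         "value": {"count": 1},
                         "consecutiveDatapointsToAlarm": 1,
                         "consecutiveDatapointsToClear": 1}},
        {   # Rigs may only upload to the corporate historian ranges (constructed CIDRs).
            "name": "UnauthorizedDestination",
            "metric": "aws:destination-ip-addresses",
            "criteria": {"comparisonOperator": "in-cidr-set",
                         "value": {"cidrs": ["10.20.0.0/16", "203.0.113.0/24"]},
                         "consecutiveDatapointsToAlarm": 1,
                         "consecutiveDatapointsToClear": 1}},
        {   # Outbound bytes per 5-minute window; a spike suggests exfiltration or DDoS.
            "name": "OutboundSpike",
            "metric": "aws:all-bytes-out",
            "criteria": {"comparisonOperator": "less-than",
                         "value": {"count": 5_000_000},
                         "durationSeconds": 300,
                         "consecutiveDatapointsToAlarm": 1,
                         "consecutiveDatapointsToClear": 1}},
    ],
}

def _holds(op, observed, expected):
    """True when the observed datapoint satisfies the expected behavior."""
    if op in ("less-than", "less-than-equals", "greater-than", "greater-than-equals"):
        n = expected["count"]
        return {"less-than": observed < n, "less-than-equals": observed <= n,
                "greater-than": observed > n, "greater-than-equals": observed >= n}[op]
    if op in ("in-cidr-set", "not-in-cidr-set"):
        nets = [ipaddress.ip_network(c) for c in expected["cidrs"]]
        in_set = [any(ipaddress.ip_address(ip) in n for n in nets) for ip in observed]
        return all(in_set) if op == "in-cidr-set" else not any(in_set)
    raise ValueError(f"unsupported comparisonOperator: {op}")

def violations(profile, report):
    """Names of behaviors a single metrics report violates (hypothetical evaluator)."""
    names = []
    for b in profile["behaviors"]:
        observed = report.get(b["metric"])
        if observed is None:
            continue  # metric not reported by the device: nothing to evaluate
        c = b["criteria"]
        if not _holds(c["comparisonOperator"], observed, c["value"]):
            names.append(b["name"])
    return names

# Constructed 5-minute report from one gateway: three open ports, one upload
# to an address outside the allowed ranges, modest outbound volume.
SAMPLE_REPORT = {"aws:num-listening-tcp-ports": 3,
                 "aws:destination-ip-addresses": ["10.20.4.7", "198.51.100.9"],
                 "aws:all-bytes-out": 120_000}
```

Running `violations(RIG_PROFILE, SAMPLE_REPORT)` flags `TooManyListeningPorts` and `UnauthorizedDestination` but not `OutboundSpike`, which is the kind of per-behavior alert the service forwards to CloudWatch or SNS.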

Retail
Retailers are putting sensors and beacons in their stores to understand where customers are spending time and which goods they pick up and inspect. Retailers use this data to optimize the placement of goods to maximize sales while also providing a more efficient shopping experience. Using AWS IoT Device Defender, you can create behavior profiles for goods that specify their approved locations and communication patterns. Then AWS IoT Device Defender will monitor the policies and alert you if goods leave their approved location or communicate in unexpected ways.
