Q. What is AWS IoT Device Defender?
AWS IoT Device Defender is a fully managed IoT security service that enables you to secure your IoT configurations on an ongoing basis. With AWS IoT Device Defender, you get tools to identify and respond to security issues. AWS IoT Device Defender audits your fleet to ensure it adheres to security best practices, continuously monitors your device fleets to detect any abnormal device behavior, alerts you about security issues as they arise, and recommends mitigation actions for these security issues.
Q. What are the key capabilities of AWS IoT Device Defender?
Audit: AWS IoT Device Defender audits your device-related resources (such as X.509 certificates, IoT policies, and Client IDs) against AWS IoT security best practices (e.g., the principle of least privilege or unique identity per device). AWS IoT Device Defender reports configurations that are out of compliance with security best practices, such as multiple devices using the same identity, or overly permissive policies that can allow one device to read and update data for many other devices.
Detect: AWS IoT Device Defender detects unusual device behavior that may be indicative of a compromise by continuously monitoring high-value security metrics from the device and AWS IoT Core (e.g., the number of listening TCP ports on your devices or authorization failure counts). You can specify normal device behavior for a group of devices by setting up behaviors (rules) for these metrics. AWS IoT Device Defender monitors and evaluates each datapoint reported for these metrics against the user-defined behaviors (rules) and alerts you if an anomaly is detected.
Alerting: AWS IoT Device Defender publishes alerts to the AWS IoT Console, Amazon CloudWatch, and Amazon SNS.
Mitigation: AWS IoT Device Defender enables you to investigate issues by providing contextual and historical information about the device, such as device metadata, device statistics, and historical alerts for the device. You can also use AWS IoT Device Management tools to perform mitigation steps such as revoking permissions, rebooting a device, resetting factory defaults, or pushing security fixes.
Q. How do customers secure devices today using AWS IoT and how does AWS IoT Device Defender help?
AWS IoT Core provides the security building blocks for you to securely connect devices to the cloud and to other devices. These building blocks let you enforce security controls such as authentication, authorization, audit logging, and end-to-end encryption at various levels of strictness, depending on your configuration. Under the AWS shared responsibility model, you are responsible for regularly baselining your security configurations against your business requirements. However, human or systemic errors, as well as authorized actors with bad intentions, can introduce configurations with negative security impacts.
AWS IoT Device Defender helps you to continuously audit security configurations for compliance with security best practices and your own organizational security policies. The continuous audit is essential as misconfigurations can happen at any point of time. Additionally, security configurations can be impacted by the passage of time and new threats are constantly emerging. For example, cryptographic algorithms once known to provide secure digital signatures for device certificates can be weakened by advances in the computing and cryptanalysis methods.
AWS IoT Device Defender identifies opportunities to use AWS IoT security controls more effectively. However, if security misconfigurations are not remediated, or new attack vectors are disclosed publicly before devices are patched, the security of connected devices may be compromised. AWS IoT Device Defender complements the preventative security controls in AWS IoT by helping you identify devices that are already compromised and initiate containment and corrective actions.
Q. Do I need to change device level code to use AWS IoT Device Defender?
No. You can audit your IoT configurations and monitor all cloud-side metrics with just a few clicks in the console. If you also want to monitor device-side metrics, you need to make some changes to your device code to publish device-side metrics to AWS IoT Device Defender. A reference implementation for a sample agent can be found here. AWS IoT Greengrass and Amazon FreeRTOS are fully integrated with AWS IoT Device Defender for both device-side and cloud-side metrics.
If your device platform has available specialized hardware that enables a trusted execution environment, we highly recommend implementing your device agent to run in a trusted environment. Consult your hardware security solution vendor for specific guidance on how to implement this type of design.
Q. How does AWS IoT Device Defender work?
AWS IoT Device Defender allows you to schedule audit tasks, monitor device activities, and receive notifications for audit violations and abnormal device behavior.
Audit tasks conduct assessments of your AWS IoT configurations. You can launch audit tasks on-demand or on a scheduled basis. To increase the accuracy of audit checks and minimize false positives, AWS IoT Device Defender incorporates the context of device interactions with AWS IoT Core.
AWS IoT Device Defender ingests and analyzes high-value security metrics collected from connected devices and from their interactions with AWS IoT Core to continuously monitor device activity and detect abnormal device behavior. The metric data is continuously compared against user-provided security profiles. Collecting and emitting device-side metrics is optional, but highly recommended. AWS IoT Device Defender provides a reference implementation and documentation for the device agents responsible for collecting and emitting the device-side metrics.
The results from scheduled audit tasks and any detected device activity abnormalities are published to the AWS IoT Console and are accessible through the AWS IoT Device Defender API. Additionally, you can configure AWS IoT Device Defender to send results to Amazon SNS topics for integration with security dashboards or triggering automated remediation workflows.
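The device-side metrics mentioned above are published by a device agent as a JSON report on a reserved MQTT topic. As an added example (not AWS's reference agent), the block below derives the listening-TCP-ports metric from a constructed Linux /proc/net/tcp listing and assembles the report payload and topic; the thing name "sensor-001" and the sample socket table are constructed for the example.

```python
"""Added example, not AWS's reference agent: build the device-side metrics report
that a Device Defender agent publishes, from a Linux /proc/net/tcp listing."""
import json

TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp


def parse_listening_tcp_ports(proc_net_tcp):
    """Return the sorted list of distinct local TCP ports in LISTEN state."""
    ports = set()
    for line in proc_net_tcp.strip().splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue
        _, port_hex = fields[1].rsplit(":", 1)  # local_address is "hexip:hexport"
        ports.add(int(port_hex, 16))
    return sorted(ports)


def build_report(thing_name, listening_tcp_ports, report_id):
    """Return (MQTT topic, JSON payload) in the Device Defender device-metrics
    report format: a header {report_id, version} plus a metrics map."""
    topic = f"$aws/things/{thing_name}/defender/metrics/json"
    payload = {
        "header": {"report_id": report_id, "version": "1.0"},
        "metrics": {
            "listening_tcp_ports": {
                "ports": [{"port": p} for p in listening_tcp_ports],
                "total": len(listening_tcp_ports),
            }
        },
    }
    return topic, json.dumps(payload, separators=(",", ":"))


# Constructed /proc/net/tcp excerpt: sshd on 22 and a local service on 8080
# listening (state 0A), plus one established connection (state 01) to ignore.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0A000002:B3E2 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    ports = parse_listening_tcp_ports(SAMPLE_PROC_NET_TCP)
    topic, body = build_report("sensor-001", ports, report_id=1)  # constructed thing name
    print(topic)
    print(body)
```

On a real device the agent reads /proc/net/tcp (and /proc/net/tcp6) itself and publishes the payload over its existing AWS IoT Core MQTT connection, then watches the matching accepted/rejected topics for the outcome.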
Q. Which AWS regions is AWS IoT Device Defender available in?
AWS IoT Device Defender is available in the following regions: Northern Virginia, Ohio, Oregon, Frankfurt, Ireland, London, Seoul, Singapore, Sydney, and Tokyo.
Q. When working with AWS IoT Device Defender, will I need to pay for AWS IoT Core Messages to report Detect metrics?
No, you will not need to pay for messages used to report device-side Detect metrics to AWS IoT Device Defender.
Q. When working with AWS IoT Device Defender, will I need to pay for AWS IoT Core Connectivity to report Detect metrics?
Yes, you will need to pay for connectivity if you connect with AWS IoT Core solely to report device-side Detect metrics to AWS IoT Device Defender. Please visit the AWS IoT Core pricing page for more information.
Q. How do I know the right values to set for the expected behavior of my devices in AWS IoT Device Defender?
Start by creating a security profile with restrictive behaviors (e.g., low thresholds) and attach it to a ThingGroup containing a representative set of devices. AWS IoT Device Defender will alert you on each violated behavior, including the metric datapoints emitted by the device that triggered it. You can then fine-tune the device behavior thresholds to match your use case.
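The Detect capability described earlier and the threshold-tuning advice above both revolve around a security profile: a set of behaviors, each tying a metric to a comparison and a count. The block below is an added example (not from this page or from AWS's code): a restrictive starting profile using the two metrics the page names, in the JSON shape accepted by the CreateSecurityProfile API, plus a small local evaluator that replays constructed datapoints through the behaviors the way Detect does, including the consecutive-datapoints-to-alarm rule. The profile name, thresholds and datapoints are constructed.

```python
"""Added example (not AWS's code): a restrictive Device Defender security profile
and a local replay of datapoints against its behaviors."""
import json

# Behavior layout (name / metric / criteria) follows the Device Defender API;
# the thresholds are deliberately low, as a first-pass profile for tuning.
SECURITY_PROFILE = {
    "securityProfileName": "restrictive-baseline",  # constructed name
    "behaviors": [
        {
            "name": "too-many-listening-tcp-ports",
            "metric": "aws:num-listening-tcp-ports",
            "criteria": {"comparisonOperator": "greater-than",
                         "value": {"count": 3},
                         "consecutiveDatapointsToAlarm": 2,
                         "consecutiveDatapointsToClear": 1},
        },
        {
            "name": "authorization-failures",
            "metric": "aws:num-authorization-failures",
            "criteria": {"comparisonOperator": "greater-than",
                         "value": {"count": 5},
                         "durationSeconds": 300,
                         "consecutiveDatapointsToAlarm": 1,
                         "consecutiveDatapointsToClear": 1},
        },
    ],
}

_OPS = {"greater-than": lambda v, t: v > t, "greater-than-equals": lambda v, t: v >= t,
        "less-than": lambda v, t: v < t, "less-than-equals": lambda v, t: v <= t}


def evaluate(profile, datapoints):
    """Replay one device's (metric, value) datapoints in order; return (behavior
    name, datapoint index) for each alarm. A streak of violations must reach
    consecutiveDatapointsToAlarm before the alarm fires, and a non-violating
    datapoint resets the streak. Simplified model of Detect, written here."""
    alarms, streak = [], {b["name"]: 0 for b in profile["behaviors"]}
    for i, (metric, value) in enumerate(datapoints):
        for b in profile["behaviors"]:
            if b["metric"] != metric:
                continue
            c = b["criteria"]
            violated = _OPS[c["comparisonOperator"]](value, c["value"]["count"])
            streak[b["name"]] = streak[b["name"]] + 1 if violated else 0
            if streak[b["name"]] == c.get("consecutiveDatapointsToAlarm", 1):
                alarms.append((b["name"], i))
    return alarms


def security_profile_json():
    """Profile as JSON, usable with: aws iot create-security-profile --cli-input-json file://profile.json"""
    return json.dumps(SECURITY_PROFILE, indent=2)


# Constructed datapoints: one benign port count, then two high counts (alarm on
# the second), with a burst of authorization failures in between (alarms at once).
SAMPLE_DATAPOINTS = [("aws:num-listening-tcp-ports", 2), ("aws:num-listening-tcp-ports", 4),
                     ("aws:num-authorization-failures", 12), ("aws:num-listening-tcp-ports", 6)]
```

Running `evaluate(SECURITY_PROFILE, SAMPLE_DATAPOINTS)` raises the authorization-failure alarm on the third datapoint and the listening-port alarm only on the fourth, which is the behavior you would then loosen or tighten after observing a representative ThingGroup.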