AWS IoT Device Defender Features

AWS IoT Device Defender is a fully managed service for auditing and monitoring devices connected to AWS IoT. It assesses the cloud configuration of your IoT device fleet, provides ongoing monitoring of device activities via rule-based and ML-based Detect capabilities, triggers an alarm when an audit violation or behavior anomaly is identified, and enables you to address issues quickly with built-in mitigation actions.


AWS IoT Device Defender audits your device-related resources (such as X.509 certificates, IoT policies, and Client IDs) against AWS IoT security best practices (for example, the principle of least privilege or unique identity per device). AWS IoT Device Defender reports configurations that are out of compliance with security best practices, such as multiple devices using the same identity, or overly permissive policies that can allow one device to read and update data for many other devices.

How to get started with Audit for AWS IoT Device Defender (6:04)

Rules Detect

AWS IoT Device Defender detects unusual device behaviors that may be indicative of a compromise by continuously monitoring high-value security metrics from the device and AWS IoT Core (e.g., the number of listening TCP ports on your devices or authorization failure counts). You can specify normal device behavior for a group of devices by setting up behaviors (rules) for these metrics. AWS IoT Device Defender monitors and evaluates each datapoint reported for these metrics against user-defined behavior (rules) and alerts you if an anomaly is detected.

ML Detect

AWS IoT Device Defender monitors and identifies anomalous datapoints for six cloud-side metrics (e.g., authorization failure counts, message sent counts) and seven device-side metrics (e.g., packets out, listening TCP port counts) with machine learning (ML) models and triggers an alarm if an anomaly is detected. AWS IoT Device Defender removes the need to define accurate behaviors of your devices and automatically sets them with ML models using your device data from a trailing 14-day period. It then retrains the models each day (as long as it has sufficient amount of data to retrain on) to refresh the expected device behaviors based on the latest trailing 14 days. ML Detect makes getting started with monitoring easy.

How to Get Started with ML Detect for AWS IoT Device Defender (9:50)

Mitigation Actions

AWS IoT Device Defender enables you to use built-in mitigation actions to perform steps on Audit and Detect alarms such as adding things to a thing group, replacing default policy version and updating device certificate.


AWS IoT Device Defender publishes alarms to the AWS IoT console, AWS IoT Device Defender API, Amazon CloudWatch, and Amazon SNS if you configured SNS topics to receive Device Defender alarms.

Metrics Integration

With AWS IoT Device Defender ListMetricValues API, you can visualize device-side, cloud-side and custom metrics from connected devices through an open API and easily integrate these metrics into any of your custom dashboards to get a complete overview of your deployments. Visualization of the data is also visible and integrated into Fleet Hub for AWS IoT Device Management.

Learn more about AWS IoT Device Defender pricing

Visit the pricing page
Ready to get started?
Sign up
Have more questions?
Contact us