2023
Amazon Alexa Relies on AWS Private CA for Matter Certificates

Learn how Amazon Alexa managed certificates for smart-home devices using AWS Private CA.

Secure environment is provided to manage smart-home communications

Generates millions of private certificates at scale

Saves time by automating manual tasks

Meets industry-unifying standard for smart-home environments

Provides access to secure PKI services with reduced infrastructure costs

Overview

Amazon Alexa is the virtual assistant technology powered by artificial intelligence and developed by online retailer Amazon. As a pioneer of smart-home technology, Amazon recognizes the compatibility challenges common to device manufacturers and consumers. The company realized that, to provide a delightful customer experience, a standardized communication and control protocol was necessary to streamline compatibility between different devices. Amazon is a founding member and a key contributor to the Matter initiative, an effort managed by the Connectivity Standards Alliance to develop an open standard for device interoperability across smart-home systems with security and privacy as key design tenets.

To implement standardized security requirements for Matter, the Amazon Alexa team needed a flexible way to issue and manage digital certificates. Certificates are critical to identifying smart-home devices and keeping communication channels secure by protecting sensitive information. So, the Amazon Alexa team turned to Amazon Web Services (AWS) and became the first customer to adopt AWS Private Certificate Authority (AWS Private CA), a private certificate authority service, to generate Matter-compliant certificates.

Opportunity | Coming into Compliance with the Standards Set by Matter

Amazon Alexa was launched in 2014, and worldwide, there are over 300 million devices connected to Alexa, including Amazon Echo, Echo Dot, Echo Show, and numerous third-party devices. Amazon and other smart-device manufacturers realized that incompatibility between different smart-home environments can create confusion for customers and limit smart-home adoption. Matter was conceived as the solution to create a unified and delightful customer experience. “Matter is a new standard that helps smart-home devices work across different environments,” says Janak Chandarana, principal engineer at Amazon Alexa. “It creates a secure and reliable new standard that can be used across devices.”

For the Amazon Alexa team, ensuring its devices met the Matter standard was a top priority. However, it needed a way to generate and manage millions of private certificates so that multiple smart-home devices could securely communicate with each other. Searching for a certificate service provider that could provide the scale, reliability, and agility necessary to meet Matter standards for certificates, Amazon Alexa turned to AWS. “The AWS team understood our requirements,” says Chandarana. “In just a few months, the team delivered a solution that we can use to obtain security certificates that meet Matter requirements.”

“AWS Private Certificate Authority is intuitive, from the console to the APIs. It is very hard to get anything wrong.”

Janak Chandarana
Principal Engineer, Amazon Alexa

Solution | Managing Certificates for Smart-Home Devices

AWS Private CA is a scalable and highly available service for issuing private certificates without the upfront investment and ongoing maintenance costs of operating a certificate authority. Amazon Alexa uses AWS Private CA to generate and manage private certificates for Matter smart-home devices, each of which requires its own unique identity. The solution gives developers access to APIs for programmatically creating and deploying private certificates that are compliant with Matter standards. The Amazon Alexa team found it simple to integrate this solution into its smart-device environment. “AWS Private CA is intuitive, from the console to the APIs,” says Chandarana. “It is very hard to get anything wrong.”

To be compliant with Matter, smart-home devices must meet multiple security requirements, including being manufactured with a private key and device attestation certificate for identity. Most importantly, each device must have its own private certificate. Organizations use private certificates to keep connections secure on internal networks and establish a digital identity for devices, like computers, users, servers, virtual private networks, and smart-home devices (see Figure 1. Amazon Alexa’s architecture for generating Matter-compliant certificates). Using AWS Private CA, Amazon Alexa can issue individual certificates at scale without having to operate certain complex security-critical infrastructure; that infrastructure is instead managed by AWS. This frees developers to focus on internal security, application, and business requirements.

The cloud-based public key infrastructure (PKI) provides X.509 certificates to smart-home devices, delivering high availability and strong security. “There are APIs that you can use to configure your PKI, which saves time,” says Chandarana. “These operational tasks are automated by AWS Private CA, which we do not need to worry about.” With the automation of key tasks, Amazon Alexa can save time and reduce manual labor while meeting industry-unifying standards. Additionally, the team can access secure cloud PKI services using AWS Private CA with pay-as-you-go pricing, which helps limit its expenditures.

To comply with Matter, Amazon Alexa also needed to have a certificate signing service that is accessible from different regions. To accomplish this, the company deployed AWS Private CA in multiple AWS Regions, physical locations around the world where AWS clusters data centers. “In terms of trust, we wanted the certificates to have a single common root certificate but have a PKI distributed geographically across different Regions,” says Chandarana. “The AWS team helped us understand how to achieve these goals.”

Figure 1. Amazon Alexa’s architecture for generating Matter-compliant certificates

Outcome | Continuing to Use AWS Private CA to Meet Open, Unifying Standards

On AWS, Amazon Alexa is meeting open, unifying standards for smart-home devices and furthering seamless, delightful experiences for customers. This solution will provide a way for multiple Amazon and third-party devices to communicate with each other on a local network using secure certificates issued by AWS Private CA.

AWS support was integral to the project’s success so that Amazon Alexa could deliver a solution where both new and existing devices meet the Matter standard. “While we are part of the same company and saw a seamless integration as a result, the AWS team delivers the same level of support for external customers,” says Chandarana. “AWS provides excellent guidance.”

About Amazon Alexa

Amazon Alexa, also known as Alexa, is a virtual assistant technology powered by artificial intelligence. Launched in 2014, Alexa is supported by over 140,000 Amazon smart-home devices.

AWS Services Used

AWS Private Certificate Authority (AWS Private CA)

AWS Private Certificate Authority (AWS Private CA) is a highly available, versatile CA that helps organizations secure their applications and devices using private certificates.

AWS Regions

AWS has the concept of a Region, which is a physical location around the world where we cluster data centers. We call each group of logical data centers an Availability Zone.
