Understand how AWS IoT things use IoT certificates (device authentication) and IoT policies (authorization) to send messages securely to the AWS IoT message broker over the MQTT protocol.
- [Instructor] Amazon has released a new set of services to help you design encryption for IoT device data. The IoT objects in the Amazon ecosystem are really built as a separate unit from the rest of the securable objects. So, when we go, in a minute, to the IoT console, you'll see not only how the devices are represented as things, or AWS IoT things, but importantly, to secure the information that's coming between the device and the Amazon ecosystem, you use certificates, but you'll use certificates specifically designed for securing IoT device data, and they're separate from the certificates that we saw in earlier sections that are issued through the Certificate Manager or KMS.
These certificates are designed to work with policies that have been specifically designed to support IoT actions, and these actions are associated with the way messages are sent in the IoT ecosystem, generally with the MQTT protocol. It's important to note that all of these IoT objects operate outside of the other AWS security services that we've looked at to date in this course. So, the policies are IoT policies rather than IAM policies, the certificates are IoT certificates rather than Certificate Manager certificates, and so on and so forth.
So, let's take a look in the console. So, I'm going to type IoT and I'm going to click Get Started. So, inside of here, I'm going to go ahead and say Manage and I'm going to click Register a thing, which is a logical representation for a physical IoT device. I'm going to call it my-cool-iot-device and click Create thing.
Now, under Secure in the IoT console, you'll see I have two sections. I have Policies and CAs, and it tells me I don't have any certificates yet, so I'm going to create a certificate. There are three ways I can create a certificate for an IoT device that's going to communicate with the Amazon ecosystem. The first way is to click the One-click certificate creation, and that's going to generate a certificate, public key, and private key using the AWS IoT certificate authority.
Alternately, I could create a certificate with my own certificate signing request based on a private key that I upload, or I could simply register a CA, a certificate authority certificate, and use my own certificate for one or many devices. I'm going to click the first one, which is Create certificate, and you can see that it tells me here that in order for my IoT device to communicate, I'm going to need to download the following components.
The certificate for the thing, the public key, and the private key, and notice the file names: .pem, .key, and .key. It also tells me that I'm going to need to download a root CA for AWS IoT from Symantec. I'm going to go ahead and click Activate, and then I'm going to click Attach a policy. So, the certificate is the authentication for the device; the policy is the authorization.
That means the policy sets what activities the device can do when it communicates with the AWS IoT broker. I'm going to click Create a new policy, I'm going to call it demo, and then I'm going to add statements. Notice the statements start with IoT and then colon and then a verb, and they have to do with the way messages are sent. So, if I start typing IoT, you can see that I have my various verbs. Now, in a production situation, you want to restrict this to the least privilege, but for this demo, I'm just going to use star, which means all activities.
And now I'm going to associate this with a resource, an Amazon Resource Name, and on the topic, I'm going to replace this with a demo topic, and I'm going to click Allow, and I'm going to add a statement. And then I'm going to click Create. So, now I have a policy, and if I click into the policy, I can see the policy statement, and then I click the link for certificates, and I need to associate a certificate with this policy in order to give an IoT thing the permissions that are associated on the policy, so I'm going to click on Actions.
Actually, I'm going to go back to Certificates here and under Certificates and Policies, I'm going to click on Actions and I'm going to click Attach policy, and then I'm going to select demo and click Attach. So, now what I've done is, I've attached this policy to the certificate. The next step I need to do is to click on Things and I have no things attached to the certificate. Then I'm going to click Attach thing and I'm going to select my logical representation of my physical device and click Attach.
So, now within the Amazon ecosystem, I've set up a certificate path for this particular thing. Now, of course, in the real world, what you would need to do is you need to download the keys and physically put the private key on the storage location of the device that you wish to connect so that that device could authenticate by being able to send that information as part of the communication. But in terms of the Amazon configuration for certificates in IoT, this is the process that you need to take.
Now, in addition to using the console, of course, you can use the API or you can use the CLI and that's what you do typically when you're in a production situation. This is just to give a conceptual understanding.
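The same thing -> certificate -> policy -> attachment sequence from the console walkthrough, as an added Python example that is not part of the course material. It uses the AWS IoT API calls the CLI and boto3 expose for those steps (create_thing, create_keys_and_certificate, create_policy, attach_policy, attach_thing_principal), but takes the client as a parameter so the code runs offline against a recording fake; in real use you would pass `boto3.client("iot")`. It also shows the "star" demo policy next to a least-privilege policy scoped to one client ID and one topic, plus the wildcard check a reviewer would run before attaching a policy to a production certificate. The region, account ID, certificate ARN and PEM strings are constructed placeholders.

```python
"""Provision an AWS IoT thing identity: thing, certificate, policy, attachments.

Added example, not code from the course. The client passed to provision_thing()
is expected to be a boto3 'iot' client; FakeIotClient below records the calls so
the example runs without AWS credentials.
"""
import json


def demo_policy() -> dict:
    """The 'star' policy from the walkthrough: every iot:* action on every resource.
    Acceptable for a demo only; it lets a single compromised device publish to
    and subscribe on every topic in the account."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "iot:*", "Resource": "*"}],
    }


def least_privilege_policy(region: str, account: str, thing_name: str, topic: str) -> dict:
    """Least-privilege equivalent: the device may connect only with its own client ID
    and may only publish/subscribe/receive on one topic. Resource ARN forms follow
    the AWS IoT policy model (client/, topic/, topicfilter/)."""
    base = f"arn:aws:iot:{region}:{account}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "iot:Connect", "Resource": f"{base}:client/{thing_name}"},
            {"Effect": "Allow", "Action": "iot:Publish", "Resource": f"{base}:topic/{topic}"},
            {"Effect": "Allow", "Action": "iot:Subscribe", "Resource": f"{base}:topicfilter/{topic}"},
            {"Effect": "Allow", "Action": "iot:Receive", "Resource": f"{base}:topic/{topic}"},
        ],
    }


def wildcard_statements(policy: dict) -> list:
    """Return the Allow statements that grant '*' / 'iot:*' actions or a '*' resource.
    An empty list is what you want before a policy touches a production certificate."""
    hits = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(a == "*" or a.endswith(":*") for a in actions) or any(r == "*" for r in resources):
            hits.append(stmt)
    return hits


def provision_thing(iot, thing_name: str, policy_name: str, policy_doc: dict) -> dict:
    """Console steps as API calls. Returns the material that must be installed on the
    device: the certificate PEM and the private key (the private key never leaves
    the device once provisioned, and AWS keeps no copy of it)."""
    iot.create_thing(thingName=thing_name)                       # Manage > Register a thing
    cert = iot.create_keys_and_certificate(setAsActive=True)     # One-click certificate creation + Activate
    cert_arn = cert["certificateArn"]
    iot.create_policy(policyName=policy_name, policyDocument=json.dumps(policy_doc))  # Create a new policy
    iot.attach_policy(policyName=policy_name, target=cert_arn)   # Certificates > Actions > Attach policy
    iot.attach_thing_principal(thingName=thing_name, principal=cert_arn)  # Certificates > Attach thing
    return {
        "certificateArn": cert_arn,
        "certificatePem": cert["certificatePem"],
        "privateKey": cert["keyPair"]["PrivateKey"],
    }


class FakeIotClient:
    """Stand-in for boto3.client('iot') that records every call (offline demo only)."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            if name == "create_keys_and_certificate":
                # Constructed placeholder response in the shape the real API returns.
                return {
                    "certificateArn": "arn:aws:iot:us-east-1:123456789012:cert/abc123",
                    "certificatePem": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
                    "keyPair": {"PublicKey": "-----BEGIN PUBLIC KEY-----...", "PrivateKey": "-----BEGIN RSA PRIVATE KEY-----..."},
                }
            return {}
        return call


if __name__ == "__main__":
    policy = least_privilege_policy("us-east-1", "123456789012", "my-cool-iot-device", "demo")
    print("wildcards in demo policy:", len(wildcard_statements(demo_policy())))
    print("wildcards in least-privilege policy:", len(wildcard_statements(policy)))
    client = FakeIotClient()
    material = provision_thing(client, "my-cool-iot-device", "demo", policy)
    print("calls made:", [name for name, _ in client.calls])
    print("install on device:", material["certificateArn"])
```

Swapping `FakeIotClient()` for `boto3.client("iot")` makes the same function run against a real account; the dictionary it returns is the certificate and private key that have to be written to the device's storage, which is the part the console cannot do for you.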