SlideShare une entreprise Scribd logo

Best Practices for IoT Security in the Cloud

Amazon Web Services
Amazon Web Services

This session will introduce best practices for IoT security in the cloud and the access control mechanisms used by AWS IoT. These mechanisms can be used to not only securely build and provision devices, but also to integrate devices with other AWS services. As a result, you are able to scale and innovate, while maintaining a secure environment.

Présentations et discours publics
1  sur  33
© 20167 Amazon Web Services, Inc. or its Affiliates. All rights reserved. Gavin Adams March,2017 Best Practices with AWS IoT Security
We’ll Cover Best Practices Related to... Overall AWS IoT Understanding risks Protecting communications Protecting the devices
All things around us are getting connected
AWS IoT DEVICE SDK Set of client libraries to connect, authenticate and exchange messages DEVICE GATEWAY Communicate with devices via MQTT and HTTP AUTHENTICATION AUTHORIZATION Secure with mutual authentication and encryption RULES ENGINE Transform messages based on rules and route to AWS Services AWS Services - - - - - 3P Services DEVICE SHADOW Persistent thing state during intermittent connections APPLICATIONS AWS IoT API DEVICE REGISTRY Identity and Management of your things
Security and Identity AUTHENTICATION Secure with mutual authentication and encryption
AWS Foundation Services Compute Storage Database Networking AWS Global Infrastructure Regions Availability Zones Edge Locations Client-side Data Encryption Server-side Data Encryption Network Traffic Protection Platform, Applications, Identity & Access Management Operating System, Network & Firewall Configuration Customer applications & content Customers Security shared responsibility Customers are responsible for their security IN the Cloud AWS is responsible for the security OF the Cloud
Why focus on “things”?
The Risk I’m a thing pwn’d
Protecting Things
Protocol Support
AWS IoT Protocols MQTT over TLS MQTT over Web Sockets HTTPS Server Auth Cert Cert Cert Client Auth Cert AWS API Keys AWS API Keys Cert Confidentiality TLS TLS TLS Protocol MQTT Web Sockets MQTT HTTP/MQTT
AWS IoT Identities
Credentials Overview
Security and Identity Identity Principles Usage X.509 certificates Device identity IAM users, groups and roles Application layer access for HTTP or Websockets Amazon Cognito Identities API Access
Authentication
Security and Identity
Certificate management Certificate creation mechanism Pros Cons AWS IoT created certificate (including public/private keypair) Everything handled by AWS IoT Private key has to be transmitted between AWS IoT and customer AWS IoT created certificate (Certificate Signing Request(CSR) based) Certificate creation handled by AWS. AWS never has the private key. Customer has to create the public/private keypair and CSR. JiTR/BYOC (Bring Your Own Certificate) AWS never has the private key. Customer controls certificate creation Customer has to create a certificate for every device.
When is a certificate not a valid certificate t1 t2 • t1 is earlier than t2, (i.e. the server cert is in the future) • No realtime clock • No NTP update (chicken and egg) • Don’t valid the timestamp if you’ve never connected to the NTP Server • Don’t validate the timestamp if the device has been on the shelf for a long time
Authorization
Fine grained policies • Effect • Action • Principal • Substitution { "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "iot:Publish" ], "Resource":[ "arn:aws:iot:us-east- 1:123456789012:topic/${iot:Connection.Thing. ThingTypeName}/${iot:Connection.Thing.ThingN ame}" ] } ] }
Policy and certificates Device Policy Truck 1 Allow to connect and publish Truck 2 Allow to connect / publish / subscribe Truck 3 Allow to connect / publish /subscribe / unsubscribe
Policy actions • Connect • Publish • Subscribe • Unsubscribe • Receive
Encryption
History of TLS/SSL Evolution of Web Encryption Technologies 1995 SSL2.0 1996 SSL3.0 2006 TLS1.1 2008 TLS1.2 2014/09 POODLE 2011 BEAST 2014/04 Heartbleed 2016/03 DROWN Battle Against Vulnerabilities 1999 TLS1.0 2015 FREAK 2013 Planning of TLS1.3 starts
Greater Enforcement by Industry/Vendors Battle Against Vulnerabilities 2014/09 POODLE 2011 BEAST 2014/04 Heartbleed 2016/03 DROWN Industry Enforcement 2015 FREAK 2015/12 Indexing HTTPS Pages by Default 2016/04 PCI DSS v3.2 2016/07 Mandatory ATS 2016/08 HTTP Strict Transport Security (HSTS) 2017/06/30 Mandatory TLS1.2
TLS1.2 in AWS IoT • Client side certs should be at least • 2048 for RSA • P-256 and P-384 curves for ECC • Recommended cipher suites • ECDHE-ECDSA-AES128-GCM-SHA256 • ECDHE-RSA-AES128-GCM-SHA256 • 2048-bit primes for DH
Securing your thing
Certificates & keys • Securing private keys • Hardware based solutions • Securing certificates • Manufacturing • Install on boot
Identifying misbehavior • Pen-testing • Open ports • Manufacturing • In-service • On Thing agent • Vulnerability scanning • CIS • CVE • Telemetry
Thanks ! https://docs.aws.amazon.com/iot/latest/developerguide/iot- security-identity.html

Recommandé

Newt211 final project
Newt211 final projectNewt211 final project
Newt211 final project
BrianCooper73
 
(MBL205) New! Everything You Want to Know About AWS IoT
(MBL205) New! Everything You Want to Know About AWS IoT(MBL205) New! Everything You Want to Know About AWS IoT
(MBL205) New! Everything You Want to Know About AWS IoT
Amazon Web Services
 
Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...
Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...
Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...
Cyxtera Technologies
 
Best Practices for IoT Security in the Cloud
Best Practices for IoT Security in the CloudBest Practices for IoT Security in the Cloud
Best Practices for IoT Security in the Cloud
Amazon Web Services
 
Operational Complexity: The Biggest Security Threat to Your AWS Environment
Operational Complexity: The Biggest Security Threat to Your AWS EnvironmentOperational Complexity: The Biggest Security Threat to Your AWS Environment
Operational Complexity: The Biggest Security Threat to Your AWS Environment
Cryptzone
 
(MBL313) NEW! AWS IoT: Understanding Hardware Kits, SDKs, & Protocols
(MBL313) NEW! AWS IoT: Understanding Hardware Kits, SDKs, & Protocols(MBL313) NEW! AWS IoT: Understanding Hardware Kits, SDKs, & Protocols
(MBL313) NEW! AWS IoT: Understanding Hardware Kits, SDKs, & Protocols
Amazon Web Services
 
(MBL311) NEW! AWS IoT: Securely Building, Provisioning, & Using Things
(MBL311) NEW! AWS IoT: Securely Building, Provisioning, & Using Things(MBL311) NEW! AWS IoT: Securely Building, Provisioning, & Using Things
(MBL311) NEW! AWS IoT: Securely Building, Provisioning, & Using Things
Amazon Web Services
 
AWS IoT 및 Mobile Hub 서비스 소개 (김일호) :: re:Invent re:Cap Webinar 2015
AWS IoT 및 Mobile Hub 서비스 소개 (김일호) :: re:Invent re:Cap Webinar 2015AWS IoT 및 Mobile Hub 서비스 소개 (김일호) :: re:Invent re:Cap Webinar 2015
AWS IoT 및 Mobile Hub 서비스 소개 (김일호) :: re:Invent re:Cap Webinar 2015
Amazon Web Services Korea
 

Recommandé

Newt211 final project
Newt211 final projectNewt211 final project
Newt211 final project
BrianCooper73
 
(MBL205) New! Everything You Want to Know About AWS IoT
(MBL205) New! Everything You Want to Know About AWS IoT(MBL205) New! Everything You Want to Know About AWS IoT
(MBL205) New! Everything You Want to Know About AWS IoT
Amazon Web Services
 
Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...
Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...
Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...
Cyxtera Technologies
 
Best Practices for IoT Security in the Cloud
Best Practices for IoT Security in the CloudBest Practices for IoT Security in the Cloud
Best Practices for IoT Security in the Cloud
Amazon Web Services
 
Operational Complexity: The Biggest Security Threat to Your AWS Environment
Operational Complexity: The Biggest Security Threat to Your AWS EnvironmentOperational Complexity: The Biggest Security Threat to Your AWS Environment
Operational Complexity: The Biggest Security Threat to Your AWS Environment
Cryptzone
 
(MBL313) NEW! AWS IoT: Understanding Hardware Kits, SDKs, & Protocols
(MBL313) NEW! AWS IoT: Understanding Hardware Kits, SDKs, & Protocols(MBL313) NEW! AWS IoT: Understanding Hardware Kits, SDKs, & Protocols
(MBL313) NEW! AWS IoT: Understanding Hardware Kits, SDKs, & Protocols
Amazon Web Services
 
(MBL311) NEW! AWS IoT: Securely Building, Provisioning, & Using Things
(MBL311) NEW! AWS IoT: Securely Building, Provisioning, & Using Things(MBL311) NEW! AWS IoT: Securely Building, Provisioning, & Using Things
(MBL311) NEW! AWS IoT: Securely Building, Provisioning, & Using Things
Amazon Web Services
 
AWS IoT 및 Mobile Hub 서비스 소개 (김일호) :: re:Invent re:Cap Webinar 2015
AWS IoT 및 Mobile Hub 서비스 소개 (김일호) :: re:Invent re:Cap Webinar 2015AWS IoT 및 Mobile Hub 서비스 소개 (김일호) :: re:Invent re:Cap Webinar 2015
AWS IoT 및 Mobile Hub 서비스 소개 (김일호) :: re:Invent re:Cap Webinar 2015
Amazon Web Services Korea
 
Cloud security
Cloud securityCloud security
Cloud security
François Boucher
 
PCI Compliance on AWS - Evident.io @ AWS Pop-up Loft 2/26/2015
PCI Compliance on AWS - Evident.io @ AWS Pop-up Loft 2/26/2015PCI Compliance on AWS - Evident.io @ AWS Pop-up Loft 2/26/2015
PCI Compliance on AWS - Evident.io @ AWS Pop-up Loft 2/26/2015
Evident.io
 
AWS IoT 深入探討
AWS IoT 深入探討AWS IoT 深入探討
AWS IoT 深入探討
Amazon Web Services
 
Introduction to AWS IoT
Introduction to AWS IoTIntroduction to AWS IoT
Introduction to AWS IoT
Amazon Web Services
 
How to Meet Strict Security & Compliance Requirements in the Cloud (SEC208) |...
How to Meet Strict Security & Compliance Requirements in the Cloud (SEC208) |...How to Meet Strict Security & Compliance Requirements in the Cloud (SEC208) |...
How to Meet Strict Security & Compliance Requirements in the Cloud (SEC208) |...
Amazon Web Services
 
Overview of IoT Infrastructure and Connectivity at AWS
Overview of IoT Infrastructure and Connectivity at AWSOverview of IoT Infrastructure and Connectivity at AWS
Overview of IoT Infrastructure and Connectivity at AWS
Amazon Web Services
 
Intro to AWS IoT - Pop-up Loft London
Intro to AWS IoT - Pop-up Loft LondonIntro to AWS IoT - Pop-up Loft London
Intro to AWS IoT - Pop-up Loft London
Boaz Ziniman
 
AWS Cloud Governance & Security through Automation - Atlanta AWS Builders
AWS Cloud Governance & Security through Automation - Atlanta AWS BuildersAWS Cloud Governance & Security through Automation - Atlanta AWS Builders
AWS Cloud Governance & Security through Automation - Atlanta AWS Builders
James Strong
 
Securing Applications in the Cloud
Securing Applications in the CloudSecuring Applications in the Cloud
Securing Applications in the Cloud
Security Innovation
 
Aws iot
Aws iotAws iot
Aws iot
Ruqaiya Khanam
 
The Software-Defined Perimeter: Securing Network Access for the Modern Workforce
The Software-Defined Perimeter: Securing Network Access for the Modern WorkforceThe Software-Defined Perimeter: Securing Network Access for the Modern Workforce
The Software-Defined Perimeter: Securing Network Access for the Modern Workforce
Perimeter 81
 
Essential Capabilities of an IoT Platform
Essential Capabilities of an IoT PlatformEssential Capabilities of an IoT Platform
Essential Capabilities of an IoT Platform
Amazon Web Services
 
Cloud Security Tutorial | Cloud Security Fundamentals | AWS Training | Edureka
Cloud Security Tutorial | Cloud Security Fundamentals | AWS Training | EdurekaCloud Security Tutorial | Cloud Security Fundamentals | AWS Training | Edureka
Cloud Security Tutorial | Cloud Security Fundamentals | AWS Training | Edureka
Edureka!
 
AWS IoT Webinar
AWS IoT WebinarAWS IoT Webinar
AWS IoT Webinar
Amazon Web Services
 
AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)
AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)
AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)
Amazon Web Services
 
Building Powerful IoT Apps with AWS IoT and Websockets
Building Powerful IoT Apps with AWS IoT and WebsocketsBuilding Powerful IoT Apps with AWS IoT and Websockets
Building Powerful IoT Apps with AWS IoT and Websockets
Amazon Web Services
 
Delivering transparent data_encryption_while_centrally_managing_keys_eskm-blo...
Delivering transparent data_encryption_while_centrally_managing_keys_eskm-blo...Delivering transparent data_encryption_while_centrally_managing_keys_eskm-blo...
Delivering transparent data_encryption_while_centrally_managing_keys_eskm-blo...
Bloombase
 
IoT Apps with AWS IoT and Websockets
IoT Apps with AWS IoT and Websockets IoT Apps with AWS IoT and Websockets
IoT Apps with AWS IoT and Websockets
Amazon Web Services
 
Kubernetes - do or do not, there is no try
Kubernetes - do or do not, there is no tryKubernetes - do or do not, there is no try
Kubernetes - do or do not, there is no try
James Strong
 
T4 – Understanding aws security
T4 – Understanding aws securityT4 – Understanding aws security
T4 – Understanding aws security
Amazon Web Services
 
Best Practices with IoT Security - February Online Tech Talks
Best Practices with IoT Security - February Online Tech TalksBest Practices with IoT Security - February Online Tech Talks
Best Practices with IoT Security - February Online Tech Talks
Amazon Web Services
 
Srv204 Getting Started with AWS IoT
Srv204 Getting Started with AWS IoTSrv204 Getting Started with AWS IoT
Srv204 Getting Started with AWS IoT
Amazon Web Services
 

Contenu connexe

Tendances

How to Meet Strict Security & Compliance Requirements in the Cloud (SEC208) |...
How to Meet Strict Security & Compliance Requirements in the Cloud (SEC208) |...How to Meet Strict Security & Compliance Requirements in the Cloud (SEC208) |...
How to Meet Strict Security & Compliance Requirements in the Cloud (SEC208) |...
Amazon Web Services
 
AWS Cloud Governance & Security through Automation - Atlanta AWS Builders
AWS Cloud Governance & Security through Automation - Atlanta AWS BuildersAWS Cloud Governance & Security through Automation - Atlanta AWS Builders
AWS Cloud Governance & Security through Automation - Atlanta AWS Builders
James Strong
 
Securing Applications in the Cloud
Securing Applications in the CloudSecuring Applications in the Cloud
Securing Applications in the Cloud
Security Innovation
 

Tendances (20)

Cloud security
Cloud securityCloud security
Cloud security
 
PCI Compliance on AWS - Evident.io @ AWS Pop-up Loft 2/26/2015
PCI Compliance on AWS - Evident.io @ AWS Pop-up Loft 2/26/2015PCI Compliance on AWS - Evident.io @ AWS Pop-up Loft 2/26/2015
PCI Compliance on AWS - Evident.io @ AWS Pop-up Loft 2/26/2015
 
AWS IoT 深入探討
AWS IoT 深入探討AWS IoT 深入探討
AWS IoT 深入探討
 
Introduction to AWS IoT
Introduction to AWS IoTIntroduction to AWS IoT
Introduction to AWS IoT
 
How to Meet Strict Security & Compliance Requirements in the Cloud (SEC208) |...
How to Meet Strict Security & Compliance Requirements in the Cloud (SEC208) |...How to Meet Strict Security & Compliance Requirements in the Cloud (SEC208) |...
How to Meet Strict Security & Compliance Requirements in the Cloud (SEC208) |...
 
Overview of IoT Infrastructure and Connectivity at AWS
Overview of IoT Infrastructure and Connectivity at AWSOverview of IoT Infrastructure and Connectivity at AWS
Overview of IoT Infrastructure and Connectivity at AWS
 
Intro to AWS IoT - Pop-up Loft London
Intro to AWS IoT - Pop-up Loft LondonIntro to AWS IoT - Pop-up Loft London
Intro to AWS IoT - Pop-up Loft London
 
AWS Cloud Governance & Security through Automation - Atlanta AWS Builders
AWS Cloud Governance & Security through Automation - Atlanta AWS BuildersAWS Cloud Governance & Security through Automation - Atlanta AWS Builders
AWS Cloud Governance & Security through Automation - Atlanta AWS Builders
 
Securing Applications in the Cloud
Securing Applications in the CloudSecuring Applications in the Cloud
Securing Applications in the Cloud
 
Aws iot
Aws iotAws iot
Aws iot
 
The Software-Defined Perimeter: Securing Network Access for the Modern Workforce
The Software-Defined Perimeter: Securing Network Access for the Modern WorkforceThe Software-Defined Perimeter: Securing Network Access for the Modern Workforce
The Software-Defined Perimeter: Securing Network Access for the Modern Workforce
 
Essential Capabilities of an IoT Platform
Essential Capabilities of an IoT PlatformEssential Capabilities of an IoT Platform
Essential Capabilities of an IoT Platform
 
Cloud Security Tutorial | Cloud Security Fundamentals | AWS Training | Edureka
Cloud Security Tutorial | Cloud Security Fundamentals | AWS Training | EdurekaCloud Security Tutorial | Cloud Security Fundamentals | AWS Training | Edureka
Cloud Security Tutorial | Cloud Security Fundamentals | AWS Training | Edureka
 
AWS IoT Webinar
AWS IoT WebinarAWS IoT Webinar
AWS IoT Webinar
 
AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)
AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)
AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)
 
Building Powerful IoT Apps with AWS IoT and Websockets
Building Powerful IoT Apps with AWS IoT and WebsocketsBuilding Powerful IoT Apps with AWS IoT and Websockets
Building Powerful IoT Apps with AWS IoT and Websockets
 
Delivering transparent data_encryption_while_centrally_managing_keys_eskm-blo...
Delivering transparent data_encryption_while_centrally_managing_keys_eskm-blo...Delivering transparent data_encryption_while_centrally_managing_keys_eskm-blo...
Delivering transparent data_encryption_while_centrally_managing_keys_eskm-blo...
 
IoT Apps with AWS IoT and Websockets
IoT Apps with AWS IoT and Websockets IoT Apps with AWS IoT and Websockets
IoT Apps with AWS IoT and Websockets
 
Kubernetes - do or do not, there is no try
Kubernetes - do or do not, there is no tryKubernetes - do or do not, there is no try
Kubernetes - do or do not, there is no try
 
T4 – Understanding aws security
T4 – Understanding aws securityT4 – Understanding aws security
T4 – Understanding aws security
 

Similaire à Best Practices for IoT Security in the Cloud

3 Easy Steps to Building Large-Scale IoT Architectures
3 Easy Steps to Building Large-Scale IoT Architectures3 Easy Steps to Building Large-Scale IoT Architectures
3 Easy Steps to Building Large-Scale IoT Architectures
Amazon Web Services
 
AWS re:Invent 2016: Understanding IoT Data: How to Leverage Amazon Kinesis in...
AWS re:Invent 2016: Understanding IoT Data: How to Leverage Amazon Kinesis in...AWS re:Invent 2016: Understanding IoT Data: How to Leverage Amazon Kinesis in...
AWS re:Invent 2016: Understanding IoT Data: How to Leverage Amazon Kinesis in...
Amazon Web Services
 
Automating your AWS Security Operations
Automating your AWS Security OperationsAutomating your AWS Security Operations
Automating your AWS Security Operations
Evident.io
 
Automating your AWS Security Operations
Automating your AWS Security OperationsAutomating your AWS Security Operations
Automating your AWS Security Operations
Amazon Web Services
 
Introducing AWS IoT - Interfacing with the Physical World - Technical 101
Introducing AWS IoT - Interfacing with the Physical World - Technical 101Introducing AWS IoT - Interfacing with the Physical World - Technical 101
Introducing AWS IoT - Interfacing with the Physical World - Technical 101
Amazon Web Services
 
Connecting the Unconnected: IoT Made Simple
Connecting the Unconnected: IoT Made SimpleConnecting the Unconnected: IoT Made Simple
Connecting the Unconnected: IoT Made Simple
Danilo Poccia
 
AWS NYC Meetup - May 2017 - "AWS IoT and Greengrass"
AWS NYC Meetup - May 2017 - "AWS IoT and Greengrass"AWS NYC Meetup - May 2017 - "AWS IoT and Greengrass"
AWS NYC Meetup - May 2017 - "AWS IoT and Greengrass"
Chris Munns
 

Similaire à Best Practices for IoT Security in the Cloud (20)

Best Practices with IoT Security - February Online Tech Talks
Best Practices with IoT Security - February Online Tech TalksBest Practices with IoT Security - February Online Tech Talks
Best Practices with IoT Security - February Online Tech Talks
 
Srv204 Getting Started with AWS IoT
Srv204 Getting Started with AWS IoTSrv204 Getting Started with AWS IoT
Srv204 Getting Started with AWS IoT
 
1. aws security and compliance wwps pre-day sao paolo - markry
1. aws security and compliance wwps pre-day sao paolo - markry1. aws security and compliance wwps pre-day sao paolo - markry
1. aws security and compliance wwps pre-day sao paolo - markry
 
3 Easy Steps to Building Large-Scale IoT Architectures
3 Easy Steps to Building Large-Scale IoT Architectures3 Easy Steps to Building Large-Scale IoT Architectures
3 Easy Steps to Building Large-Scale IoT Architectures
 
AWS_IoT_Device_Management_Workshop.pptx
AWS_IoT_Device_Management_Workshop.pptxAWS_IoT_Device_Management_Workshop.pptx
AWS_IoT_Device_Management_Workshop.pptx
 
Internet der Ingenieure - reale und virtuelle Welten verschmelzen - AWS IoT W...
Internet der Ingenieure - reale und virtuelle Welten verschmelzen - AWS IoT W...Internet der Ingenieure - reale und virtuelle Welten verschmelzen - AWS IoT W...
Internet der Ingenieure - reale und virtuelle Welten verschmelzen - AWS IoT W...
 
Reply Webinar Online - Mastering AWS - IoT Advanced
Reply Webinar Online - Mastering AWS - IoT AdvancedReply Webinar Online - Mastering AWS - IoT Advanced
Reply Webinar Online - Mastering AWS - IoT Advanced
 
AWS IoT - Best of re:Invent Tel Aviv
AWS IoT - Best of re:Invent Tel AvivAWS IoT - Best of re:Invent Tel Aviv
AWS IoT - Best of re:Invent Tel Aviv
 
AWS re:Invent 2016: Understanding IoT Data: How to Leverage Amazon Kinesis in...
AWS re:Invent 2016: Understanding IoT Data: How to Leverage Amazon Kinesis in...AWS re:Invent 2016: Understanding IoT Data: How to Leverage Amazon Kinesis in...
AWS re:Invent 2016: Understanding IoT Data: How to Leverage Amazon Kinesis in...
 
Automating your AWS Security Operations
Automating your AWS Security OperationsAutomating your AWS Security Operations
Automating your AWS Security Operations
 
Automating your AWS Security Operations
Automating your AWS Security OperationsAutomating your AWS Security Operations
Automating your AWS Security Operations
 
Introducing AWS IoT - Interfacing with the Physical World - Technical 101
Introducing AWS IoT - Interfacing with the Physical World - Technical 101Introducing AWS IoT - Interfacing with the Physical World - Technical 101
Introducing AWS IoT - Interfacing with the Physical World - Technical 101
 
Serverless Data Processing on AWS - Level 300
Serverless Data Processing on AWS - Level 300Serverless Data Processing on AWS - Level 300
Serverless Data Processing on AWS - Level 300
 
Connecting the Unconnected: IoT Made Simple
Connecting the Unconnected: IoT Made SimpleConnecting the Unconnected: IoT Made Simple
Connecting the Unconnected: IoT Made Simple
 
AWS IoT Security Best Practices
AWS IoT Security Best PracticesAWS IoT Security Best Practices
AWS IoT Security Best Practices
 
How to Easily and Securely Connect Devices to AWS IoT - AWS Online Tech Talks
How to Easily and Securely Connect Devices to AWS IoT - AWS Online Tech TalksHow to Easily and Securely Connect Devices to AWS IoT - AWS Online Tech Talks
How to Easily and Securely Connect Devices to AWS IoT - AWS Online Tech Talks
 
IoT End-to-End Security Overview
IoT End-to-End Security OverviewIoT End-to-End Security Overview
IoT End-to-End Security Overview
 
IoT End-to-End Security Overview
IoT End-to-End Security OverviewIoT End-to-End Security Overview
IoT End-to-End Security Overview
 
Security & Compliance in the cloud - Pop-up Loft Tel Aviv
Security & Compliance in the cloud - Pop-up Loft Tel AvivSecurity & Compliance in the cloud - Pop-up Loft Tel Aviv
Security & Compliance in the cloud - Pop-up Loft Tel Aviv
 
AWS NYC Meetup - May 2017 - "AWS IoT and Greengrass"
AWS NYC Meetup - May 2017 - "AWS IoT and Greengrass"AWS NYC Meetup - May 2017 - "AWS IoT and Greengrass"
AWS NYC Meetup - May 2017 - "AWS IoT and Greengrass"
 

Plus de Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Amazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Amazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
Amazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Amazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
Amazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Amazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
Amazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
Amazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
Amazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
Amazon Web Services
 

Plus de Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Dernier

No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
Sheetaleventcompany
 
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
Delhi Call girls
 
If this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaIf this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New Nigeria
Kayode Fayemi
 

Dernier (20)

VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesVVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
 
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night EnjoyCall Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
 
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
 
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptxMohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
 
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
 
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
 
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdf
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdfAWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdf
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdf
 
Dreaming Music Video Treatment _ Project & Portfolio III
Dreaming Music Video Treatment _ Project & Portfolio IIIDreaming Music Video Treatment _ Project & Portfolio III
Dreaming Music Video Treatment _ Project & Portfolio III
 
Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510
 
lONG QUESTION ANSWER PAKISTAN STUDIES10.
lONG QUESTION ANSWER PAKISTAN STUDIES10.lONG QUESTION ANSWER PAKISTAN STUDIES10.
lONG QUESTION ANSWER PAKISTAN STUDIES10.
 
My Presentation "In Your Hands" by Halle Bailey
My Presentation "In Your Hands" by Halle BaileyMy Presentation "In Your Hands" by Halle Bailey
My Presentation "In Your Hands" by Halle Bailey
 
If this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaIf this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New Nigeria
 
Causes of poverty in France presentation.pptx
Causes of poverty in France presentation.pptxCauses of poverty in France presentation.pptx
Causes of poverty in France presentation.pptx
 
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
 
Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)
 
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdfThe workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
 
ICT role in 21st century education and it's challenges.pdf
ICT role in 21st century education and it's challenges.pdfICT role in 21st century education and it's challenges.pdf
ICT role in 21st century education and it's challenges.pdf
 
Dreaming Marissa Sánchez Music Video Treatment
Dreaming Marissa Sánchez Music Video TreatmentDreaming Marissa Sánchez Music Video Treatment
Dreaming Marissa Sánchez Music Video Treatment
 
Air breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animalsAir breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animals
 
SaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, YardstickSaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, Yardstick
 

Best Practices for IoT Security in the Cloud

  • 1. © 20167 Amazon Web Services, Inc. or its Affiliates. All rights reserved. Gavin Adams March,2017 Best Practices with AWS IoT Security
  • 2. We’ll Cover Best Practices Related to... Overall AWS IoT Understanding risks Protecting communications Protecting the devices
  • 3. All things around us are getting connected
  • 4. AWS IoT DEVICE SDK Set of client libraries to connect, authenticate and exchange messages DEVICE GATEWAY Communicate with devices via MQTT and HTTP AUTHENTICATION AUTHORIZATION Secure with mutual authentication and encryption RULES ENGINE Transform messages based on rules and route to AWS Services AWS Services - - - - - 3P Services DEVICE SHADOW Persistent thing state during intermittent connections APPLICATIONS AWS IoT API DEVICE REGISTRY Identity and Management of your things
  • 5. Security and Identity AUTHENTICATION Secure with mutual authentication and encryption
  • 6. AWS Foundation Services Compute Storage Database Networking AWS Global Infrastructure Regions Availability Zones Edge Locations Client-side Data Encryption Server-side Data Encryption Network Traffic Protection Platform, Applications, Identity & Access Management Operating System, Network & Firewall Configuration Customer applications & content Customers Security shared responsibility Customers are responsible for their security IN the Cloud AWS is responsible for the security OF the Cloud
  • 7. Why focus on “things”?
  • 8. The Risk I’m a thing pwn’d
  • 9.
  • 10.
  • 11.
  • 14. AWS IoT Protocols MQTT over TLS MQTT over Web Sockets HTTPS Server Auth Cert Cert Cert Client Auth Cert AWS API Keys AWS API Keys Cert Confidentiality TLS TLS TLS Protocol MQTT Web Sockets MQTT HTTP/MQTT
  • 17. Security and Identity Identity Principles Usage X.509 certificates Device identity IAM users, groups and roles Application layer access for HTTP or Websockets Amazon Cognito Identities API Access
  • 20. Certificate management Certificate creation mechanism Pros Cons AWS IoT created certificate (including public/private keypair) Everything handled by AWS IoT Private key has to be transmitted between AWS IoT and customer AWS IoT created certificate (Certificate Signing Request(CSR) based) Certificate creation handled by AWS. AWS never has the private key. Customer has to create the public/private keypair and CSR. JiTR/BYOC (Bring Your Own Certificate) AWS never has the private key. Customer controls certificate creation Customer has to create a certificate for every device.
  • 21. When is a certificate not a valid certificate t1 t2 • t1 is earlier than t2, (i.e. the server cert is in the future) • No realtime clock • No NTP update (chicken and egg) • Don’t valid the timestamp if you’ve never connected to the NTP Server • Don’t validate the timestamp if the device has been on the shelf for a long time
  • 23. Fine grained policies • Effect • Action • Principal • Substitution { "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "iot:Publish" ], "Resource":[ "arn:aws:iot:us-east- 1:123456789012:topic/${iot:Connection.Thing. ThingTypeName}/${iot:Connection.Thing.ThingN ame}" ] } ] }
  • 24. Policy and certificates Device Policy Truck 1 Allow to connect and publish Truck 2 Allow to connect / publish / subscribe Truck 3 Allow to connect / publish /subscribe / unsubscribe
  • 25. Policy actions • Connect • Publish • Subscribe • Unsubscribe • Receive
  • 27. History of TLS/SSL Evolution of Web Encryption Technologies 1995 SSL2.0 1996 SSL3.0 2006 TLS1.1 2008 TLS1.2 2014/09 POODLE 2011 BEAST 2014/04 Heartbleed 2016/03 DROWN Battle Against Vulnerabilities 1999 TLS1.0 2015 FREAK 2013 Planning of TLS1.3 starts
  • 28. Greater Enforcement by Industry/Vendors Battle Against Vulnerabilities 2014/09 POODLE 2011 BEAST 2014/04 Heartbleed 2016/03 DROWN Industry Enforcement 2015 FREAK 2015/12 Indexing HTTPS Pages by Default 2016/04 PCI DSS v3.2 2016/07 Mandatory ATS 2016/08 HTTP Strict Transport Security (HSTS) 2017/06/30 Mandatory TLS1.2
  • 29. TLS1.2 in AWS IoT • Client side certs should be at least • 2048 for RSA • P-256 and P-384 curves for ECC • Recommended cipher suites • ECDHE-ECDSA-AES128-GCM-SHA256 • ECDHE-RSA-AES128-GCM-SHA256 • 2048-bit primes for DH
  • 31. Certificates & keys • Securing private keys • Hardware based solutions • Securing certificates • Manufacturing • Install on boot
  • 32. Identifying misbehavior • Pen-testing • Open ports • Manufacturing • In-service • On Thing agent • Vulnerability scanning • CIS • CVE • Telemetry