AWS Greengrass
User Guide

Security in AWS Greengrass

The multiple layers of security in AWS Greengrass ensure the integrity of your local device and the protection of your AWS account data.

All devices in an AWS Greengrass group are also AWS IoT things. In AWS IoT, certificates are issued to individual devices. AWS Greengrass uses this foundation and adds security management on top of it. Every AWS Greengrass group has its own group role and IAM policies that manage access by group members to AWS services. AWS Greengrass groups also have a root certification authority (CA) that ensures secure local connections between your AWS Greengrass core and the other devices in the group. The group role and its policies are managed in the cloud. A group's root CA can be rotated without deployment from the cloud.

When a device and AWS Greengrass core attempt to connect, each must present a certificate before a connection can be established. After the connection is made, devices use the MQTT protocol to communicate within a local group. The AWS Greengrass core software provides an additional layer of structure and security using subscriptions.

Subscriptions are single-direction communication links between a source of MQTT messages and a recipient of those messages, known as a target. The constrained nature of the subscriptions prevents unintended communication from devices. Communication to other AWS services is authorized using a group's IAM role and policies and is made over HTTPS.
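The single-direction subscription model described above, as an added example that is not code from the AWS Greengrass User Guide or from the Greengrass core software: a small Python model of a subscription table with source, subject (topic filter) and target fields, plus a check that answers whether a given message is permitted to flow from one party to another. The thing and Lambda ARNs, the topics and the subscription entries are constructed placeholders; topic-filter matching here follows standard MQTT `+` and `#` semantics, which the example assumes for the subject field. It is meant to show why a reversed direction or an unlisted pair is simply dropped, not to reproduce the core's internal routing.

```python
"""Model of single-direction MQTT subscriptions (constructed example, not AWS code)."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Subscription:
    """One subscription entry: messages flow from source to target only."""
    source: str   # thing ARN, Lambda ARN, or "cloud"
    subject: str  # MQTT topic filter the message topic must match
    target: str   # thing ARN, Lambda ARN, or "cloud"


# Constructed placeholder ARNs (replace <region> / <account-id> with real values).
SENSOR = "arn:aws:iot:<region>:<account-id>:thing/Sensor"
ACTUATOR = "arn:aws:iot:<region>:<account-id>:thing/Actuator"
PROCESSOR = "arn:aws:lambda:<region>:<account-id>:function:Processor:1"
CLOUD = "cloud"

# Constructed subscription table: three one-way links.
SUBSCRIPTIONS: List[Subscription] = [
    Subscription(SENSOR, "sensors/temperature", PROCESSOR),  # device -> local Lambda
    Subscription(PROCESSOR, "alerts/#", CLOUD),             # Lambda -> AWS IoT cloud
    Subscription(CLOUD, "commands/+/set", ACTUATOR),         # cloud -> device
]


def topic_matches(topic_filter: str, topic: str) -> bool:
    """Standard MQTT filter match: '+' is one level, '#' is all remaining levels.

    Topics beginning with '$' are not matched by a leading wildcard, per the spec.
    """
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    if topic.startswith("$") and f_levels[0] in ("+", "#"):
        return False
    for i, f in enumerate(f_levels):
        if f == "#":
            return True  # '#' must be the last level; it also matches zero levels
        if i >= len(t_levels):
            return False
        if f != "+" and f != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)


def allowed_targets(subs: List[Subscription], source: str, topic: str) -> List[str]:
    """Targets that may receive a message published by `source` on `topic`."""
    return [s.target for s in subs if s.source == source and topic_matches(s.subject, topic)]


def is_allowed(subs: List[Subscription], source: str, target: str, topic: str) -> bool:
    """True only if an entry exists in exactly this direction for this topic."""
    return target in allowed_targets(subs, source, topic)


if __name__ == "__main__":
    checks = [
        (SENSOR, PROCESSOR, "sensors/temperature"),   # listed: allowed
        (PROCESSOR, SENSOR, "sensors/temperature"),   # reverse direction: dropped
        (SENSOR, CLOUD, "sensors/temperature"),       # no entry: dropped
        (CLOUD, ACTUATOR, "commands/light/set"),      # matches commands/+/set: allowed
        (CLOUD, ACTUATOR, "commands/light/status"),   # filter mismatch: dropped
    ]
    for src, tgt, topic in checks:
        verdict = "ALLOW" if is_allowed(SUBSCRIPTIONS, src, tgt, topic) else "DROP"
        print(f"{verdict:5} {src} -> {tgt} on {topic}")
```

Because every entry names one source and one target, a device can reach only the parties listed for it, and granting the reverse path requires a separate, explicit entry; that is the "constrained nature" the text relies on, and it is a useful property to review in a group's subscription table during a security review.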

Finally, AWS Greengrass also uses a service role with a managed policy — one per AWS account — to enable AWS Greengrass to access and update data in other AWS services it relies on, like AWS IoT and AWS Lambda. After this role is applied (before your first deployment), it does not need to be reapplied.