Developer Guide

Security and Identity for AWS IoT

Each connected device must have a credential to access the message broker or the Thing Shadows service. All traffic to and from AWS IoT must be encrypted over Transport Layer Security (TLS). Device credentials must be kept safe in order to send data securely to the message broker. After data reaches the message broker, AWS cloud security mechanisms protect data as it moves between AWS IoT and other devices or AWS services.

Security and Identity Overview
  • You are responsible for managing device credentials (X.509 certificates, AWS credentials) on your devices and policies in AWS IoT. You are responsible for assigning unique identities to each device and managing the permissions for a device or group of devices.

  • Devices connect using your choice of identity (X.509 certificates, IAM users and groups, or Amazon Cognito identities) over a secure connection according to the AWS IoT connection model.

  • The AWS IoT message broker authenticates and authorizes all actions in your account. The message broker is responsible for authenticating your devices, securely ingesting device data, and adhering to the access permissions you place on devices using policies.

  • The AWS IoT rules engine forwards device data to other devices and other AWS services according to rules you define. It is responsible for using AWS access management systems to securely transfer data to its final destination.

Transport Security

The AWS IoT message broker and Thing Shadows service encrypt all communication with TLS. TLS is used to ensure the confidentiality of the application protocols (MQTT, HTTP) supported by AWS IoT. TLS is available in a number of programming languages and operating systems.

For MQTT, TLS encrypts the connection between the device and the broker. TLS client authentication is used by AWS IoT to identify devices. For HTTP, TLS encrypts the connection between the device and the broker. Authentication is delegated to AWS Signature Version 4.

TLS Cipher Suite Support

AWS IoT supports the following cipher suites:

  • ECDHE-ECDSA-AES128-GCM-SHA256 (recommended)

  • ECDHE-RSA-AES128-GCM-SHA256 (recommended)

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA
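The following is an added example, not code from the AWS IoT guide or SDKs: it builds the device-side TLS context for an MQTT-over-TLS connection with the properties the Transport Security section describes (server verification, X.509 client-certificate authentication, TLS 1.2 or newer) and restricts the offered TLS 1.2 suites to the two the cipher suite list marks as recommended. The certificate and key file paths, the endpoint name and port 8883 are assumptions; everything else uses only the Python standard library.

```python
import socket
import ssl

# Cipher suites listed in the guide; the first two are marked "(recommended)".
# TLS 1.3 suites (names beginning TLS_) are not affected by set_ciphers().
RECOMMENDED = ("ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256")
SUPPORTED = RECOMMENDED + (
    "AES128-GCM-SHA256", "AES128-SHA256", "AES128-SHA",
    "AES256-GCM-SHA384", "AES256-SHA256", "AES256-SHA",
)

def classify_cipher(name):
    """'recommended', 'supported' or 'unsupported' for a TLS 1.2 suite name."""
    if name in RECOMMENDED:
        return "recommended"
    return "supported" if name in SUPPORTED else "unsupported"

def build_client_context(ca_file=None, cert_file=None, key_file=None):
    """Device-side context: verify the broker, present the device's X.509 cert.
    File paths are hypothetical; with None the context is built without keys."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)  # CA that signs the endpoint cert
    else:
        ctx.load_default_certs()
    if cert_file and key_file:
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)  # device identity
    # Offer only the recommended suites, so a static-RSA suite from the supported
    # list is never negotiated even if the broker would accept it.
    ctx.set_ciphers(":".join(RECOMMENDED))
    return ctx

def offered_tls12_ciphers(ctx):
    """TLS 1.2 suite names the context will offer (TLS 1.3 names excluded)."""
    return [c["name"] for c in ctx.get_ciphers() if not c["name"].startswith("TLS_")]

def context_summary(ctx):
    """The properties a reviewer checks before trusting a device's TLS setup."""
    return {
        "verifies_broker": ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname,
        "tls12_or_newer": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "only_recommended": set(offered_tls12_ciphers(ctx)) <= set(RECOMMENDED),
    }

def connect_mqtt_tls(ctx, endpoint, port=8883, timeout=10):
    """Open the TLS socket an MQTT client would drive; endpoint/port are
    placeholders for the account's AWS IoT endpoint (not given on this page)."""
    raw = socket.create_connection((endpoint, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=endpoint)  # hostname verified
```

The HTTP path the guide describes is different: the same context applies for transport encryption, but identity there comes from a Signature Version 4 signed request rather than a client certificate.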