Overview of AWS IoT Greengrass Security - AWS IoT Greengrass

Overview of AWS IoT Greengrass Security

AWS IoT Greengrass uses X.509 certificates, AWS IoT policies, and IAM policies and roles to secure the applications that run on devices in your local Greengrass environment.

The following diagram shows the components of the AWS IoT Greengrass security model:

A - Greengrass service role

A customer-created IAM role assumed by AWS IoT Greengrass when accessing to your AWS resources from AWS IoT Core, AWS Lambda, and other AWS services. For more information, see Greengrass Service Role.

B - Core device certificate

An X.509 certificate used to authenticate a Greengrass core with AWS IoT Core and AWS IoT Greengrass. For more information, see Device Authentication and Authorization for AWS IoT Greengrass.

C - Device certificate

An X.509 certificate used to authenticate a Greengrass (connected) device with AWS IoT Core and AWS IoT Greengrass. For more information, see Device Authentication and Authorization for AWS IoT Greengrass.

D - Group role

A customer-created IAM role assumed by AWS IoT Greengrass when calling AWS services from a Greengrass core.

You use this role to specify access permissions that your user-defined Lambda functions and connectors need to access AWS services, such as DynamoDB. You also use it to allow AWS IoT Greengrass to export stream manager streams to AWS services and write to CloudWatch Logs. For more information, see Greengrass Group Role.

Note

AWS IoT Greengrass doesn't use the Lambda execution role that's specified in AWS Lambda for the cloud version of a Lambda function.

E - MQTT server certificate

The certificate used for Transport Layer Security (TLS) mutual authentication between a Greengrass core device and connected devices in the Greengrass group. The certificate is signed by the group CA certificate, which is stored in the AWS Cloud.

Device Connection Workflow

This section describes how Greengrass connected devices connect to the AWS IoT Greengrass service and Greengrass core devices. Greengrass connected devices are registered AWS IoT Core devices that are in the same Greengrass group as the core device.

  • A Greengrass core device uses its device certificate, private key, and the AWS IoT Core root CA certificate to connect to the AWS IoT Greengrass service.

  • The Greengrass core device downloads group membership information from the AWS IoT Greengrass service.

  • When a deployment is made to the Greengrass core device, the Device Certificate Manager (DCM) handles local server certificate management for the Greengrass core device.

  • A connected device connects to the AWS IoT Greengrass service using its device certificate, private key, and the AWS IoT Core root CA. After making the connection, the AWS IoT Core device uses the Greengrass Discovery Service to find the IP address of its Greengrass core device. The device also downloads the group CA certificate, which is used for TLS mutual authentication with the Greengrass core device.

  • A connected device attempts to connect to the Greengrass core device, passing its device certificate and client ID. If the client ID matches the thing name of the device and the certificate is valid (part of the Greengrass group), the connection is made. Otherwise, the connection is terminated.

Configuring AWS IoT Greengrass Security

To configure your Greengrass application's security

  1. Create an AWS IoT Core thing for your Greengrass core device.

  2. Generate a key pair and device certificate for your Greengrass core device.

  3. Create and attach an AWS IoT policy to the device certificate. The certificate and policy allow the Greengrass core device access to AWS IoT Core and AWS IoT Greengrass services. For more information, see Minimal AWS IoT policy for the Core Device.

    Note

    The use of thing policy variables (iot:Connection.Thing.*) in the AWS IoT policy for a core device is not supported. The core uses the same device certificate to make multiple connections to AWS IoT Core but the client ID in a connection might not be an exact match of the core thing name.

  4. Create a Greengrass service role. This IAM role authorizes AWS IoT Greengrass to access resources from other AWS services on your behalf. This allows AWS IoT Greengrass to perform essential tasks, such as retrieving AWS Lambda functions and managing device shadows.

    You can use the same service role across AWS Regions, but it must be associated with your AWS account in every AWS Region where you use AWS IoT Greengrass.

  5. (Optional) Create a Greengrass group role. This IAM role grants permission to Lambda functions and connectors running on a Greengrass core to call AWS services. For example, the Kinesis Firehose connector requires permission to write records to an Amazon Kinesis Data Firehose delivery stream.

    You can attach only one role to a Greengrass group.

  6. Create an AWS IoT Core thing for each device that connects to your Greengrass core.

    Note

    You can also use existing AWS IoT Core things and certificates.

  7. Create device certificates, key pairs, and AWS IoT policies for each device that connects to your Greengrass core.

AWS IoT Greengrass Core Security Principals

The Greengrass core uses the following security principals: AWS IoT client, local MQTT server, and local secrets manager. The configuration for these principals is stored in the crypto object in the config.json configuration file. For more information, see AWS IoT Greengrass Core Configuration File.

This configuration includes the path to the private key used by the principal component for authentication and encryption. AWS IoT Greengrass supports two modes of private key storage: hardware-based or file system-based (default). For more information about storing keys on hardware security modules, see Hardware Security Integration.

AWS IoT Client

The AWS IoT client (IoT client) manages communication over the internet between the Greengrass core and AWS IoT Core. AWS IoT Greengrass uses X.509 certificates with public and private keys for mutual authentication when establishing TLS connections for this communication. For more information, see X.509 Certificates and AWS IoT Core in the AWS IoT Core Developer Guide.

The IoT client supports RSA and EC certificates and keys. The certificate and private key path are specified for the IoTCertificate principal in config.json.

MQTT Server

The local MQTT server manages communication over the local network between the Greengrass core and other Greengrass devices in the group. AWS IoT Greengrass uses X.509 certificates with public and private keys for mutual authentication when establishing TLS connections for this communication.

By default, AWS IoT Greengrass generates an RSA private key for you. To configure the core to use a different private key, you must provide the key path for the MQTTServerCertificate principal in config.json. You are responsible for rotating a customer-provided key.

Private Key Support
RSA Key EC Key
Key type Supported Supported
Key parameters Minimum 2048-bit length NIST P-256 or NIST P-384 curve
Disk format PKCS#1, PKCS#8 SECG1, PKCS#8
Minimum GGC version
  • Use default RSA key: 1.0

  • Specify an RSA key: 1.7

  • Specify an EC key: 1.9

The configuration of the private key determines related processes. For the list of cipher suites that the Greengrass core supports as a server, see TLS Cipher Suites Support.

If no private key is specified (default)
  • AWS IoT Greengrass rotates the key based on your rotation settings.

  • The core generates an RSA key, which is used to generate the certificate.

  • The MQTT server certificate has an RSA public key and an SHA-256 RSA signature.

If an RSA private key is specified (requires GGC v1.7 or later)
  • You are responsible for rotating the key.

  • The core uses the specified key to generate the certificate.

  • The RSA key must have a minimum length of 2048 bits.

  • The MQTT server certificate has an RSA public key and an SHA-256 RSA signature.

If an EC private key is specified (requires GGC v1.9 or later)
  • You are responsible for rotating the key.

  • The core uses the specified key to generate the certificate.

  • The EC private key must use an NIST P-256 or NIST P-384 curve.

  • The MQTT server certificate has an EC public key and an SHA-256 RSA signature.

    The MQTT server certificate presented by the core has an SHA-256 RSA signature, regardless of the key type. For this reason, clients must support SHA-256 RSA certificate validation to establish a secure connection with the core.

Secrets Manager

The local secrets manager securely manages local copies of secrets that you create in AWS Secrets Manager. It uses a private key to secure the data key that's used to encrypt the secrets. For more information, see Deploy Secrets to the AWS IoT Greengrass Core.

By default, the IoT client private key is used, but you can specify a different private key for the SecretsManager principal in config.json. Only the RSA key type is supported. For more information, see Specify the Private Key for Secret Encryption.

Note

Currently, AWS IoT Greengrass supports only the PKCS#1 v1.5 padding mechanism for encryption and decryption of local secrets when using hardware-based private keys. If you're following vendor-provided instructions to manually generate hardware-based private keys, make sure to choose PKCS#1 v1.5. AWS IoT Greengrass doesn't support Optimal Asymmetric Encryption Padding (OAEP).

Private Key Support
RSA Key EC Key
Key type Supported Not supported
Key parameters Minimum 2048-bit length Not applicable
Disk format PKCS#1, PKCS#8 Not applicable
Minimum GGC version 1.7 Not applicable

Managed Subscriptions in the MQTT Messaging Workflow

AWS IoT Greengrass uses a subscription table to define how MQTT messages can be exchanged between devices, functions, and connectors in a Greengrass group, and with AWS IoT Core or the local shadow service. Each subscription specifies a source, target, and MQTT topic (or subject) over which messages are sent or received. AWS IoT Greengrass allows messages to be sent from a source to a target only if a corresponding subscription is defined.

A subscription defines the message flow in one direction only, from the source to the target. To support two-way message exchange, you must create two subscriptions, one for each direction.

TLS Cipher Suites Support

AWS IoT Greengrass uses the AWS IoT Core transport security model to encrypt communication with the cloud by using TLS cipher suites. In addition, AWS IoT Greengrass data is encrypted when at rest (in the cloud). For more information about AWS IoT Core transport security and supported cipher suites, see Transport Security in the AWS IoT Core Developer Guide.

Supported Cipher Suites for Local Network Communication

As opposed to AWS IoT Core, the AWS IoT Greengrass core supports the following local network TLS cipher suites for certificate-signing algorithms. All of these cipher suites are supported when private keys are stored on the file system. A subset are supported when the core is configured to use hardware security modules (HSM). For more information, see AWS IoT Greengrass Core Security Principals and Hardware Security Integration. The table also includes the minimum version of AWS IoT Greengrass Core software required for support.

Cipher HSM Support Minimum GGC Version
TLSv1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA Supported 1.0
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA Supported 1.0
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 Supported 1.0
TLS_RSA_WITH_AES_128_CBC_SHA Not supported 1.0
TLS_RSA_WITH_AES_128_GCM_SHA256 Not supported 1.0
TLS_RSA_WITH_AES_256_CBC_SHA Not supported 1.0
TLS_RSA_WITH_AES_256_GCM_SHA384 Not supported 1.0
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 Supported 1.9
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 Supported 1.9
TLSv1.1 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA Supported 1.0
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA Supported 1.0
TLS_RSA_WITH_AES_128_CBC_SHA Not supported 1.0
TLS_RSA_WITH_AES_256_CBC_SHA Not supported 1.0
TLSv1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA Supported 1.0
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA Supported 1.0
TLS_RSA_WITH_AES_128_CBC_SHA Not supported 1.0
TLS_RSA_WITH_AES_256_CBC_SHA Not supported 1.0