Grant minimum possible permissions Don't hardcode credentials in Greengrass components Don't log sensitive information Keep your device clock in sync Cipher Suite Recommendations See also

Security best practices for AWS IoT Greengrass

This topic contains security best practices for AWS IoT Greengrass.

Grant minimum possible permissions

Follow the principle of least privilege for your components by running them as unprivileged users. Components should not run as root unless it is absolutely necessary.

Use the minimum set of permissions in IAM roles. Limit the use of the * wildcard for the Action and Resource properties in your IAM policies. Instead, declare a finite set of actions and resources when possible. For more information about least privilege and other policy best practices, see Policy best practices.

The least privilege best practice also applies to AWS IoT policies you attach to your Greengrass core.

Don't hardcode credentials in Greengrass components

Don't hardcode credentials in your user-defined Greengrass components. To better protect your credentials:

To interact with AWS services, define permissions for specific actions and resources in the Greengrass core device service role.
Use the secret manager component to store your credentials. Or, if the function uses the AWS SDK, use credentials from the default credential provider chain.

Don't log sensitive information

You should prevent the logging of credentials and other personally identifiable information (PII). We recommend that you implement the following safeguards even though access to local logs on a core device requires root privileges and access to CloudWatch Logs requires IAM permissions.

Don't use sensitive information in MQTT topic paths.
Don't use sensitive information in device (thing) names, types, and attributes in the AWS IoT Core registry.
Don't log sensitive information in your user-defined Greengrass components or Lambda functions.
Don't use sensitive information in the names and IDs of Greengrass resources:
- Core devices
- Components
- Deployments
- Loggers

Keep your device clock in sync

It's important to have an accurate time on your device. X.509 certificates have an expiry date and time. The clock on your device is used to verify that a server certificate is still valid. Device clocks can drift over time or batteries can get discharged.

For more information, see the Keep your device's clock in sync best practice in the AWS IoT Core Developer Guide.

Cipher Suite Recommendations

Greengrass default selects the latest TLS Cipher Suites available on the device. Consider disabling the use of legacy cipher suites on the device. For example, CBC cipher suites.

For more information, see the Java Cryptography Configuration.