Security best practices for AWS IoT SiteWise - AWS IoT SiteWise

Security best practices for AWS IoT SiteWise

This topic contains security best practices for AWS IoT SiteWise.

Use authentication credentials on your OPC-UA servers

Require authentication credentials to connect to your OPC-UA servers. Consult the documentation for your servers to do so. Then, to allow your gateway to connect to your OPC-UA servers, add server authentication secrets to your gateway. For more information, see Configuring source authentication.

Use encrypted communication modes for your OPC-UA servers

Choose a non-deprecated, encrypted message security mode when you configure your OPC-UA sources for your gateway. This helps secure your industrial data as it moves from your OPC-UA servers to the gateway. For more information, see Data in transit over the local network and Configuring data sources.
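The two recommendations above (credentials on the OPC-UA server, and a non-deprecated encrypted message security mode) can be checked mechanically against a gateway's source configuration before deployment. The audit below is an added example, not code from AWS IoT SiteWise or this guide; the sample configuration is constructed, and the field names `messageSecurityMode`, `securityPolicy` and `identityProvider` are assumed to match the gateway's OPC-UA source configuration, so verify them against your own gateway's configuration.

```python
import json
from typing import List

# Constructed sample of a gateway OPC-UA source configuration (not a real site).
# Field names are an assumption about the gateway's source configuration format.
SAMPLE_CONFIG = json.loads("""
{
  "sources": [
    {"name": "press-line-1", "endpoint": {
       "endpointUri": "opc.tcp://10.0.0.5:4840",
       "securityPolicy": "BASIC256_SHA256",
       "messageSecurityMode": "SIGN_AND_ENCRYPT",
       "identityProvider": {"type": "Username",
          "usernameSecretArn": "arn:aws:secretsmanager:REGION:ACCOUNT:secret:PLACEHOLDER"}}},
    {"name": "legacy-plc", "endpoint": {
       "endpointUri": "opc.tcp://10.0.0.6:4840",
       "securityPolicy": "BASIC128_RSA15",
       "messageSecurityMode": "SIGN",
       "identityProvider": {"type": "Anonymous"}}}
  ]
}
""")

# OPC-UA security policies deprecated by the OPC Foundation (SHA-1 / RSA PKCS#1 v1.5),
# plus "None", which provides no protection at all.
DEPRECATED_POLICIES = {"NONE", "BASIC128_RSA15", "BASIC256"}


def audit_sources(config: dict) -> List[str]:
    """Return one finding per weak setting; an empty list means every source passes."""
    findings = []
    for src in config.get("sources", []):
        name = src.get("name", "<unnamed>")
        ep = src.get("endpoint", {})
        mode = ep.get("messageSecurityMode", "NONE").upper()
        policy = ep.get("securityPolicy", "NONE").upper()
        idp = ep.get("identityProvider", {}).get("type", "Anonymous")
        # Only SIGN_AND_ENCRYPT protects data in transit on the local network.
        if mode != "SIGN_AND_ENCRYPT":
            findings.append(f"{name}: messageSecurityMode {mode} does not encrypt traffic")
        if policy in DEPRECATED_POLICIES:
            findings.append(f"{name}: securityPolicy {policy} is deprecated")
        # Anonymous access means the server is not requiring authentication credentials.
        if idp == "Anonymous":
            findings.append(f"{name}: identityProvider Anonymous; require server credentials")
    return findings


if __name__ == "__main__":
    for finding in audit_sources(SAMPLE_CONFIG):
        print("WARN", finding)
```

Run it against the configuration exported from your gateway; any line printed is a source that contradicts one of the two practices above.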

Keep your components up to date

If you use AWS IoT SiteWise gateways to ingest data to the service, it's your responsibility to configure and maintain your gateway's environment. This responsibility includes upgrading to the latest versions of the gateway's system software, AWS IoT Greengrass software, and connectors.

Note

The AWS IoT SiteWise Edge connector stores secrets on your file system. These secrets control who can view the data cached within your gateway. It's strongly recommended that you turn on disk or file-system encryption for the system running your gateway.

Encrypt your gateway's file system

Encrypt and secure your gateway, so your industrial data is secure as it moves through the gateway. If your gateway has a hardware security module, you can configure AWS IoT Greengrass to secure your gateway. For more information, see Hardware security integration in the AWS IoT Greengrass Version 1 Developer Guide. Otherwise, consult the documentation for your operating system to learn how to encrypt and secure your file system.

Secure access to your edge configuration

Don't share your edge console application password or your SiteWise Monitor application password. Don't put these passwords in places where anyone can see them. Implement a healthy password rotation policy by configuring an appropriate expiration for your passwords.

Grant SiteWise Monitor users minimum possible permissions

Follow the principle of least privilege by using the minimum set of access policy permissions for your portal users.

  • When you create a portal, define a role that allows the minimum set of assets needed for that portal. For more information, see Using service roles for AWS IoT SiteWise Monitor.

  • When you and your portal administrators create and share projects, use the minimum set of assets needed for that project.

  • When an identity no longer needs access to a portal or project, remove them from that resource. If that identity is no longer applicable to your organization, delete that identity from your identity store.

The principle of least privilege also applies to IAM roles. For more information, see Policy best practices.

Don't expose sensitive information

You should prevent the logging of credentials and other sensitive information, such as personally identifiable information (PII). We recommend that you implement the following safeguards even though access to local logs on a gateway requires root privileges and access to CloudWatch Logs requires IAM permissions.

  • Don't use sensitive information in names, descriptions, or properties of your assets or models.

  • Don't use sensitive information in gateway or source names.

  • Don't use sensitive information in names or descriptions of your portals, projects, or dashboards.

Follow AWS IoT Greengrass security best practices

Follow AWS IoT Greengrass security best practices for your gateway. For more information, see Security best practices in the AWS IoT Greengrass Version 1 Developer Guide.

See also