Key management in AWS IoT

All connections to AWS IoT are done using TLS, so no client-side encryption keys are necessary for the initial TLS connection.

Devices must authenticate using an X.509 certificate or an Amazon Cognito Identity. You can have AWS IoT generate a certificate for you, in which case it also generates a public/private key pair. If you are using the AWS IoT console, you will be prompted to download the certificate and keys. If you are using the create-keys-and-certificate CLI command, the certificate and keys are returned in the command's output. You are responsible for copying the certificate and private key onto your device and keeping them safe.
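An added example (not from the AWS documentation) of the last step above: storing the response of create-keys-and-certificate on the device so the private key is readable only by its owner and is never echoed back. The response field names (certificatePem, keyPair.PrivateKey, keyPair.PublicKey, certificateId) match the API; the PEM bodies, file names and directory are constructed placeholders.

```python
import os
import stat
import tempfile
from pathlib import Path

# Field names follow the CreateKeysAndCertificate response; values are constructed placeholders.
SAMPLE_RESPONSE = {
    "certificateId": "EXAMPLEID",
    "certificatePem": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n",
    "keyPair": {
        "PublicKey": "-----BEGIN PUBLIC KEY-----\nPLACEHOLDER\n-----END PUBLIC KEY-----\n",
        "PrivateKey": "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n",
    },
}

def store_device_credentials(response: dict, dest_dir: str) -> dict:
    """Write certificate, public key and private key into dest_dir.
    The private key is created 0600 at open time so it is never readable by
    other local users; the key material itself is not returned or logged.
    """
    dest = Path(dest_dir)
    dest.mkdir(mode=0o700, parents=True, exist_ok=True)
    try:
        files = (
            ("device.pem.crt", response["certificatePem"], 0o644),
            ("public.pem.key", response["keyPair"]["PublicKey"], 0o644),
            ("private.pem.key", response["keyPair"]["PrivateKey"], 0o600),
        )
    except KeyError as exc:
        raise ValueError(f"incomplete CreateKeysAndCertificate response: {exc}")
    paths = {"certificateId": response.get("certificateId", "")}
    for name, body, mode in files:
        path = dest / name
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
        with os.fdopen(fd, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)  # umask or a pre-existing file must not widen it
        paths[name] = str(path)
    return paths

def private_key_mode_ok(path: str) -> bool:
    """True when group and others have no access bits on the private key file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0

def demo() -> dict:
    paths = store_device_credentials(SAMPLE_RESPONSE, tempfile.mkdtemp())
    paths["private_key_mode_ok"] = private_key_mode_ok(paths["private.pem.key"])
    return paths
```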

AWS IoT does not currently support customer-managed customer master keys (CMKs) from AWS Key Management Service (AWS KMS); however, Device Advisor and AWS IoT Wireless use only an AWS KMS owned customer master key (AOCMK) to encrypt customer data.

Device Advisor

All data sent to Device Advisor through the AWS APIs is encrypted at rest. Device Advisor encrypts that data with customer master keys (CMKs) that are stored and managed in AWS Key Management Service, and the keys it uses are AWS-owned CMKs. For more information about AWS-owned customer master keys, see AWS-owned CMKs.