Key management in AWS IoT

All connections to AWS IoT are done using TLS, so no client-side encryption keys are necessary for the initial TLS connection.

Devices must authenticate using an X.509 certificate or an Amazon Cognito Identity. You can have AWS IoT generate a certificate for you, in which case it will generate a public/private key pair. If you are using the AWS IoT console you will be prompted to download the certificate and keys. If you are using the create-keys-and-certificate CLI command, the certificate and keys are returned by the CLI command. You are responsible for copying the certificate and private key onto your device and keeping it safe.

AWS IoT does not currently support customer-managed AWS KMS keys (KMS keys) from AWS Key Management Service (AWS KMS); however, Device Advisor and AWS IoT Wireless use only an AWS owned key to encrypt customer data.

Device Advisor

All data sent to Device Advisor when using the AWS APIs is encrypted at rest. Device Advisor encrypts all of your data at rest using KMS keys stored and managed in AWS Key Management Service. Device Advisor encrypts your data using AWS owned keys. For more information about AWS owned keys, see AWS owned keys.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Data encryption

Identity and access management