Security best practices for AWS IoT RoboRunner - AWS IoT RoboRunner

Security best practices for AWS IoT RoboRunner

This section contains security best practices for AWS IoT RoboRunner. For additional information, see Ten security golden rules for IoT solutions.

Use encrypted communication modes for your servers

Choose a non-deprecated, encrypted message security mode when you configure your AWS IoT RoboRunner sources. This helps secure your industrial data as it moves from your AWS IoT RoboRunner servers to the gateway. For more information, see Data protection in AWS IoT RoboRunner.

Keep your components up to date

If you use the AWS IoT RoboRunner gateway to ingest data to the service, it's your responsibility to conīŦgure and maintain your gateway environment. This responsibility includes upgrading to the latest versions of the gateway system software, AWS IoT Greengrass software, and connectors.

Encrypt your gateway file system

Encrypt and secure your gateway so your industrial data is secure as it moves through the gateway. If your gateway has a hardware security module, you can configure AWS IoT Greengrass to secure your gateway. For more information, see Hardware security integration in the AWS IoT Greengrass Version 2 Developer Guide. Otherwise, consult the documentation for your operating system to learn how to encrypt and secure your file system.

Grant users minimum possible permissions

Follow the principle of least privilege by using the minimum set of access policy permissions for your console users. Keep the following best practices in mind.

  • When you create a portal, define a role that allows the minimum set of assets needed for that portal.

  • When you and your portal administrators create and share projects, use the minimum set of assets needed for that project.

  • When an identity no longer needs access to a portal or project, remove them from that resource.

  • If an identity is no longer applicable to your organization, delete the identity from your identity store.

The least principle best practice also applies to IAM roles. For more information, see Identity-based policy examples for AWS IoT RoboRunner.

Don't expose sensitive information

You should prevent the logging of credentials and other sensitive information, such as personally identifiable information (PII). We recommend that you implement the following safeguards, even though access to local logs on a gateway requires root privileges and access to CloudWatch logs requires IAM permissions.

  • Don't use sensitive information in names, descriptions, or properties of your resources.

  • Don't use sensitive information in gateway or source names.

  • Don't use sensitive information in names or descriptions of your portals, projects, or dashboards.

Follow AWS IoT Greengrass security best practices

Follow AWS IoT Greengrass security best practices for your gateway. For additional information, see Security best practices for AWS IoT Greengrass in the AWS IoT Greengrass Developer Guide.