Best Practice 25.4 – Use data-driven auditing metrics to detect if any of your IoT devices might have been broadly accessed
Monitor for abnormal usage patterns and possible misuse of devices, and automate the quarantine steps. Programmatic methods to detect devices and quarantine them from interacting with cloud resources let teams operate a fleet at scale while minimizing the dependency on active human monitoring.
Recommendation 25.4.1 – Validate and secure the manufacturer-provided list of allowed devices
- Validate the list of devices that the manufacturer shared to ensure it has not been tampered with. Ensure that the list is encrypted, securely stored, and can only be accessed by the services and users that need it. Even if the list changes, keep the original list securely stored.
Recommendation 25.4.2 – Use monitoring and logging services to detect anomalous behavior
- Once you detect a compromised device, run programmatic actions to quarantine it.
- Disable the certificate while the device is investigated, and revoke the certificate to prevent the device from any future use.
Example:
- Use AWS IoT CloudWatch metrics and logs to monitor for indications of misuse. If you detect misuse, quarantine the device so it does not impact the rest of the platform.
- Use AWS IoT Device Defender to identify security issues and deviations from best practices.
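The detect-then-quarantine loop described under Recommendation 25.4.2, as an added example that is not part of the original document. The per-device publish counts are constructed, and `FakeIotClient` is a constructed stand-in for `boto3.client("iot")` that records calls instead of reaching AWS; the method names it mimics (`list_thing_principals`, `list_attached_policies`, `detach_policy`, `update_certificate`, `add_thing_to_thing_group`) are the real AWS IoT control-plane operations, and the thing group name `Quarantine` is an assumption.

```python
"""Flag devices whose publish volume is far outside the fleet baseline, then
quarantine them: deactivate (not yet revoke) their certificates, detach their
policies, and move them to a quarantine thing group. Revocation is a separate,
final step taken once the investigation is done."""
from statistics import median
from typing import Dict, List

# Constructed sample: messages published per device in consecutive 5-minute windows.
SAMPLE_METRICS: Dict[str, List[int]] = {
    "sensor-001": [12, 11, 13, 12, 14, 12],
    "sensor-002": [10, 12, 11, 10, 11, 12],
    "sensor-003": [11, 13, 12, 12, 11, 13],
    "sensor-004": [12, 12, 11, 13, 12, 380],  # latest window ~30x the fleet norm
}


def fleet_baseline(metrics: Dict[str, List[int]]):
    """Median and median absolute deviation of the latest window across the fleet.
    Both are robust statistics, so one runaway device does not inflate the baseline."""
    latest = [series[-1] for series in metrics.values()]
    med = median(latest)
    mad = median(abs(x - med) for x in latest)
    return med, mad


def anomalous_devices(metrics: Dict[str, List[int]], k: float = 10.0, floor: float = 5.0) -> List[str]:
    """Devices whose latest window exceeds median + k * max(MAD, floor).
    `floor` keeps a very quiet fleet (MAD near 0) from flagging normal jitter."""
    med, mad = fleet_baseline(metrics)
    threshold = med + k * max(mad, floor)
    return sorted(name for name, series in metrics.items() if series[-1] > threshold)


class FakeIotClient:
    """Constructed stand-in for boto3.client('iot'): same method names and
    keyword arguments, but it only records what a real quarantine would call."""

    def __init__(self, principals: Dict[str, List[str]], policies: Dict[str, List[str]]):
        self._principals = principals  # thingName -> [certificate ARNs]
        self._policies = policies      # certificate ARN -> [policy names]
        self.calls = []

    def list_thing_principals(self, thingName):
        self.calls.append(("list_thing_principals", thingName))
        return {"principals": list(self._principals.get(thingName, []))}

    def list_attached_policies(self, target):
        self.calls.append(("list_attached_policies", target))
        return {"policies": [{"policyName": p} for p in self._policies.get(target, [])]}

    def detach_policy(self, policyName, target):
        self.calls.append(("detach_policy", policyName, target))
        return {}

    def update_certificate(self, certificateId, newStatus):
        self.calls.append(("update_certificate", certificateId, newStatus))
        return {}

    def add_thing_to_thing_group(self, thingGroupName, thingName):
        self.calls.append(("add_thing_to_thing_group", thingGroupName, thingName))
        return {}


def certificate_id(cert_arn: str) -> str:
    """arn:aws:iot:REGION:ACCOUNT:cert/<id> -> <id> (update_certificate wants the id)."""
    return cert_arn.rsplit("/", 1)[-1]


def quarantine_device(iot, thing_name: str, quarantine_group: str = "Quarantine") -> List[str]:
    """Cut the device off without destroying evidence: set each certificate
    INACTIVE, detach its policies, and tag the thing for investigation.
    Returns the certificate ARNs that were deactivated."""
    deactivated = []
    for cert_arn in iot.list_thing_principals(thingName=thing_name)["principals"]:
        iot.update_certificate(certificateId=certificate_id(cert_arn), newStatus="INACTIVE")
        # Real list_attached_policies pages with nextMarker; the sample fits in one page.
        for policy in iot.list_attached_policies(target=cert_arn)["policies"]:
            iot.detach_policy(policyName=policy["policyName"], target=cert_arn)
        deactivated.append(cert_arn)
    iot.add_thing_to_thing_group(thingGroupName=quarantine_group, thingName=thing_name)
    return deactivated


def revoke_device_certificates(iot, thing_name: str) -> List[str]:
    """Final step after investigation: REVOKED cannot be switched back to ACTIVE."""
    revoked = []
    for cert_arn in iot.list_thing_principals(thingName=thing_name)["principals"]:
        iot.update_certificate(certificateId=certificate_id(cert_arn), newStatus="REVOKED")
        revoked.append(cert_arn)
    return revoked


def sweep(metrics: Dict[str, List[int]], iot) -> Dict[str, List[str]]:
    """One automated pass: detect, then quarantine every flagged device."""
    return {name: quarantine_device(iot, name) for name in anomalous_devices(metrics)}


def build_sample_client() -> FakeIotClient:
    """Constructed fleet registry matching SAMPLE_METRICS (account id is the AWS doc placeholder)."""
    cert = "arn:aws:iot:us-east-1:123456789012:cert/abc123"
    return FakeIotClient({"sensor-004": [cert]}, {cert: ["DevicePolicy"]})


if __name__ == "__main__":
    client = build_sample_client()
    print("quarantined:", sweep(SAMPLE_METRICS, client))
    for call in client.calls:
        print("  ", call)
```

In production the same `sweep` runs on a schedule with `boto3.client("iot")` passed in place of the fake, and the metric dictionary is filled from the CloudWatch statistics for each thing; keeping detection and quarantine as pure functions over an injected client is what makes the loop testable without touching the live fleet.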
For more: