Best Practice 3.1 - Implement authentication and authorization for users accessing IoT resources - IoT Lens Checklist


Authentication and authorization give end users secure access to connected IoT devices and equipment through channels such as web or mobile applications. Without valid authentication and authorization, devices are exposed to compromise and to malicious access attempts.

Recommendation 3.1.1 - Implement an identity store to authenticate users of your IoT application

Implement an identity and access management solution for end users. This solution should issue end users temporary, role-based credentials for accessing the connected devices. For example, you can use a service like Amazon Cognito to create user pools for authentication, or you can use Amazon Cognito's integration with SAML or OAuth 2.0 compliant identity providers for authentication. If you host your own identity store, use AWS IoT custom authorizers to validate tokens (such as JWT or SAML) when authenticating users.

Recommendation 3.1.2 - Enable users to be authorized with least privileged access

Authorization is the process of granting permissions to an authenticated identity. You grant permissions to your end users in AWS IoT Core using data plane and control plane IAM policies through the identity broker. The control plane API allows you to perform administrative tasks like creating or updating certificates, things, rules, and so on. The data plane API allows you to send data to and receive data from AWS IoT Core. For example, if you are using Amazon Cognito, use federated identities for user authentication. If you are using an identity broker other than Amazon Cognito, use AWS IoT custom authorizers to invoke Lambda functions that create the required IAM policies.

Recommendation 3.1.3 - Adopt least privilege when assigning user permissions

Adopt the least privilege principle and assign only the minimum required permissions to user roles. For example, with Amazon Cognito this can be achieved by setting up role-based access through IAM policies for authenticated users (think of consumers and admins) and unauthenticated users. Consumers and unauthenticated users should not be allowed to run destructive actions against IoT services, such as detaching policies, deleting a CA, or deleting a certificate.
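As an added example (not code from the IoT Lens checklist or from AWS), the following Python Lambda custom authorizer shows Recommendation 3.1.1 (validating a token issued by a self-hosted identity store) together with 3.1.2 and 3.1.3 (returning a least-privilege data-plane policy for that identity) in the response shape AWS IoT custom authorizers use. The HS256 signing key, the region and account ID, the `role` claim and the `users/<sub>/*` topic layout are assumptions.

```python
import base64, hashlib, hmac, json, time

DEMO_KEY = b"demo-shared-secret"                 # assumption: stands in for the IdP's signing key
IOT_ARN = "arn:aws:iot:us-east-1:123456789012"   # placeholder region and account

def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64u(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_demo_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    # Test helper only: builds an HS256 JWT the way the identity provider would issue it.
    head = _b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64u(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64u(sig)}"

def verify_jwt(token: str, key: bytes = DEMO_KEY) -> dict:
    """Return the claims only if alg is HS256, the HMAC matches and exp is in the future."""
    head, body, sig = token.split(".")           # ValueError unless exactly three parts
    if json.loads(_unb64u(head)).get("alg") != "HS256":   # rejects alg=none and key confusion
        raise ValueError("unsupported alg")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64u(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64u(body))
    if claims.get("exp", 0) <= time.time():
        raise ValueError("expired")
    return claims

def least_privilege_policy(user: str, role: str) -> dict:
    """Data-plane only: one client ID and the user's own topic prefix; admins may also publish there."""
    stmts = [
        {"Effect": "Allow", "Action": "iot:Connect", "Resource": f"{IOT_ARN}:client/{user}"},
        {"Effect": "Allow", "Action": ["iot:Subscribe", "iot:Receive"],
         "Resource": [f"{IOT_ARN}:topicfilter/users/{user}/*", f"{IOT_ARN}:topic/users/{user}/*"]},
    ]
    if role == "admin":   # still no iot:DetachPolicy or iot:DeleteCertificate: those stay control-plane
        stmts.append({"Effect": "Allow", "Action": "iot:Publish", "Resource": f"{IOT_ARN}:topic/users/{user}/*"})
    return {"Version": "2012-10-17", "Statement": stmts}

def handler(event: dict, context=None) -> dict:
    """Lambda entry point returning the AWS IoT custom authorizer response shape."""
    try:
        claims = verify_jwt(event.get("token", ""))
    except ValueError:
        return {"isAuthenticated": False, "principalId": "anonymous", "policyDocuments": []}
    return {"isAuthenticated": True, "principalId": claims["sub"],
            "disconnectAfterInSeconds": 3600, "refreshAfterInSeconds": 300,
            "policyDocuments": [least_privilege_policy(claims["sub"], claims.get("role", "consumer"))]}
```

A rejected token yields `isAuthenticated: false` with an empty policy list, so AWS IoT refuses the connection rather than falling back to a broader policy.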