Best Practice 4.2 – Alert when security events, misconfigurations, and behavior violations are detected - IoT Lens Checklist

Best Practice 4.2 – Alert when security events, misconfigurations, and behavior violations are detected

Audit the configuration of your devices, and detect and alert when a device's behavior differs from its expected behavior. Doing so provides visibility into operational data that can indicate security issues active in the device fleet.

Recommendation 4.2.1 – Enable metrics to detect security events from the data plane

Create a threat model to identify the events that security vulnerabilities or device compromises would produce, then detect those events based on configured rules or Machine Learning (ML) models. For example, create a security profile in AWS IoT Device Defender that detects unusual device behavior that may indicate a compromise, by continuously monitoring high-value security metrics from the device and from AWS IoT Core. You specify normal device behavior for a group of devices by setting up behaviors (rules) for these metrics. AWS IoT Device Defender evaluates each datapoint reported for these metrics against the user-defined behaviors (rules) and alerts you if an anomaly is detected. When you use ML Detect, the feature uses machine learning to set the expected device behaviors automatically and monitors device activity against them.

Recommendation 4.2.2 – Enable auditing to check misconfigurations

Enable auditing to check for misconfigurations on a regular basis. Audit your device-related resources such as X.509 certificates, permissions, and Client IDs. Additionally, check for configurations that are out of compliance with security best practices, such as multiple devices using the same identity, or overly permissive policies that allow one device to read and update data for many other devices.

Recommendation 4.2.3 – Ensure alerting on a behavior violation

Enable alarms or notifications when device behavior is anomalous according to configured rules or ML models. For example, AWS IoT Device Defender alerts you, including the metric datapoint reported by the device, when an ML model flags that datapoint as anomalous. This removes the need for you to define accurate behaviors for your devices yourself and helps you start monitoring more quickly and easily.
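As an added example (not from the IoT Lens or from AWS) serving Recommendations 4.2.1 and 4.2.3 together, the block below defines rule-based behaviors in the shape that `aws iot create-security-profile --behaviors file://behaviors.json` accepts, then replays constructed metric datapoints through a small local evaluator to show when each alarm would be raised. The evaluator is an assumption that approximates the service's consecutive-datapoint alarm logic for a few operators; it is not Device Defender code, and the thresholds, CIDRs and datapoints are constructed.

```python
import ipaddress

# Security profile behaviors in the shape `aws iot create-security-profile
# --behaviors file://behaviors.json` accepts. Thresholds are constructed.
BEHAVIORS = [
    {"name": "AuthFailures", "metric": "aws:num-authorization-failures",
     "criteria": {"comparisonOperator": "less-than-equals",
                  "value": {"count": 5}, "durationSeconds": 300,
                  "consecutiveDatapointsToAlarm": 2,
                  "consecutiveDatapointsToClear": 1}},
    {"name": "SourceIp", "metric": "aws:source-ip-address",
     "criteria": {"comparisonOperator": "in-cidr-set",
                  "value": {"cidrs": ["10.0.0.0/8"]},
                  "consecutiveDatapointsToAlarm": 1,
                  "consecutiveDatapointsToClear": 1}},
    {"name": "ListeningPorts", "metric": "aws:listening-tcp-ports",
     "criteria": {"comparisonOperator": "in-port-set",
                  "value": {"ports": [8883]},
                  "consecutiveDatapointsToAlarm": 1,
                  "consecutiveDatapointsToClear": 1}},
]

def in_compliance(criteria, observed):
    """True when a single datapoint satisfies the behavior's criteria."""
    op, value = criteria["comparisonOperator"], criteria["value"]
    if op == "less-than-equals":
        return observed <= value["count"]
    if op == "in-cidr-set":
        ip = ipaddress.ip_address(observed)
        return any(ip in ipaddress.ip_network(c) for c in value["cidrs"])
    if op == "in-port-set":
        return set(observed) <= set(value["ports"])
    raise ValueError(f"unsupported operator {op}")

def evaluate(behaviors, reports):
    """Local simulation (an assumption, not the service): reports are datapoints
    in time order keyed by metric; returns names reaching consecutiveDatapointsToAlarm."""
    streak = {b["name"]: 0 for b in behaviors}
    alarms = []
    for report in reports:
        for b in behaviors:
            if b["metric"] not in report:
                continue
            name, crit = b["name"], b["criteria"]
            ok = in_compliance(crit, report[b["metric"]])
            streak[name] = 0 if ok else streak[name] + 1
            if streak[name] == crit["consecutiveDatapointsToAlarm"]:
                alarms.append(name)
    return alarms
```

Note that a single out-of-range authorization-failure datapoint does not alarm because that behavior requires two consecutive violations, which is how `consecutiveDatapointsToAlarm` suppresses one-off noise.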