Best Practice 6.1 – Perform certificate lifecycle management - IoT Lens Checklist


A certificate lifecycle includes several phases: creation, activation, rotation, and revocation or expiry. Put an automated workflow in place to identify certificates that need attention and to trigger the corresponding remediation actions.

Recommendation 6.1.1 – Document your plan for managing certificates

As explained earlier, X.509 certificates help establish the identity of devices and enable encrypted traffic from the edge to the cloud, so planning the lifecycle management of device certificates is essential. Enable auditing and monitoring for compromise or expiration of your device certificates. Determine how frequently you need to rotate device certificates, and audit cloud- and device-side configurations and permissions to ensure that security measures are in place. For example, use AWS IoT Device Defender to monitor the health of device certificates and the configurations across your fleet. AWS IoT Device Defender can work in conjunction with AWS IoT Jobs to help rotate expired or compromised certificates.

Recommendation 6.1.2 – Use certificates signed by your trusted intermediate CA for on-boarding devices

As a best practice, the root CA must be locked down and protected to secure the chain of trust, and device certificates should be issued from an intermediate CA. Define a process to programmatically manage the intermediate CA certificates as well. For example, enable AWS IoT Device Defender Audit to report on intermediate CAs that have been revoked while device certificates issued by them remain active, or on CA certificates of low quality. You can then use a security automation workflow built on Device Defender mitigation actions to resolve the findings.
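The automated lifecycle workflow from the introduction to Best Practice 6.1 and the revoked-intermediate-CA check from Recommendation 6.1.2, as an added example that is not part of the checklist or of any AWS service: a plain-Python policy evaluator over a constructed certificate inventory. The record fields, CA names and certificate IDs are assumptions, not an AWS IoT API shape; in a real fleet the records would be populated from your registry and the actions dispatched as AWS IoT Jobs.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class CaRecord:
    name: str
    is_root: bool
    revoked: bool

@dataclass
class CertRecord:
    cert_id: str
    issuer: str        # name of the CA that signed this device certificate
    issued_at: datetime
    not_after: datetime
    active: bool

def plan_actions(certs, cas, now, rotate_every=timedelta(days=365), warn_before=timedelta(days=30)):
    """Map each active device certificate to one remediation action, checked in priority order:
    deactivate-and-replace (expired, issuer unknown or issuer CA revoked),
    reissue-from-intermediate (signed directly by the root CA, Recommendation 6.1.2),
    rotate-now (older than rotate_every or expiring within warn_before), or ok."""
    ca_by_name = {ca.name: ca for ca in cas}
    actions = {}
    for c in certs:
        if not c.active:
            continue  # already-disabled certificates are outside the rotation workflow
        ca = ca_by_name.get(c.issuer)
        if c.not_after <= now or ca is None or ca.revoked:
            actions[c.cert_id] = "deactivate-and-replace"
        elif ca.is_root:
            actions[c.cert_id] = "reissue-from-intermediate"
        elif now - c.issued_at >= rotate_every or c.not_after - now <= warn_before:
            actions[c.cert_id] = "rotate-now"
        else:
            actions[c.cert_id] = "ok"
    return actions

# Constructed sample inventory (not real fleet data); a fixed clock keeps the result reproducible.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_CAS = [CaRecord("root-ca", True, False), CaRecord("int-ca-1", False, False),
              CaRecord("int-ca-old", False, True)]
SAMPLE_CERTS = [
    CertRecord("dev-1", "int-ca-1", NOW - timedelta(days=30), NOW + timedelta(days=700), True),
    CertRecord("dev-2", "int-ca-1", NOW - timedelta(days=400), NOW + timedelta(days=330), True),
    CertRecord("dev-3", "int-ca-1", NOW - timedelta(days=100), NOW + timedelta(days=10), True),
    CertRecord("dev-4", "int-ca-old", NOW - timedelta(days=50), NOW + timedelta(days=680), True),
    CertRecord("dev-5", "root-ca", NOW - timedelta(days=5), NOW + timedelta(days=725), True),
    CertRecord("dev-6", "int-ca-1", NOW - timedelta(days=800), NOW - timedelta(days=70), False),
]
```

Calling `plan_actions(SAMPLE_CERTS, SAMPLE_CAS, NOW)` yields one action per active certificate; the inactive `dev-6` is skipped, and the revoked intermediate and the root-signed certificate are reported ahead of ordinary rotation.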

Recommendation 6.1.3 – Secure provisioning claim private keys, disable the certificate in case of misuse, and record the event for further investigation

  • Monitor provisioning claim private keys at all times, including on the device.

  • For example:

    • Use CloudWatch metrics and logs for AWS IoT to monitor for indications of misuse. If you detect misuse, disable the provisioning claim certificate so it can no longer be used for device provisioning.

    • Use AWS IoT Device Defender to identify security issues and deviations from best practices.

  • For more:

    • https://docs.aws.amazon.com/iot/latest/developerguide/vulnerability-analysis-and-management.html

    • https://aws.amazon.com/blogs/iot/just-in-time-registration-of-device-certificates-on-aws-iot/