6 – Manage device certificate lifecycles
How do you manage device certificates, including installation, validation, revocation, and rotation?

To protect and encrypt data in transit from an IoT device to the cloud, most IoT brokers support TLS-based mutual authentication using X.509 certificates. Device makers must provision a unique identity, consisting of a unique private key and its X.509 certificate, into each device. Certificates are long-lived credentials and are managed using a customer-owned Certificate Authority (CA), a third-party CA, or the AWS IoT CA. Whichever CA you choose must give you the ability to validate, activate, deactivate, and rotate certificates, so that a compromised or expiring certificate can be replaced while the device keeps a working identity.
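The lifecycle described above, as an added example that is not part of the original page or of AWS IoT: a Go program using only the standard library's crypto/x509, with a hypothetical in-memory CA (`DeviceCA`) standing in for a customer-owned CA. It covers each step the question asks about: install (`IssueDeviceCert` signs a key the device generated for itself), validate (`Validate`, the check a broker performs at connect time, including the CRL checks), revoke (`RevokeCerts` publishes a CA-signed CRL), and rotate (`NeedsRotation` flags the window before expiry). Every name, the 90-day certificate lifetime used by callers, and the 24-hour CRL validity are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DeviceCA is a hypothetical in-memory issuing CA standing in for a customer-owned CA (example only, not the AWS IoT CA).
type DeviceCA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewDeviceKey is the key pair a device generates for itself (on real hardware inside the device, so the private key never leaves it).
func NewDeviceKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// signCert builds a certificate from tmpl, signs it with parent/parentKey and re-parses the DER.
func signCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewDeviceCA creates a self-signed CA that may sign certificates and CRLs (CreateRevocationList requires KeyUsageCRLSign).
func NewDeviceCA() (*DeviceCA, error) {
	key, err := NewDeviceKey()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Device CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	cert, err := signCert(tmpl, tmpl, &key.PublicKey, key)
	return &DeviceCA{Cert: cert, Key: key}, err // caller must check err before using the CA
}

// IssueDeviceCert ("install"): sign the device's public key into a client-auth certificate with a random 128-bit serial.
func (ca *DeviceCA) IssueDeviceCert(deviceID string, pub *ecdsa.PublicKey, lifetime time.Duration) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	return signCert(&x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: deviceID}, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(lifetime), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca.Cert, pub, ca.Key)
}

// RevokeCerts ("revoke"): publish a CA-signed CRL listing the given serials (none means nothing is revoked);
// crlNumber must increase with every CRL issued so that a replayed older CRL is detectable.
func (ca *DeviceCA) RevokeCerts(crlNumber int64, serials ...*big.Int) ([]byte, error) {
	now := time.Now()
	tmpl := &x509.RevocationList{Number: big.NewInt(crlNumber), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, s := range serials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca.Cert, ca.Key)
}

// Validate ("validate", what the broker does at connect time): chain to the trusted CA, client-auth EKU and validity at
// time at; the CRL must parse, be CA-signed, not be stale and not list the serial. A missing or stale CRL is a failure.
func (ca *DeviceCA) Validate(cert *x509.Certificate, crlDER []byte, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("unusable CRL: %w", err)
	}
	if err := crl.CheckSignatureFrom(ca.Cert); err != nil {
		return fmt.Errorf("CRL not signed by the trusted CA: %w", err)
	}
	if at.After(crl.NextUpdate) {
		return fmt.Errorf("CRL is stale (nextUpdate %s)", crl.NextUpdate.Format(time.RFC3339))
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %v is revoked", cert.SerialNumber)
		}
	}
	return nil
}

// NeedsRotation ("rotate"): true once at is inside the last window of the certificate's life, so the replacement is installed while the old one still works.
func NeedsRotation(cert *x509.Certificate, at time.Time, window time.Duration) bool {
	return at.After(cert.NotAfter.Add(-window))
}
```

Two points the code is built around: the device's private key is generated by the device and never handed to the CA, which only ever sees the public key; and a CRL that is missing, unsigned, or past its nextUpdate makes validation fail rather than being read as "nothing is revoked". Rotation is triggered while the old certificate still authenticates, so a device is never left without a working identity; revoke the old certificate only once the new one is confirmed installed.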
Follow the best practices and check if your workload is well-architected.
| | ID | Priority | Best Practice |
|---|---|---|---|
| ☐ | BP 6.1 | Required | Perform certificate lifecycle management |
For more details, see the following links and information.
- The Internet of Things on AWS – Automating Security Remediation Using AWS IoT Device Defender
- The Internet of Things on AWS – Detect anomalies on connected devices using AWS IoT Device Defender
- The Internet of Things on AWS – Using Device Time to Validate AWS IoT Server Certificates
- AWS re:Invent 2019: Designing secure IoT solutions from the edge to cloud
- Manage Security of Your IoT Devices with AWS IoT Device Defender - AWS Online Tech Talks