3. Provision IoT devices and systems with unique identities and credentials
Provision IoT devices and systems with unique identities and credentials. Apply authentication and access control mechanisms at each system interface.
Strong identity controls are key to operational excellence. However, IoT implementation considerations around physical control of devices range widely. Therefore, not only is it important to ensure devices receive unique identities and credentials, but also that those credentials are appropriately protected on the device, and monitoring and automated remediation plans are put in place when there’s deviation from expected standards.
-
Assign unique identities to IoT devices such as X.509 certificates to each device. Monitor that the identity does not change on devices or that certificates are not reused.
-
Create mechanisms to facilitate the generation, distribution, rotation, and revocation of credentials.
-
When appropriate, use hardware-protected modules such as TPMs for storing credentials and performing authentication operations.
-
Avoid hardcoding credentials or storing secrets that are not unique to the device on IoT devices.
Supporting AWS resources
AWS provides the following assets, services, and capabilities to help you identify, sort, and secure your IoT assets:
-
Device manufacturing and provisioning with X.509 certificates in AWS IoT Core
– Goes over various mechanisms to securely provision identities to your IoT devices. -
AWS Certificate Manager
Private Certificate Authority – For provisioning your own certificates. -
Amazon Cognito – A service that provides authentication, authorization, and user management for your web and mobile apps.
-
AWS Identity and Access Management
(IAM) – A service that enables you to manage access to AWS services and resources securely. -
Device authentication and authorization for AWS IoT Greengrass
-
AWS Secrets Manager
– A service that can be used to securely store and manage secrets in the cloud and encrypts the secrets using AWS Key Management Service (AWS KMS). -
AWS KMS
– Allows you to easily create and control the keys used for cryptographic operations in the cloud.