Security best practices in AWS IoT Core - AWS IoT Core


Security best practices in AWS IoT Core

This section contains information about security best practices for AWS IoT Core. For more information, see Ten security golden rules for IoT solutions.

Protecting MQTT connections in AWS IoT

AWS IoT Core is a managed cloud service that makes it possible for connected devices to interact with cloud applications and other devices easily and securely. AWS IoT Core supports HTTP, WebSocket, and MQTT, a lightweight communication protocol specifically designed to tolerate intermittent connections. If you are connecting to AWS IoT using MQTT, each of your connections must be associated with an identifier known as a client ID. The MQTT client ID uniquely identifies an MQTT connection. If a new connection is established using a client ID that is already claimed by another connection, the AWS IoT message broker drops the old connection to allow the new one. Client IDs must be unique within each AWS account and each AWS Region, so you don't need to enforce global uniqueness of client IDs outside of your AWS account or across Regions within your account.

The impact and severity of dropped MQTT connections on a device fleet depend on many factors, including:

  • Your use case (for example, the data your devices send to AWS IoT, how much data, and the frequency at which the data is sent).

  • Your MQTT client configuration (for example, auto-reconnect settings, the associated back-off timing, and the use of MQTT persistent sessions).

  • Device resource constraints.

  • The root cause of the disconnection, whether it was deliberate, and how persistent it is.

To avoid client ID conflicts and their potential negative impacts, make sure that each device or mobile application has an AWS IoT or IAM policy that restricts which client IDs can be used for MQTT connections to the AWS IoT message broker. For example, you can use an IAM policy to prevent a device from unintentionally closing another device's connection by using a client ID that is already in use. For more information, see Authorization.

All devices in your fleet must have credentials with privileges that authorize intended actions only, which include (but are not limited to) AWS IoT MQTT actions such as publishing messages or subscribing to topics with specific scope and context. The specific permission policies vary by use case; determine the permission policies that best meet your business and security requirements.

To simplify creation and management of permission policies, you can use AWS IoT Core policy variables and IAM policy variables. Policy variables are placed in a policy and, when the policy is evaluated, are replaced by values taken from the device's request. With policy variables you can create a single policy that grants permissions to multiple devices. You can identify the relevant policy variables for your use case based on your AWS IoT account configuration, the authentication mechanism, and the network protocol used to connect to the AWS IoT message broker. However, to write the best permission policies, consider the specifics of your use case and threat model.

For example, if you registered your devices in the AWS IoT registry, you can use thing policy variables in AWS IoT policies to grant or deny permissions based on thing properties like thing names, thing types, and thing attribute values. The thing name is obtained from the client ID in the MQTT connect message sent when a thing connects to AWS IoT. The thing policy variables are replaced when a thing connects to AWS IoT over MQTT using TLS mutual authentication or MQTT over the WebSocket protocol using authenticated Amazon Cognito identities. You can use the AttachThingPrincipal API to attach certificates and authenticated Amazon Cognito identities to a thing. iot:Connection.Thing.ThingName is a useful thing policy variable to enforce client ID restrictions. The following example AWS IoT policy requires a registered thing's name to be used as the client ID for MQTT connections to the AWS IoT message broker:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": [
        "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"
      ]
    }
  ]
}

If you want to identify ongoing client ID conflicts, you can enable and use CloudWatch Logs for AWS IoT. For every MQTT connection that the AWS IoT message broker disconnects due to client ID conflicts, a log record similar to the following is generated:

{
  "timestamp": "2019-04-28 22:05:30.105",
  "logLevel": "ERROR",
  "traceId": "02a04a93-0b3a-b608-a27c-1ae8ebdb032a",
  "accountId": "123456789012",
  "status": "Failure",
  "eventType": "Disconnect",
  "protocol": "MQTT",
  "clientId": "clientId01",
  "principalId": "1670fcf6de55adc1930169142405c4a2493d9eb5487127cd0091ca0193a3d3f6",
  "sourceIp": "203.0.113.1",
  "sourcePort": 21335,
  "reason": "DUPLICATE_CLIENT_ID",
  "details": "A new connection was established with the same client ID"
}

You can use a CloudWatch Logs filter pattern such as { $.reason = "DUPLICATE_CLIENT_ID" } to search for instances of client ID conflicts, or to set up CloudWatch metric filters and corresponding CloudWatch alarms for continuous monitoring and reporting.

You can use AWS IoT Device Defender to identify overly permissive AWS IoT and IAM policies. AWS IoT Device Defender also provides an audit check that notifies you if multiple devices in your fleet are connecting to the AWS IoT message broker using the same client ID.
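The following is an added example, not code from the AWS documentation. It applies the same selection as the CloudWatch filter pattern above ({ $.reason = "DUPLICATE_CLIENT_ID" }) to raw log lines, then groups the hits by client ID and by the principal (certificate ID) that used it, so that a client ID claimed by more than one identity, the condition the Device Defender audit check reports, stands out from a single device that keeps displacing itself. The log lines, the second principal ID and the source IPs are constructed to mirror the record format shown on this page.

```python
"""Detect MQTT client ID conflicts in AWS IoT CloudWatch log records.

Added example (not from the AWS documentation). Selects records exactly as the
filter pattern { $.reason = "DUPLICATE_CLIENT_ID" } does, groups them by client
ID and reports how many distinct principals used each ID. Sample lines below
are constructed in the shape of the record shown on the page."""
import json
from collections import defaultdict

# Constructed principal IDs standing in for certificate IDs; they are not real.
PRINCIPAL_THERMOSTAT = "1670fcf6de55adc1930169142405c4a2493d9eb5487127cd0091ca0193a3d3f6"
PRINCIPAL_OTHER = "9c2e7a0f4b6d1c8e3a5f7b9d2c4e6a8f1b3d5c7e9a0f2b4d6c8e1a3f5b7d9c0e"


def _record(ts, client_id, principal, ip, event, status, reason=None):
    """Serialize one constructed log record in the AWS IoT CloudWatch shape."""
    rec = {
        "timestamp": ts, "logLevel": "ERROR" if status == "Failure" else "INFO",
        "accountId": "123456789012", "status": status, "eventType": event,
        "protocol": "MQTT", "clientId": client_id, "principalId": principal,
        "sourceIp": ip, "sourcePort": 21335,
    }
    if reason:
        rec["reason"] = reason
    return json.dumps(rec)


# Constructed sample: two identities fight over clientId01, one conflict on
# clientId07, a normal connect/disconnect on clientId02, and one non-JSON line.
SAMPLE_LOG_LINES = [
    _record("2019-04-28 22:05:30.105", "clientId01", PRINCIPAL_THERMOSTAT,
            "203.0.113.1", "Disconnect", "Failure", "DUPLICATE_CLIENT_ID"),
    _record("2019-04-28 22:05:41.009", "clientId01", PRINCIPAL_OTHER,
            "198.51.100.7", "Disconnect", "Failure", "DUPLICATE_CLIENT_ID"),
    _record("2019-04-28 22:05:52.317", "clientId01", PRINCIPAL_THERMOSTAT,
            "203.0.113.1", "Disconnect", "Failure", "DUPLICATE_CLIENT_ID"),
    _record("2019-04-28 22:06:02.000", "clientId02", PRINCIPAL_OTHER,
            "198.51.100.7", "Connect", "Success"),
    _record("2019-04-28 22:06:15.550", "clientId07", PRINCIPAL_OTHER,
            "198.51.100.7", "Disconnect", "Failure", "DUPLICATE_CLIENT_ID"),
    _record("2019-04-28 22:07:00.100", "clientId02", PRINCIPAL_OTHER,
            "198.51.100.7", "Disconnect", "Success", "CLIENT_INITIATED_DISCONNECT"),
    "broker log line that is not JSON",  # exercises the parser's skip path
]


def parse_records(lines):
    """Parse JSON log records, skipping lines that are not JSON objects."""
    records = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict):
            records.append(rec)
    return records


def duplicate_client_id_events(records):
    """Equivalent of the CloudWatch filter { $.reason = "DUPLICATE_CLIENT_ID" }."""
    return [r for r in records if r.get("reason") == "DUPLICATE_CLIENT_ID"]


def summarize_conflicts(records):
    """Group conflict disconnects by client ID.

    Returns {clientId: {"count": n, "principals": [...], "sourceIps": [...]}}
    with the lists sorted so the output is stable."""
    grouped = defaultdict(lambda: {"count": 0, "principals": set(), "sourceIps": set()})
    for rec in duplicate_client_id_events(records):
        bucket = grouped[rec.get("clientId", "<missing>")]
        bucket["count"] += 1
        bucket["principals"].add(rec.get("principalId", "<missing>"))
        bucket["sourceIps"].add(rec.get("sourceIp", "<missing>"))
    return {cid: {"count": b["count"], "principals": sorted(b["principals"]),
                  "sourceIps": sorted(b["sourceIps"])}
            for cid, b in grouped.items()}


def classify_conflicts(summary):
    """Split client IDs by how many principals fought over them.

    More than one principal on one client ID means two identities (two devices,
    or a device and an impostor) share it, the condition the Device Defender
    audit check reports. A single principal repeatedly displacing itself usually
    points at that device's own reconnect logic."""
    shared, single = [], []
    for cid in sorted(summary):
        (shared if len(summary[cid]["principals"]) > 1 else single).append(cid)
    return {"shared_identity": shared, "single_identity": single}


if __name__ == "__main__":
    summary = summarize_conflicts(parse_records(SAMPLE_LOG_LINES))
    for cid, info in sorted(summary.items()):
        print(f"{cid}: {info['count']} conflict disconnect(s), "
              f"{len(info['principals'])} principal(s), IPs {info['sourceIps']}")
    print(classify_conflicts(summary))
```

Run the same functions over a CloudWatch Logs export (one JSON record per line) to see which client IDs are contested and whether the contest is between different certificates or a single device reconnecting too eagerly.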

You can use AWS IoT Device Advisor to validate that your devices can reliably connect to AWS IoT Core and follow security best practices.


Keep your device's clock in sync

It's important to have an accurate time on your device. X.509 certificates have an expiry date and time. The clock on your device is used to verify that a server certificate is still valid. If you're building commercial IoT devices, remember that your products may be stored for extended periods before being sold. Real-time clocks may drift during this time and batteries may discharge, so setting the time in the factory is not sufficient.

For most systems, this means that the device's software must include a Network Time Protocol (NTP) client. The device should wait until it synchronizes with an NTP server before it tries to connect to AWS IoT Core. If this isn't possible, the system should provide a way for a user to set the device's time so that subsequent connections succeed.

After the device synchronizes with an NTP server, it can open a connection with AWS IoT Core. How much clock skew is allowed depends on what you are trying to do with the connection.

验证服务器证书

The first thing a device does to interact with AWS IoT is to open a secure connection. When you connect your device to AWS IoT, ensure that you're talking to AWS IoT and not another server impersonating AWS IoT. Each of the AWS IoT servers is provisioned with a certificate issued for the iot.amazonaws.com domain. This certificate was issued to AWS IoT by a trusted certificate authority that verified our identity and ownership of the domain.

One of the first things AWS IoT Core does when a device connects is send the device a server certificate. Devices can verify that they expect to connect to iot.amazonaws.com and that the server on the other end of the connection holds a certificate issued for that domain by a trusted authority.

TLS certificates are in the X.509 format and contain a variety of information, such as the organization's name, location, domain name, and validity period. The validity period is specified as a pair of time values named notBefore and notAfter. Services like AWS IoT Core use limited validity periods (for example, one year) for their server certificates and begin serving new ones before the old ones expire.
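The following is an added example, not code from the AWS documentation; it covers both the clock-synchronization section above and the server certificate check. It works on the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns, so the same functions can be run against a live connection; here the certificate, its notBefore/notAfter dates, the issuer name and the endpoint host name are constructed for the demonstration and are not a real AWS IoT server certificate or endpoint. It shows what a device with a never-synchronized factory clock sees (the certificate appears not yet valid), why the device should wait for NTP before judging the certificate, and how a small skew tolerance differs from a dangerously large one.

```python
"""Gate an AWS IoT connection on (1) having a trusted clock and (2) the server
certificate being valid for that clock and issued for the expected host name.

Added example, not code from the AWS documentation. Operates on the dict that
ssl.SSLSocket.getpeercert() returns; the certificate below is constructed."""
import ssl
import time

# Constructed peer certificate in getpeercert() form; dates chosen for the demo.
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "*.iot.us-east-1.amazonaws.com"),),),
    "issuer": ((("organizationName", "Example Trusted CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
    "subjectAltName": (("DNS", "*.iot.us-east-1.amazonaws.com"),
                       ("DNS", "iot.amazonaws.com")),
}

# Five minutes of tolerated drift. Keep this small: a tolerance of days would
# let an expired or not-yet-valid certificate pass the check.
DEFAULT_SKEW_SECONDS = 300


def validity_status(cert, now_epoch, skew_seconds=0):
    """Classify the certificate's validity window against the device's clock.

    Returns "not_yet_valid", "expired" or "valid". A device whose clock is
    still at its factory-set time typically lands in "not_yet_valid"."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now_epoch < not_before - skew_seconds:
        return "not_yet_valid"
    if now_epoch > not_after + skew_seconds:
        return "expired"
    return "valid"


def hostname_matches(cert, hostname):
    """Match hostname against the certificate's DNS SAN entries.

    A leading '*' label matches exactly one label (so *.iot.us-east-1.amazonaws.com
    does not cover a.b.iot.us-east-1.amazonaws.com); all other labels are literal."""
    host_labels = hostname.lower().rstrip(".").split(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        san_labels = value.lower().split(".")
        if len(san_labels) != len(host_labels) or san_labels[1:] != host_labels[1:]:
            continue
        if san_labels[0] == "*" or san_labels[0] == host_labels[0]:
            return True
    return False


def connect_decision(cert, hostname, now_epoch, clock_synced,
                     skew_seconds=DEFAULT_SKEW_SECONDS):
    """Return "connect" or the reason the device must not connect yet."""
    if not clock_synced:
        # Without NTP sync, notBefore/notAfter cannot be judged; wait and retry.
        return "wait_for_ntp"
    if not hostname_matches(cert, hostname):
        # A genuine certificate for some other host is still an impostor here.
        return "hostname_mismatch"
    status = validity_status(cert, now_epoch, skew_seconds)
    return "connect" if status == "valid" else status


if __name__ == "__main__":
    endpoint = "abc123-ats.iot.us-east-1.amazonaws.com"  # assumed endpoint name
    mid_2024 = 1720000000      # 2024-07-03T09:46:40Z, inside the sample window
    factory_clock = 1577836800  # 2020-01-01T00:00:00Z, a never-synced clock
    print(connect_decision(SAMPLE_PEER_CERT, endpoint, mid_2024, clock_synced=False))
    print(connect_decision(SAMPLE_PEER_CERT, endpoint, factory_clock, clock_synced=True))
    print(connect_decision(SAMPLE_PEER_CERT, endpoint, mid_2024, clock_synced=True))
    print(connect_decision(SAMPLE_PEER_CERT, "iot.example.net", mid_2024, clock_synced=True))
    print(validity_status(SAMPLE_PEER_CERT, int(time.time())))
```

On a real device the cert dictionary comes from getpeercert() after the TLS handshake, clock_synced is the NTP client's state, and the host name is your account's AWS IoT endpoint; the validity check here is in addition to, not instead of, the chain validation the TLS library performs against the trusted CA set.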

Use a single identity per device

Use a single identity per client. Devices generally use X.509 client certificates. Web and mobile applications use Amazon Cognito Identity. This enables you to apply fine-grained permissions to devices.

For example, you have an application that consists of a mobile phone that receives status updates from two different smart home objects, a light bulb and a thermostat. The light bulb sends the status of its battery level and the thermostat sends messages reporting the temperature.

AWS IoT authenticates devices individually and treats each connection individually. You can apply fine-grained access control using authorization policies. You can define a policy for the thermostat that allows it to publish to a topic space. You can define a separate policy for the light bulb that allows it to publish to a different topic space. Finally, you can define a policy for the mobile application that only allows it to connect to, and subscribe to, the topics for the thermostat and the light bulb so that it receives messages from those devices.

Apply the principle of least privilege and scope the permissions for each device as narrowly as possible. All devices or users should have an AWS IoT policy that only allows them to connect with a known client ID, and to publish and subscribe to an identified and fixed set of topics.
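The following is an added example, not code from the AWS documentation and not the AWS IoT policy engine. It is a small evaluator that fills the ${iot:Connection.Thing.ThingName} and ${iot:ClientId} policy variables from the connecting identity and then matches the requested client ID or topic against the statements, with a default deny and an explicit Deny overriding any Allow. It ties together the client ID restriction from the "Protecting MQTT connections" section above and the thermostat / light bulb / mobile app split from this section: the thermostat's certificate cannot claim the bulb's client ID, so it cannot knock the bulb offline, and the app can subscribe to every device's status but publish nothing. The account ID 123456789012, the region, the thing names and the devices/<thing>/status and devices/<thing>/commands topic layout are assumptions.

```python
"""Evaluate thing-scoped AWS IoT policies as described on this page.

Added example, not code from the AWS documentation and not the AWS IoT policy
engine: ${iot:Connection.Thing.ThingName} and ${iot:ClientId} are filled from
the connecting identity, then the requested client ID or topic is matched
against the statements (policy '*' wildcard, default deny, explicit Deny wins).
Account 123456789012, region us-east-1, thing names and topics are assumed."""
import re

ARN_PREFIX = "arn:aws:iot:us-east-1:123456789012:"

# One policy for every registered thing: the thing may connect only as itself,
# publish only its own status, and subscribe to / receive only its own commands.
THING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect",
         "Resource": ARN_PREFIX + "client/${iot:Connection.Thing.ThingName}"},
        {"Effect": "Allow", "Action": "iot:Publish",
         "Resource": ARN_PREFIX + "topic/devices/${iot:Connection.Thing.ThingName}/status"},
        {"Effect": "Allow", "Action": "iot:Subscribe",
         "Resource": ARN_PREFIX + "topicfilter/devices/${iot:Connection.Thing.ThingName}/commands"},
        {"Effect": "Allow", "Action": "iot:Receive",
         "Resource": ARN_PREFIX + "topic/devices/${iot:Connection.Thing.ThingName}/commands"},
    ],
}

# The mobile app (a Cognito identity, so no thing variables): connect with an
# app-prefixed client ID, read every device's status, publish nothing. The MQTT
# '+' in the topicfilter resource is literal; the '*' in Receive is the wildcard.
MOBILE_APP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect", "Resource": ARN_PREFIX + "client/app-*"},
        {"Effect": "Allow", "Action": "iot:Subscribe",
         "Resource": ARN_PREFIX + "topicfilter/devices/+/status"},
        {"Effect": "Allow", "Action": "iot:Receive", "Resource": ARN_PREFIX + "topic/devices/*/status"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _substitute(resource, ctx):
    """Replace known policy variables; unknown ones stay literal and never match."""
    for key, value in ctx.items():
        resource = resource.replace("${" + key + "}", value)
    return resource


def _pattern_matches(pattern, value):
    """Policy '*' matches any run of characters; MQTT '+' and '#' are literal."""
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, value) is not None


def is_allowed(policy, action, resource_arn, ctx):
    """Default deny; an explicit Deny overrides any Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_pattern_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_pattern_matches(_substitute(r, ctx), resource_arn)
                   for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def _context(thing_name, client_id):
    # AWS IoT resolves the thing variable only when the connecting certificate
    # is attached to the thing named by the client ID; passing the identity's
    # thing name directly gives the same deny when the client ID is not its own.
    ctx = {"iot:ClientId": client_id}
    if thing_name is not None:
        ctx["iot:Connection.Thing.ThingName"] = thing_name
    return ctx


def can_connect(policy, thing_name, client_id):
    return is_allowed(policy, "iot:Connect", ARN_PREFIX + "client/" + client_id,
                      _context(thing_name, client_id))


def can_publish(policy, thing_name, client_id, topic):
    return is_allowed(policy, "iot:Publish", ARN_PREFIX + "topic/" + topic,
                      _context(thing_name, client_id))


def can_subscribe(policy, thing_name, client_id, topic_filter):
    return is_allowed(policy, "iot:Subscribe", ARN_PREFIX + "topicfilter/" + topic_filter,
                      _context(thing_name, client_id))


if __name__ == "__main__":
    # The thermostat cannot reuse the bulb's client ID, so it cannot drop the bulb.
    print(can_connect(THING_POLICY, "thermostat-01", "thermostat-01"))  # True
    print(can_connect(THING_POLICY, "thermostat-01", "bulb-01"))        # False
    print(can_subscribe(MOBILE_APP_POLICY, None, "app-42", "devices/+/status"))  # True
    print(can_subscribe(MOBILE_APP_POLICY, None, "app-42", "#"))  # False
```

The evaluator deliberately treats the MQTT wildcards + and # as literal text in a topicfilter resource, as AWS IoT does: a policy that should let the app subscribe to devices/+/status must name that exact filter, and a request for # is denied because no statement names it.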

Use just-in-time provisioning

Manually creating and provisioning each device can be time consuming. AWS IoT provides a way to define a template that provisions devices when they first connect to AWS IoT. For more information, see Just-in-time provisioning.

Permissions to run AWS IoT Device Advisor tests

The policy template below shows the minimum permissions and the IAM entity required to run AWS IoT Device Advisor test cases. Replace your-device-role-arn with the ARN of the device role you create under the prerequisites. Note that the second and third statements grant their actions on all resources ("Resource": "*"), so attach this policy to an IAM entity dedicated to running Device Advisor tests rather than to a broadly used role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "your-device-role-arn",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "iotdeviceadvisor.amazonaws.com"
        }
      }
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "iot:Connect",
        "logs:DescribeLogStreams",
        "iot:DescribeThing",
        "iot:DescribeCertificate",
        "logs:CreateLogGroup",
        "logs:PutLogEvents",
        "iot:DescribeEndpoint",
        "execute-api:Invoke*",
        "logs:CreateLogStream",
        "iot:ListPrincipalPolicies",
        "iot:ListThingPrincipals",
        "iot:ListThings",
        "iot:Publish",
        "iot:ListCertificates",
        "iot:ListAttachedPolicies",
        "iot:UpdateThingShadow",
        "iot:GetPolicy"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": "iotdeviceadvisor:*",
      "Resource": "*"
    }
  ]
}