best practices of iot security in the cloud

© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

October 24, 2016

Best Practices for IoT

Security in the Cloud


AWS IoT Security

All things around us are getting connected

Things will proliferate

2013 2015 2020

Vertical Industry

Generic Industry

Consumer

AutomotiveMany

Some

Lots

Connected ≠ Smart

Internet 1985 IoT 2015

Gopher HTTP

FTP MQTT

NNTP CoAP

Telnet XMPP

Archie AQMP

In reality, it is even more complex

Layer Standards

Application HTTP, MQTT, AMQP, CoAP, XMPP

Network IPv4, IPv6, 6LoWPAN, ZigBee, Z-Wave, Insteon

Physical Ethernet, CAN, USB, 802.11, Bluetooth, 802.15.4, SPI

A Simple Goal

But my data

isn’t sensitive!

Why do IoT at all?

Changes

happen in

the real

world!

The Risk

Changes

happen in

the real

world!

Bad

Requirements

Secure Communications with Things

Strong Thing Identity

Fine-grained Authorization for:

Thing Management

Pub/Sub Data Access

AWS Service Access

The System

DynamoDB LambdaKinesis

Requirements




Thing Management

Pub/Sub Data Access

AWS Service Access

Network Traffic Is Complex

04:07:18.045065 IP 85.119.83.194.1883 > 10.0.0.67.51210: Flags

[P.], seq 1586864891:1586864913, ack 820274045, win 227, options

[nop,nop,TS val 2390025928 ecr 577393885], length 22

0x0000: 4500 004a 3694 4000 2d06 639e 5577 53c2

0x0010: 0a00 0043 075b c80a 5e95 a2fb 30e4 637d

0x0020: 8018 00e3 66cd 0000 0101 080a 8e74 e6c8

0x0030: 226a 54dd 3214 0007 666f 6f2f 6261 7200

0x0040: 0454 656d 703a 2038 3346

Network Tools Are Up To It

MQ Telemetry Transport Protocol

Publish Message

0011 0010 = Header Flags: 0x32 (Publish Message)

0011 .... = Message Type: Publish Message (3)

.... 0... = DUP Flag: Not set

.... .01. = QOS Level: Acknowledged deliver (1)

.... ...0 = Retain: Not set

Msg Len: 20

Topic: foo/bar

Message Identifier: 1

Message: Temp: 83F

Mutual Auth TLS

Talking to Non-Things


AWS Auth + TLS

One Service, Two Protocols

MQTT + Mutual Auth TLS AWS Auth + HTTPS

Server Auth TLS + Cert TLS + Cert

Client Auth TLS + Cert AWS API Keys

Confidentiality TLS TLS

Protocol MQTT HTTP

Requirements




Thing Management

Pub/Sub Data Access

AWS Service Access

Back To Certs and Keys

AWS-Generated Keypair

Actual Commands

$ aws iot create-keys-and-certificate --set-as-active

{

"certificateArn":

"arn:aws:iot:us-east-1:123456972007:cert/d7677b0…SNIP…026d9",

"certificatePem":

"-----BEGIN CERTIFICATE-----…SNIP…-----END CERTIFICATE-----",

"keyPair": {

"PublicKey":

"-----BEGIN PUBLIC KEY-----…SNIP…-----END PUBLIC KEY-----",

"PrivateKey":

"-----BEGIN RSA PRIVATE KEY-----…SNIP…-----END RSA PRIVATE KEY-----"

},

"certificateId":

"d7677b0…SNIP…026d9"

}

AWS-Generated Keypair

Client Generated Keypair

CSR

Certificate Signing Request

Dear Certificate Authority,

I’d really like a certificate for %NAME%, as identified by

the keypair with public key %PUB_KEY%. If you could sign

a certificate for me with those parameters, it’d be super

spiffy.

Signed (Cryptographically),

- The holder of the private key


CSR

Actual Commands

$ openssl genrsa –out ThingKeypair.pem 2048

Generating RSA private key, 2048 bit long modulus

....+++

...+++

e is 65537 (0x10001)

$ openssl req -new –key ThingKeypair.pem –out Thing.csr

-----

Country Name (2 letter code) [XX]:US

State or Province Name (full name) []:NY

Locality Name (eg, city) [Default City]:New York

Organization Name (eg, company) [Default Company Ltd]:ACME

Organizational Unit Name (eg, section) []:Makers

Common Name (eg, your name or your server's hostname) []:John Smith

Email Address []:[email protected]

Actual Commands

$ aws iot create-certificate-from-csr \

--certificate-signing-request file://Thing.csr \

--set-as-active

{

"certificateArn":

"arn:aws:iot:us-east-1:123456972007:cert/b5a396e…SNIP…400877b",

"certificatePem":


"certificateId":

"b5a396e…SNIP…400877b"

}

Private Key Protection – Test & Dev

$ openssl genrsa -out ThingKeypair.pem 2048

Generating RSA private key, 2048 bit long modulus

......................+++

.................................+++

e is 65537 (0x10001)

$ ls -l ThingKeypair.pem

-rw-rw-r-- 1 ec2-user ec2-user 1679 Sep 25 14:10 ThingKeypair.pem

$ chmod 400 ThingKeypair.pem ; ls -l ThingKeypair.pem

-r-------- 1 ec2-user ec2-user 1679 Sep 25 14:10 ThingKeypair.pem

Private Key Protection – Software Threats

chroot

SELinux

OTP Fuses

Private Key Protection – Hardware Threats

TPMs

Smartcards

Locks and Boxes

FIPS-style hardware

Identity Revocation

$ aws iot list-certificates

{

"certificateDescriptions": [

{

"certificateArn":


"status": "ACTIVE",

"certificateId":

"d7677b0…SNIP…026d9"

"lastModifiedDate": 1443070900.491,

"certificatePem":


"ownedBy": "123456972007",

"creationDate": 1443070900.491

}

]

}

Identity Revocation

$ aws iot update-certificate --certificate-id "d7677b0…SNIP…026d9" --new-status REVOKED

$ aws iot list-certificates

{

"certificateDescriptions": [

{

"certificateArn":


"status": "REVOKED",

"certificateId":

"d7677b0…SNIP…026d9"

"lastModifiedDate": 1443192020.792,

"certificatePem":


"ownedBy": "123456972007",

"creationDate": 1443070900.491

}

]

}

Requirements




Thing Management

Pub/Sub Data Access

AWS Service Access

Managing Things


Managing Things


{

"Version": "2012-10-17",

"Statement": [

{

"Sid": ”ManageCerts",

"Action": [

"iot:CreateCertificateAndKeys",

"iot:CreateCertificateFromCsr",

"iot:DescribeCertificate",

"iot:UpdateCertificate",

"iot:DeleteCertificate",

"iot:ListCertificates”

],

"Effect": "Allow",

"Resource": "*"

}

]

}

Managing Things


{

"Version": "2012-10-17",

"Statement": [

{

"Sid": "RevokeOneThing",

"Action": [

"iot:UpdateCertificate"

],

"Effect": "Allow",

"Resource":


"Condition": {

"IpAddress": {

"aws:SourceIp": "192.168.42.54"

}

}

}

]

}

Identity Federation


Requirements




Thing Management

Pub/Sub Data Access

AWS Service Access

Data Access Control – AWS APIs


Data Access Control – AWS APIs


{

"Version":"2012-10-17",

"Statement":[ {

"Effect":"Allow",

"Action":[ "iot:Connect" ],

"Resource":"*"

}, {

"Effect":"Allow",

"Action":[ "iot:GetThingShadow" ],

"Resource":[

"arn:aws:iot:us-east-1:123456972007:thing/MyThing"]

}, {

"Effect":"Allow",

"Action":[ "iot:Publish" ],

"Resource":[ "arn:aws:iot:us-east-1:123456972007:

topic/$aws/things/MyThing/shadow/update"]

}

]

}

Mobile Users as Things


Mobile Users as Things


{

"Version":"2012-10-17",

"Statement":[ {

"Effect":"Allow",


"Resource":"*"

}, {

"Effect":"Allow",

"Action":[ "iot:GetThingShadow" ],

"Resource":[

"arn:aws:iot:us-east-1:123456972007:

thing/${cognito-identity.amazonaws.com:aud}"]

}, {

"Effect":"Allow",


"Resource":[ "arn:aws:iot:us-east-1:123456972007:topic/$aws/things/

${cognito-identity.amazonaws.com:aud}/shadow/update"]

}

]

}

Data Access Control - MQTT


Data Access Control - MQTT


{

"Version":"2012-10-17",

"Statement":[ {

"Effect":"Allow",


"Resource":"*"

}, {

"Effect":"Allow",


"Resource":[



}, {

"Effect":"Allow",

"Action":[ "iot:Subscribe", "iot:Receive" ],

"Resource":[


topicfilter/$aws/things/MyThing/shadow/*"

]

}

]

}

Actual Commands$ cat MyThingPolicy.json

{

"Version":"2012-10-17",

"Statement":[ {

"Effect":"Allow",


"Resource":"*"

}, {

"Effect":"Allow",


"Resource":["arn:aws:iot:us-east-1:123456972007:


}, {

"Effect":"Allow",


"Resource":["arn:aws:iot:us-east-1:123456972007:

topicfilter/$aws/things/MyThing/shadow/*"

]

}

]

}

Actual Commands

$ aws iot create-policy\

--policy-name MyThingPolicy\

--policy-document file://MyThingPolicy.json

{

"policyName": "MyThingPolicy",

"policyArn": "arn:aws:iot:us-east-1:123456972007:policy/MyThingPolicy",

"policyDocument": "...SNIP...",

"policyVersionId": "1"

}

$ aws iot attach-principal-policy\

--principal "arn:aws:iot:us-east-1:123456972007:cert/b5a396e…SNIP…400877b”\

--policy-name "MyThingPolicy"

Protocol Convergence

MQTT + Mutual Auth TLS AWS Auth + HTTPS

Server Auth TLS + Cert TLS + Cert

Client Auth TLS + Cert AWS API Keys

Confidentiality TLS TLS

Protocol MQTT HTTP

Identification AWS ARNs AWS ARNs

Authorization AWS Policy AWS Policy

Requirements




Thing Management

Pub/Sub Data Access

AWS Service Access

Rules and Services


Actual Commands$ cat ThingRoleTrustPolicy.json

{

"Version":"2012-10-17",

"Statement":[

{

"Sid":"",

"Effect":"Allow",

"Principal":{

"Service":"iot.amazonaws.com"

},

"Action":"sts:AssumeRole"

}

]

}

Actual Commands$ aws iam create-role\

--role-name thing-actions-role\

--assume-role-policy-document file://ThingRoleTrustPolicy.json

{

"Role": {

"AssumeRolePolicyDocument": …SNIP…

"RoleId": "AROAIQ4HBGG7V7F27E32K",

"CreateDate": "2015-09-27T16:29:56.438Z",

"RoleName": "thing-actions-role",

"Path": "/",

"Arn": "arn:aws:iam::123456972007:role/thing-actions-role"

}

}

Actual Commands$ cat ThingRolePolicy.json

{

"Version": "2012-10-17",

"Statement": [

{

"Sid": "DDBAccess",

"Action": [

"dynamodb:PutItem",

"dynamodb:UpdateItem"

],

"Effect": "Allow",

"Resource": "arn:aws:dynamodb:us-east-1:123456972007:table/MyThingTable"

},

]

}

Actual Commands$ aws iam create-policy\

--policy-name thing-role-policy\

--policy-document file://ThingRolePolicy.json

{

"Policy": {

"PolicyName": "thing-role-policy",

"CreateDate": "2015-09-27T16:32:17.998Z",

"AttachmentCount": 0,

"IsAttachable": true,

"PolicyId": "ANPAINCEAOD5EEXOLZWAI",

"DefaultVersionId": "v1",

"Path": "/",

"Arn": "arn:aws:iam::123456972007:policy/thing-role-policy",

"UpdateDate": "2015-09-27T16:32:17.998Z"

}

}

$ aws iam attach-role-policy\

--role-name "thing-actions-role"\

--policy-arn "arn:aws:iam::123456972007:policy/thing-role-policy"

Building AWS Things

Industrial Example

Manufacturer End UserVendor

Key Pair

Certificate

App

Key Pair

Certificate

App

Industrial Example


Industrial Example

Key Pair

Certificate

App


Consumer Example

Consumer Example

Key Pair

Certificate

App

Manufacturer Vendor

Consumer Example

Key Pair

Certificate

App


Claiming a Thing

service.awsthermostat.com

Claiming a Thing

service.awsthermostat.com

{

"Version":"2012-10-17",

"Statement":[ {

"Effect":"Allow",


"Resource":"*"

}, {

"Effect":"Allow",


"Resource":[

"arn:aws:iot:us-east-1:123456972007:topic/$aws/things

/%COGNITO_ID%/shadow/update"

]

},

"Effect:"Allow",


"Resource":[

"arn:aws:iot:us-east-1:123456972007:topicfilter/$aws

/things/%COGNITO_ID%/shadow/*"

]

}

]

}

Using a Thing

{

"Version": "2012-10-17",

"Statement": [{

"Effect":"Allow",


"Resource":"*"

}, {

"Effect": "Allow",

"Action": [ "iot:Publish" ],

"Resource": [


topic/$aws/things/${cognito-identity.amazonaws.com:aud}/shadow/update"

]

}, {

"Effect": "Allow",

"Action": [ "iot:Subscribe", "iot:Receive" ],

"Resource": [


topicfilter/$aws/things/${cognito-identity.amazonaws.com:aud}/shadow/*"

]

}]

}

Consumer Example

Key Pair

Certificate

App


Requirements




Thing Management

Pub/Sub Data Access

AWS Service Access

Two Secure Protocols

Bootstrapping Identity

CSR

Flexible, Consistent Access Control



All attendees will receive a special giveaway gift!

Please join us for the

AWS DevDay Networking Reception

5:00 - 6:30 PM

JW Grand Foyer

Thank you!

best practices of iot security in the cloud

Technology