
Lesson 1 of 7
Designing a secure solution

When you design an IoT solution, you must address four key areas of security: the types of
devices you deploy, the threats they face, how you will handle a compromised device, and the
business impact if each type of device is compromised. In this section, you will explore the
design principles of the AWS Well-Architected Framework, the AWS Device Qualification Program,
and Amazon FreeRTOS.

The goal of every IoT solution is to create an infrastructure that will enable ease of use,
flexibility, automated patching, and security. Security should be built into the fabric of
each layer of your design. To determine the potential security issues and how to address
them for each layer, here are some important questions to ask:

What types of devices are you deploying at the edge? You could be deploying:

• Structural automation devices, such as cameras, sprinkler systems, or thermostats.
• Industrial IoT devices, such as sensors that detect oil spills, mechanical failures,
temperature changes, or GPS position.
• Medical devices or wearable health monitors.
• Tags used to monitor and track items used for patient care, or vials of medicine in a
freezer.

Identify all the different types of devices in your IoT solution. Plan how to update firmware and
software. List the device physical locations and how you will track and update existing and
newly deployed devices. Understand and track how they behave, and plan to audit their behavior
to identify when they deviate from their normal behavioral patterns.

Types of IoT security issues:

Physical security is compromised when an IoT device is stolen, disabled, or tampered with and its
internal systems accessed. For example, bad actors could drain the batteries and block alert
notifications, or insert a USB device to introduce malicious code or extract data.

Network security is compromised when data is exposed, identities are stolen, or packets are
routed away from their destination.

Encryption is compromised when bad actors gain access to the cryptographic keys. With the keys,
they can decrypt traffic, impersonate the device, or replace the keys and take control of the
device, system, or environment.
What happens when a device is compromised?

When a device is compromised, the bad actor may be able to use it as a foothold inside your
environment.
Ask yourself:

• What will you do when a device is compromised?
• Is it a device you have physical access to, or is it a remote sensor on a shipping
container?
• How will you know when the device starts to behave in an unexpected manner?
• Will you have an analytics mechanism to detect and notify you of unexpected behavior?
• Do you have a quarantine process to take the device offline?

Incorporating these answers into your security design enables faster detection and response when
a breach occurs.
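As an added example (not part of the original course material), the following Go program sketches the detection step the questions above ask for: a per-device-type behavior profile, a batch of constructed broker-side publish events, and the findings that result, each tagged with whether the device should be quarantined. The profile values, topic names, and device names are assumptions, and the detector is a simplified stand-in for a service such as AWS IoT Device Defender, not its implementation.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Profile is the expected behaviour for one class of device. In a real fleet the
// numbers come from a learning period or the device's design (assumed values here).
type Profile struct {
	AllowedTopicPrefix string        // the device may only publish under this prefix
	MaxMessages        int           // per window
	MaxBytes           int           // total outbound payload per window
	Window             time.Duration // bucket size for rate counting
}

// Event is one published MQTT message as observed on the broker side.
type Event struct {
	Device string
	Topic  string
	Bytes  int
	At     time.Time
}

// Finding is what the detector raises. Quarantine means the device should be
// moved to a restricted thing group and its policy narrowed until triage.
type Finding struct {
	Device     string
	Reason     string
	Quarantine bool
}

// Evaluate buckets events per device into fixed windows and compares each
// window against the profile. Findings are deduplicated per device and reason
// and returned in detection order.
func Evaluate(p Profile, events []Event) []Finding {
	if p.Window <= 0 {
		p.Window = time.Minute
	}
	type key struct {
		device string
		window int64
	}
	msgs, payload := map[key]int{}, map[key]int{}
	seen := map[string]bool{}
	var findings []Finding
	add := func(dev, reason string, quarantine bool) {
		if !seen[dev+"|"+reason] {
			seen[dev+"|"+reason] = true
			findings = append(findings, Finding{dev, reason, quarantine})
		}
	}
	for _, e := range events {
		// Publishing outside its own namespace is the strongest signal: a
		// thermostat has no business on a door-lock command topic.
		if !strings.HasPrefix(e.Topic, p.AllowedTopicPrefix) {
			add(e.Device, "publish to unexpected topic "+e.Topic, true)
		}
		k := key{e.Device, e.At.Unix() / int64(p.Window/time.Second)}
		msgs[k]++
		payload[k] += e.Bytes
		if msgs[k] > p.MaxMessages {
			add(e.Device, fmt.Sprintf("message rate above %d per window", p.MaxMessages), true)
		}
		if payload[k] > p.MaxBytes {
			// Exfiltration-sized payloads: alert first, quarantine after triage.
			add(e.Device, fmt.Sprintf("outbound bytes above %d per window", p.MaxBytes), false)
		}
	}
	return findings
}

// SampleEvents is constructed data: two healthy thermostats and a third that
// floods the broker with large payloads, then publishes to a door-lock topic.
func SampleEvents() []Event {
	base := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	var ev []Event
	for _, d := range []string{"thermostat-01", "thermostat-02"} {
		for i := 0; i < 5; i++ {
			ev = append(ev, Event{d, "bldg7/thermostat/" + d + "/telemetry", 120, base.Add(time.Duration(10*i) * time.Second)})
		}
	}
	for i := 0; i < 40; i++ {
		ev = append(ev, Event{"thermostat-03", "bldg7/thermostat/thermostat-03/telemetry", 4000, base.Add(time.Duration(i) * time.Second)})
	}
	return append(ev, Event{"thermostat-03", "bldg7/doorlock/front/cmd", 32, base.Add(45 * time.Second)})
}

func main() {
	p := Profile{AllowedTopicPrefix: "bldg7/thermostat/", MaxMessages: 10, MaxBytes: 8192, Window: time.Minute}
	for _, f := range Evaluate(p, SampleEvents()) {
		fmt.Printf("%-14s quarantine=%-5v %s\n", f.Device, f.Quarantine, f.Reason)
	}
}
```

The three checks map onto the questions in the list: the topic-prefix check answers "how will you know it behaves unexpectedly", the rate and byte thresholds are the analytics mechanism, and the Quarantine flag is the input to the offline-quarantine process. In a real deployment the findings would drive a thing-group move and a policy change rather than a printed line.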

What is the customer and business impact if you experience a security breach?

• How many customers would be impacted by each type of breach?
• To what degree would customers be impacted, based on the device type?
• What can be done to reduce recovery time?

A personal fitness device that stops tracking a person's steps is a nuisance. A hacked smart-house
door lock that keeps the owner out at 2:00 AM creates a safety risk. A person with diabetes whose
insulin pump is compromised and whose Personal Health Information (PHI) is exposed to the internet
could mean that the company is breaking compliance obligations, federal law, or both.

Determine the impact and scope of various attacks and create unique response plans and
simulations. Doing this enables your teams to gain confidence in the plan and in their skills to
execute so that when a breach does occur, they can work quickly to reduce the impact.

What are the security risks?

When creating your design, consider the possibility of a breach, assess the potential
impact, and then revisit your design and implementation process to plan your incident
response accordingly. To understand the impact of a breach and how a secure design defends
against the possible breach scenarios, consider the following question.

What determines the impact of a security breach?
The IoT device type, and its function, determine the level of impact of a security breach.
For example, hacking a smart teapot has vastly different implications than breaching an
insulin pump. When a breach occurs, a well-designed architecture includes a well-tested
response plan and a team that is prepared to act.

What industry-approved material do architects use to aid in security designs?
To design a secure IoT solution, architects and security teams use industry-
approved design and compliance frameworks to ensure that the proper questions
are asked and design elements are met. Let's explore the AWS Well-
Architected Framework.

AWS Well-Architected Framework

The AWS Well-Architected Framework helps you identify the pros and cons of decisions
while building systems on AWS. By using the Well-Architected Framework, you learn
architectural best practices for designing and operating reliable, secure, efficient, and
cost-effective systems in the cloud. It provides a way for you to consistently measure your
architectures against best practices and identify areas for improvement.
The framework is based on five pillars: operational excellence, security, reliability,
performance efficiency, and cost optimization (AWS has since added a sixth pillar,
sustainability). When architecting technology solutions, you make informed trade-offs
between the pillars based on your business context. For IoT workloads, AWS provides
multiple services that enable you to design robust architectures for your applications.
IoT applications are composed of many devices (called things) that securely connect and
interact with complementary cloud-based components. IoT applications gather, process,
analyze, and act on data generated by connected devices.
Start your design with security in mind
Build each phase of your IoT design around securing the devices, the communications, and
the data in transit and at rest. Using the framework to answer questions and determine
the trade-offs that need to be made between the pillars, you will create a design that
works for your company. The next task is to get your technical staff ready to support and
resolve what you have designed. Familiarity with the technology is key to keeping it
secure. How do you build your team's security confidence and IoT familiarity?


Practice makes perfect. Incident response teams who run through simulations have faster
response times in an actual intrusion.

1. Educate your teams about your cloud platform, IoT devices, and how to use them.
2. Create action plans and remediation steps for intrusion scenarios.
3. Ensure that your teams have access to detection and remediation tools.
4. Prepare an incident response team.
5. Run simulated breach tests. A periodic test of your action plan tests and refines its effectiveness.

Explore the layers of IoT 


Another IoT framework to consult is the AWS IoT lens of the AWS Well-Architected
Framework. As it is aptly named, this guide provides a specific focus on IoT design principles.
Within the IoT lens, there are six distinct logical IoT layers to consider when designing an IoT
workload. Take a moment to explore these design layers.
Edge layer

Consists of the physical devices, the embedded operating systems, and the
device firmware.

Provisioning layer

Consists of the Public Key Infrastructure (PKI) used to create unique
identities for devices, the process by which firmware is first installed on
devices, and the application workflow that provides configuration data to
the device.

Communications layer

Handles the connectivity and message routing among devices and between devices
and the AWS Cloud. The communications layer lets you establish how IoT
messages are sent and received by devices, and how devices represent
and store their physical state in the AWS Cloud.

Ingestion layer

Plays a key role in collecting and aggregating important sensor information
from devices while decoupling the flow of data from the communication
between devices.

Analytics layer

Processes and performs analytics on IoT data.

Application layer

One of the key value propositions of using AWS IoT is the ease with which
data generated by IoT devices can be consumed by other relevant cloud-native
capabilities. The purpose of management applications is to create scalable
ways to operate your devices after they are deployed in the field.
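The provisioning layer's PKI, as an added example not taken from the course or from AWS IoT itself: a private CA issues each device a certificate whose subject is its thing name, and the broker side chains a presented certificate back to that CA before trusting the identity it asserts. The CA names, thing name, and validity periods are assumptions. In production the CA key would live in an HSM or AWS Private CA and the device key in a secure element; this stand-alone program generates both in memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is the private certificate authority that signs device certificates
// during provisioning. (Assumed in-memory key; use an HSM in production.)
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewCA creates a self-signed ECDSA P-256 root constrained to issuing
// end-entity certificates only (no intermediates, no client/server use).
func NewCA(name string) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
		MaxPathLenZero:        true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &CA{Cert: cert, Key: key}, err
}

// IssueDeviceCert is the provisioning step: the device generates its own key
// pair and only the public key leaves it; the certificate binds that key to
// the thing name. Serial numbers must be unique and unpredictable, so 128
// random bits are used.
func (c *CA) IssueDeviceCert(thingName string, devPub *ecdsa.PublicKey) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: thingName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(2 * 365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, c.Cert, devPub, c.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyDevice is what the broker side does on connect: chain the presented
// certificate to the trusted CA, require client-authentication usage, and
// only then return the identity it asserts.
func VerifyDevice(trusted, presented *x509.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(trusted)
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", err
	}
	return presented.Subject.CommonName, nil
}

func main() {
	ca, err := NewCA("Example IoT Provisioning CA")
	if err != nil {
		panic(err)
	}
	devKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cert, _ := ca.IssueDeviceCert("sensor-17", &devKey.PublicKey)
	fmt.Println(VerifyDevice(ca.Cert, cert)) // sensor-17 <nil>

	// A certificate for the same thing name from a CA we do not trust is
	// rejected: identity comes from the chain, not from the subject string.
	rogue, _ := NewCA("Rogue CA")
	rogueCert, _ := rogue.IssueDeviceCert("sensor-17", &devKey.PublicKey)
	fmt.Println(VerifyDevice(ca.Cert, rogueCert))
}
```

The important design point is that VerifyDevice returns the thing name only after the chain check succeeds, so downstream authorization (the policy attached to the certificate) is keyed on a cryptographically bound identity rather than on a name the client merely claims.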

For more detail, read the AWS IoT Lens of the AWS Well-Architected Framework whitepaper.

AWS security solutions

AWS offers a suite of IoT services to help you secure your devices, connectivity, and
data. These services enable end-to-end security, from physical device
protection to data at rest, and provide the features you need to define and enforce the
security policies your workload requires.

Use the design principles of the AWS Well-Architected Framework security pillar to
help design and build a secure IoT infrastructure.
Let's take a moment to explore the Well-Architected Framework security pillar.
Lesson 2  of  7
AWS Well-Architected Framework security pillar

The security pillar

The Well-Architected Framework provides guidelines and in-depth best practices to use while
architecting a secure solution in AWS. The security pillar encompasses the ability to protect
information, systems, and assets while delivering business value through risk assessments and
mitigation strategies.

AWS Security Pillar whitepaper
The focus of this paper is the security pillar of the Well-Architected Framework. It
provides guidance to help you apply best practices in the design, delivery, and
maintenance of secure AWS environments.

Least privilege is a design principle under which users, services, and applications are
granted only the privileges necessary to complete their task.

Design principles in the security pillar

There are seven design principles for security in the cloud:

Implement a strong identity foundation

Implement the principle of least privilege and enforce separation of duties
with the appropriate authorization for each interaction with your AWS
resources. Centralize permissions management and reduce or even eliminate
reliance on long-term credentials.

Enable traceability

Monitor, alert, and audit actions and changes to your environment in real
time. To automatically respond and take action, integrate logs and metrics
with systems.

Apply security at all layers

Apply a defense-in-depth approach with multiple security controls at every
layer (for example, the edge of the network, the VPC, load balancing, every
instance and compute service, the operating system, the application, and the
code) rather than relying on a single outer boundary.

Automate security best practices

Automated, software-based security mechanisms improve your ability to
scale securely, rapidly, and cost-effectively. Create secure architectures,
including controls that are defined and managed as code in
version-controlled templates.

Keep people away from data

Create mechanisms and tools to reduce or eliminate the need for direct access to or manual
processing of data. This reduces the risk of loss, modification, or human error when
handling sensitive data.

Encrypt data in transit and at rest

Classify your data into sensitivity levels and use mechanisms, such as
encryption, tokenization, and access control, where appropriate.

Prepare for a security event

Prepare for an incident by having an incident management process that aligns
with your organizational requirements. Run incident response simulations, and
use tools with automation to increase your speed of detection, investigation,
and recovery.
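To make the "strong identity foundation" principle concrete for IoT devices, here is an added example (not code from the course or from AWS) that evaluates a least-privilege AWS IoT Core policy the way the policy engine does at a high level: the thing-name policy variable is substituted at connect time, an explicit Deny wins, and anything not explicitly allowed is denied. The policy document, account ID, Region, and thing names are constructed for the example, and the evaluator is a simplified model that supports only the "*" wildcard and list-valued Action and Resource fields.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Statement and Policy mirror an AWS IoT Core policy document; only the fields
// this example needs are modelled, and Action/Resource must be JSON arrays.
type Statement struct {
	Effect   string   `json:"Effect"`
	Action   []string `json:"Action"`
	Resource []string `json:"Resource"`
}

type Policy struct {
	Statement []Statement `json:"Statement"`
}

// matchWild is IAM-style matching: '*' matches any run of characters
// (including '/'); everything else must match literally.
func matchWild(pattern, s string) bool {
	parts := strings.Split(pattern, "*")
	if len(parts) == 1 {
		return pattern == s
	}
	if !strings.HasPrefix(s, parts[0]) {
		return false
	}
	s = s[len(parts[0]):]
	for _, p := range parts[1 : len(parts)-1] {
		i := strings.Index(s, p)
		if i < 0 {
			return false
		}
		s = s[i+len(p):]
	}
	return strings.HasSuffix(s, parts[len(parts)-1])
}

// Allowed evaluates one attempted action as the AWS IoT policy engine does at
// a high level: substitute the thing-name policy variable, let an explicit
// Deny win, otherwise require a matching Allow, and deny by default.
func Allowed(p Policy, thingName, action, resource string) bool {
	allowed := false
	for _, st := range p.Statement {
		for _, a := range st.Action {
			if !matchWild(a, action) {
				continue
			}
			for _, res := range st.Resource {
				res = strings.ReplaceAll(res, "${iot:Connection.Thing.ThingName}", thingName)
				if !matchWild(res, resource) {
					continue
				}
				if st.Effect == "Deny" {
					return false
				}
				allowed = true
			}
		}
	}
	return allowed
}

// LeastPrivilegePolicy is the per-device policy this example assumes: connect
// only as yourself, publish only under your own namespace, subscribe only to
// your own command topic, never publish commands. Account and Region are placeholders.
const LeastPrivilegePolicy = `{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["iot:Connect"],
     "Resource": ["arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"]},
    {"Effect": "Allow", "Action": ["iot:Publish"],
     "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/devices/${iot:Connection.Thing.ThingName}/*"]},
    {"Effect": "Allow", "Action": ["iot:Subscribe"],
     "Resource": ["arn:aws:iot:us-east-1:123456789012:topicfilter/devices/${iot:Connection.Thing.ThingName}/cmd"]},
    {"Effect": "Deny", "Action": ["iot:Publish"],
     "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/devices/*/cmd"]}
  ]
}`

func LoadPolicy(doc string) (Policy, error) {
	var p Policy
	err := json.Unmarshal([]byte(doc), &p)
	return p, err
}

func main() {
	p, err := LoadPolicy(LeastPrivilegePolicy)
	if err != nil {
		panic(err)
	}
	arn := "arn:aws:iot:us-east-1:123456789012:"
	for _, c := range [][2]string{
		{"iot:Connect", "client/sensor-17"},
		{"iot:Connect", "client/sensor-18"},                  // impersonation
		{"iot:Publish", "topic/devices/sensor-17/telemetry"},
		{"iot:Publish", "topic/devices/sensor-18/telemetry"}, // cross-device write
		{"iot:Publish", "topic/devices/sensor-17/cmd"},       // explicit Deny wins
		{"iot:Subscribe", "topicfilter/devices/#"},           // fleet-wide eavesdrop
	} {
		fmt.Printf("%-13s %-40s %v\n", c[0], c[1], Allowed(p, "sensor-17", c[0], arn+c[1]))
	}
}
```

The policy variable is what makes one policy serve a whole fleet without granting cross-device access: every device gets the same document, but after substitution sensor-17 cannot connect as sensor-18, write sensor-18's telemetry, or subscribe to the fleet-wide filter. The trailing Deny shows why a wildcard Allow under a device's own namespace still needs an explicit guard for command topics.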

Best practices for cloud security

Before you architect any system, put in place best practices that influence security. You
want to control who can perform what actions, be able to identify security incidents,
protect your systems and services, and maintain the confidentiality and integrity of data
through data protection. The best practice areas for cloud security are:

1. AWS Identity and Access Management (IAM)
2. Detective controls
3. Infrastructure protection
4. Data protection
5. Incident response

Explore each cloud security best practice in more depth:

IDENTITY AND ACCESS MANAGEMENT

AWS Identity and Access Management (IAM) ensures that only authorized and authenticated
users are able to access your resources, and only in a manner that you intend.

In IAM you define principals (users, groups, services, and roles), build out
policies aligned with these principals, and implement strong credential management. These
permission-management elements form the core of authentication and authorization.

Best practices for IAM include:

1. Create individual identities. Never share credentials: give each person a unique identity
so that you can grant, reduce, or revoke access for individuals based on role or
trustworthiness, and so that audit logs attribute each action to one person. Where possible,
prefer federated identities with temporary credentials over long-lived IAM users and access
keys, in line with the principle of reducing reliance on long-term credentials.
2. Configure a strong password policy. Require a minimum length and mixed-case,
special-character combinations, and require password rotation of 90 days or fewer.
Complex passwords raise the cost of brute-force and credential-stuffing attacks; pair them
with MFA, which defeats a stolen password on its own.
3. Rotate security credentials regularly. You can generate and download a credential report
that lists all users in your account and the status of their various credentials, including
passwords, access keys, and MFA devices. You can get a credential report from the AWS
Management Console, the AWS SDKs and Command Line Tools, or the IAM API. Use
the Access Key Last Used column in the credential report to identify and revoke
unused credentials. Enable credential rotation for IAM users and use the credential
report to audit it. This ensures that data cannot be accessed with old keys.

Key Services
IAM supports the protection and management of credentials.

Additionally:

• AWS Security Token Service (AWS STS) lets you request temporary, limited-privilege
credentials for authentication with other AWS APIs.
• IAM instance profiles for Amazon Elastic Compute Cloud (Amazon EC2) instances enable
you to use the Amazon EC2 instance metadata service to obtain managed temporary credentials
for accessing other AWS APIs.

Detective controls
Detective controls let you identify a potential security incident (by contrast, directive
controls establish the governance, risk, and compliance models within which the environment
operates).

Asset inventory, auditing, and behavior analysis are different types of detective controls that
enable you to identify and react to unexpected activity.

Best Practices include:

1. Customize the delivery of AWS CloudTrail and other service-specific logging to capture
API activity globally, and centralize the data for storage and analysis.
2. Architects should consider detective controls end-to-end. You should not only generate
and store logs. Your information security function needs robust analytics and retrieval
capabilities to provide insight into security-related activity.
3. Deeply integrate the flow of security events and findings into a notification and workflow
system, such as a ticketing system, a bug/issue system, or other security information and
event management (SIEM) system.

Key Services

• Amazon GuardDuty is a managed threat-detection service that continuously monitors for
malicious or unauthorized behavior.
• AWS Config provides you with an AWS resource inventory, configuration history, and
configuration change notifications to enable security and governance.
• Amazon CloudWatch Logs enables you to centralize logs into streams. CloudWatch Logs
scales to ingest logs without the need to manage infrastructure.
• Amazon Simple Storage Service (Amazon S3) and Amazon S3 Glacier can be used to
centralize storage and long-term archiving of log data.
• Amazon Athena can be used to analyze logs, such as CloudTrail logs, to help you
identify trends and further isolate activity by attribute, such as source IP address or user.

Infrastructure protection
Infrastructure protection encompasses control methodologies, such as defense in depth, necessary to meet
best practices and organizational or regulatory obligations. It ensures that systems and services within
your workload are protected against unintended and unauthorized access and potential vulnerabilities.

Best Practices include:

1. Take a least privilege approach.
2. Automate deployments and maintenance, and remove operator access to reduce your
surface area.
3. Ensure that operating system and application configurations, such as firewall settings and
anti-malware definitions, are correct and up-to-date.
4. When designing network access control list (network ACL) rules, remember that a network
ACL is a stateless firewall: return traffic is not tracked, so you must define both inbound
and outbound rules (including the ephemeral port range for responses) to meet your needs.

Key Services
• Amazon VPC security groups provide a stateful firewall, enabling you to specify traffic
rules and define relationships to other security groups.
• AWS Shield is a managed distributed denial of service (DDoS) protection service.
• AWS WAF is a web application firewall.
• AWS Firewall Manager is a security management service to centrally configure and
manage AWS WAF rules.
• Amazon Inspector is used to identify vulnerabilities or deviations from best practices.
• AWS CloudFormation is used to create and manage infrastructure.

Data Protection
Data classification provides a way to categorize organizational data based on levels of sensitivity.
Encryption protects data by rendering it unintelligible to anyone without the key.

Best Practices include:

1. Classify your data.
2. Encrypt it in transit and at rest.
3. Define data backup, replication, and recovery approaches.

Key Services
• AWS Key Management Service (AWS KMS) enables you to define encryption keys,
encrypt data, and protect keys with IAM and key policies.
• AWS CloudHSM provides a hardware security module for managing your keys.
• Amazon DynamoDB is a fast NoSQL database. It can be used to store
encrypted content for your tokens.
• Amazon S3 cross-Region replication enables automatic, asynchronous copying of objects
across buckets in different AWS Regions.
• Amazon S3 lifecycle policies and versioning enable you to implement a backup strategy
and meet retention requirements.
• Amazon Elastic Block Store (Amazon EBS) snapshot operations enable you to back up
volumes attached to EC2 instances.

Incident Response
Have processes in place to respond to and mitigate the potential impact of security incidents. Putting in
place the tools and access ahead of a security incident, then routinely practicing incident response through
test runs, helps you to ensure that your architecture can accommodate timely investigation and recovery.

Best Practices include:

1. Use tags to properly describe AWS resources.
2. Determine access for your incident team ahead of the incident and regularly verify that
the access works.
3. Use AWS Auto Scaling to allow instances under investigation to be removed without
affecting availability of applications.

Key Services
• IAM is used to grant appropriate authorization to incident response teams in advance.
• AWS CloudFormation automates the creation of trusted environments.
• AWS CloudTrail provides a history of AWS API calls that can assist in response, and
trigger automated detection and response systems.
• Amazon CloudWatch Events (now Amazon EventBridge) is used to trigger automated actions
from changes in AWS resources, including CloudTrail events.
• AWS Step Functions is used to coordinate a sequence of steps to automate an incident
response process.

Lesson 3 of 7
IoT device security
Securing IoT devices
Your IoT environment can contain a huge variety of devices. You must determine the best way
to secure individual devices using standard IoT security rules as a guide. Two important concepts
to understand when discussing potential threats are attack surface and IoT infrastructure.

What is an attack surface?

An attack surface includes all entry points of your systems that an
unauthorized user may target to obtain unauthorized access to your assets,
such as sensitive data, device functionalities, or computing and networking
capabilities.

What is an IoT infrastructure?

An IoT infrastructure includes all elements and building blocks of your IoT
solution, including device hardware and firmware, on-premises and in-cloud
systems and software, and processes such as device manufacturing, shipping,
and provisioning.

Reduce the attack surface of your IoT infrastructure

How do you do this?

Eliminate unused entry points

Identify and eliminate unused entry points on your devices, field gateways, and backend
systems. Know what IoT devices you have, where they are deployed or will be
deployed, and how to access the devices.

Disable unused features

Disable unused device sensors, actuators, services, or their unused functions.
A sensor or an actuator that isn't being used is a liability that can be
exploited. Disable it, quarantine it, or remove it from its location. If it
can't be removed, verify that it is both disabled and tamper resistant.

Remove insecure configurations

Disable unused functionality or configurations that are insecure by default in your
dependencies. Not using a protocol? Not using that function of the device? Remove it or
disable it so that an unauthorized user cannot use it against you.

Reduce third-party dependencies

Use the least possible number of dependencies, such as third-party libraries and network
services. The more dependencies you have, the more vectors for potential bad actors.

Secure-by-default configurations

Employ secure-by-default configurations across your IoT infrastructure.
Verify that security is built into your devices and configurations so that the device is
purposely built to be secure.

Update dependencies

Only add well-maintained dependencies, and establish a mechanism to keep them up to date.
If the added dependencies contain functionality not used by the device
(for example, opening ports or domain sockets), disable them in your code or
by means of the library's configuration files.

Continually review

Regularly review and identify attack surface minimization opportunities as your
IoT infrastructure evolves.

Validate IoT hardware with AWS device qualification


The AWS Device Qualification Program (DQP) is a hardware validation and benefits program
for all AWS Partner Network (APN) Partners. Through this program, APN Partners can submit
their hardware for technical validation for Amazon FreeRTOS, AWS IoT Greengrass, AWS IoT
Core, and Amazon Kinesis Video Streams. 

Devices qualified under the DQP are listed in the AWS Partner Device Catalog, enabling AWS
customers to easily discover devices that are designed to work with AWS services and build on
the IoT expertise provided by the APN Partners.

AWS DQP benefits

The AWS Device Qualification Program offers several benefits, including:

Business
The AWS Device Qualification Program offers participating APN Partners
benefits for qualifying their devices:

• Connects hardware partners with AWS customers and creates new
business opportunities
• Eligibility for AWS credit benefits for each qualified and listed
device
• Eligibility for the market development funds (MDF) benefit after approval of the first
device listing

Marketing
Participating APN Partners benefit from marketing opportunities and visibility to AWS
customers, AWS sales, and other APN Partners:

• Customer-facing AWS Partner Device Catalog, which lists qualified devices
• Exclusive branding using the device qualification badge
• Announcement of newly qualified devices on the APN blog

Technical
Qualification of devices offers product differentiation for APN Partners and helps reduce
the integration friction for customers:

• AWS IoT Device Tester for Amazon FreeRTOS and AWS IoT Greengrass allows
APN Partners to validate devices quickly.
• Technical validation combines APN Partner and AWS expertise by helping
customers discover devices that are designed to work with AWS services.


When choosing devices for your IoT infrastructure, one major consideration is the footprint of
the operating system on the device. A full Microsoft Windows installation, for example, would
be too large for sensors and devices with limited storage and memory.
However, the devices need to be able to communicate with each other, gather data, and transmit
that data to AWS IoT Core. So how do they do that? Enter the realm of real-time operating
systems (RTOS) and, in particular, Amazon FreeRTOS. Amazon FreeRTOS is a real-time
operating system kernel for embedded devices. The FreeRTOS kernel remains open source and
free under the MIT license; Amazon maintains it. Let's take a moment to
discuss what this is and how it's implemented.
What Is Amazon FreeRTOS?

Amazon FreeRTOS is based on the FreeRTOS kernel, a popular open-source operating system for
microcontrollers, and extends it with software libraries that make it easy to securely connect customers'
small, low-power devices directly to AWS Cloud services, like AWS IoT Core, or to more powerful edge
devices running AWS IoT Greengrass.
Security capabilities: Amazon FreeRTOS comes with libraries to help secure device data and
connections, including support for data encryption and key management. Amazon FreeRTOS includes
support for Transport Layer Security (TLS 1.2) so that devices connect securely to the cloud.
Code signing: Amazon FreeRTOS also has a code signing feature to ensure that customer device code is
not compromised during deployment. It also includes capabilities for over-the-air (OTA) updates to
remotely update devices with feature enhancements or security patches.


Amazon FreeRTOS Architecture

Amazon FreeRTOS is typically flashed to devices as a single compiled image with all the
components required for device applications. This image combines functionality for the
applications written by the embedded developer, the software libraries provided by Amazon, the
FreeRTOS kernel, and drivers and board support packages (BSPs) for the hardware platform.
Independent of the individual microcontroller used, embedded application developers can expect
the same standardized interfaces to the FreeRTOS kernel and all Amazon FreeRTOS software
libraries.

Over-the-air updates
With over-the-air (OTA) updates, you can deploy files to one or more devices in your fleet.
Although OTA updates were designed to update device firmware, you can use them to send any
number of files to one or more devices registered with AWS IoT. When you send files over the
air, digitally sign them so that the devices that receive the files can verify
that they have not been tampered with en route.

Over-the-air updates of Amazon FreeRTOS

Amazon FreeRTOS OTA updates enable you to perform the following operations:

• Digitally sign and encrypt firmware before deployment.
• Deploy new firmware images to a single device, a group of devices, or your
entire fleet.
• Deploy firmware to devices as they are added to groups, reset, or
reprovisioned.
• Verify the authenticity and integrity of new firmware after it's deployed to
devices.
• Monitor the progress of a deployment.
• Debug a failed deployment.
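The two OTA operations that matter most for security, signing before deployment and verifying authenticity and integrity on the device, as an added example that is not the FreeRTOS OTA agent or AWS Signer code: the cloud side hashes the image into a signed manifest, and the device side checks the signature, then the version (to block rollback to a vulnerable build), then the image digest, rejecting each failure mode in turn. The Ed25519 keys, manifest format, and version numbers are assumptions chosen because they ship in Go's standard library; the real OTA library typically verifies an ECDSA P-256 signature produced by AWS Signer.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest travels with the firmware image. The signature covers the manifest
// bytes and the manifest pins the image by SHA-256, so both the metadata
// (version) and the image are protected. (Assumed format for this example.)
type Manifest struct {
	Version   uint32 `json:"version"`
	ImageSHA  string `json:"image_sha256"`
	ImageSize int    `json:"image_size"`
}

type SignedUpdate struct {
	ManifestJSON []byte
	Signature    []byte
	Image        []byte
}

// Build is the cloud side: hash the image, serialise the manifest, sign it.
func Build(priv ed25519.PrivateKey, version uint32, image []byte) (SignedUpdate, error) {
	sum := sha256.Sum256(image)
	m := Manifest{Version: version, ImageSHA: hex.EncodeToString(sum[:]), ImageSize: len(image)}
	mj, err := json.Marshal(m)
	if err != nil {
		return SignedUpdate{}, err
	}
	return SignedUpdate{ManifestJSON: mj, Signature: ed25519.Sign(priv, mj), Image: image}, nil
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrDigest       = errors.New("image digest does not match manifest")
	ErrRollback     = errors.New("update version is not newer than installed version")
)

// Verify is the device side. The order matters: check the signature before
// trusting anything in the manifest, then the version to block rollback to a
// vulnerable build, then the image itself before it is ever written to flash.
func Verify(pub ed25519.PublicKey, installed uint32, u SignedUpdate) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(pub, u.ManifestJSON, u.Signature) {
		return m, ErrBadSignature
	}
	if err := json.Unmarshal(u.ManifestJSON, &m); err != nil {
		return m, err
	}
	if m.Version <= installed {
		return m, ErrRollback
	}
	sum := sha256.Sum256(u.Image)
	if m.ImageSize != len(u.Image) || hex.EncodeToString(sum[:]) != m.ImageSHA {
		return m, ErrDigest
	}
	return m, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware blob v2") // stand-in for a real binary

	good, _ := Build(priv, 2, image)
	_, err = Verify(pub, 1, good)
	fmt.Println("genuine update:", err)

	tampered := good
	tampered.Image = append([]byte{}, image...)
	tampered.Image[0] ^= 0xff // one byte flipped in transit
	_, err = Verify(pub, 1, tampered)
	fmt.Println("tampered image:", err)

	old, _ := Build(priv, 1, image)
	_, err = Verify(pub, 1, old)
	fmt.Println("replayed old version:", err)

	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged, _ := Build(otherPriv, 3, image)
	_, err = Verify(pub, 1, forged)
	fmt.Println("signed by unknown key:", err)
}
```

Signing the manifest rather than the raw image is what lets the device reject a replayed, correctly signed but older build: the version is inside the signed bytes, so an attacker cannot pair an old image with a new version number. Encryption of the image, the first operation in the list above, is a separate step layered on top of this and is not shown here.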

Lesson 4 of 7
Student exercise
A university library and the Internet of Things
Read the following scenario and write down or sketch out the IoT devices,
infrastructure, and security measures you would need to satisfy both the customer's asks and
objectives.

Scenario
As the administrator of a university library, you must create an IoT infrastructure that allows
students to easily identify and locate books, videos, and research material in the 27-story media
center and library. The solution must identify the availability status of various media, whether in
stock or checked out; provide location information for the media by floor, aisle, and rack;
automate check-out of available titles; and include a value add that gives students additional
cross-referenced material. The solution must be secure and uniquely identify students.
Additionally, there must be a way to track print services and paper consumption. Each book and
media asset is fitted with a smart sensor when it arrives in the library and before it goes into
circulation.
Take a moment to design your IoT solution, then look at the solution suggestion below.

Solution hints

Things to think about:

It's a 27-story media center. How would they track location? What types of devices would they
need per floor, or per area?

1. Most students have a smartphone. How could you use this for authentication?
2. What about searching the card catalog electronically?
3. What about smartphone app usage? How could you use this to cross-reference material?
4. Online database?
5. App authentication?

Solution suggestion

Depending on budget and resources, there could be many different potential solutions
to the university library scenario.

Below is only one idea. As you review it, ask yourself these questions:
• How closely does your solution match?
• What could be done better in the solution below?
• How could you make this solution more secure?
• What additional ideas could you add to your solution?

Potential solution
• To verify their student status and account information, students
authenticate to an application on their smartphone using their student
ID, a password, and a security question.
• Each book sits in a bin or on a cart with an IoT sensor that
tracks the books in the bin and the location of the cart in the library,
to ensure that no book leaves the library without being checked out.
• The application has access to the library catalog and can query
for book titles. The smart sensors in the books update the catalog
with their status: IN or OUT.
• When a title is selected, the application lists the location of the book
and brings up an interactive map to guide the student to the proper area.
Sensors in the ceiling of each floor track the student's location and guide
them to the book.
• Additionally, the application cross-references the topic and author and
displays additional materials for consideration as a value add.
• Checkout of the media is accomplished through the application.

Two points a security reviewer would raise against this suggestion, in answer to "how could
you make this solution more secure": a security question is a weak factor, because answers are
often guessable or discoverable, so the app should rely on the university's identity provider
with MFA instead; and tracking students' indoor location is personal data that should be
classified, minimized, and retained only as long as the wayfinding session needs it.

Lesson 5 of 7
Best practices

As you move through your IoT journey, you will see many best practices listed and many
recommendations made. Remember that IoT is ever-changing and maturing, and so will be the list
of best practices and recommendations. Periodically review them when you review and update
your security designs.
Below is a list of fundamental IoT security best practices from the topics you've just reviewed.

1. Incorporate security during the design phase.
2. Build on recognized IT security and cyber-security frameworks.
3. Proactively assess the impact of potential security events.
4. Reduce the attack surface of your IoT ecosystem.
5. Use the principle of least privilege.

For additional information on IoT security, read the blog post "Ten security golden rules for
IoT solutions", reproduced below.
The Internet of Things on AWS – Official Blog
Ten security golden rules for IoT solutions
by Nima Sharifi Mehr | on 20 AUG 2019

Internet of Things (IoT) solutions help transform your operations and customer experiences across a variety of industries and uses. That unlimited opportunity brings excitement, but it also brings security, risk, and privacy concerns.

To protect customers, devices, and companies, every IoT solution should start and end with security. The best IoT security solution offers multi-layered protection from the edge to the cloud, letting you secure your IoT devices, connectivity, and data.

Ideally, you could rely on a publicly known and reusable list of security practices for every
building block in your IoT solutions that are aligned with your unique requirements and
constraints. However, in reality, you must plan at least some of your security strategy yourself by
using security rules as your guide.

I compiled the following best practices to help you protect your business and IoT ecosystem,
from design and implementation to ongoing operations and management. A list of high-level
recommendations follows each rule as well. These recommendations are not an exhaustive list
and only clarify the underlying concepts behind each rule.

1. Provision devices and systems with unique identities and credentials.
2. Apply authentication and access control mechanisms.
3. Use cryptographic network protocols.
4. Create continuous update and deployment mechanisms.
5. Deploy security auditing and monitoring mechanisms.
6. Build continuous health checks for security mechanisms.
7. Proactively assess the impact of potential security events.
8. Minimize the attack surface of your IoT ecosystem.
9. Avoid unnecessary data access, storage, and transmission.
10. Monitor vulnerability disclosure and threat intelligence sources.

Glossary of terms
Familiarize yourself with the following terms to help you navigate both this list of best practices
and the larger world of IoT resources that exist across the internet.

Attack surface: All entry points of your systems that a bad actor could target to obtain
unauthorized access to your assets, such as sensitive data, device functionalities, or computing
and networking capabilities.

Deployment artifacts: All source code, configuration, and binary files that users need for secure
and reliable software or firmware installation on IoT devices or general-purpose hosts.

IoT ecosystem: All elements and building blocks of your IoT solution, including device
hardware and firmware, on-premises and in-cloud systems and software, and processes such as
device manufacturing, shipping, and provisioning.

Principle of least privilege: A security best practice of granting identities only the minimum privileges required to perform their intended operations within expected contexts.

Threat model: A living document that captures your assets and the systems that interact with
them. It also includes the trust boundaries of your systems and their entry points, relevant threats
to your assets, and corresponding mitigation or accepted risks.

1. Provision devices and systems with unique identities and credentials
• Assign unique identities to all devices and on-premises or in-cloud systems of your IoT ecosystems.
• Assign unique cryptographic credentials, such as X.509 certificates, to each identity.
• Create mechanisms to facilitate the generation, distribution, rotation, and revocation of credentials.
• Opt to use hardware-protected modules such as Trusted Platform Modules (TPMs) or hardware security modules (HSMs) for storing credentials and performing authentication operations.

AWS resources

AWS provides the following assets and services to help you identify, sort, and secure your IoT assets:
• Security and Identity for AWS IoT
• Amazon Cognito, a service that provides authentication, authorization, and user management for your web and mobile apps
• AWS Identity and Access Management (IAM), a service that enables you to manage access to AWS services and resources securely

2. Apply authentication and access control mechanisms
• Establish clear trust boundaries in your IoT ecosystem based on your threat model, and enforce access controls on all access outside those boundaries.
• Identify and mitigate issues with entry points in your IoT ecosystem that can facilitate forging or spoofing identities and unauthorized escalation of privileges.
• If your threat model includes potential physical access to devices by unauthorized actors, tamper-proof your devices' hardware and disable any unused hardware interfaces physically and/or at the firmware or operating system layer.
• Create mechanisms to assess the credentials and privileges of your IoT ecosystem periodically, as well as when their associated identities transition through lifecycle events.
• Consider physical access controls such as tamper-proofing devices as an additional layer of defense.
• Enforce resource consumption limits and throttling to protect the availability of shared resources.
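
As an added illustration of the trust-boundary, spoofing and throttling bullets above (example code written for this page, not AWS IoT's own authorizer; the Connection and Authorizer names, the devices/<id>/ topic layout and the fixed-window limit are assumptions), here is a broker-side check that binds a connection to its certificate identity, scopes publishes to that identity's namespace, and throttles per device:

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Connection carries the identity proven by the device's X.509 certificate and the one it claims in MQTT CONNECT.
type Connection struct {
	CertCN   string
	ClientID string
}

// Authorizer is a constructed broker-side policy check, not AWS IoT code.
type Authorizer struct {
	limit  int // publishes allowed per device per window
	window time.Duration
	counts map[string]int
	resets map[string]time.Time
}

func NewAuthorizer(limit int, window time.Duration) *Authorizer {
	return &Authorizer{limit: limit, window: window, counts: map[string]int{}, resets: map[string]time.Time{}}
}

// AllowPublish returns nil only if the connection may publish to topic.
func (a *Authorizer) AllowPublish(c Connection, topic string) error {
	// Trust boundary: a CONNECT claiming an ID other than the certificate-proven one is spoofing.
	if c.ClientID != c.CertCN {
		return fmt.Errorf("client id %q does not match certificate identity %q", c.ClientID, c.CertCN)
	}
	// Least privilege: publish only under the device's own prefix, never with MQTT wildcards.
	prefix := "devices/" + c.CertCN + "/"
	if !strings.HasPrefix(topic, prefix) || strings.ContainsAny(topic, "#+") {
		return fmt.Errorf("topic %q is outside %q", topic, prefix)
	}
	// Availability: fixed-window throttle so one device cannot starve the rest.
	t := time.Now()
	if !t.Before(a.resets[c.CertCN]) {
		a.counts[c.CertCN] = 0
		a.resets[c.CertCN] = t.Add(a.window)
	}
	if a.counts[c.CertCN] >= a.limit {
		return fmt.Errorf("rate limit exceeded for %s", c.CertCN)
	}
	a.counts[c.CertCN]++
	return nil
}

func main() {
	a := NewAuthorizer(100, time.Minute)
	dev := Connection{CertCN: "sensor-42", ClientID: "sensor-42"} // constructed device
	fmt.Println(a.AllowPublish(dev, "devices/sensor-42/telemetry")) // <nil>
}
```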

AWS resources

AWS provides the following assets and services to help you authenticate and manage access:
• Security and Identity for AWS IoT
• Amazon Cognito
• AWS Identity and Access Management (IAM)
• Deploy Secrets to the AWS IoT Greengrass Core

3. Use cryptographic network protocols
• Protect the confidentiality and integrity of inbound and outbound short- and long-range network communication channels that you use for data transfers, monitoring, administration, provisioning, and deployments.
• Protect the integrity of data, regardless of classification level, by using cryptographic network protocols to detect any unauthorized modification.
• For resource-constrained devices that cannot support cryptographic network protocols, limit their network activity to short-range connections within the network-level trust boundaries identified in your threat model.
• Employ open, standard cryptographic network protocols that the security community publicly and continuously vets and peer-reviews. Using cryptographic primitives such as one-way hash functions or encryption functions on their own cannot replace cryptographic protocols for protecting data in transit. Cryptographic protocols take into account the contextual information required to enforce transport security controls: recipient authentication, secure cryptographic key exchange or negotiation, message order integrity, and verification of successful message delivery.

AWS resources

AWS provides the following assets and services to help you encrypt your network traffic:
• AWS IoT SDKs, to help you securely and quickly connect your devices to AWS IoT
• Amazon FreeRTOS Libraries, to provide additional functionality to the FreeRTOS kernel and its internal libraries

4. Create continuous update and deployment mechanisms
• Use cryptographic network protocols for transferring deployment artifacts.
• Apply and verify digital signatures on distributed deployment artifacts.
• Apply a default configuration that deploys security updates and patches automatically.
• Employ authentication and access controls on deployment artifact repositories and their distribution systems.
• Maintain an inventory of the deployed software across your IoT ecosystem, including versions and patch status.
• Monitor the status of deployments throughout your IoT ecosystem and investigate any failed or stalled deployments.
• Use version control mechanisms to prevent unauthorized actors from forcing firmware or software downgrades.
• Maintain notification mechanisms to immediately alert stakeholders when your infrastructure can't deploy security updates to your fleet.
• Create mechanisms to identify and replace constrained devices that are not capable of receiving updates.
• Create detection and response mechanisms to handle unauthorized changes in deployed software or firmware.
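
As an added example, not code from this post or from AWS, here is a minimal signed-manifest check a device could run before installing an update; it covers the signature, anti-downgrade and unauthorized-change bullets above. The Manifest layout and the use of Ed25519 are assumptions made here, not the FreeRTOS OTA or AWS IoT Jobs format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Manifest is a constructed layout for this example, not the AWS IoT Jobs or FreeRTOS OTA format.
type Manifest struct {
	Version uint32   // must increase with every release
	Digest  [32]byte // SHA-256 of the artifact bytes
	Sig     []byte   // Ed25519 signature over signedBytes(Version, Digest)
}

// signedBytes is the canonical byte string that is signed and verified.
func signedBytes(version uint32, digest [32]byte) []byte {
	return append([]byte(fmt.Sprintf("v%d:", version)), digest[:]...)
}

// NewSigningKeys makes the release key pair; only the public half ships in the device image.
func NewSigningKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignManifest runs on the release system that holds the private key.
func SignManifest(priv ed25519.PrivateKey, version uint32, artifact []byte) Manifest {
	d := sha256.Sum256(artifact)
	return Manifest{Version: version, Digest: d, Sig: ed25519.Sign(priv, signedBytes(version, d))}
}

// VerifyUpdate runs on the device before flashing: it rejects forged or edited manifests, downgrades and replays, and modified images.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, m Manifest, artifact []byte) error {
	if !ed25519.Verify(pub, signedBytes(m.Version, m.Digest), m.Sig) {
		return fmt.Errorf("manifest signature invalid")
	}
	if m.Version <= installed {
		return fmt.Errorf("downgrade rejected: manifest v%d, installed v%d", m.Version, installed)
	}
	if sha256.Sum256(artifact) != m.Digest {
		return fmt.Errorf("artifact digest mismatch: image was modified")
	}
	return nil
}

func main() {
	pub, priv := NewSigningKeys()
	img := []byte("constructed firmware image v2") // stand-in for a real image
	fmt.Println("v1 -> v2:", VerifyUpdate(pub, 1, SignManifest(priv, 2, img), img)) // <nil>
}
```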

AWS resources

AWS provides the following assets and services to help you organize and maintain a continuous development and deployment pipeline:
• Amazon FreeRTOS Over-the-Air Updates
• OTA Updates of AWS IoT Greengrass Core Software
• AWS IoT Jobs, to define a set of remote operations that you send to and execute on one or more devices connected to AWS IoT
• AWS Release Notes

5. Deploy security auditing and monitoring mechanisms
• Deploy auditing and monitoring mechanisms to continuously collect and report activity metrics and logs from across your IoT ecosystem.
• Monitor on-device and related off-device activities, such as network traffic and entry points, process execution, and system interactions, for any unexpected behavior.
• Maintain and regularly exercise a security incident response plan along with containment and recovery mechanisms. The plan should match the technical skill level of the operators of your IoT elements and their deployment and ownership model.

AWS resources

AWS provides the following assets and services to help you monitor your security at varying levels:
• AWS IoT Device Defender, to secure your fleet of IoT devices
• Monitoring AWS IoT with CloudWatch Logs, to centralize the logs from all of your systems, applications, and AWS services that you use, in a single, highly scalable service
• Logging AWS IoT API Calls with AWS CloudTrail, to provide a record of actions taken by a user, a role, or an AWS service in AWS IoT
• Monitoring with AWS IoT Greengrass Logs
• Amazon GuardDuty, to continuously monitor for malicious activity and unauthorized behavior to protect your AWS accounts and workloads
• AWS Security Incident Response Guide

6. Build continuous health checks for security mechanisms
• Continuously check that your security controls and systems are intact by using mechanisms such as canary tests.
• Verify that security controls prevent unauthorized access and maintain their integrity in the event of external dependency or internal system failures.
• Test your IoT devices to ensure that they maintain their security controls in the event of failures such as:
o Low or fluctuating battery power
o Low memory or processing resources
o Malfunctioning physical sensors or other attached devices
o Ingestion of malformed inputs, including sensed data
o Absence of network connection or intermittent connectivity

AWS resources

AWS provides the following assets and services to help you monitor the integrity of your security apparatus:
• AWS IoT Device Defender
• AWS Config, to assess, audit, and evaluate the configurations of your AWS resources
• Amazon CloudWatch

7. Proactively assess the impact of potential security events
• Create and maintain a threat model that encompasses all assets and systems across your IoT ecosystem.
• Identify and measure the impact of a security event on your IoT devices, their sensed environment and actuation systems, their associated on-premises and cloud infrastructure, human operators, and supply chain systems and processes.
• Consider different elements of security events, such as scale, sophistication, and level of unauthorized access, to assess potential impact and create corresponding in-depth layers of prevention, detection, containment, and recovery.
• Provision your devices and field gateways with credentials that grant only the required privileges.

AWS resources

AWS provides the following assets to help you determine the effects of a security breach:
• AWS Shared Responsibility Model for security and compliance

8. Minimize the attack surface of your IoT ecosystem
• Identify and eliminate unused entry points on your devices, field gateways, and backend systems.
• Disable unused device sensors, actuators, services, or their unused functions.
• Disable unused functionality or insecure-by-default configurations in your dependencies.
• Use the least possible number of dependencies, such as third-party libraries and network services.
• Employ secure-by-default configurations across your IoT ecosystem.
• Only add well-maintained dependencies, and establish a mechanism to keep them up to date.
• Regularly review and identify attack surface minimization opportunities as your IoT ecosystem evolves.

AWS resources

AWS provides the following assets and services to help you analyze and reduce your attack surface:
• AWS Cloud Security
• Security and Identity for AWS IoT
• AWS IoT Greengrass Security
• AWS Well-Architected Framework, IoT Lens, a document that covers commonly encountered IoT use cases and identifies key solution elements to ensure that your workload architecture uses established best practices

9. Avoid unnecessary data access, storage, and transmission
• Identify and classify the data collected throughout your IoT ecosystem and learn its corresponding business use case.
• Identify and act on opportunities to stop collecting unused data or to adjust its granularity and retention time.
• Consider using tokenization and one-way cryptographic hashing wherever you don't need specific data in its entirety.
• Consider using asymmetric cryptography to protect data at rest on IoT devices and on devices that are only responsible for temporarily collecting and batching data and periodically submitting it to other systems for processing.
• Only store and transmit data to central systems with strong ownership and strict security controls.
• Follow the principle of least privilege in granting access to any collected data.
• Identify and consider the unique capabilities of your IoT devices. These could include mobility, actuation, sensory data collection and transmission, and ownership transfers that affect your regulatory and legal compliance.
• Consider the privacy and transparency expectations of your customers and the corresponding legal requirements in the jurisdictions where you manufacture, distribute, and operate your IoT devices and systems.

AWS resources

AWS provides the following assets and services to help you limit access to data and other resources:
• AWS Data Privacy
• AWS Privacy Notice
• AWS Compliance Programs and Offerings
• AWS Compliance Solutions Guide

10. Monitor vulnerability disclosure and threat intelligence sources
• Stay informed about disclosed vulnerabilities and the adversarial techniques, tactics, and procedures used in recent attack campaigns, and assess their impact on the security of your IoT ecosystem.
• Correlate information from vulnerability disclosures and threat intelligence with auditing events, configuration, and metadata from your IoT ecosystem. This way, you can detect any trends of involvement or abuse of your infrastructure in the context of ongoing adversarial campaigns.
• Create a vulnerability disclosure program for your IoT solutions to facilitate engagement with security researchers and their responsible disclosure of potential security issues.

AWS resources

AWS provides the following assets and services to help you keep up to date on security news:
• AWS Security Bulletins

Conclusion
This post reviewed some of the best practices for keeping your IoT infrastructure secure. I hope
this helps guide you in your efforts to protect your IoT devices, their connectivity, and the data
that they generate. To learn more about how AWS IoT services help you achieve end-to-end
security for your IoT solutions, check out the on-demand webinar, Securing Your Devices from
the Edge to the Cloud.

If you have your own best practices for maintaining IoT security, comment here to share your
insights.
