Securing IoT Connected Device Applications
Ian Massingham, Technology Evangelist, AWS (IanMmmm)
IoT isn’t a new use-case for AWS
• Amazon SNS: Mobile Push and Notifications
• Amazon DynamoDB: Predictable and Scalable NoSQL Data Store
• AWS Lambda: Run Code in Response to Events
• Amazon Redshift: Petabyte-Scale Data Warehouse
• Amazon API Gateway: Build, Deploy, and Manage APIs
• Amazon Kinesis: Streaming Analytics
• Amazon Cognito: User Identity and Data Synchronization
• …and more
AWS IoT: simplify and accelerate IoT development
The same services as above, plus:
• AWS IoT: Connect Devices to the Cloud
AWS IoT
“Securely connect one or one billion devices to AWS, so they can interact with applications and other devices”
Device on the local network: http://192.168.1.200:8080
The same device exposed on a public address: http://192.168.1.200:8080 → http://a.public.address:8080
DADDY, WHERE DO BOTNETS COME FROM?
It doesn’t have to be this way
http://192.168.1.200:8080
IoT Security: One Slide Primer
• Variably-constrained devices
• Variably-constrained environments and networks
• Remote locations, variable physical security
• Diverse IoT market segments and threat models
• Variable criticality of the IoT applications
Start with a threat model
Safety
Bad things can happen in the real world
How can we defend against these threats?
Secure Communications with Things
Strong Thing Identity
Fine-grained Authorisation for:
• Thing Management (control plane)
• Pub/Sub Data Access (data plane)
• Access to Services (to add features)
Secure Communications with Things
Mutual TLS Authentication
With mutual TLS the device verifies the AWS IoT endpoint’s certificate and the endpoint verifies the device’s certificate during the handshake, so both sides are authenticated before any MQTT traffic flows.
Public Key Cryptography Options
For the same number of bits of security, ECC keys are much smaller than RSA keys:

| Symmetric key size (bits) | RSA key size (bits) | Elliptic curve key size (bits) |
|---|---|---|
| 80 | 1024 | 160 |
| 112 | 2048 | 224 |
| 128 | 3072 | 256 |
| 192 | 7680 | 384 |
| 256 | 15360 | 512 |
https://aws.amazon.com/blogs/iot/elliptic-curve-cryptography-and-forward-secrecy-support-in-aws-iot-3/
Communicating with non-things (Humans)
How we implement this

| | MQTT + mutual-authentication TLS | AWS authentication + HTTPS |
|---|---|---|
| Server authentication | TLS + certificate | TLS + certificate |
| Client authentication | TLS + certificate | AWS API keys |
| Confidentiality | TLS | TLS |
| Protocol | MQTT | HTTP |
Strong Thing Identity
X.509 Certificates
Each thing authenticates with its own X.509 certificate and private key; device certificates can be registered just-in-time on first connection rather than pre-registered one by one (see the post below).
https://aws.amazon.com/blogs/iot/just-in-time-registration-of-device-certificates-on-aws-iot/
Fine Grained Authorisation
AWS IoT authorisation is applied in three scopes: the control plane (thing management), the data plane (pub/sub), and service access.
Applying Permissions to Thing Management

Allow an operator to manage certificates (IAM policy):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageCerts",
      "Action": [
        "iot:CreateKeysAndCertificate",
        "iot:CreateCertificateFromCsr",
        "iot:DescribeCertificate",
        "iot:UpdateCertificate",
        "iot:DeleteCertificate",
        "iot:ListCertificates"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
```

Allow revoking (updating the status of) a single certificate, and only from one source address:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RevokeOneThing",
      "Action": ["iot:UpdateCertificate"],
      "Effect": "Allow",
      "Resource": "arn:aws:iot:us-east-1:123456972007:cert/d7677b0…SNIP…026d9",
      "Condition": {
        "IpAddress": { "aws:SourceIp": "192.168.42.54" }
      }
    }
  ]
}
```
Allowing/Denying Access to MQTT Topics

A device policy that lets one thing connect, update its own shadow, and subscribe to its own shadow topics. iot:Subscribe is evaluated against a topicfilter ARN while iot:Receive is evaluated per delivered message against a topic ARN, so the two take separate resources:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iot:Connect"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Publish"],
      "Resource": ["arn:aws:iot:us-east-1:123456972007:topic/$aws/things/MyThing/shadow/update"]
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Subscribe"],
      "Resource": ["arn:aws:iot:us-east-1:123456972007:topicfilter/$aws/things/MyThing/shadow/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Receive"],
      "Resource": ["arn:aws:iot:us-east-1:123456972007:topic/$aws/things/MyThing/shadow/*"]
    }
  ]
}
```

iot:Connect on Resource "*" lets this certificate connect with any client ID; scope it to arn:aws:iot:us-east-1:123456972007:client/MyThing (or a policy variable) so a leaked key cannot be used to impersonate another thing.
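To see what such statements actually permit before attaching them, the following is an added example, not AWS code or code from the talk: a small evaluator that models the AWS IoT policy rules exercised here (explicit Deny over Allow, `*` wildcards in Action and Resource, default deny, and the policy variables `${iot:ClientId}` and `${iot:Connection.Thing.ThingName}`). It checks the per-thing policy above and a tighter fleet-wide variant in which the client ID must match the thing the certificate is attached to. The `ctx` dictionary standing in for the connection, the thing names, and the deny on shadow deletion are assumptions for illustration; the real service evaluates more than this model does.

```python
"""Added example (not AWS code): minimal evaluator for AWS IoT Core policies.

Modelled: Allow/Deny statements with explicit Deny overriding Allow, '*' in
Action and Resource matching any run of characters, the policy variables
${iot:ClientId} and ${iot:Connection.Thing.ThingName} resolved from the
connection context, and default deny when nothing matches.
Region and account id are the slide's; thing names are constructed samples.
"""
import re

REGION, ACCOUNT = "us-east-1", "123456972007"   # from the slide's ARNs


def arn(kind, name):
    return f"arn:aws:iot:{REGION}:{ACCOUNT}:{kind}/{name}"


def _glob(pattern, value):
    """'*' matches any characters (including '/'); everything else is literal."""
    rx = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(rx, value) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _resolve(resource, ctx):
    """Substitute policy variables; an unresolvable variable can never match
    (e.g. the thing-name variable when the cert is not attached to a thing)."""
    for var, key in (("${iot:ClientId}", "client_id"),
                     ("${iot:Connection.Thing.ThingName}", "thing_name")):
        if var in resource:
            if key not in ctx:
                return None
            resource = resource.replace(var, ctx[key])
    return resource


def evaluate(policy, action, resource, ctx=None):
    """True if `action` on `resource` is allowed for a connection with `ctx`."""
    ctx = ctx or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_glob(a, action) for a in _as_list(stmt["Action"])):
            continue
        res = [_resolve(r, ctx) for r in _as_list(stmt["Resource"])]
        if not any(r is not None and _glob(r, resource) for r in res):
            continue
        if stmt["Effect"] == "Deny":
            return False            # explicit deny wins regardless of order
        allowed = True
    return allowed


# The per-thing policy from the slide (Receive on a topic ARN).
SHADOW_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iot:Connect", "Resource": "*"},
    {"Effect": "Allow", "Action": "iot:Publish",
     "Resource": arn("topic", "$aws/things/MyThing/shadow/update")},
    {"Effect": "Allow", "Action": "iot:Subscribe",
     "Resource": arn("topicfilter", "$aws/things/MyThing/shadow/*")},
    {"Effect": "Allow", "Action": "iot:Receive",
     "Resource": arn("topic", "$aws/things/MyThing/shadow/*")},
]}

# Tighter fleet-wide variant (assumption for illustration): the client id must
# equal the thing the certificate is attached to, so a stolen key cannot
# impersonate another thing, and shadow deletion is explicitly denied.
THING = "${iot:Connection.Thing.ThingName}"
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iot:Connect", "Resource": arn("client", THING)},
    {"Effect": "Allow", "Action": "iot:Publish",
     "Resource": arn("topic", f"$aws/things/{THING}/shadow/*")},
    {"Effect": "Deny", "Action": "iot:Publish",
     "Resource": arn("topic", f"$aws/things/{THING}/shadow/delete")},
    {"Effect": "Allow", "Action": "iot:Subscribe",
     "Resource": arn("topicfilter", f"$aws/things/{THING}/shadow/*")},
    {"Effect": "Allow", "Action": "iot:Receive",
     "Resource": arn("topic", f"$aws/things/{THING}/shadow/*")},
]}


def decisions():
    """The checks a practitioner would run before attaching either policy."""
    me = {"client_id": "MyThing", "thing_name": "MyThing"}
    spoof = {"client_id": "OtherThing", "thing_name": "MyThing"}
    return {
        "slide_publish_own_shadow": evaluate(SHADOW_POLICY, "iot:Publish",
            arn("topic", "$aws/things/MyThing/shadow/update")),
        "slide_publish_other_shadow": evaluate(SHADOW_POLICY, "iot:Publish",
            arn("topic", "$aws/things/OtherThing/shadow/update")),
        "slide_subscribe_delta": evaluate(SHADOW_POLICY, "iot:Subscribe",
            arn("topicfilter", "$aws/things/MyThing/shadow/update/delta")),
        "slide_connect_any_client_id": evaluate(SHADOW_POLICY, "iot:Connect",
            arn("client", "OtherThing")),
        "scoped_connect_as_self": evaluate(SCOPED_POLICY, "iot:Connect",
            arn("client", "MyThing"), me),
        "scoped_connect_as_other": evaluate(SCOPED_POLICY, "iot:Connect",
            arn("client", "OtherThing"), spoof),
        "scoped_connect_cert_not_attached": evaluate(SCOPED_POLICY, "iot:Connect",
            arn("client", "MyThing"), {"client_id": "MyThing"}),
        "scoped_publish_update": evaluate(SCOPED_POLICY, "iot:Publish",
            arn("topic", "$aws/things/MyThing/shadow/update"), me),
        "scoped_publish_delete": evaluate(SCOPED_POLICY, "iot:Publish",
            arn("topic", "$aws/things/MyThing/shadow/delete"), me),
    }


if __name__ == "__main__":
    for name, ok in decisions().items():
        print(f"{name:34} {'ALLOW' if ok else 'DENY'}")
```

The per-thing policy stops cross-thing publishing as intended, but its Connect statement accepts any client ID; the scoped variant refuses both a mismatched client ID and a certificate that is not attached to a thing, and the Deny statement overrides the broader Allow on the shadow topics.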
Hardware Security (Private Key & Platform Protection)
Keep the device private key in a secure element so it is generated on, and never leaves, the hardware; a key that can be copied off the device can be used to impersonate it.
IoT Gateways
Atmel Zero Touch Secure Provisioning Kit
If you spend a lot of time on securing your IoT applications, you’re not spending time solving problems for your customers.
So don’t build a platform, unless you’re building a platform. In which case, fine, build a platform.
Building ‘Hello World’ (for IoT Developers)
Turns out, developers are creative
Sassy Ping Pong Score Keeper
Source: https://www.hackster.io/youngd/ping-pong-showdown-eabaed
Slack-powered Doorbell
Source: www.theatlantic.com/notes/2016/07/make-every-week-2-a-silent-slack-powered-doorbell/490880/
Emergency Sweetgreen Ordering
Source: http://www.andrewmcgill.me/2016/08/19/make-every-week-sweetgreen-salad-button.html
Push a button to get directions to the right meal within your budget. (Integrate time of day, weather, Google Directions, Yelp, and Stripe)
Source: https://medium.com/@_adeel/nerding-out-with-the-amazon-iot-button-84a6e14b6b28#.ekd5hsnez
How does it work?
A rule in AWS IoT can route a message to:
• Invoke a Lambda function
• Put an object in an S3 bucket
• Insert, update or read from a DynamoDB table
• Publish to an SNS topic or endpoint
• Publish to a Kinesis stream
• Kinesis Firehose → Redshift
• Republish to AWS IoT
But wait, I live in Europe and I want to do this. Right now!
HARDWARE YOU WILL (& MIGHT) NEED
• A Raspberry Pi
• Electronics kit: try the SunFounder 37 modules Sensor Kit v2.0 for Raspberry Pi 3, 2, Model B+ with 40-Pin GPIO Extension Board & Jump Wires (http://www.amazon.co.uk/dp/B014PF05ZA), which comes with example tutorials
• Raspberry Pi Sense HAT (optional fun): https://www.raspberrypi.org/products/sense-hat/
SETTING UP FOR GPIO/SENSE HAT
• Your own electronics/sensor build in C (embedded C): WiringPi, http://wiringpi.com
• Python wrapper module for WiringPi: https://github.com/WiringPi/WiringPi-Python
• For the Sense HAT, the Python module: https://github.com/RPi-Distro/python-sense-hat
SETTING UP FOR AWS IOT
Use the AWS Console to create your device
Download the required crypto materials & save the C header file contents with your endpoint, cert, and key details
Download & set up your chosen AWS IoT SDK: https://aws.amazon.com/iot/sdk/
Building the C SDK on the Raspberry Pi requires the CppUTest library from: https://github.com/cpputest/cpputest/releases/tag/v3.6
Get started with the sample applications that come with the AWS SDKs
EXAMPLES & DEMOS
Emulating the AWS IoT Button (C++) https://github.com/ianmas-aws/iot-button-emulator
Controlling the Sense Hat via AWS IoT Device Shadow (Python) https://github.com/ianmas-aws/PiPyIoT
Go Build, Have Fun
Ian Massingham Technology Evangelist, AWS
IanMmmm
Alert Someone: AWS IoT to AWS Lambda to SNS
Diagram: Button (private key & certificate, IoT policy, SDK) → AWS IoT rules engine, rule "Select * from 'iotbutton/+'" → action invokes a Lambda function (event source; execution role policy) → SNS topic (permission) → topic subscription delivers an SMS or email.
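The rule above selects every message published under iotbutton/+, and the Lambda function decides what to do with it. The following is an added example, not code from the talk, modelling that pipeline offline: an MQTT topic-filter matcher for the rule, the rule extended to `SELECT *, topic(2) AS topicSerial FROM 'iotbutton/+'` so the serial number is taken from the topic (which the publishing device's IoT policy constrains) rather than from the payload (which any publisher can set), and a handler that checks the two agree and the device is known before alerting. The allowlist, serial numbers and the `publish` callable standing in for the SNS client are constructed assumptions.

```python
"""Added example (not code from the talk): AWS IoT Button rule -> Lambda -> SNS,
modelled offline.

The IoT Button publishes JSON to iotbutton/<serialNumber>. The rule
    SELECT *, topic(2) AS topicSerial FROM 'iotbutton/+'
selects the payload and adds the serial taken from the topic name. The handler
trusts the topic-derived serial (bounded by the publishing device's policy),
not the payload's serialNumber field, which any publisher could set.
"""
import json

# Constructed allowlist of provisioned buttons -> who to alert (hypothetical)
KNOWN_BUTTONS = {"G030JF000000001": "front-desk", "G030JF000000002": "lab-door"}


def topic_matches(filter_, topic):
    """MQTT topic filter match: '+' matches one level, '#' matches the rest."""
    f, t = filter_.split("/"), topic.split("/")
    for i, part in enumerate(f):
        if part == "#":
            return True
        if i >= len(t) or (part != "+" and part != t[i]):
            return False
    return len(f) == len(t)


def apply_rule(topic, payload):
    """Model of SELECT *, topic(2) AS topicSerial FROM 'iotbutton/+'.
    Returns the event handed to Lambda, or None if the rule does not fire."""
    if not topic_matches("iotbutton/+", topic):
        return None
    event = dict(json.loads(payload))
    event["topicSerial"] = topic.split("/")[1]   # topic(n) is 1-based in IoT SQL
    return event


def handler(event, publish):
    """Lambda entry point; `publish(subject, message)` stands in for sns.publish."""
    serial = event.get("topicSerial")
    if serial not in KNOWN_BUTTONS:
        return {"status": "ignored", "reason": "unknown device"}
    if event.get("serialNumber") != serial:
        return {"status": "ignored", "reason": "payload/topic serial mismatch"}
    if event.get("clickType") not in ("SINGLE", "DOUBLE", "LONG"):
        return {"status": "ignored", "reason": "bad clickType"}
    msg = (f"{KNOWN_BUTTONS[serial]}: {event['clickType']} press "
           f"(battery {event.get('batteryVoltage', '?')})")
    publish("IoT button alert", msg)
    return {"status": "sent", "message": msg}


def run_pipeline(topic, payload):
    """Run rule + handler; returns (handler result, list of published messages)."""
    sent = []
    event = apply_rule(topic, payload)
    if event is None:
        return {"status": "no rule match"}, sent
    return handler(event, lambda subject, msg: sent.append((subject, msg))), sent


if __name__ == "__main__":
    # Constructed sample payloads: a genuine press, and a payload claiming
    # another button's serial from a topic it was allowed to publish to.
    genuine = '{"serialNumber":"G030JF000000001","batteryVoltage":"1684mV","clickType":"SINGLE"}'
    spoofed = '{"serialNumber":"G030JF000000001","batteryVoltage":"1684mV","clickType":"SINGLE"}'
    print(run_pipeline("iotbutton/G030JF000000001", genuine))
    print(run_pipeline("iotbutton/G030JF000000002", spoofed))
```

The same check applies to the DynamoDB and external-endpoint variants that follow: whatever the rule routes to, the identity of the device should come from the topic the policy let it publish on, not from the message body.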
Count items or Track Usage: AWS IoT to DynamoDB to Dashboard
Diagram: Button (private key & certificate, IoT policy, SDK) → AWS IoT rules engine, rule "Select * from 'iotbutton/+'" → action writes to a DynamoDB table; a dashboard hosted as an S3 website reads it through API Gateway and a Lambda function (event source; execution role policy, permission).
Start or Stop Something: AWS IoT to AWS Lambda to an External Endpoint
Diagram: Thing/device (private key & certificate, IoT policy, SDK) → AWS IoT rules engine, rule "Select * from 'iotbutton/+'" → action invokes a Lambda function (execution role policy, permission) → external API endpoint (LifX API).