Streamline IoT Certificate Management with AWS IoT Device Defender's Extended Expiry Checks

7 minute read
Content level: Advanced

AWS IoT Device Defender now supports two key audit checks:

  1. DEVICE_CERTIFICATE_EXPIRING_CHECK for upcoming expirations
  2. DEVICE_CERTIFICATE_AGE_CHECK (new) for long-used certificates

Both checks support thresholds from 30 days to 10 years, enabling organizations to align monitoring with their security policies.

This article explores how to combine these insights with automated certificate rotation to build a scalable and secure IoT certificate management approach.

Introduction

IoT security is a major concern for organizations running large fleets, and one of the most basic requirements is keeping device certificates valid and current. An expired certificate stops a device from authenticating to the cloud, which means lost telemetry and an unreachable device; a certificate left in use for years widens the window in which a leaked or extracted private key remains usable. Both outcomes carry security, availability and compliance risk.

AWS IoT Core uses X.509 client certificates for mutual TLS authentication between devices and the cloud, so only devices holding a registered, active certificate can connect to AWS IoT services. Certificates are registered in the AWS IoT Core registry and must be managed through their whole lifecycle: issuance, activation, rotation and revocation. That is hard at scale, and especially hard in industries where devices stay offline for long periods, for example automotive (vehicles parked or in storage), industrial manufacturing (remote monitoring equipment in isolated locations), healthcare (portable or standby medical devices), utilities (smart meters in rural areas) and agriculture (seasonal sensors and equipment on remote farms).

AWS IoT Device Defender offers a suite of audit checks to help organizations maintain strong security practices across their IoT fleets. Two key checks that support certificate lifecycle management are DEVICE_CERTIFICATE_EXPIRING_CHECK and the newly introduced DEVICE_CERTIFICATE_AGE_CHECK, each addressing distinct operational needs.

  • DEVICE_CERTIFICATE_EXPIRING_CHECK monitors certificates that are nearing their expiration date. It allows organizations to proactively detect certificates that will expire within a configurable time window—now extended from a previously fixed 30 days to up to 10 years. This is particularly valuable in scenarios where devices may be offline for long durations or where advance planning is critical, such as in automotive or industrial environments with scheduled maintenance windows.

  • DEVICE_CERTIFICATE_AGE_CHECK, on the other hand, flags certificates that have been in use beyond a specified duration, regardless of their expiration date. This check supports a configurable threshold ranging from 30 days up to 10 years, giving organizations the flexibility to define rotation windows that align with their internal policies. This is ideal for organizations that use long-lived certificates (e.g., valid for 10–15 years) but enforce internal rotation policies (e.g., rotate every 12 months) to reduce security exposure and align with compliance requirements.

By combining these two checks, AWS gives organizations the flexibility to track both when certificates will expire and how long they’ve been in use, enabling more robust certificate rotation strategies. These capabilities help reduce the risk of expired or overused credentials, ensure continuous device authentication, and maintain operational continuity/compliance across large, distributed IoT deployments.
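To make the difference between the two checks concrete, here is an added example (not Device Defender's own evaluation code) that estimates which certificates the next audit would flag for a given pair of thresholds. The input dicts use the field names boto3's iot.describe_certificate returns (certificateId, creationDate, validity.notAfter); the sample fleet is constructed, and the exact boundary semantics (<= for expiry, >= for age) are an assumption, since the article does not state them.

```python
from datetime import datetime, timedelta, timezone

# Fixed "today" so the example is reproducible; use datetime.now(timezone.utc) for live data.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)


def days(n):
    return timedelta(days=n)


# Constructed sample fleet in the shape of iot.describe_certificate()["certificateDescription"]
# (only the fields the two checks need are included).
SAMPLE_FLEET = [
    # 13-year cert in use for 14 months: fine by expiry, over a 12-month rotation policy
    {"certificateId": "meter-001", "creationDate": NOW - days(425),
     "validity": {"notAfter": NOW + days(13 * 365)}},
    # one-year cert with 20 days left, in use 345 days
    {"certificateId": "pump-017", "creationDate": NOW - days(345),
     "validity": {"notAfter": NOW + days(20)}},
    # freshly provisioned one-year cert
    {"certificateId": "sensor-42", "creationDate": NOW - days(10),
     "validity": {"notAfter": NOW + days(355)}},
    # expired 70 days ago (vehicle parked in storage)
    {"certificateId": "vehicle-9", "creationDate": NOW - days(800),
     "validity": {"notAfter": NOW - days(70)}},
]


def failed_checks(cert, expiring_days, age_days, now=NOW):
    """Return the check names this certificate would fail at the given thresholds.
    Boundary semantics (<=, >=) are an assumption; the article does not state them."""
    days_left = (cert["validity"]["notAfter"] - now).days
    days_in_use = (now - cert["creationDate"]).days
    failed = []
    if days_left <= expiring_days:      # negative days_left: already expired, still flagged
        failed.append("DEVICE_CERTIFICATE_EXPIRING_CHECK")
    if days_in_use >= age_days:         # looks only at time in use, never at notAfter
        failed.append("DEVICE_CERTIFICATE_AGE_CHECK")
    return failed


def audit_preview(fleet, expiring_days, age_days, now=NOW):
    """certificateId -> failed checks; compliant certificates are omitted."""
    preview = {}
    for cert in fleet:
        failed = failed_checks(cert, expiring_days, age_days, now)
        if failed:
            preview[cert["certificateId"]] = failed
    return preview


def load_fleet(iot):
    """Pull the real fleet with boto3 (not run in this example): iot = boto3.client("iot").
    boto3 returns creationDate and validity.notAfter as tz-aware datetimes, so the result
    can be passed straight to audit_preview(..., now=datetime.now(timezone.utc))."""
    fleet = []
    for page in iot.get_paginator("list_certificates").paginate():
        for summary in page["certificates"]:
            desc = iot.describe_certificate(certificateId=summary["certificateId"])
            fleet.append(desc["certificateDescription"])
    return fleet


if __name__ == "__main__":
    # 90-day expiry warning plus a 12-month rotation policy
    for cert_id, checks in audit_preview(SAMPLE_FLEET, 90, 365).items():
        print(cert_id, checks)
```

With a 90-day expiry threshold and a 365-day age threshold, meter-001 is flagged only by the age check even though it has more than twelve years of validity left, pump-017 only by the expiry check, and the long-expired vehicle-9 by both. Running the preview against the output of load_fleet before changing the thresholds shows how many findings (and rotation jobs) a new policy will generate.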

How to Configure – AWS Management Console

  1. Log in to the AWS Management Console and search for the AWS IoT Device Defender service.
  2. If audit checks are not yet enabled, click Automate IoT security audit.


  3. This creates a daily audit schedule named AWSIoTDeviceDefenderDailyAudit with all 17 audit checks enabled. Open Audit > Schedules to see it; click the audit to review the enabled checks and edit the checks or the schedule as required.


  4. Under Audit > Settings there is a new section, Additional audit configuration. Click Edit.


  5. Two independent thresholds can be set: Device Certificate Expiry, which raises a finding when a certificate is within the configured number of days of its expiration date, and Device Certificate Age, which raises a finding when a certificate has been in use for longer than the configured duration, regardless of its expiration date. Both accept any value between 30 and 3652 days (10 years). Click Update to save the configuration.

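The console steps above have an API counterpart, which is what you want when the thresholds are managed as code across accounts. The following is an added example, not code from the article: it validates the two thresholds against the 30 to 3652 day range the console accepts and builds the auditCheckConfigurations argument for boto3's update_account_audit_configuration. The configuration key names CERT_EXPIRATION_THRESHOLD_IN_DAYS and CERT_AGE_THRESHOLD_IN_DAYS are assumptions; confirm them against the current UpdateAccountAuditConfiguration API reference before relying on them.

```python
MIN_DAYS, MAX_DAYS = 30, 3652   # range the console accepts for both thresholds


def threshold_days(value):
    """Validate a threshold before sending it, so a typo fails here rather than in the API call."""
    if isinstance(value, bool) or not isinstance(value, int) or not MIN_DAYS <= value <= MAX_DAYS:
        raise ValueError(f"threshold must be an integer from {MIN_DAYS} to {MAX_DAYS} days, got {value!r}")
    return value


def audit_check_configurations(expiring_days, age_days):
    """Build the auditCheckConfigurations argument of UpdateAccountAuditConfiguration.
    The configuration key names below are assumptions; check the API reference."""
    return {
        "DEVICE_CERTIFICATE_EXPIRING_CHECK": {
            "enabled": True,
            "configuration": {"CERT_EXPIRATION_THRESHOLD_IN_DAYS": str(threshold_days(expiring_days))},
        },
        "DEVICE_CERTIFICATE_AGE_CHECK": {
            "enabled": True,
            "configuration": {"CERT_AGE_THRESHOLD_IN_DAYS": str(threshold_days(age_days))},
        },
    }


def apply_thresholds(iot, expiring_days, age_days):
    """Apply the two checks' configuration and read it back with DescribeAccountAuditConfiguration.
    Only these two checks are named in the request; use the returned map to confirm the
    values that are now in effect."""
    wanted = audit_check_configurations(expiring_days, age_days)
    iot.update_account_audit_configuration(auditCheckConfigurations=wanted)
    current = iot.describe_account_audit_configuration()["auditCheckConfigurations"]
    return {name: current.get(name) for name in wanted}


if __name__ == "__main__":
    import boto3   # imported here so the validation logic above runs without boto3 installed
    # 90-day expiry warning, 12-month rotation policy
    print(apply_thresholds(boto3.client("iot"), expiring_days=90, age_days=365))
```

The thresholds are validated client-side because a value outside 30 to 3652 days is rejected by the service anyway, and failing early with a clear message is friendlier in a deployment pipeline than an API error.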

Automated Certificate Rotation – A High-Level Overview

Alerts are only the first step; the value comes from automating rotation based on the findings. Manual certificate management across a large fleet is slow, error-prone and does not scale. With the extended DEVICE_CERTIFICATE_EXPIRING_CHECK and the new DEVICE_CERTIFICATE_AGE_CHECK feeding an automated workflow, renewals happen on time, the rotation policy is actually enforced, and security and compliance posture is maintained across the deployment.

Depending on device capabilities and connectivity patterns, AWS supports several rotation approaches. Devices that are regularly connected and can generate key pairs can initiate rotation themselves by sending a Certificate Signing Request (CSR) to AWS IoT Core. Alternatively, rotation can be triggered from the cloud: an automated workflow built from AWS IoT Device Defender, AWS Lambda, Amazon SNS and AWS IoT Core instructs the device to generate a CSR and completes the rotation. In both cases the private key is generated and kept on the device; only the CSR travels to the cloud. For devices that are offline for long periods or need provisioning on reconnect, AWS IoT Fleet Provisioning lets a device request and receive a new certificate when it comes back online. Together these approaches keep devices securely authenticated throughout their lifecycle, minimise downtime, reduce operational overhead and support scalable, policy-driven certificate management across diverse IoT environments.

The following steps outline the high-level workflow of the second approach: triggering certificate rotation from the cloud based on audit findings.

  1. DEVICE_CERTIFICATE_EXPIRING_CHECK and DEVICE_CERTIFICATE_AGE_CHECK in AWS IoT Device Defender identify certificates that are approaching expiration or have been in use longer than the configured threshold (both thresholds configurable between 30 and 3652 days).
  2. The audit notification is published to an Amazon SNS topic, which triggers an AWS Lambda function that coordinates the rotation workflow: it retrieves the non-compliant certificate IDs from the audit findings and maps each to the thing it is attached to.
  3. The Lambda function sends an MQTT message to a management topic, instructing the device to generate a new key pair and Certificate Signing Request (CSR).
  4. The device generates the key pair and CSR and publishes the CSR (the private key never leaves the device) to AWS IoT Core. An AWS IoT Core rule forwards it to a Lambda function, which calls AWS IoT Core to create a new certificate from the CSR and attaches the same IoT policy (and thing) that the expiring certificate had. The rule should carry the publisher's identity, for example with the principal() function in the rule's SQL, so the Lambda ties the CSR to the certificate the device actually authenticated with rather than trusting an identifier in the payload.
  5. The Lambda function returns the new certificate to the device as the payload of an MQTT message. The device stores it and opens a new MQTT session with the rotated credentials.
  6. Only after the device has successfully connected with the new certificate does the Lambda function deactivate and delete the old one. Retiring the old certificate first would lock out any device that failed to store or apply the new credentials.
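Steps 4 to 6 are where a rotation workflow most often goes wrong (policies not carried over, the old certificate deleted before the device has confirmed the new one, or a CSR accepted from the wrong device). The following is an added example of that part of the workflow, written as Lambda-style functions against boto3's 'iot' client method names; it is not the article's or AWS's own code. Everything runs offline against a constructed in-memory stand-in for the client (FakeIot); the topic names cert/rotate/request/+ and cert/rotate/result/<thing>, the message shapes, and the rule SQL quoted in handle_csr_message are assumptions. Swap FakeIot for boto3.client("iot") and publish the returned payload with boto3.client("iot-data").publish(topic=..., qos=1, payload=...) to run it for real.

```python
import json

# Constructed placeholder standing in for the PEM CSR the device publishes (not a real CSR).
DEMO_CSR = "-----BEGIN CERTIFICATE REQUEST-----\n(constructed placeholder)\n-----END CERTIFICATE REQUEST-----"


class FakeIot:
    """Constructed in-memory stand-in for the boto3 'iot' client calls used below."""

    def __init__(self):
        self.certs = {}   # certificateId -> {"arn", "status", "policies", "things"}
        self.issued = 0

    @staticmethod
    def _arn(cert_id):
        return f"arn:aws:iot:us-east-1:123456789012:cert/{cert_id}"

    def _by_arn(self, arn):
        return self.certs[arn.rsplit("/", 1)[1]]

    def add_existing(self, cert_id, policies, things, status="ACTIVE"):
        self.certs[cert_id] = {"arn": self._arn(cert_id), "status": status,
                               "policies": set(policies), "things": set(things)}

    def create_certificate_from_csr(self, certificateSigningRequest, setAsActive):
        self.issued += 1
        cert_id = f"new{self.issued:02d}"
        self.add_existing(cert_id, [], [], "ACTIVE" if setAsActive else "INACTIVE")
        pem = f"-----BEGIN CERTIFICATE-----\n(fake cert {cert_id})\n-----END CERTIFICATE-----"
        return {"certificateId": cert_id, "certificateArn": self._arn(cert_id), "certificatePem": pem}

    def describe_certificate(self, certificateId):
        c = self.certs[certificateId]
        return {"certificateDescription": {"certificateId": certificateId,
                                           "certificateArn": c["arn"], "status": c["status"]}}

    def list_attached_policies(self, target):
        return {"policies": [{"policyName": p} for p in sorted(self._by_arn(target)["policies"])]}

    def attach_policy(self, policyName, target):
        self._by_arn(target)["policies"].add(policyName)

    def detach_policy(self, policyName, target):
        self._by_arn(target)["policies"].discard(policyName)

    def list_principal_things(self, principal):
        return {"things": sorted(self._by_arn(principal)["things"])}

    def attach_thing_principal(self, thingName, principal):
        self._by_arn(principal)["things"].add(thingName)

    def detach_thing_principal(self, thingName, principal):
        self._by_arn(principal)["things"].discard(thingName)

    def update_certificate(self, certificateId, newStatus):
        self.certs[certificateId]["status"] = newStatus

    def delete_certificate(self, certificateId, forceDelete=False):
        # Mirrors the service: an ACTIVE certificate, or one still attached, cannot be deleted.
        c = self.certs[certificateId]
        if c["status"] == "ACTIVE" or c["things"] or (c["policies"] and not forceDelete):
            raise RuntimeError("DeleteConflictException: deactivate and detach the certificate first")
        del self.certs[certificateId]


def rotate_from_csr(iot, old_cert_id, csr_pem):
    """Step 4: issue a certificate from the device's CSR and carry over the old certificate's
    policies and thing attachments. The old certificate is deliberately left ACTIVE."""
    old_arn = iot.describe_certificate(certificateId=old_cert_id)["certificateDescription"]["certificateArn"]
    new = iot.create_certificate_from_csr(certificateSigningRequest=csr_pem, setAsActive=True)
    for policy in iot.list_attached_policies(target=old_arn)["policies"]:
        iot.attach_policy(policyName=policy["policyName"], target=new["certificateArn"])
    for thing in iot.list_principal_things(principal=old_arn)["things"]:
        iot.attach_thing_principal(thingName=thing, principal=new["certificateArn"])
    return new


def retire_certificate(iot, old_cert_id):
    """Step 6: run only once the device has connected with the new certificate.
    Order matters: deactivate, detach things and policies, then delete."""
    old_arn = iot.describe_certificate(certificateId=old_cert_id)["certificateDescription"]["certificateArn"]
    iot.update_certificate(certificateId=old_cert_id, newStatus="INACTIVE")
    for thing in iot.list_principal_things(principal=old_arn)["things"]:
        iot.detach_thing_principal(thingName=thing, principal=old_arn)
    for policy in iot.list_attached_policies(target=old_arn)["policies"]:
        iot.detach_policy(policyName=policy["policyName"], target=old_arn)
    iot.delete_certificate(certificateId=old_cert_id)


def handle_csr_message(iot, event):
    """Lambda handler behind an IoT rule assumed to be
    SELECT *, principal() AS cert_id, topic(4) AS thing_name FROM 'cert/rotate/request/+'
    cert_id is the certificate the device authenticated with, so a device cannot ask for
    the rotation of a certificate it does not hold. Returns the message to publish back."""
    new = rotate_from_csr(iot, event["cert_id"], event["csr"])
    return {"topic": f"cert/rotate/result/{event['thing_name']}",
            "payload": json.dumps({"certificateId": new["certificateId"],
                                   "certificatePem": new["certificatePem"]})}


def demo():
    """Seed one device whose certificate was flagged, then process its CSR message."""
    iot = FakeIot()
    iot.add_existing("old01", policies=["DevicePolicy"], things=["sensor-42"])
    event = {"cert_id": "old01", "thing_name": "sensor-42", "csr": DEMO_CSR}  # shape the rule produces
    return iot, handle_csr_message(iot, event)


if __name__ == "__main__":
    iot, reply = demo()
    print(reply["topic"], "->", sorted(iot.certs))
    retire_certificate(iot, "old01")    # only after the device reconnected with new01
    print("after retirement:", sorted(iot.certs))
```

Two design points are worth calling out. The old certificate is left ACTIVE by rotate_from_csr and only touched in retire_certificate, so a device that never receives or fails to persist the new credentials can still connect and retry; and the delete is ordered deactivate, detach, delete because the service rejects deletion of a certificate that is still active or attached. The result topic should be covered by the device's IoT policy so only the device whose CSR was processed can subscribe to it.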

For more details and guidance, refer to our previous blog post on automated certificate rotation.

Conclusion

As IoT ecosystems scale, managing the lifecycle of device certificates becomes not just a security requirement, but a foundational element of operational reliability. With the introduction of enhanced audit checks like DEVICE_CERTIFICATE_EXPIRING_CHECK and DEVICE_CERTIFICATE_AGE_CHECK, AWS IoT Device Defender now empowers organizations to monitor certificate health with greater flexibility and foresight. But visibility alone is not enough. The real transformation happens when these insights are paired with automated certificate rotation, enabling organizations to maintain continuous device authentication, meet compliance mandates, and reduce operational risks. Whether you're managing a handful of smart devices or millions across the globe, adopting automated, policy-driven certificate management is a critical step toward building a secure, resilient, and future-ready IoT infrastructure.

This article was co-authored by Rohit Rangnekar, Ryan Dsouza, Reetesh Varshney & Paritosh Mehta. If you have any questions please feel free to ask in the comments sections.