Hi Frank. If the device has a certificate that is registered with IoT Core, it may be able to connect, even without a corresponding Thing registered. This is because it can authenticate, but it doesn't necessarily mean it will be authorized to do anything. That depends on your use of AWS IoT policies.
In general, each device should have its own certificate and own private key. If the device has been securely provisioned, and the private key is securely held on the device, then only that device will be able to authenticate using that certificate. Best practices:
https://docs.aws.amazon.com/wellarchitected/latest/iot-lens/identity-and-access-management-iam.html
Ensure that each device has its own unique X.509 certificate in AWS IoT and that devices never share certificates (the one-certificate-per-device rule). In addition to using a single certificate per device, when using AWS IoT each device must have its own unique thing in the IoT registry, and the thing name is used as the basis for the MQTT ClientID in the MQTT connect.
You can attach an AWS IoT Policy to each certificate. You can then use AWS IoT policy variables to limit which devices can connect using that certificate. An example, taken from https://docs.aws.amazon.com/iot/latest/developerguide/connect-and-pub.html:
For a connection to be successful, the thing name must be registered in the AWS IoT Core registry and be authenticated using an identity or principal attached to the thing
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iot:Publish"],
      "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/${iot:Connection.Thing.ThingName}"]
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Connect"],
      "Resource": ["arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"]
    }
  ]
}
More information:
https://docs.aws.amazon.com/iot/latest/developerguide/iot-authorization.html
https://docs.aws.amazon.com/iot/latest/developerguide/iot-policy-variables.html
https://docs.aws.amazon.com/iot/latest/developerguide/example-iot-policies.html
https://aws.amazon.com/blogs/iot/understanding-the-aws-iot-security-model/
Additionally you may be interested in using AWS IoT Device Defender. It can audit your fleet helping you to detect any compromised devices.
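The provisioning flow the answer describes, as an added example that is not part of the answer or of the AWS documentation it quotes: one thing, one certificate with its own private key, a policy scoped with `${iot:Connection.Thing.ThingName}`, and the attachments that make that variable resolve. It goes a little beyond the quoted policy: it also scopes Subscribe and Receive to the device's own topic prefix and adds an `iot:Connection.Thing.IsAttached` condition on `iot:Connect`, so the client ID must name the thing that the connecting certificate is actually attached to, not just any thing registered in the account. It assumes the AWS CLI v2 configured with IoT permissions, `mosquitto_pub`, and `AmazonRootCA1.pem` in the working directory; the thing name `sensor-0001` and policy name `DevicePolicy` are hypothetical.

```sh
#!/usr/bin/env sh
# Added example, not code from the answer above. Provisions one device with its
# own certificate, binds that certificate to exactly one thing, and attaches a
# policy whose resources are scoped by thing policy variables. Assumes AWS CLI
# v2 with IoT permissions, mosquitto_pub, and AmazonRootCA1.pem in the working
# directory. Thing and policy names are hypothetical.

# Render the policy document. The policy variable is written as \${...} so the
# shell leaves it literal; AWS IoT resolves it at connect time. The IsAttached
# condition on iot:Connect requires the client ID to name the thing that this
# certificate is attached to, not just any thing registered in the account.
render_policy() {
  region=$1
  account=$2
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iot:Connect"],
      "Resource": ["arn:aws:iot:${region}:${account}:client/\${iot:Connection.Thing.ThingName}"],
      "Condition": { "Bool": { "iot:Connection.Thing.IsAttached": ["true"] } }
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Publish", "iot:Receive"],
      "Resource": [
        "arn:aws:iot:${region}:${account}:topic/\${iot:Connection.Thing.ThingName}",
        "arn:aws:iot:${region}:${account}:topic/\${iot:Connection.Thing.ThingName}/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Subscribe"],
      "Resource": ["arn:aws:iot:${region}:${account}:topicfilter/\${iot:Connection.Thing.ThingName}/*"]
    }
  ]
}
EOF
}

# Create the thing, a unique key pair and certificate for it, the per-account
# policy, and the two attachments (policy -> cert, thing -> cert) that make the
# policy variable resolve. Prints the certificate ARN.
provision_device() {
  thing=$1
  region=$(aws configure get region)
  account=$(aws sts get-caller-identity --query Account --output text)

  aws iot create-thing --thing-name "$thing" >/dev/null

  # One certificate per device. In production the private key is generated in
  # and never leaves the device's secure storage; it is written to a file here
  # only to keep the example self-contained.
  cert_arn=$(aws iot create-keys-and-certificate --set-as-active \
    --certificate-pem-outfile "$thing.cert.pem" \
    --public-key-outfile "$thing.public.key" \
    --private-key-outfile "$thing.private.key" \
    --query certificateArn --output text)

  render_policy "$region" "$account" > device-policy.json
  # create-policy fails if the policy already exists from an earlier run.
  aws iot create-policy --policy-name DevicePolicy \
    --policy-document file://device-policy.json >/dev/null 2>&1 || true

  aws iot attach-policy --policy-name DevicePolicy --target "$cert_arn"
  aws iot attach-thing-principal --thing-name "$thing" --principal "$cert_arn"
  echo "$cert_arn"
}

# Audit the binding: a device certificate should be attached to exactly one
# thing, and that thing name is the only MQTT client ID the policy admits.
things_for_certificate() {
  aws iot list-principal-things --principal "$1" --query things --output text
}

# Negative test: connecting with this device's certificate but another thing's
# name as client ID is rejected at CONNECT by the policy above; the same call
# with client_id equal to "$thing" succeeds.
try_connect() {
  thing=$1
  client_id=$2
  endpoint=$(aws iot describe-endpoint --endpoint-type iot:Data-ATS \
    --query endpointAddress --output text)
  mosquitto_pub -h "$endpoint" -p 8883 --cafile AmazonRootCA1.pem \
    --cert "$thing.cert.pem" --key "$thing.private.key" \
    -i "$client_id" -t "$thing/status" -m '{"ok":true}'
}

# Usage: sh provision.sh provision sensor-0001
if [ "${1:-}" = "provision" ] && [ -n "${2:-}" ]; then
  cert_arn=$(provision_device "$2")
  echo "attached things: $(things_for_certificate "$cert_arn")"
fi
```

After provisioning, `try_connect sensor-0001 sensor-0001` publishes, while `try_connect sensor-0001 some-other-thing` is refused at CONNECT even if `some-other-thing` exists in the registry, because that thing is not attached to the certificate the device presents. If `things_for_certificate` reports zero or more than one thing for a certificate, the `iot:Connection.Thing.*` variables will not behave as intended for that device.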
Thank you for all the details, I'll review these documents today.
As an FYI, I also had the device try sending using a name that IS assigned to another device -- and that worked too.