By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

IoT Core endpoint redirecting published to another account

0

We have several environments in IoT core for the shale of this questions let's call them dev and Staging. Dev environment has aaaaaaaa-ats.iot.eu-west-1.amazonaws.com endpoint and staging has bbbbbbbbb-ats.iot.eu-west-1.amazonaws.com endpoint. We have a device provisioned with JITP in dev environment which connects without any issue to dev environment as expected. Now, if we change the device endpoint to "bbbbbbb...." keeping dev certificates and we try to publish a message. The device connects to dev environment and we get the message in dev environment. Is this an expected behaviour?

Topics
Internet of Things (IoT)Security, Identity, & Compliance
Tags
AWS IoT CoreDevice SecurityIAM Policies
Language
English
rePost-User-4060457
asked a year ago372 views
2 Answers
1

Hi,

To ensure that the device connects to the account which corresponds to the specified endpoint, you need to:

  1. register the certificate in both accounts. This is called Multi Account Registration. Follow the instruction for registering a client certificate signed by an unregistered CA

  2. ensure the MQTT client you use sends the SNI extension

Regards,

Massimiliano

AWS
EXPERT
MassimilianoAWS
answered a year ago
0

I discussed this with one of my engineers in the past

I think It is not expected behavior for a device to be able to connect to the wrong environment (in this case, the "dev" environment) with the wrong endpoint (in this case, the "bbbbbbb...." endpoint that belongs to the "staging" environment).

When a device is provisioned with Just-in-Time Provisioning (JITP) in AWS IoT Core, it receives a unique X.509 certificate and private key that is used to authenticate the device when it connects to AWS IoT Core. The device also receives an endpoint URL that it should use to connect to AWS IoT Core.

If the device attempts to connect to the wrong endpoint URL, it will not be able to establish a connection with AWS IoT Core. The device should only be able to connect to the correct environment (either "dev" or "staging") using the correct endpoint URL for that environment.

It is possible that there may be some issue with the device or its configuration that is causing it to connect to the wrong environment. It would be helpful to check the device logs and configuration to try to determine the cause of the issue. @seekrsi

SeanSi
answered a year ago
  • Gavin_A
    a year ago

    If the device attempts to connect to the wrong endpoint URL, it will not be able to establish a connection with AWS IoT Core.

    For general certificates that do not use multi-account registration or the SNI field for connection, this actually will work. IoT Core will check the certificate id (hash) and determine which account it belongs to, and then if the policy allows, establish a connection to that AWS account regardless of the endpoint FQDN used.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content