By using AWS re:Post, you agree to the Terms of Use

How do Thing names work in IoT?

0

I'm a little confused about what a Thing's "name" really means in IoT services.

I created a Thing with a name ("thing1") and created a certificate for it at the same time. That certificate is only assigned to thing1.

I set up a client using the certificate, and it was able to connect to the IoT service and send shadow updates as "thing1". Then I tried having that device send shadow updates as "thing2" or "thing3". To my surprise, this worked, even though there is no "thing2" or "thing3" defined on my account.

I had planned to give each of my devices its own certificate and assumed that by having separate certificates, the devices would not be able to spoof another device. But this doesn't seem to be the case.

What's the recommended way to achieve the security I want?

  • As an FYI, I also had the device try sending using a name that IS assigned to another device -- and that worked too.

asked 6 months ago130 views
1 Answer
1
Accepted Answer

Hi Frank. If the device has a certificate that is registered with IoT Core, it may be able to connect, even without a corresponding Thing registered. This is because it can authenticate, but it doesn't necessarily mean it will be authorized to do anything. That depends on your use of AWS IoT policies.

In general, each device should have its own certificate and own private key. If the device has been securely provisioned, and the private key is securely held on the device, then only that device will be able to authenticate using that certificate. Best practices:

https://docs.aws.amazon.com/wellarchitected/latest/iot-lens/identity-and-access-management-iam.html

Ensure that each device has its own unique X.509 certificate in AWS IoT and that devices should never share certificates (one certificate for one device rule). In addition to using a single certificate per device, when using AWS IoT, each device must have its own unique thing in the IoT registry, and the thing name is used as the basis for the MQTT ClientID for MQTT connect.

You can attach an AWS IoT Policy to each certificate. You can use AWS IoT policy variables to then limit which devices can connect using that certificate. An example taken from https://docs.aws.amazon.com/iot/latest/developerguide/connect-and-pub.html

For a connection to be successful, the thing name must be registered in the AWS IoT Core registry and be authenticated using an identity or principal attached to the thing

{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action":["iot:Publish"],
        "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/${iot:Connection.Thing.ThingName}"]
      },
      {
        "Effect": "Allow",
        "Action": ["iot:Connect"],
        "Resource": ["arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"]
      }
    ]
}

More information:

https://docs.aws.amazon.com/iot/latest/developerguide/iot-authorization.html https://docs.aws.amazon.com/iot/latest/developerguide/iot-policy-variables.html https://docs.aws.amazon.com/iot/latest/developerguide/example-iot-policies.html https://aws.amazon.com/blogs/iot/understanding-the-aws-iot-security-model/

Additionally you may be interested in using AWS IoT Device Defender. It can audit your fleet helping you to detect any compromised devices.

profile picture
EXPERT
answered 6 months ago
  • Thank you for all the details, I'll review these documents today.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions