AWS IoT Core credential provider requires private key to be sent

0

I was reading through these docs and noticed that the steps to request a security token requires the client to send its private key to credential provider service.

curl --cert your certificate --key your device certificate key pair -H "x-amzn-iot-thingname: your thing name" --cacert AmazonRootCA1.pem https://your endpoint /role-aliases/your role alias/credentials

This is mentioned in these docs: https://docs.aws.amazon.com/iot/latest/developerguide/authorizing-direct-aws.html https://aws.amazon.com/blogs/security/how-to-eliminate-the-need-for-hardcoded-aws-credentials-in-devices-by-using-the-aws-iot-credentials-provider/

Looking at it superficially, I would think this is a security flaw and would defeat the purpose of using asymmetric keys in the first place.

Any help to help me understand what is going on is greatly appreciated.

1 Answer
0
Accepted Answer

Hi,

The private key is never sent to the Credential Provider. It is used to establish a mutual (mTLS) connection with the endpoint. That gives Credential Provider the ability to verify the presented X.509 certificates.

AWS
Gavin_A
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions