
Best Practices for IoT Security in the Cloud


by Daniel Austin, Principal Solutions Architect, AWS

  1. Best Practices for IoT Security in the Cloud. Daniel Austin, Principal Solution Architect, AWS Enterprise. April 25, 2017. © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
  2. All things around us are getting connected
  3. All things around us are getting connected
  4. Things will proliferate (chart: device counts for 2013, 2015 and 2020 by segment: Vertical Industry, Generic Industry, Consumer, Automotive; scale: Some, Many, Lots)
  5. Connected ≠ Smart
     Internet, 1985: Gopher, FTP, NNTP, Telnet, Archie
     IoT, 2016: HTTP, MQTT, CoAP, XMPP, AMQP
  6. In reality, it is even more complex
     Layer / Standards:
     Application: HTTP, MQTT, AMQP, CoAP, XMPP
     Network: IPv4, IPv6, 6LoWPAN, ZigBee, Z-Wave, Insteon
     Physical: Ethernet, CAN, USB, 802.11, Bluetooth, 802.15.4, SPI
  7. But my data isn’t sensitive!
  8. Why do IoT at all? Changes happen in the real world!
  9. The Risk: changes happen in the real world, and some of them are bad.
  10. A Simple Goal
  11. Requirements: Secure Communications with Things; Strong Thing Identity; Fine-grained Authorization for Things and People
  12. The System (diagram: DynamoDB, Lambda, Kinesis)
  13. The System (diagram: DynamoDB, Lambda, Kinesis)
  14. The System (diagram: DynamoDB, Lambda, Kinesis)
  15. The System (diagram: DynamoDB, Lambda, Kinesis)
  16. Requirements: Secure Communications with Things; Strong Thing Identity; Fine-grained Authorization for Things and People
  17. Network Traffic Is Complex
     04:07:18.045065 IP 85.119.83.194.1883 > 10.0.0.67.51210: Flags [P.], seq 1586864891:1586864913, ack 820274045, win 227, options [nop,nop,TS val 2390025928 ecr 577393885], length 22
     0x0000: 4500 004a 3694 4000 2d06 639e 5577 53c2
     0x0010: 0a00 0043 075b c80a 5e95 a2fb 30e4 637d
     0x0020: 8018 00e3 66cd 0000 0101 080a 8e74 e6c8
     0x0030: 226a 54dd 3214 0007 666f 6f2f 6261 7200
     0x0040: 0454 656d 703a 2038 3346
  18. Network Tools Are Up To It
     MQ Telemetry Transport Protocol, Publish Message
     0011 0010 = Header Flags: 0x32 (Publish Message)
     0011 .... = Message Type: Publish Message (3)
     .... 0... = DUP Flag: Not set
     .... .01. = QOS Level: Acknowledged deliver (1)
     .... ...0 = Retain: Not set
     Msg Len: 20
     Topic: foo/bar
     Message Identifier: 1
     Message: Temp: 83F
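Slides 17 and 18 make the point that a plaintext MQTT PUBLISH is readable to anyone on the path, which is why the deck moves straight on to mutual-auth TLS. The Python parser below is an added example, not part of the deck and not an AWS tool. Its only input is the tcpdump hex dump copied from slide 17; it rebuilds the raw bytes, strips the IPv4 and TCP headers (both have variable header lengths), and decodes the MQTT fixed header, topic, packet identifier and payload, including the multi-byte "remaining length" encoding that the slide's 20-byte message never exercises. The names `MqttPublish`, `tcp_payload`, `parse_publish` and `decode_slide17_packet` are mine. Note that the identifier in this dump decodes to 4, while the Wireshark dissection on slide 18 shows identifier 1, so the two slides show different messages carrying the same reading.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Input: the tcpdump hex dump printed on slide 17 (copied from the deck, not constructed).
SLIDE17_HEXDUMP = """
0x0000: 4500 004a 3694 4000 2d06 639e 5577 53c2
0x0010: 0a00 0043 075b c80a 5e95 a2fb 30e4 637d
0x0020: 8018 00e3 66cd 0000 0101 080a 8e74 e6c8
0x0030: 226a 54dd 3214 0007 666f 6f2f 6261 7200
0x0040: 0454 656d 703a 2038 3346
"""

# MQTT 3.1.1 control packet types (high nibble of the first byte).
MQTT_PACKET_TYPES = {
    1: "CONNECT", 2: "CONNACK", 3: "PUBLISH", 4: "PUBACK", 8: "SUBSCRIBE",
    9: "SUBACK", 12: "PINGREQ", 13: "PINGRESP", 14: "DISCONNECT",
}


@dataclass
class MqttPublish:
    dup: bool
    qos: int
    retain: bool
    topic: str
    packet_id: Optional[int]  # present only for QoS 1 and 2
    payload: bytes


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn tcpdump -x style lines ('0x0010: 0a00 0043 ...') back into raw bytes."""
    raw = bytearray()
    for line in dump.strip().splitlines():
        _offset, _, words = line.partition(":")
        raw += bytes.fromhex(words.replace(" ", ""))
    return bytes(raw)


def tcp_payload(frame: bytes) -> bytes:
    """Strip the IPv4 header (IHL) and the TCP header (data offset) and return the segment data."""
    if frame[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (frame[0] & 0x0F) * 4
    total_length = struct.unpack("!H", frame[2:4])[0]
    if frame[9] != 6:
        raise ValueError("not TCP")
    data_offset = (frame[ihl + 12] >> 4) * 4
    return frame[ihl + data_offset:total_length]


def decode_remaining_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """MQTT 'remaining length': 7 data bits per byte, high bit means continue, at most 4 bytes."""
    value, multiplier = 0, 1
    for _ in range(4):
        byte = buf[pos]
        pos += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, pos
        multiplier *= 128
    raise ValueError("malformed remaining length")


def parse_publish(packet: bytes) -> MqttPublish:
    """Decode one MQTT 3.1.1 PUBLISH control packet from its first byte."""
    flags = packet[0]
    if flags >> 4 != 3:
        raise ValueError(f"not a PUBLISH: {MQTT_PACKET_TYPES.get(flags >> 4, flags >> 4)}")
    dup, qos, retain = bool(flags & 0x08), (flags >> 1) & 0x03, bool(flags & 0x01)
    if qos == 3:
        raise ValueError("QoS 3 is reserved; a broker must close this connection")
    remaining, pos = decode_remaining_length(packet, 1)
    end = pos + remaining
    if end > len(packet):
        raise ValueError("truncated PUBLISH")
    topic_len = struct.unpack("!H", packet[pos:pos + 2])[0]
    pos += 2
    topic = packet[pos:pos + topic_len].decode("utf-8")
    pos += topic_len
    packet_id = None
    if qos > 0:  # the packet identifier is only carried for acknowledged deliveries
        packet_id = struct.unpack("!H", packet[pos:pos + 2])[0]
        pos += 2
    return MqttPublish(dup, qos, retain, topic, packet_id, packet[pos:end])


def decode_slide17_packet() -> MqttPublish:
    """Hex dump -> raw frame -> TCP payload -> decoded PUBLISH, for the slide 17 capture."""
    return parse_publish(tcp_payload(hexdump_to_bytes(SLIDE17_HEXDUMP)))


if __name__ == "__main__":
    print(decode_slide17_packet())
```

Run it and the topic, QoS and temperature reading come out exactly as the Wireshark slide shows them; nothing in the capture hides the payload, which is the point the deck is making before it introduces TLS.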
  19. Mutual Auth TLS
  20. Mutual Auth TLS
  21. Mutual Auth TLS
  22. Requirements: Secure Communications with Things; Strong Thing Identity; Fine-grained Authorization for Things and People
  23. What are Certs and Keys? Certificate – public identity. Private Key – private proof. Root CA – validates the certificate chain (rootCA).
  24. Elliptic Curve Cryptography (ECC)
     ECDHE-ECDSA-AES128-GCM-SHA256
     ECDHE-RSA-AES128-GCM-SHA256
     Elliptic curve discrete logarithm vs RSA integer factorization: smaller key sizes for the same security.
     ECDHE – key exchange algorithm (forward secrecy with ephemeral keys)
     ECDSA – signature algorithm with EC private keys (authentication)
  25. AWS-Generated Keypair
  26. Actual Commands
     $ aws iot create-keys-and-certificate --set-as-active
     {
       "certificateArn": "arn:aws:iot:us-east-1:123456972007:cert/d7677b0…SNIP…026d9",
       "certificatePem": "-----BEGIN CERTIFICATE-----…SNIP…-----END CERTIFICATE-----",
       "keyPair": {
         "PublicKey": "-----BEGIN PUBLIC KEY-----…SNIP…-----END PUBLIC KEY-----",
         "PrivateKey": "-----BEGIN RSA PRIVATE KEY-----…SNIP…-----END RSA PRIVATE KEY-----"
       },
       "certificateId": "d7677b0…SNIP…026d9"
     }
  27. AWS-Generated Keypair
  28. Client Generated Keypair (CSR)
  29. Certificate Signing Request: "Dear Certificate Authority, I’d really like a certificate for %NAME%, as identified by the keypair with public key %PUB_KEY%. If you could sign a certificate for me with those parameters, it’d be super spiffy. Signed (cryptographically), the holder of the private key."
  30. Client Generated Keypair (CSR)
  31. Actual Commands
     $ openssl genrsa -out ThingKeypair.pem 2048
     Generating RSA private key, 2048 bit long modulus
     ....+++
     ...+++
     e is 65537 (0x10001)
     $ openssl req -new -key ThingKeypair.pem -out Thing.csr
     -----
     Country Name (2 letter code) [XX]:US
     State or Province Name (full name) []:NY
     Locality Name (eg, city) [Default City]:New York
     Organization Name (eg, company) [Default Company Ltd]:ACME
     Organizational Unit Name (eg, section) []:Makers
     Common Name (eg, your name or your server's hostname) []:John Smith
     Email Address []:jsmith@acme.com
  32. Actual Commands
     $ aws iot create-certificate-from-csr --certificate-signing-request file://Thing.csr --set-as-active
     {
       "certificateArn": "arn:aws:iot:us-east-1:123456972007:cert/b5a396e…SNIP…400877b",
       "certificatePem": "-----BEGIN CERTIFICATE-----…SNIP…-----END CERTIFICATE-----",
       "certificateId": "b5a396e…SNIP…400877b"
     }
  33. Register your own Certificate Authority
  34. Register your own Certificate Authority (CSR)
  35. Provisioning your own certificates (CSR)
  36. Provisioning your own certificates
  37. Just-in-time registration
  38. Just-in-time registration (AWS Lambda)
  39. Enhanced Security from Device to Cloud
  40. Private Key Protection – Test & Dev
     $ openssl genrsa -out ThingKeypair.pem 2048
     Generating RSA private key, 2048 bit long modulus
     ......................+++
     .................................+++
     e is 65537 (0x10001)
     $ ls -l ThingKeypair.pem
     -rw-rw-r-- 1 ec2-user ec2-user 1679 Sep 25 14:10 ThingKeypair.pem
     $ chmod 400 ThingKeypair.pem ; ls -l ThingKeypair.pem
     -r-------- 1 ec2-user ec2-user 1679 Sep 25 14:10 ThingKeypair.pem
  41. Private Key Protection
     Software: chroot, SELinux
     Hardware: TPMs, Smartcards, OTP Fuses, FIPS-style hardware
  42. Identity Revocation
     $ aws iot list-certificates
     {
       "certificateDescriptions": [
         {
           "certificateArn": "arn:aws:iot:us-east-1:123456972007:cert/d7677b0…SNIP…026d9",
           "status": "ACTIVE",
           "certificateId": "d7677b0…SNIP…026d9",
           "lastModifiedDate": 1443070900.491,
           "certificatePem": "-----BEGIN CERTIFICATE-----…SNIP…-----END CERTIFICATE-----",
           "ownedBy": "123456972007",
           "creationDate": 1443070900.491
         }
       ]
     }
  43. Identity Revocation
     $ aws iot update-certificate --certificate-id "d7677b0…SNIP…026d9" --new-status REVOKED
     $ aws iot list-certificates
     {
       "certificateDescriptions": [
         {
           "certificateArn": "arn:aws:iot:us-east-1:123456972007:cert/d7677b0…SNIP…026d9",
           "status": "REVOKED",
           "certificateId": "d7677b0…SNIP…026d9",
           "lastModifiedDate": 1443192020.792,
           "certificatePem": "-----BEGIN CERTIFICATE-----…SNIP…-----END CERTIFICATE-----",
           "ownedBy": "123456972007",
           "creationDate": 1443070900.491
         }
       ]
     }
  44. Takeaways
     • Many provisioning methods
     • Each device gets its own certificate
     • Use a certificate authority for offline provisioning
  45. Requirements: Secure Communications with Things; Strong Thing Identity; Fine-grained Authorization for Things and People
  46. Policy actions
     • Connect
     • Publish
     • Subscribe
     • Unsubscribe
     • Receive
  47. Connect policy
     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "Action": ["iot:Connect"],
           "Resource": "arn:aws:iot:us-east-1:123456972007:client/MY-THING-NAME"
         }
       ]
     }
  48. Connect policy
     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "Action": ["iot:Connect"],
           "Resource": "arn:aws:iot:us-east-1:123456972007:client/MY-THING-NAME_*"
         }
       ]
     }
     Matches client IDs MY-THING-NAME_Application1, MY-THING-NAME_Application2, MY-THING-NAME_Application3
  49. Publish policy
     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "Action": ["iot:Publish"],
           "Resource": "arn:aws:iot:us-east-1:123456972007:topic/$aws/things/MyThing/shadow/update"
         }
       ]
     }
  50. Even finer control
     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "Action": ["iot:Publish"],
           "Resource": "arn:aws:iot:us-east-1:123456972007:topic/$aws/things/MyThing/shadow/update"
         }
       ]
     }
     Allows updating the entire shadow
  51. Even finer control
     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "Action": ["iot:Publish"],
           "Resource": "arn:aws:iot:us-east-1:123456972007:topic/actions/MyThing/open"
         }
       ]
     }
     Use a different topic
  52. Even finer control (AWS IoT): direct publishing to the shadow
  53. Even finer control (AWS IoT): use a rule to update specific shadow fields
  54. Takeaways
     • Structure topics for permissions
     • Make policies as restrictive as possible
     • Wildcards can simplify policy management
     • Rules can help with fine-grained permissions
  55. Requirements: Secure Communications with Things; Strong Thing Identity; Fine-grained Authorization for Things and People
  56. Applications (diagram: DynamoDB, Lambda, Kinesis)
  57. IAM Role policy
     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "Action": ["iot:Connect"],
           "Resource": "*"
         },
         {
           "Effect": "Allow",
           "Action": ["iot:Publish"],
           "Resource": ["arn:aws:iot:us-east-1:123456972007:topic/$aws/things/MyThing/shadow/update"]
         },
         {
           "Effect": "Allow",
           "Action": ["iot:Subscribe", "iot:Receive"],
           "Resource": ["arn:aws:iot:us-east-1:123456972007:topicfilter/$aws/things/MyThing/shadow/*"]
         }
       ]
     }
  58. Mobile (diagram: DynamoDB, Lambda, Kinesis, Amazon Cognito)
  59. Policy for Cognito with IoT
     Cognito authenticated user identity pool role policy:
     {
       "Effect": "Allow",
       "Action": [
         "iot:Connect",
         "iot:Publish",
         "iot:Subscribe",
         "iot:Receive",
         "iot:GetThingShadow",
         "iot:UpdateThingShadow"
       ],
       "Resource": "*"
     }
     Specific policy for Joe IoT Cognito user:
     {
       "Effect": "Allow",
       "Action": "iot:UpdateThingShadow",
       "Resource": "arn:aws:iot:…:thing/joe-sprinkler123"
     }
  60. Policy for Cognito with IoT (same policy pair as slide 59, with the Amazon Cognito component highlighted)
  61. Policy for Cognito with IoT (same policy pair as slide 59, with the AWS IoT component highlighted)
  62. Overall Cognito “pairing” workflow
     1. Create a Cognito identity pool
     2. Customer signs in using mobile app
     3. Associate their user with their devices
     4. Create a scope-down policy in IoT for their user
     5. Attach that policy to their Cognito user in IoT
  63. Overall Cognito “pairing” workflow (same five steps as slide 62)
     Important: These steps apply to authenticated Cognito users only. (NOT to unauthenticated!)
  64. Managing fine-grained permissions
     • One user may need permissions to many things
       • "arn:aws:iot:…:thing/sprinkler123abc"
       • "arn:aws:iot:…:thing/sprinkler456def"
       • …
     • Listing each is tedious
  65. Best practice: Thing name prefixing
     • Prefix thing name with logical owner
       • sensor123abc -> joe-sensor123abc
     • Aspen policy supports wildcards
       • "arn:aws:iot:…:thing/sensor123abc"
       • "arn:aws:iot:…:thing/sensor456def"
       • …
       • "arn:aws:iot:…:thing/joe-*"
  66. Takeaways
     • Application access is done through IAM roles/policies
     • Cognito enables secure human control over IoT devices
     • IoT scope-down policy supports fine-grained control
     • Naming conventions simplify policy management
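The thing-policy slides (47 to 51 and 54) and the people-policy slides (57 to 66) both leave the reader to work out by hand which client IDs, topics and thing ARNs a given Resource pattern covers, and the takeaways on both sides say the same thing: restrict, and let wildcards and naming conventions do the bookkeeping. The Python evaluator below is an added example that serves both sections; it is not AWS code and not the real AWS IoT policy engine. It models only the subset of the policy language the deck uses (string or list Action and Resource, the `*` and `?` wildcards, explicit Deny overriding Allow, default deny) and runs the slide 47, 48, 49 and 65 patterns against sample identifiers. `is_allowed` and `_wildcard_match` are my names; the ACCOUNT prefix is the one the deck's other slides use, the slide 65 thing ARNs are completed with it for the sake of a runnable example, and the Deny carve-out policy is constructed (the deck shows no Deny). Policy variables, condition keys and the way the Cognito identity-pool role combines with the IoT policy are out of scope here, so treat this as a reasoning aid, not as an authority on what AWS will decide.

```python
import re
from typing import Dict, Iterable, List, Union

Policy = Dict[str, object]

# Account/region prefix used on the deck's policy slides.
ACCOUNT = "arn:aws:iot:us-east-1:123456972007"


def _wildcard_match(pattern: str, value: str) -> bool:
    """IAM-style glob: '*' matches any run of characters (including '/'), '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _as_list(value: Union[str, List[str]]) -> List[str]:
    return [value] if isinstance(value, str) else list(value)


def is_allowed(policies: Iterable[Policy], action: str, resource: str) -> bool:
    """Default deny; a matching Deny anywhere overrides every Allow (IAM evaluation order)."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            action_hit = any(_wildcard_match(a, action) for a in _as_list(stmt["Action"]))
            resource_hit = any(_wildcard_match(r, resource) for r in _as_list(stmt["Resource"]))
            if not (action_hit and resource_hit):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


# Slide 47: exactly one client ID may connect.
CONNECT_ONE_THING: Policy = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iot:Connect"],
     "Resource": f"{ACCOUNT}:client/MY-THING-NAME"}]}

# Slide 48: one wildcard covers MY-THING-NAME_Application1, _Application2, ...
CONNECT_PER_APP: Policy = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iot:Connect"],
     "Resource": f"{ACCOUNT}:client/MY-THING-NAME_*"}]}

# Slide 49: publish only to this thing's own shadow update topic.
PUBLISH_SHADOW: Policy = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iot:Publish"],
     "Resource": f"{ACCOUNT}:topic/$aws/things/MyThing/shadow/update"}]}

# Slide 65: owner-prefixed thing names let one pattern stand in for a growing list.
JOE_THINGS: Policy = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iot:UpdateThingShadow",
     "Resource": f"{ACCOUNT}:thing/joe-*"}]}

# Constructed (not on the deck): an explicit Deny carve-out inside the joe-* prefix.
JOE_THINGS_WITH_DENY: Policy = {"Version": "2012-10-17", "Statement": [
    JOE_THINGS["Statement"][0],
    {"Effect": "Deny", "Action": "iot:*",
     "Resource": f"{ACCOUNT}:thing/joe-sprinkler-lab"}]}


if __name__ == "__main__":
    checks = [
        ([CONNECT_ONE_THING], "iot:Connect", f"{ACCOUNT}:client/MY-THING-NAME"),
        ([CONNECT_ONE_THING], "iot:Connect", f"{ACCOUNT}:client/OTHER-THING"),
        ([CONNECT_PER_APP], "iot:Connect", f"{ACCOUNT}:client/MY-THING-NAME_Application2"),
        ([CONNECT_PER_APP], "iot:Connect", f"{ACCOUNT}:client/MY-THING-NAME"),
        ([PUBLISH_SHADOW], "iot:Publish", f"{ACCOUNT}:topic/$aws/things/MyThing/shadow/update"),
        ([PUBLISH_SHADOW], "iot:Publish", f"{ACCOUNT}:topic/$aws/things/OtherThing/shadow/update"),
        ([JOE_THINGS], "iot:UpdateThingShadow", f"{ACCOUNT}:thing/joe-sprinkler123"),
        ([JOE_THINGS], "iot:UpdateThingShadow", f"{ACCOUNT}:thing/sensor456def"),
        ([JOE_THINGS_WITH_DENY], "iot:UpdateThingShadow", f"{ACCOUNT}:thing/joe-sprinkler-lab"),
    ]
    for policies, action, resource in checks:
        print(f"{'ALLOW' if is_allowed(policies, action, resource) else 'DENY ':5} {action} {resource}")
```

Two of the results are worth pausing on. The slide 48 pattern `MY-THING-NAME_*` does not match the bare client ID `MY-THING-NAME`, so the wildcard is narrower than a casual reading suggests, which is the behaviour you want. And the slide 65 prefix only works as a permission boundary if nobody else can create a thing whose name starts with `joe-`, so the naming convention has to be enforced at provisioning time, not just assumed in the policy.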
  67. Demo: creating certificates (1-click, CSR) and Just In Time Registration
  68. Requirements: Secure Communications with Things; Strong Thing Identity; Fine-grained Authorization for Things and People
  69. Thank you! Daniel Austin, danaus@
     AWS IoT: https://aws.amazon.com/iot/
     Documentation: https://aws.amazon.com/documentation/iot/
     AWS Forums: https://forums.aws.amazon.com/forum.jspa?forumID=210
