3.1.4. Analyze Application Logs To Identify Security Events

| ID | Priority | Best Practice |
|---|---|---|
| BP 3.1.4.1 | Required | Collect and analyze logs and metrics to capture authorization errors and failures to enable appropriate response |
| BP 3.1.4.2 | Highly Recommended | Alert when security events, misconfiguration, and behavior violations are detected |
| BP 3.1.4.3 | Recommended | Alert on non-compliant device configurations and remediate using automation |

Architecture Notes - BP 3.1.4.1 - Collect and Analyze Logs to Capture Auth Errors
Device logs and metrics give your organization the insight to operate IoT workloads efficiently by identifying security events, anomalies, and issues from device data. Record error-level messages from AWS IoT Core to provide operational visibility into potential security issues.
Recommendation 3.1.4.1.1 - Enable metrics and create alarms that track authorization and error metrics
Observe the trends for these AWS IoT metrics: Connect.AuthError, PublishIn.AuthError, PublishOut.AuthError, and Subscribe.AuthError. Configure a CloudWatch alarm for each of these metrics that triggers when the level rises above what is normal for your workload.
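As an added example (not code from the IoT Lens or from AWS), the following script scans AWS IoT Core log entries for authorization failures and summarizes them under the same metric names the recommendation asks you to alarm on, so a log-derived count can be checked against the CloudWatch metric. It assumes IoT Core logging is enabled at ERROR level and that each entry is the JSON object IoT Core writes to CloudWatch Logs (fields such as `eventType`, `status`, `reason`, `clientId`, `principalId`). The log lines, client IDs, principal IDs and the threshold of 3 are constructed for the example.

```python
"""Find authorization failures in AWS IoT Core log entries (added example)."""
import json
from collections import Counter

# Constructed sample log entries, abridged to the fields used below.
SAMPLE_LOG_LINES = [
    '{"timestamp":"2024-05-01 10:00:01.000","logLevel":"ERROR","status":"Failure",'
    '"eventType":"Connect","protocol":"MQTT","clientId":"sensor-07",'
    '"principalId":"abcd1234","sourceIp":"203.0.113.10","reason":"AUTHORIZATION_FAILURE"}',
    '{"timestamp":"2024-05-01 10:00:04.000","logLevel":"ERROR","status":"Failure",'
    '"eventType":"Connect","protocol":"MQTT","clientId":"sensor-07",'
    '"principalId":"abcd1234","sourceIp":"203.0.113.10","reason":"AUTHORIZATION_FAILURE"}',
    '{"timestamp":"2024-05-01 10:00:09.000","logLevel":"ERROR","status":"Failure",'
    '"eventType":"Publish-In","protocol":"MQTT","clientId":"sensor-07",'
    '"principalId":"abcd1234","topicName":"plant/line2/control","reason":"AUTHORIZATION_FAILURE"}',
    '{"timestamp":"2024-05-01 10:00:12.000","logLevel":"INFO","status":"Success",'
    '"eventType":"Publish-In","protocol":"MQTT","clientId":"sensor-12",'
    '"principalId":"ef567890","topicName":"plant/line2/telemetry"}',
    '{"timestamp":"2024-05-01 10:00:15.000","logLevel":"ERROR","status":"Failure",'
    '"eventType":"Subscribe","protocol":"MQTT","clientId":"sensor-12",'
    '"principalId":"ef567890","topicName":"plant/#","reason":"AUTHORIZATION_FAILURE"}',
    "this line is not JSON and must be skipped",
]

# IoT Core eventType values mapped to the CloudWatch metrics named in the
# recommendation, so log-derived counts line up with the alarms.
EVENT_TO_METRIC = {
    "Connect": "Connect.AuthError",
    "Publish-In": "PublishIn.AuthError",
    "Publish-Out": "PublishOut.AuthError",
    "Subscribe": "Subscribe.AuthError",
}


def parse_log_line(line):
    """Return the entry as a dict, or None when the line is not a JSON object."""
    try:
        entry = json.loads(line)
    except json.JSONDecodeError:
        return None
    return entry if isinstance(entry, dict) else None


def auth_failures(lines):
    """Keep only entries that record an authorization failure."""
    failures = []
    for line in lines:
        entry = parse_log_line(line)
        if entry is None:
            continue
        if entry.get("status") == "Failure" and entry.get("reason") == "AUTHORIZATION_FAILURE":
            failures.append(entry)
    return failures


def metric_counts(failures):
    """Count failures per CloudWatch metric name (Connect.AuthError, ...)."""
    counts = Counter()
    for entry in failures:
        metric = EVENT_TO_METRIC.get(entry.get("eventType"))
        if metric:
            counts[metric] += 1
    return counts


def noisy_principals(failures, threshold):
    """Principal IDs (certificate IDs, Cognito identities, ...) with at least
    `threshold` authorization failures in the analyzed window; these are the
    identities to investigate first when an alarm fires."""
    per_principal = Counter(e.get("principalId", "<unknown>") for e in failures)
    return {p: n for p, n in per_principal.items() if n >= threshold}


if __name__ == "__main__":
    fails = auth_failures(SAMPLE_LOG_LINES)
    for metric, n in sorted(metric_counts(fails).items()):
        print(f"{metric}: {n}")
    for principal, n in noisy_principals(fails, threshold=3).items():
        print(f"investigate principal {principal}: {n} failures")
```

In practice the lines come from a CloudWatch Logs Insights export or a subscription filter; the threshold should be derived from the baseline you observe for your fleet rather than fixed at 3.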
Architecture Notes - BP 3.1.4.2 - Alert When Security Events and Behavior Violations Are Detected

Audit the configuration of your devices, and detect and alert when a device's behavior differs from the expected behavior. Doing so provides visibility into operational data that can indicate security issues active in the device fleet.
Recommendation 3.1.4.2.1 - Enable metrics to detect security events from the data plane
Create a threat model to decide which events indicate security vulnerabilities or device compromise. You can detect those events with configured rules or Machine Learning (ML) models. For example, create a security profile in AWS IoT Device Defender that detects unusual device behavior that may indicate a compromise, by continuously monitoring high-value security metrics from the device and from AWS IoT Core. You specify normal device behavior for a group of devices by setting up behaviors (rules) for these metrics. AWS IoT Device Defender evaluates each datapoint reported for these metrics against the user-defined behaviors (rules) and alerts you if an anomaly is detected. When you use ML Detect, the feature sets device behaviors automatically with machine learning to monitor device activities.
Recommendation 3.1.4.2.2 - Enable auditing to check misconfigurations
Enable auditing to check for misconfigurations on a regular basis. Audit your device-related resources such as X.509 certificates, permissions, and Client IDs. Additionally, check configurations that are out of compliance with security best practices, such as multiple devices using the same identity, or overly permissive policies that can allow one device to read and update data for many other devices.
Recommendation 3.1.4.2.3 - Ensure alerting on a behavior violation
Enable alarms or notifications when device behavior is anomalous based on configured rules or ML models. For example, AWS IoT Device Defender will alert you with the metric datapoint reported by the device when an ML model flags that datapoint as anomalous. This removes the need for you to define accurate behaviors for your devices up front and helps you get started with monitoring more quickly and easily.
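To make the rules-based path of Recommendations 3.1.4.2.1 and 3.1.4.2.3 concrete, here is an added example (not code from the IoT Lens or from AWS IoT Device Defender). The `BEHAVIORS` list uses the behavior document shape accepted by CreateSecurityProfile (`name`, `metric`, `criteria` with `comparisonOperator`, `value`, `durationSeconds`, `consecutiveDatapointsToAlarm`); the `RulesDetector` class is an illustrative, simplified re-implementation of how such rules are evaluated and when an alarm is raised, so the alerting logic can be read end to end. ML Detect behaviors, which carry `mlDetectionConfig` instead of `value`, are not modelled. The thing names, CIDR range, thresholds and datapoints are constructed for the example.

```python
"""Evaluate Device Defender-style behaviors against device datapoints (added example)."""
import ipaddress
from collections import defaultdict

# Rules-based behaviors in the shape passed to CreateSecurityProfile.
BEHAVIORS = [
    {
        "name": "TooManyAuthFailures",
        "metric": "aws:num-authorization-failures",
        "criteria": {"comparisonOperator": "greater-than", "value": {"count": 5},
                     "durationSeconds": 300, "consecutiveDatapointsToAlarm": 1,
                     "consecutiveDatapointsToClear": 1},
    },
    {
        "name": "MessageRateHigh",
        "metric": "aws:num-messages-sent",
        "criteria": {"comparisonOperator": "greater-than", "value": {"count": 100},
                     "durationSeconds": 300, "consecutiveDatapointsToAlarm": 2,
                     "consecutiveDatapointsToClear": 1},
    },
    {
        # Constructed plant network; devices should only ever connect from it.
        "name": "SourceIpOutsidePlantNetwork",
        "metric": "aws:source-ip-address",
        "criteria": {"comparisonOperator": "not-in-cidr-set",
                     "value": {"cidrs": ["10.0.0.0/8"]},
                     "consecutiveDatapointsToAlarm": 1, "consecutiveDatapointsToClear": 1},
    },
]


def violates(criteria, observed):
    """True when a single datapoint breaks the behavior's criteria."""
    op = criteria["comparisonOperator"]
    value = criteria["value"]
    if op in ("greater-than", "greater-than-equals", "less-than", "less-than-equals"):
        limit = int(value["count"])
        return {
            "greater-than": observed > limit,
            "greater-than-equals": observed >= limit,
            "less-than": observed < limit,
            "less-than-equals": observed <= limit,
        }[op]
    if op in ("in-cidr-set", "not-in-cidr-set"):
        ip = ipaddress.ip_address(observed)
        inside = any(ip in ipaddress.ip_network(c) for c in value["cidrs"])
        return inside if op == "in-cidr-set" else not inside
    raise ValueError(f"unsupported comparisonOperator: {op}")


class RulesDetector:
    """Simplified rules evaluator: tracks consecutive violations per
    (thing, behavior) and raises one alarm when the streak reaches
    consecutiveDatapointsToAlarm, mirroring how a rule-based profile alerts."""

    def __init__(self, behaviors):
        self.by_metric = defaultdict(list)
        for b in behaviors:
            self.by_metric[b["metric"]].append(b)
        self.streak = defaultdict(int)  # (thing, behavior name) -> consecutive violations

    def ingest(self, thing, metric, observed):
        """Evaluate one datapoint; return the alarms it raises (usually none)."""
        alarms = []
        for b in self.by_metric.get(metric, []):
            key = (thing, b["name"])
            crit = b["criteria"]
            if violates(crit, observed):
                self.streak[key] += 1
                if self.streak[key] == crit.get("consecutiveDatapointsToAlarm", 1):
                    alarms.append({"thing": thing, "behavior": b["name"],
                                   "metric": metric, "value": observed})
            else:
                self.streak[key] = 0  # a compliant datapoint resets the streak
        return alarms


# Constructed datapoints: (thingName, metric, reported value).
SAMPLE_DATAPOINTS = [
    ("pump-01", "aws:num-authorization-failures", 2),
    ("pump-01", "aws:num-authorization-failures", 7),       # > 5 -> alarm
    ("pump-02", "aws:source-ip-address", "10.20.3.4"),      # inside plant network
    ("pump-02", "aws:source-ip-address", "198.51.100.8"),   # outside -> alarm
    ("pump-03", "aws:num-messages-sent", 150),              # first violation, no alarm yet
    ("pump-03", "aws:num-messages-sent", 160),              # second consecutive -> alarm
    ("pump-04", "aws:num-messages-sent", 150),
    ("pump-04", "aws:num-messages-sent", 40),               # streak reset, no alarm
]


def run(datapoints=SAMPLE_DATAPOINTS, behaviors=BEHAVIORS):
    """Feed the datapoints through the detector and collect every alarm."""
    detector = RulesDetector(behaviors)
    alarms = []
    for thing, metric, value in datapoints:
        alarms.extend(detector.ingest(thing, metric, value))
    return alarms


if __name__ == "__main__":
    for a in run():
        print(f"ALARM {a['thing']}: {a['behavior']} ({a['metric']} = {a['value']})")
```

The `consecutiveDatapointsToAlarm` setting is what keeps a single noisy reading from paging you: `pump-04` crosses the message-rate threshold once and never alarms, while `pump-03` does so twice in a row and does.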
Architecture Notes - BP 3.1.4.3 - Alert on Non-Compliant Device Configurations and Remediate Using Automation

Enable auditing to continuously assess configurations and metrics on the device. Security configurations can be weakened by the passage of time, and new threats are constantly emerging. For example, cryptographic algorithms once known to provide secure digital signatures for device certificates can be weakened by advances in computing and cryptanalysis.
Recommendation 3.1.4.3.1 - Ensure regular auditing for identifying configuration issues
Audit checks are necessary to confirm that a device stays configured according to the required best practices throughout its lifecycle. For instance, it is necessary to audit devices regularly with basic checks such as logging, shared certificates, and unique device IDs. AWS IoT Device Defender can help you continuously audit security configurations for compliance with security best practices and your own organizational security policies. Some of the audit checks supported natively are LOGGING_DISABLED_CHECK, IOT_POLICY_OVERLY_PERMISSIVE_CHECK, DEVICE_CERTIFICATE_SHARED_CHECK, and CONFLICTING_CLIENT_IDS_CHECK.
Recommendation 3.1.4.3.2 - Use automation to remediate issues
Investigate issues using contextual and historical information about the device, such as device metadata, device statistics, and the device's historical alerts. For example, you can use the built-in mitigation actions in AWS IoT Device Defender to perform mitigation steps on Audit and Detect alarms, such as adding things to a thing group, replacing the default policy version, and updating a device certificate. Or you can enable a mitigation action that re-enables logging and publishes the finding to Amazon SNS whenever LOGGING_DISABLED_CHECK finds that logging is not enabled.
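The following added example (not code from the IoT Lens or from AWS) ties Recommendations 3.1.4.3.1 and 3.1.4.3.2 together: it builds the request payloads for the Device Defender APIs UpdateAccountAuditConfiguration, CreateMitigationAction and StartAuditMitigationActionsTask in the shapes boto3 and the AWS CLI accept, and applies a triage rule to a list of findings shaped like the output of ListAuditFindings, so that only unsuppressed findings with a mapped action are remediated automatically. The finding IDs, mitigation action names, role and topic ARNs are constructed placeholders; nothing is sent to AWS, the payloads are returned for a caller (or a dry run) to submit.

```python
"""Plan Device Defender audit checks and automated mitigations (added example)."""
import uuid

# The four checks named in Recommendation 3.1.4.3.1.
CHECKS = [
    "LOGGING_DISABLED_CHECK",
    "IOT_POLICY_OVERLY_PERMISSIVE_CHECK",
    "DEVICE_CERTIFICATE_SHARED_CHECK",
    "CONFLICTING_CLIENT_IDS_CHECK",
]

# Placeholder ARNs (constructed); replace with your own resources.
LOGGING_ROLE_ARN = "arn:aws:iam::123456789012:role/PLACEHOLDER-iot-logging-role"
SNS_TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:PLACEHOLDER-audit-findings"


def audit_check_configuration(checks=CHECKS):
    """auditCheckConfigurations argument for UpdateAccountAuditConfiguration."""
    return {name: {"enabled": True} for name in checks}


def mitigation_action_definitions():
    """Hypothetical action names -> actionParams for CreateMitigationAction."""
    return {
        "EnableErrorLogging": {"enableIoTLoggingParams": {
            "roleArnForLogging": LOGGING_ROLE_ARN, "logLevel": "ERROR"}},
        "PublishFindingToSns": {"publishFindingToSnsParams": {"topicArn": SNS_TOPIC_ARN}},
        "ReplaceWithBlankPolicy": {"replaceDefaultPolicyVersionParams": {
            "templateName": "BLANK_POLICY"}},
        "DeactivateCertificate": {"updateDeviceCertificateParams": {"action": "DEACTIVATE"}},
    }


# Which actions run for which check.  DEVICE_CERTIFICATE_SHARED_CHECK is left
# out on purpose: deactivating a certificate shared by many devices takes them
# all offline, so that finding is routed to a human instead.
CHECK_TO_ACTIONS = {
    "LOGGING_DISABLED_CHECK": ["EnableErrorLogging", "PublishFindingToSns"],
    "IOT_POLICY_OVERLY_PERMISSIVE_CHECK": ["ReplaceWithBlankPolicy", "PublishFindingToSns"],
}

# Constructed findings in the shape returned by ListAuditFindings (abridged).
SAMPLE_FINDINGS = [
    {"findingId": "f-001", "checkName": "LOGGING_DISABLED_CHECK", "severity": "LOW",
     "isSuppressed": False,
     "nonCompliantResource": {"resourceType": "ACCOUNT_SETTINGS",
                              "resourceIdentifier": {"account": "123456789012"}}},
    {"findingId": "f-002", "checkName": "IOT_POLICY_OVERLY_PERMISSIVE_CHECK",
     "severity": "CRITICAL", "isSuppressed": False,
     "nonCompliantResource": {"resourceType": "IOT_POLICY",
                              "resourceIdentifier": {"policyVersionIdentifier": {
                                  "policyName": "fleet-policy", "policyVersionId": "1"}}}},
    {"findingId": "f-003", "checkName": "DEVICE_CERTIFICATE_SHARED_CHECK",
     "severity": "CRITICAL", "isSuppressed": True,    # suppressed by an operator
     "nonCompliantResource": {"resourceType": "DEVICE_CERTIFICATE",
                              "resourceIdentifier": {"deviceCertificateId": "PLACEHOLDER-cert-id"}}},
    {"findingId": "f-004", "checkName": "CONFLICTING_CLIENT_IDS_CHECK", "severity": "HIGH",
     "isSuppressed": False,                             # no automated action mapped
     "nonCompliantResource": {"resourceType": "CLIENT_ID",
                              "resourceIdentifier": {"clientId": "sensor-07"}}},
]


def plan_mitigations(findings, check_to_actions=CHECK_TO_ACTIONS, task_id=None):
    """Return (StartAuditMitigationActionsTask payload or None, skipped finding IDs).

    A finding is remediated only if it is not suppressed and its check has
    mapped actions; every mapped action name must exist as a defined action.
    """
    defined = mitigation_action_definitions()
    for check, actions in check_to_actions.items():
        unknown = [a for a in actions if a not in defined]
        if unknown:
            raise KeyError(f"{check}: undefined mitigation actions {unknown}")

    selected, skipped, mapping = [], [], {}
    for finding in findings:
        check = finding["checkName"]
        if finding.get("isSuppressed") or check not in check_to_actions:
            skipped.append(finding["findingId"])
            continue
        selected.append(finding["findingId"])
        mapping[check] = check_to_actions[check]

    if not selected:
        return None, skipped
    payload = {
        "taskId": task_id or f"audit-remediation-{uuid.uuid4()}",
        "target": {"findingIds": selected},
        "auditCheckToActionsMapping": mapping,
    }
    return payload, skipped


if __name__ == "__main__":
    payload, skipped = plan_mitigations(SAMPLE_FINDINGS)
    print("audit checks to enable:", audit_check_configuration())
    print("mitigation task:", payload)
    print("left for manual review:", skipped)
```

With boto3 the same dictionaries are passed as keyword arguments: `iot.update_account_audit_configuration(auditCheckConfigurations=audit_check_configuration(), ...)` and `iot.start_audit_mitigation_actions_task(**payload)`; the findings themselves come from `iot.list_audit_findings(taskId=...)`.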