
3.1.6. Manage Device Certificate Lifecycles

ID           Priority   Best Practice
BP 3.1.6.1   Required   Perform certificate lifecycle management

Architecture Notes - BP 3.1.6.1 - Perform certificate lifecycle management

A certificate lifecycle includes phases such as creation, activation, rotation, revocation, and expiry. An automated workflow can be put in place to identify certificates that need attention and to apply the corresponding remediation actions.

Recommendation 3.1.6.1.1 - Document your plan for managing certificates

As explained earlier, X.509 certificates help establish the identity of devices and protect the traffic from the edge to the cloud. Planning the lifecycle management of device certificates is therefore essential. Enable auditing and monitoring for compromise or expiration of your device certificates. Determine how frequently you need to rotate device certificates, and audit cloud and device-related configurations and permissions to ensure that security measures are in place. For example, use AWS IoT Device Defender to monitor the health of the device certificates and the different configurations across your fleet. AWS IoT Device Defender can work in conjunction with AWS IoT Jobs to help rotate expired or compromised certificates.

Recommendation 3.1.6.1.2 - Use certificates signed by your trusted intermediate CA for on-boarding devices

As a best practice, the root CA needs to be locked down and protected to secure the chain of trust, and device certificates should be issued from an intermediate CA. Define a process to programmatically manage intermediate CA certificates as well. For example, enable AWS IoT Device Defender Audit to report intermediate CAs that have been revoked while device certificates issued by them are still active, or CA certificates whose quality is low. You can then use a security automation workflow built on Device Defender mitigation actions to resolve the issues.
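The automated lifecycle workflow described under BP 3.1.6.1 and the intermediate CA checks in this recommendation can be expressed as a small triage step over a certificate inventory. The code below is an added example, not part of this page or of any AWS library: the fleet records are constructed, their field names only mirror what AWS IoT's DescribeCertificate and DescribeCACertificate responses carry (certificateId, status, validity.notAfter, caCertificateId), no AWS API is called, and the job document schema at the end is an assumption of this example since AWS IoT Jobs documents are user-defined JSON.

```python
"""Certificate lifecycle triage for an IoT fleet (added example, not from the source page).

The fleet below is CONSTRUCTED. Field names mirror what AWS IoT's
DescribeCertificate / DescribeCACertificate responses carry (certificateId,
status, validity.notAfter, caCertificateId), but no AWS API is called here.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class CaCert:
    ca_id: str
    status: str            # AWS IoT CA certificate status: "ACTIVE" or "INACTIVE"
    revoked: bool = False  # constructed flag: the CA has been revoked by the PKI owner


@dataclass(frozen=True)
class DeviceCert:
    cert_id: str
    thing_name: str
    status: str            # "ACTIVE", "INACTIVE", "REVOKED", ...
    not_after: datetime    # timezone-aware UTC expiry
    ca_id: Optional[str]   # id of the intermediate CA that signed it


@dataclass(frozen=True)
class Action:
    cert_id: str
    thing_name: str
    action: str   # "deactivate_and_reissue" | "deactivate" | "rotate" | "investigate" | "none"
    reason: str


def triage_certificate(cert: DeviceCert, cas: Dict[str, CaCert], now: datetime,
                       rotate_within: timedelta) -> Action:
    """Apply the lifecycle rules in severity order and return the single action to take."""
    def act(action: str, reason: str) -> Action:
        return Action(cert.cert_id, cert.thing_name, action, reason)

    if cert.status != "ACTIVE":
        return act("none", f"status is {cert.status}; already handled")
    if cert.not_after <= now:
        return act("deactivate_and_reissue", f"expired on {cert.not_after.date()} but still ACTIVE")
    ca = cas.get(cert.ca_id) if cert.ca_id else None
    if ca is None:
        return act("investigate", f"issuing CA {cert.ca_id!r} is not a registered CA")
    if ca.revoked or ca.status != "ACTIVE":
        return act("deactivate", f"issuing CA {ca.ca_id} is revoked or inactive; device cert still ACTIVE")
    days_left = (cert.not_after - now).days
    if cert.not_after - now <= rotate_within:
        return act("rotate", f"expires in {days_left} days")
    return act("none", f"healthy, {days_left} days left")


def triage_fleet(certs: List[DeviceCert], cas: Dict[str, CaCert], now: datetime,
                 rotate_within: timedelta = timedelta(days=30)) -> List[Action]:
    """Return only the certificates that need attention, in inventory order."""
    return [a for a in (triage_certificate(c, cas, now, rotate_within) for c in certs)
            if a.action != "none"]


def rotation_job_document(actions: List[Action]) -> dict:
    """Constructed AWS IoT Jobs document. Job documents are user-defined JSON, so
    this schema is an assumption of this example, not an AWS-defined format."""
    targets = [a.thing_name for a in actions if a.action in ("rotate", "deactivate_and_reissue")]
    return {"operation": "rotate_certificate", "targets": targets}


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "current time" for the sample


def sample_fleet():
    """Constructed inventory covering each lifecycle state the rules handle."""
    cas = {
        "ca-prod-1": CaCert("ca-prod-1", "ACTIVE"),
        "ca-old-2": CaCert("ca-old-2", "INACTIVE", revoked=True),
    }
    certs = [
        DeviceCert("c-aaa", "sensor-001", "ACTIVE", NOW + timedelta(days=200), "ca-prod-1"),
        DeviceCert("c-bbb", "sensor-002", "ACTIVE", NOW + timedelta(days=14), "ca-prod-1"),
        DeviceCert("c-ccc", "sensor-003", "ACTIVE", NOW - timedelta(days=3), "ca-prod-1"),
        DeviceCert("c-ddd", "sensor-004", "ACTIVE", NOW + timedelta(days=300), "ca-old-2"),
        DeviceCert("c-eee", "sensor-005", "REVOKED", NOW + timedelta(days=300), "ca-prod-1"),
        DeviceCert("c-fff", "sensor-006", "ACTIVE", NOW + timedelta(days=300), "ca-unknown"),
    ]
    return certs, cas


def triage_sample() -> Dict[str, str]:
    """Run the rules over the constructed fleet and map cert id -> chosen action."""
    certs, cas = sample_fleet()
    return {a.cert_id: a.action for a in triage_fleet(certs, cas, NOW)}


if __name__ == "__main__":
    certs, cas = sample_fleet()
    actions = triage_fleet(certs, cas, NOW)
    for a in actions:
        print(f"{a.cert_id} ({a.thing_name}): {a.action} - {a.reason}")
    print(rotation_job_document(actions))
```

The rules are ordered by severity on purpose: an expired-but-active certificate and a device certificate chained to a revoked intermediate CA are handled before a routine rotation window, so a certificate that matches several conditions gets the most urgent action. In a real pipeline the inventory would come from the registry and the resulting job document would be handed to AWS IoT Jobs for the devices listed as targets.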

Recommendation 3.1.6.1.3 - Secure provisioning claim private keys, disable the certificate in case of misuse, and record the event for further investigation

Monitor provisioning claim private keys at all times, including on the device. For example:

  • Use AWS IoT metrics and logs in Amazon CloudWatch to monitor for indications of misuse. If you detect misuse, disable the provisioning claim certificate so it can no longer be used for device provisioning.
  • Use AWS IoT Device Defender to identify security issues and deviations from best practices.
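One concrete form of the first bullet is a detector that watches how a provisioning claim certificate is being used and flags it when too many distinct devices present it in a short window. The code below is an added example, not from this page or from AWS: the log lines are constructed, their shape is only loosely modelled on AWS IoT's CloudWatch log entries (eventType, clientId, principalId, sourceIp), and the window size and client threshold are assumptions you would tune to your own provisioning rate. Setting a certificate to INACTIVE via the UpdateCertificate API is the disabling step the text refers to.

```python
"""Provisioning-claim misuse detector (added example, not from the source page).

SAMPLE_LOG_LINES are CONSTRUCTED. Their shape is modelled on AWS IoT's
CloudWatch log entries (eventType, clientId, principalId, sourceIp), but
every value is made up for this example.
"""
import json
from collections import deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set


def _entry(ts: str, client: str, principal: str, ip: str) -> str:
    return json.dumps({
        "timestamp": ts, "logLevel": "INFO", "eventType": "Connect",
        "status": "Success", "clientId": client, "principalId": principal,
        "sourceIp": ip, "protocol": "MQTT",
    })


SAMPLE_LOG_LINES = [
    # claim-0001: six different devices in five minutes from two source IPs
    _entry("2024-06-01 10:00:05.000", "dev-a1", "claim-0001", "203.0.113.10"),
    _entry("2024-06-01 10:01:10.000", "dev-a2", "claim-0001", "203.0.113.10"),
    _entry("2024-06-01 10:01:55.000", "dev-a3", "claim-0001", "203.0.113.10"),
    _entry("2024-06-01 10:02:40.000", "dev-a4", "claim-0001", "198.51.100.7"),
    _entry("2024-06-01 10:03:20.000", "dev-a5", "claim-0001", "198.51.100.7"),
    _entry("2024-06-01 10:04:00.000", "dev-a6", "claim-0001", "198.51.100.7"),
    # claim-0002: a normal trickle of two first-boot devices, well apart in time
    _entry("2024-06-01 10:00:30.000", "dev-b1", "claim-0002", "192.0.2.25"),
    _entry("2024-06-01 11:30:00.000", "dev-b2", "claim-0002", "192.0.2.26"),
    # a permanent device certificate; not a claim, so the detector ignores it
    _entry("2024-06-01 10:02:00.000", "dev-z9", "devcert-77", "192.0.2.40"),
]

TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f"


def parse_events(lines: Iterable[str]) -> List[dict]:
    """Parse JSON log lines and sort them by timestamp so the window scan is monotonic."""
    events = []
    for line in lines:
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["timestamp"], TS_FORMAT)
        events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_claim_misuse(events: List[dict], claim_ids: Set[str],
                        window: timedelta = timedelta(minutes=10),
                        max_clients: int = 3) -> Dict[str, dict]:
    """Flag a claim certificate when more than max_clients distinct clientIds
    connect with it inside any sliding window. Returns claim id -> finding,
    keeping the largest burst observed for each claim."""
    recent = {cid: deque() for cid in claim_ids}
    findings: Dict[str, dict] = {}
    for e in events:
        cid = e.get("principalId")
        if e.get("eventType") != "Connect" or cid not in recent:
            continue
        q = recent[cid]
        q.append(e)
        while q and e["ts"] - q[0]["ts"] > window:   # drop events outside the window
            q.popleft()
        clients = {x["clientId"] for x in q}
        if len(clients) > max_clients:
            prev = findings.get(cid)
            if prev is None or len(clients) > prev["distinct_clients"]:
                findings[cid] = {
                    "distinct_clients": len(clients),
                    "source_ips": sorted({x["sourceIp"] for x in q}),
                    "window_end": e["timestamp"],
                    # disabling step from the text: UpdateCertificate with newStatus INACTIVE
                    "recommended_action": "set claim certificate INACTIVE and record the event",
                }
    return findings


def detect_sample() -> Dict[str, dict]:
    """Run the detector over the constructed log lines for the two known claim certs."""
    return detect_claim_misuse(parse_events(SAMPLE_LOG_LINES), {"claim-0001", "claim-0002"})


if __name__ == "__main__":
    for claim, finding in detect_sample().items():
        print(claim, json.dumps(finding))
```

The finding carries the client ids' count, the source IPs and the window end so the event can be recorded for investigation; the actual deactivation and the audit record are left to the automation that consumes the finding. A threshold of three devices per ten minutes is an illustration: a fleet that legitimately provisions hundreds of devices an hour from a factory line would need a far higher limit, or a per-source-network rule instead.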

For more information:

Additional Resources

  1. AWS IoT Device Defender: Audit
  2. AWS IoT Device Defender: Detect
  3. The Internet of Things on AWS – Official Blog: Announcing Mitigation Actions for AWS IoT Device Defender
  4. The Internet of Things on AWS – Automating Security Remediation Using AWS IoT Device Defender
  5. The Internet of Things on AWS – Detect anomalies on connected devices using AWS IoT Device Defender
  6. The Internet of Things on AWS – Using Device Time to Validate AWS IoT Server Certificates
  7. The Internet of Things on AWS – Ten security golden rules for IoT solutions
  8. AWS re:Invent 2019: Designing secure IoT solutions from the edge to cloud
  9. Manage Security of Your IoT Devices with AWS IoT Device Defender - AWS Online Tech Talks