3.1.3. Manage User Access Rights for IoT Devices
ID | Priority | Best Practice |
---|---|---|
BP 3.1.3.1 | Required | Implement authentication and authorization for users accessing IoT resources |
BP 3.1.3.2 | Highly Recommended | Decouple access to your IoT infrastructure from your IoT applications |
Architecture Notes - BP 3.1.3.1 - Implement Authentication and Authorization for Users Accessing IoT Resources
Authentication and authorization give end users secure access to connected IoT devices and equipment through different channels, such as web or mobile applications. Without valid authentication and authorization, devices can be subject to compromise or malicious attempts.
Recommendation 3.1.3.1.1 - Implement an identity store to authenticate users of your IoT application
Implement an identity and access management solution for end users. This solution should issue end users temporary, role-based credentials for accessing the connected devices. For example, you can use a service like Amazon Cognito to create user pools for authentication, or use the Amazon Cognito integration with SAML or OAuth 2.0 compliant identity providers for authentication. If you host your own identity store, use AWS IoT custom authorizers to validate tokens (such as JWT or SAML) when authenticating users.
Recommendation 3.1.3.1.2 - Enable users to be authorized with least privileged access
Authorization is the process of granting permissions to an authenticated identity. You grant permissions to your end users in AWS IoT Core using data plane and control plane IAM policies through the identity broker. The control plane API allows you to perform administrative tasks such as creating or updating certificates, things, rules, and so on. The data plane API allows you to send data to and receive data from AWS IoT Core. For example, if you are using Amazon Cognito, use federated identities for user authentication. If you are using an identity broker other than Amazon Cognito, use AWS IoT custom authorizers to invoke Lambda functions that create the required IAM policies.
Recommendation 3.1.3.1.3 - Adopt least privilege when assigning user permissions
Adopt the least privilege principle and assign only the minimum required permissions to user roles. For example, with Amazon Cognito this can be achieved by setting up role-based access through IAM policies for authenticated users (think of consumers and admins) and unauthenticated users. Consumers or unauthenticated users should not be allowed to run destructive actions against IoT services, such as detaching policies, deleting CAs, or deleting certificates.
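As an added example (not part of the lens), the following Python snippet shows a least-privilege IAM policy for a consumer role that scopes a Cognito identity to its own MQTT client ID and topic namespace, places it beside the over-broad policy such a role must not carry, and runs a small check that flags the destructive control-plane actions named above. The account ID, region and the `app/<identity>/...` topic layout are placeholders chosen for the example.

```python
import fnmatch

# Constructed sample policies for a consumer (or unauthenticated) Cognito role.
# Account id, region and the "app/<identity>/..." topic namespace are placeholders.
ACCOUNT, REGION = "111122223333", "us-east-1"
IDENTITY = "${cognito-identity.amazonaws.com:sub}"  # IAM policy variable for the caller

CONSUMER_POLICY_LEAST_PRIV = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect",
         "Resource": f"arn:aws:iot:{REGION}:{ACCOUNT}:client/{IDENTITY}"},
        {"Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"],
         "Resource": f"arn:aws:iot:{REGION}:{ACCOUNT}:topic/app/{IDENTITY}/*"},
        {"Effect": "Allow", "Action": "iot:Subscribe",
         "Resource": f"arn:aws:iot:{REGION}:{ACCOUNT}:topicfilter/app/{IDENTITY}/*"},
    ],
}

# The over-broad policy a consumer role must never carry.
CONSUMER_POLICY_BROAD = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iot:*", "Resource": "*"}],
}

# Destructive control-plane actions named in the recommendation above.
DESTRUCTIVE = {"iot:DetachPolicy", "iot:DeleteCACertificate", "iot:DeleteCertificate"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_findings(policy):
    """Return findings for a policy meant for consumer/unauthenticated users."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            # fnmatch expands action wildcards such as "iot:*" or "iot:Delete*"
            for hit in sorted(d for d in DESTRUCTIVE if fnmatch.fnmatchcase(d, action)):
                findings.append(f"statement {idx}: '{action}' allows {hit}")
        if "*" in resources and any(a.startswith("iot:") for a in actions):
            findings.append(f"statement {idx}: IoT actions granted on Resource '*'")
        for res in resources:
            if ":topic" in res and IDENTITY not in res:
                findings.append(f"statement {idx}: topic {res} not scoped to the caller")
    return findings
```

The IAM role policy is only half of the picture for Cognito identities: AWS IoT Core also evaluates an AWS IoT policy attached to the identity, so the same scoping should be applied there.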
Architecture Notes - BP 3.1.3.2 - Decouple Access to Your IoT Infrastructure from Your IoT Application
By decoupling the IoT infrastructure from the end-user IoT applications, you can build an additional layer of security and reliability.
See the following link for more details:
Recommendation 3.1.3.2.1 - Use an API layer between the application and IoT layer
Build an application interface layer to reduce the blast radius of the IoT data plane exposed to end users. Fundamentally, the primary interface to the IoT data plane is MQTT topics, so protecting the data plane essentially means protecting the MQTT topics from unwanted communication. For example, use Amazon API Gateway or AWS AppSync to provide a REST or GraphQL API between the end user application and the IoT layer, so that end users never talk to the MQTT topics directly.
Additional Resources
- AWS IoT Core: How AWS IoT works with IAM
- The Internet of Things on AWS – Official Blog: Configuring Cognito User Pools to Communicate with AWS IoT Core
- AWS Security Blog: How to Use New Advanced Security Features for Amazon Cognito User Pools
- AWS Security Blog: How to define least-privileged permissions for actions called by AWS services
- AWS Identity and Access Management: Security best practices in IAM
- AWS Whitepaper: Designing MQTT Topics for AWS IoT Core