Overview: Welcome to the AWS IoT Security Primer overview

This document provides an overview of an AWS IoT Security Primer course. The course teaches about securing IoT devices, communication channels, and data. It explores use cases and scenarios and how to create a secure IoT design using the AWS Well-Architected Framework. The course covers topics like designing secure IoT architectures, authentication, authorization, data and communication security, monitoring tools, AWS IoT Device Defender, and best practices. It assumes basic knowledge of AWS IoT.
Lesson 1 of 6
Welcome to the AWS IoT Security Primer overview

Welcome to AWS IoT Security Primer. In this course, you learn about IoT security terminology
and concepts used to secure IoT devices, communication channels, and IoT data. You explore
use cases and scenarios and learn about how to create a secure IoT design using the AWS
Well-Architected Framework.

This course is an introduction to IoT security and assumes a basic knowledge of AWS IoT. If
you are new to AWS IoT, or new to IoT in general, we recommend that you first take the IoT
Foundation: Telemetry course.
Overview:

Throughout this course, you review the following topics:

- Designing a secure IoT architecture
- Authentication, certificates, and federated IDs
- Authorization, IAM roles, and policies
- Data and communication security
- Monitoring tools
- AWS IoT Device Defender
- Best practices for each area of study

Welcome to the AWS Internet of Things security introduction. Let's begin your journey.
Lesson 2 of 6
IoT security overview

In this module, you learn concepts and strategies to assist in securing your IoT infrastructure.
Using the Ten security golden rules for IoT solutions and the AWS IoT security whitepaper, this
introduction to IoT security will enable you to quickly gain familiarity with the terminology
and concepts used in AWS IoT.

The AWS security pillar defines security as the ability to protect information, systems, and
assets while delivering business value through risk assessments and mitigation strategies. Each
of these is discussed during your IoT security introduction journey, starting with the connected
IoT devices.

Connected devices are constantly communicating with each other and the cloud using different
kinds of wireless communication protocols. IoT provides device software, control services, and
data services. Each of these areas is secured and protected with different technologies so that
your infrastructure is accessible only by authorized personnel who have a business need.


Challenges with IoT security
Device exploits
An exploit area is a weakness that can be used to compromise the integrity or availability of your
IoT application. IoT devices, by nature, are vulnerable. IoT fleets consist of devices that have
diverse capabilities, are long-lived, and are geographically distributed. These characteristics,
coupled with the growing number of devices, raise questions about how to address the security
risks posed by IoT devices.

Resource limitations
Many devices have a low level of compute, memory, and storage capabilities, which limit
opportunities for implementing security on devices. Even if you have implemented best practices
for security, security is a constantly evolving area. To detect and mitigate exploits, organizations
should consistently audit device settings and health.

Physical security

To protect users, devices, and companies, IoT devices must be secured and protected. The
foundation of IoT security exists within the control, management, and setup of connections
between devices. Proper protection helps keep data private, restricts access to devices and cloud
resources, offers secure ways to connect to the cloud, and audits device usage. An IoT security
strategy reduces vulnerabilities by using policies such as device identity management,
encryption, and access control.

Communications
Though communication creates responsive IoT applications, it can also expose IoT security
exploits and open up channels for unauthorized users or accidental data leaks.

Skills gap
Hardware engineers traditionally lack the skills to implement proper integration between the
cloud and the back-end application. Security engineers do not typically understand hardware
development well enough to assist the hardware engineers.

AWS IoT can connect to and use many of the core AWS Cloud services, such as Amazon
Simple Storage Service (Amazon S3), Amazon Kinesis, AWS Lambda, and AWS IoT
Analytics. Let's start by reviewing support responsibilities and the shared responsibility
model.

Lesson 3 of 6
Shared responsibility model and AWS IoT Core

AWS security responsibilities are defined by the shared responsibility model, where both
AWS and the customer are responsible for securing different parts of the cloud
environment.

At a conceptual level, AWS is responsible for securing and managing the cloud
infrastructure, while you, the customer, are responsible for securing whatever
applications and data you put into the cloud. By working together to secure both parts of
the cloud, you and AWS can ensure that the applications, data, operating systems, and
infrastructure are secure and safe from outside threats.

When dealing with AWS IoT security, or when using different AWS resources, take time
to understand what parts of your IoT solution you can control or are maintained by AWS;
for example, you can control the devices, device software, and device certificates.
However, AWS maintains the AWS IoT software development kits (AWS SDKs) and the
AWS IoT infrastructure. Being aware of your environment and the individual pieces
enables you to maintain control and security over your IoT fleet and the components that
allow your IoT fleet to successfully authenticate and connect to AWS IoT Core and the
other AWS services.

Lesson 4 of 6
IoT device and data security

AWS IoT provides secure, bidirectional communication between internet-connected
devices, such as sensors, actuators, embedded microcontrollers, or smart appliances, and
the AWS Cloud. This makes it possible for you to collect telemetry data from multiple
devices, and store and analyze the data. You can also create applications that enable your
users to control these devices from their phones or tablets.

IoT security falls into different layers: physical device security, communications, and
data. Let's explore each of these in order.

Device security

The physical devices in your IoT environment can be as different in their primary functions as
they are in their physical locations: teapots, cars, light bulbs, industrial equipment, medical
devices, temperature sensors, and more. Although each device performs a different task, each
device shares some common attributes. Each has software that enables it to function, a basic
means to communicate with other devices or with a central repository, and each device collects
data pertaining to its task.


Physical security
Physical device security deals with the risk or probability of the IoT thing being
physically altered, destroyed, or tampered with. This might be the removal of a device
completely, the opening of a device to alter the wiring or tamper with the battery, or
simply the destruction of the device, such as the destruction of a security camera during
an altercation. Some devices, such as cameras, are more visible than others, such as the
sensor inside an elevator engine, and therefore the physical security of the devices
partially depends on their accessibility and location.

Software security

When discussing technology and security vulnerabilities, software security is often the first thing
that comes to mind. The ability of an unauthorized user to access the software through a
vulnerability is often a topic of discussion. Whether you have a handful of IoT devices or a fleet
of thousands of devices, a prime planning discussion is how you are going to monitor, maintain,
and update the device's software. Patching and maintenance of devices is critical to their security,
and time should be taken to understand your IoT infrastructure, the number and types of devices,
and how best to roll out patches and updates.

Secure communications
With thousands of devices gathering data and communicating with each other, the security
of the communications channel is another critical part of your overall security plan.
The ability to access data in transit and manipulate, delete, or acquire data as it traverses
the network means that the protocols used to transfer the data must be able to inhibit
unauthorized access. Using secure protocols enables authentication of the devices and
ensures that the sender and receiver are who they say they are. This identification is
crucial to maintaining the validity of the data. The use of Transport Layer Security (TLS),
certificates, and other authentication mechanisms used to ensure transport security is
discussed later in the course.

Data security

IoT is all about collecting, analyzing, and acting on gathered data to make informed decisions.
Because data is the goal, along with a secure communication channel, it is important that data
being generated is encrypted and secured both while moving between devices (in transit) and
while in storage (at rest). Encrypting data ensures that any unauthorized user who gains access to
the data cannot read or use the data.

Each of these common IoT features comes with risks and ways to reduce those risks to ensure
that the device is secure. This course will introduce each of these topics to provide you a solid
understanding of the AWS IoT infrastructure.

Lesson 5 of 6
AWS compliance programs

AWS Compliance enables you to understand the controls put in place at AWS to maintain
security and data protection in the cloud. As systems are built on top of the AWS Cloud
infrastructure, compliance responsibilities will be shared. By tying together governance-focused,
audit-friendly service features with applicable compliance or audit standards, AWS compliance
enablers build on traditional programs. This helps you to establish and operate business in an
AWS security-controlled environment.

The IT infrastructure that AWS provides to its customers is designed and managed in alignment
with best security practices and a variety of IT security standards. The following is a partial list
of assurance programs with which AWS complies:

- SOC 1/ISAE 3402, SOC 2, SOC 3
- FISMA, DIACAP, and FedRAMP
- PCI DSS Level 1
- ISO 9001, ISO 27001, ISO 27017, ISO 27018

AWS provides customers a wide range of information on its IT control environment in
whitepapers, reports, certifications, accreditations, and other third-party attestations. For more
information, see the Risk and Compliance whitepaper and the AWS Security Center.

AWS Compliance Center

The AWS Compliance Center offers you a central location to research cloud-related regulatory
requirements and how they impact your industry. Select the country you are interested in, and the
AWS Compliance Center will display the country's regulatory position regarding the adoption of
cloud services.

AWS Artifact provides several compliance reports issued by third-party auditors who have tested
and verified AWS compliance with a variety of global, regional, and industry-specific security
standards and regulations. When new reports are released, they are made available for customers
to download in AWS Artifact. For more information, see Compliance Reports FAQ. You can
also access AWS Artifact directly through your AWS Management Console.

Even if your business doesn't require use of any of the compliance programs, it should be
reassuring that AWS plans and works with customers to ensure regulatory and security
compliance using third-party audits.

Now, let's return to our IoT security journey by discussing IoT infrastructure and architecture. 
