OTA security - FreeRTOS
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

OTA security

The following are three aspects of over-the-air (OTA) security:

Connection security

The OTA Update Manager service relies on existing security mechanisms, such as Transport Layer Security (TLS) mutual authentication, used by Amazon IoT. OTA update traffic passes through the Amazon IoT device gateway and uses Amazon IoT security mechanisms. Each incoming and outgoing HTTP or MQTT message through the device gateway undergoes strict authentication and authorization.

Authenticity and integrity of OTA updates

Firmware can be digitally signed before an OTA update to ensure that it is from a reliable source and has not been tampered with.

The FreeRTOS OTA Update Manager service uses Code Signing for Amazon IoT to automatically sign your firmware. For more information, see Code Signing for Amazon IoT.

The OTA Agent, which runs on your devices, performs integrity checks on the firmware when it arrives on the device.

Operator security

Every API call made through the control plane API undergoes standard IAM Signature Version 4 authentication and authorization. To create a deployment, you must have permissions to invoke the CreateDeployment, CreateJob, and CreateStream APIs. In addition, in your Amazon S3 bucket policy or ACL, you must give read permissions to the Amazon IoT service principal so that the firmware update stored in Amazon S3 can be accessed during streaming.

Code Signing for Amazon IoT

The Amazon IoT console uses Code Signing for Amazon IoT to automatically sign your firmware image for any device supported by Amazon IoT.

Code Signing for Amazon IoT uses a certificate and private key that you import into ACM. You can use a self–signed certificate for testing, but we recommend that you obtain a certificate from a well–known commercial certificate authority (CA).

Code–signing certificates use the X.509 version 3 Key Usage and Extended Key Usage extensions. The Key Usage extension is set to Digital Signature and the Extended Key Usage extension is set to Code Signing. For more information about signing your code image, see the Code Signing for Amazon IoT Developer Guide and the Code Signing for Amazon IoT API Reference.


You can download the Code Signing for Amazon IoT SDK from Tools for Amazon Web Services.