Device authentication and authorization for Amazon IoT Greengrass - Amazon IoT Greengrass
Amazon IoT Greengrass Version 1 entered the extended life phase on June 30, 2023. For more information, see the Amazon IoT Greengrass V1 maintenance policy. After this date, Amazon IoT Greengrass V1 won't release updates that provide features, enhancements, bug fixes, or security patches. Devices that run on Amazon IoT Greengrass V1 won't be disrupted and will continue to operate and to connect to the cloud. We strongly recommend that you migrate to Amazon IoT Greengrass Version 2, which adds significant new features and support for additional platforms.

Devices in Amazon IoT Greengrass environments use X.509 certificates for authentication and Amazon IoT policies for authorization. Certificates and policies allow devices to securely connect with each other, Amazon IoT Core, and Amazon IoT Greengrass.

X.509 certificates are digital certificates that use the X.509 public key infrastructure standard to associate a public key with the identity contained in a certificate. X.509 certificates are issued by a trusted entity called a certificate authority (CA). The CA maintains one or more special certificates called CA certificates that it uses to issue X.509 certificates. Only the certificate authority has access to CA certificates.

Amazon IoT policies define the set of operations allowed for Amazon IoT devices. Specifically, they allow and deny access to Amazon IoT Core and Amazon IoT Greengrass data plane operations, such as publishing MQTT messages and retrieving device shadows.

All devices require an entry in the Amazon IoT Core registry and an activated X.509 certificate with an attached Amazon IoT policy. Devices fall into two categories:

  • Greengrass cores. Greengrass core devices use certificates and Amazon IoT policies to connect to Amazon IoT Core. The certificates and policies also allow Amazon IoT Greengrass to deploy configuration information, Lambda functions, connectors, and managed subscriptions to core devices.

  • Client devices. Client devices (also called connected devices, Greengrass devices, or devices) are devices that connect to a Greengrass core over MQTT. They use certificates and policies to connect to Amazon IoT Core and the Amazon IoT Greengrass service. This allows client devices to use the Amazon IoT Greengrass Discovery Service to find and connect to a core device. A client device uses the same certificate to connect to the Amazon IoT Core device gateway and core device. Client devices also use discovery information for mutual authentication with the core device. For more information, see Device connection workflow and Manage device authentication with the Greengrass core.

X.509 certificates

Communication between core and client devices and between devices and Amazon IoT Core or Amazon IoT Greengrass must be authenticated. This mutual authentication is based on registered X.509 device certificates and cryptographic keys.

In an Amazon IoT Greengrass environment, devices use certificates with public and private keys for the following Transport Layer Security (TLS) connections:

  • The Amazon IoT client component on the Greengrass core connecting to Amazon IoT Core and Amazon IoT Greengrass over the internet.

  • Client devices connecting to Amazon IoT Greengrass to get core discovery information over the internet.

  • The MQTT server component on the Greengrass core connecting to client devices in the group over the local network.

The Amazon IoT Greengrass core device stores certificates in two locations:

  • Core device certificate in /greengrass-root/certs. Typically, the core device certificate is named hash.cert.pem (for example, 86c84488a5.cert.pem). This certificate is used by the Amazon IoT client for mutual authentication when the core connects to the Amazon IoT Core and Amazon IoT Greengrass services.

  • MQTT server certificate in /greengrass-root/ggc/var/state/server. The MQTT server certificate is named server.crt. This certificate is used for mutual authentication between the local MQTT server (on the Greengrass core) and Greengrass devices.

    Note

    greengrass-root represents the path where the Amazon IoT Greengrass Core software is installed on your device. Typically, this is the /greengrass directory.

For more information, see Amazon IoT Greengrass core security principals.

Certificate authority (CA) certificates

Core devices and client devices download a root CA certificate used for authentication with Amazon IoT Core and Amazon IoT Greengrass services. We recommend that you use an Amazon Trust Services (ATS) root CA certificate, such as Amazon Root CA 1. For more information, see CA certificates for server authentication in the Amazon IoT Core Developer Guide.

Note

Your root CA certificate type must match your endpoint. Use an ATS root CA certificate with an ATS endpoint (preferred) or a VeriSign root CA certificate with a legacy endpoint. Only some Amazon Web Services Regions support legacy endpoints. For more information, see Service endpoints must match the root CA certificate type.

Client devices also download the Greengrass group CA certificate. This is used to validate the MQTT server certificate on the Greengrass core during mutual authentication. For more information, see Device connection workflow. The default expiration of the MQTT server certificate is seven days.

Certificate rotation on the local MQTT server

Client devices use the local MQTT server certificate for mutual authentication with the Greengrass core device. By default, this certificate expires in seven days. This limited period is based on security best practices. The MQTT server certificate is signed by the group CA certificate, which is stored in the cloud.

For certificate rotation to occur, your Greengrass core device must be online and able to access the Amazon IoT Greengrass service directly on a regular basis. When the certificate expires, the core device attempts to connect to the Amazon IoT Greengrass service to obtain a new certificate. If the connection is successful, the core device downloads a new MQTT server certificate and restarts the local MQTT service. At this point, all client devices that are connected to the core are disconnected. If the core device is offline at the time of expiry, it does not receive the replacement certificate. Any new attempts to connect to the core device are rejected. Existing connections are not affected. Client devices cannot connect to the core device until the connection to the Amazon IoT Greengrass service is restored and a new MQTT server certificate can be downloaded.

You can set the expiration to any value between 7 and 30 days, depending on your needs. More frequent rotation requires more frequent cloud connection. Less frequent rotation can pose security concerns. If you want to set the certificate expiration to a value higher than 30 days, contact Amazon Web Services Support.

In the Amazon IoT console, you can manage the certificate on the group's Settings page. In the Amazon IoT Greengrass API, you can use the UpdateGroupCertificateConfiguration action.

When the MQTT server certificate expires, any attempt to validate the certificate fails. Client devices must be able to detect the failure and terminate the connection.

Amazon IoT policies for data plane operations

Use Amazon IoT policies to authorize access to the Amazon IoT Core and Amazon IoT Greengrass data plane. The Amazon IoT Core data plane consists of operations for devices, users, and applications, such as connecting to Amazon IoT Core and subscribing to topics. The Amazon IoT Greengrass data plane consists of operations for Greengrass devices, such as retrieving deployments and updating connectivity information.

An Amazon IoT policy is a JSON document that's similar to an IAM policy. It contains one or more policy statements that specify the following properties:

  • Effect. The access mode, which can be Allow or Deny.

  • Action. The list of actions that are allowed or denied by the policy.

  • Resource. The list of resources on which the action is allowed or denied.

Amazon IoT policies support * as a wildcard character, and treat MQTT wildcard characters (+ and #) as literal strings. For more information about the * wildcard, see Using wildcard in resource ARNs in the Amazon Identity and Access Management User Guide.

For more information, see Amazon IoT policies and Amazon IoT policy actions in the Amazon IoT Core Developer Guide.

Note

Amazon IoT Core enables you to attach Amazon IoT policies to thing groups to define permissions for groups of devices. Thing group policies don't allow access to Amazon IoT Greengrass data plane operations. To allow a thing access to an Amazon IoT Greengrass data plane operation, add the permission to an Amazon IoT policy that you attach to the thing's certificate.

Amazon IoT Greengrass policy actions

Greengrass Core Actions

Amazon IoT Greengrass defines the following policy actions that Greengrass core devices can use in Amazon IoT policies:

greengrass:AssumeRoleForGroup

Permission for a Greengrass core device to retrieve credentials using the Token Exchange Service (TES) system Lambda function. The permissions that are tied to the retrieved credentials are based on the policy that's attached to the configured group role.

This permission is checked when a Greengrass core device attempts to retrieve credentials (assuming the credentials are not cached locally).

greengrass:CreateCertificate

Permission for a Greengrass core device to create its own server certificate.

This permission is checked when a Greengrass core device creates a certificate. Greengrass core devices attempt to create a server certificate upon first run, when the core's connectivity information changes, and on designated rotation periods.

greengrass:GetConnectivityInfo

Permission for a Greengrass core device to retrieve its own connectivity information.

This permission is checked when a Greengrass core device attempts to retrieve its connectivity information from Amazon IoT Core.

greengrass:GetDeployment

Permission for a Greengrass core device to retrieve deployments.

This permission is checked when a Greengrass core device attempts to retrieve deployments and deployment statuses from the cloud.

greengrass:GetDeploymentArtifacts

Permission for a Greengrass core device to retrieve deployment artifacts such as group information or Lambda functions.

This permission is checked when a Greengrass core device receives a deployment and then attempts to retrieve deployment artifacts.

greengrass:UpdateConnectivityInfo

Permission for a Greengrass core device to update its own connectivity information with IP or hostname information.

This permission is checked when a Greengrass core device attempts to update its connectivity information in the cloud.

greengrass:UpdateCoreDeploymentStatus

Permission for a Greengrass core device to update the status of a deployment.

This permission is checked when a Greengrass core device receives a deployment and then attempts to update the deployment status.

Greengrass Device Actions

Amazon IoT Greengrass defines the following policy action that client devices can use in Amazon IoT policies:

greengrass:Discover

Permission for a client device to use the Discovery API to retrieve its group's core connectivity information and group certificate authority.

This permission is checked when a client device calls the Discovery API with TLS mutual authentication.

Minimal Amazon IoT policy for the Amazon IoT Greengrass core device

The following example policy includes the minimum set of actions required to support basic Greengrass functionality for your core device.

  • The policy lists the MQTT topics and topic filters that the core device can publish messages to, subscribe to, and receive messages on, including topics used for shadow state. To support message exchange between Amazon IoT Core, Lambda functions, connectors, and client devices in the Greengrass group, specify the topics and topic filters that you want to allow. For more information, see Publish/Subscribe policy examples in the Amazon IoT Core Developer Guide.

  • The policy includes a section that allows Amazon IoT Core to get, update, and delete the core device's shadow. To allow shadow sync for client devices in the Greengrass group, specify the target Amazon Resource Names (ARNs) in the Resource list (for example, arn:aws-cn:iot:region:account-id:thing/device-name).

  • The use of thing policy variables (iot:Connection.Thing.*) in the Amazon IoT policy for a core device is not supported. The core uses the same device certificate to make multiple connections to Amazon IoT Core but the client ID in a connection might not be an exact match of the core thing name.

  • For the greengrass:UpdateCoreDeploymentStatus permission, the final segment in the Resource ARN is the URL-encoded ARN of the core device.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["iot:Connect"],
            "Resource": ["arn:aws-cn:iot:region:account-id:client/core-name-*"]
        },
        {
            "Effect": "Allow",
            "Action": ["iot:Publish", "iot:Receive"],
            "Resource": ["arn:aws-cn:iot:region:account-id:topic/$aws/things/core-name-*"]
        },
        {
            "Effect": "Allow",
            "Action": ["iot:Subscribe"],
            "Resource": ["arn:aws-cn:iot:region:account-id:topicfilter/$aws/things/core-name-*"]
        },
        {
            "Effect": "Allow",
            "Action": ["iot:GetThingShadow", "iot:UpdateThingShadow", "iot:DeleteThingShadow"],
            "Resource": ["arn:aws-cn:iot:region:account-id:thing/core-name-*"]
        },
        {
            "Effect": "Allow",
            "Action": ["greengrass:AssumeRoleForGroup", "greengrass:CreateCertificate"],
            "Resource": ["*"]
        },
        {
            "Effect": "Allow",
            "Action": ["greengrass:GetDeployment"],
            "Resource": ["arn:aws-cn:greengrass:region:account-id:/greengrass/groups/group-id/deployments/*"]
        },
        {
            "Effect": "Allow",
            "Action": ["greengrass:GetDeploymentArtifacts"],
            "Resource": ["arn:aws-cn:greengrass:region:account-id:/greengrass/groups/group-id/deployments/*"]
        },
        {
            "Effect": "Allow",
            "Action": ["greengrass:UpdateCoreDeploymentStatus"],
            "Resource": ["arn:aws-cn:greengrass:region:account-id:/greengrass/groups/group-id/deployments/*/cores/arn%3Aaws-cn%3Aiot%3Aregion%3Aaccount-id%3Athing%2Fcore-name"]
        },
        {
            "Effect": "Allow",
            "Action": ["greengrass:GetConnectivityInfo", "greengrass:UpdateConnectivityInfo"],
            "Resource": ["arn:aws-cn:iot:region:account-id:thing/core-name-*"]
        }
    ]
}

Note

Amazon IoT policies for client devices typically require similar permissions for iot:Connect, iot:Publish, iot:Receive, and iot:Subscribe actions.

To allow a client device to automatically detect connectivity information for the cores in the Greengrass groups that the device belongs to, the Amazon IoT policy for a client device must include the greengrass:Discover action. In the Resource section, specify the ARN of the client device, not the ARN of the Greengrass core device. For example:

{
    "Effect": "Allow",
    "Action": ["greengrass:Discover"],
    "Resource": ["arn:aws-cn:iot:region:account-id:thing/device-name"]
}

The Amazon IoT policy for client devices doesn't typically require permissions for iot:GetThingShadow, iot:UpdateThingShadow, or iot:DeleteThingShadow actions, because the Greengrass core handles shadow sync operations for client devices. In this case, make sure that the Resource section for shadow actions in the core's Amazon IoT policy includes the ARNs of the client devices.
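The following added example (not code from the Amazon IoT Greengrass documentation or SDK) evaluates policy statements the way this page describes them: * is a wildcard, the MQTT wildcards + and # are literal characters, an explicit Deny overrides an Allow, and the greengrass:UpdateCoreDeploymentStatus resource ends in the URL-encoded ARN of the core. The region, account ID, group ID and the client-device policy are constructed placeholders.

```python
import re
from urllib.parse import quote

REGION, ACCOUNT, GROUP_ID = "cn-north-1", "123456789012", "group-id"  # constructed placeholders


def pattern_to_regex(pattern: str) -> re.Pattern:
    """'*' matches any run of characters; everything else, including the MQTT
    wildcards '+' and '#', must match literally (re.escape makes them literal)."""
    return re.compile("^" + re.escape(pattern).replace(r"\*", ".*") + "$")


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """True only if some statement allows the request and no statement denies it."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = [stmt["Action"]] if isinstance(stmt["Action"], str) else stmt["Action"]
        resources = [stmt["Resource"]] if isinstance(stmt["Resource"], str) else stmt["Resource"]
        if not any(pattern_to_regex(a).match(action) for a in actions):
            continue
        if not any(pattern_to_regex(r).match(resource) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit deny always wins
        allowed = True
    return allowed


def thing_arn(name: str) -> str: return f"arn:aws-cn:iot:{REGION}:{ACCOUNT}:thing/{name}"
def topic_arn(topic: str) -> str: return f"arn:aws-cn:iot:{REGION}:{ACCOUNT}:topic/{topic}"
def filter_arn(flt: str) -> str: return f"arn:aws-cn:iot:{REGION}:{ACCOUNT}:topicfilter/{flt}"


def core_deployment_status_resource(core_name: str) -> str:
    """Resource for greengrass:UpdateCoreDeploymentStatus: the last path segment
    is the core device's own ARN, URL-encoded (':' -> %3A, '/' -> %2F)."""
    return (f"arn:aws-cn:greengrass:{REGION}:{ACCOUNT}:/greengrass/groups/{GROUP_ID}"
            f"/deployments/*/cores/{quote(thing_arn(core_name), safe='')}")


# Constructed client-device policy (illustrative, not an official sample).
CLIENT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"],
         "Resource": [topic_arn("devices/device-name/*")]},
        {"Effect": "Deny", "Action": "iot:Publish",
         "Resource": topic_arn("devices/device-name/admin/*")},
        # '+' is literal here: only the exact filter string 'devices/+/telemetry' is allowed.
        {"Effect": "Allow", "Action": "iot:Subscribe", "Resource": filter_arn("devices/+/telemetry")},
        {"Effect": "Allow", "Action": "greengrass:Discover", "Resource": thing_arn("device-name")},
    ],
}
```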

In the Amazon IoT console, you can view and edit the policy that's attached to your core's certificate.

  1. In the navigation pane, under Manage, expand All devices, and then choose Things.

  2. Choose your core.

  3. On your core's configuration page, choose the Certificates tab.

  4. In the Certificates tab, choose your certificate.

  5. On the certificate's configuration page, choose Policies, and then choose the policy.

    If you want to edit the policy, choose Edit active version.

  6. Review the policy and add, remove, or edit permissions as needed.

  7. To set a new policy version as the active version, under Policy version status, select Set the edited version as the active version for this policy.

  8. Choose Save as new version.