Security best practices for Amazon IoT Greengrass - Amazon IoT Greengrass
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon IoT Greengrass Version 1 entered the extended life phase on June 30, 2023. For more information, see the Amazon IoT Greengrass V1 maintenance policy. After this date, Amazon IoT Greengrass V1 won't release updates that provide features, enhancements, bug fixes, or security patches. Devices that run on Amazon IoT Greengrass V1 won't be disrupted and will continue to operate and to connect to the cloud. We strongly recommend that you migrate to Amazon IoT Greengrass Version 2, which adds significant new features and support for additional platforms.

Security best practices for Amazon IoT Greengrass

This topic contains security best practices for Amazon IoT Greengrass.

Grant minimum possible permissions

Follow the principle of least privilege by using the minimum set of permissions in IAM roles. Limit the use of the * wildcard for the Action and Resource properties in your IAM policies. Instead, declare a finite set of actions and resources when possible. For more information about least privilege and other policy best practices, see Policy best practices.

The least privilege best practice also applies to Amazon IoT policies you attach to your Greengrass core and client devices.

Don't hardcode credentials in Lambda functions

Don't hardcode credentials in your user-defined Lambda functions. To better protect your credentials:

  • To interact with Amazon services, define permissions for specific actions and resources in the Greengrass group role.

  • Use local secrets to store your credentials. Or, if the function uses the Amazon SDK, use credentials from the default credential provider chain.

Don't log sensitive information

You should prevent the logging of credentials and other personally identifiable information (PII). We recommend that you implement the following safeguards even though access to local logs on a core device requires root privileges and access to CloudWatch Logs requires IAM permissions.

  • Don't use sensitive information in MQTT topic paths.

  • Don't use sensitive information in device (thing) names, types, and attributes in the Amazon IoT Core registry.

  • Don't log sensitive information in your user-defined Lambda functions.

  • Don't use sensitive information in the names and IDs of Greengrass resources:

    • Connectors

    • Cores

    • Devices

    • Functions

    • Groups

    • Loggers

    • Resources (local, machine learning, or secret)

    • Subscriptions

Create targeted subscriptions

Subscriptions control the information flow in a Greengrass group by defining how messages are exchanged between services, devices, and Lambda functions. To ensure that an application can do only what it's intended to do, your subscriptions should allow publishers to send messages to specific topics only, and limit subscribers to receive messages only from topics that are required for their functionality.

Keep your device clock in sync

It's important to have an accurate time on your device. X.509 certificates have an expiry date and time. The clock on your device is used to verify that a server certificate is still valid. Device clocks can drift over time or batteries can get discharged.

For more information, see the Keep your device's clock in sync best practice in the Amazon IoT Core Developer Guide.

Manage device authentication with the Greengrass core

Client devices can run FreeRTOS or use the Amazon IoT Device SDK or Amazon IoT Greengrass Discovery API to get discovery information used to connect and authenticate with the core in the same Greengrass group. Discovery information includes:

  • Connectivity information for the Greengrass core that's in the same Greengrass group as the client device. This information includes the host address and port number of each endpoint for the core device.

  • The group CA certificate used to sign the local MQTT server certificate. Client devices use the group CA certificate to validate the MQTT server certificate presented by the core.

The following are best practices for client devices to manage mutual authentication with a Greengrass core. These practices can help mitigate your risk if your core device is compromised.

Validate the local MQTT server certificate for each connection.

Client devices should validate the MQTT server certificate presented by the core every time they establish a connection with the core. This validation is the client device side of the mutual authentication between a core device and client devices. Client devices must be able to detect a failure and terminate the connection.

Do not hardcode discovery information.

Client devices should rely on discovery operations to get core connectivity information and the group CA certificate, even if the core uses a static IP address. Client devices should not hardcode this discovery information.

Periodically update discovery information.

Client devices should periodically run discovery to update core connectivity information and the group CA certificate. We recommend that client devices update this information before they establish a connection with the core. Because shorter durations between discovery operations can minimize your potential exposure time, we recommend that client devices periodically disconnect and reconnect to trigger the update.

If you lose control of a Greengrass core device and you want to prevent client devices from transmitting data to the core, do the following:

  1. Remove the Greengrass core from the Greengrass group.

  2. Rotate the group CA certificate. In the Amazon IoT console, you can rotate the CA certificate on the group's Settings page. In the Amazon IoT Greengrass API, you can use the CreateGroupCertificateAuthority action.

    We also recommend using full disk encryption if the hard drive of your core device is vulnerable to theft.

For more information, see Device authentication and authorization for Amazon IoT Greengrass.

See also