Configuration and vulnerability analysis in Amazon IoT Greengrass - Amazon IoT Greengrass
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon IoT Greengrass Version 1 entered the extended life phase on June 30, 2023. For more information, see the Amazon IoT Greengrass V1 maintenance policy. After this date, Amazon IoT Greengrass V1 won't release updates that provide features, enhancements, bug fixes, or security patches. Devices that run on Amazon IoT Greengrass V1 won't be disrupted and will continue to operate and to connect to the cloud. We strongly recommend that you migrate to Amazon IoT Greengrass Version 2, which adds significant new features and support for additional platforms.

Configuration and vulnerability analysis in Amazon IoT Greengrass

IoT environments can consist of large numbers of devices that have diverse capabilities, are long-lived, and are geographically distributed. These characteristics make device setup complex and error-prone. Because devices are often constrained in computational power, memory, and storage, the use of encryption and other security measures on the devices themselves is limited. Devices also frequently run software with known vulnerabilities. These factors make IoT devices an attractive target for attackers and make it difficult to keep them secure on an ongoing basis.

Amazon IoT Device Defender addresses these challenges by providing tools to identify security issues and deviations from best practices. You can use Amazon IoT Device Defender to analyze, audit, and monitor connected devices, detect abnormal behavior, and mitigate security risks. Because it can audit devices against security best practices and detect abnormal behavior on them, you can enforce consistent security policies across your devices and respond quickly when a device is compromised. In connections with Amazon IoT Core, Amazon IoT Greengrass generates predictable client IDs that you can use with Amazon IoT Device Defender features. For more information, see Amazon IoT Device Defender in the Amazon IoT Core Developer Guide.

In Amazon IoT Greengrass environments, you should be aware of the following considerations:

  • It's your responsibility to secure your physical devices, the file system on your devices, and the local network.

  • Amazon IoT Greengrass doesn't enforce network isolation for user-defined Lambda functions, whether or not they run in a Greengrass container. Therefore, a Lambda function can communicate with any other process running on the core device, or with hosts outside the device over the network.

If you lose control of a Greengrass core device and you want to prevent client devices from transmitting data to the core, do the following:

  1. Remove the Greengrass core from the Greengrass group.

  2. Rotate the group CA certificate. In the Amazon IoT console, you can rotate the CA certificate on the group's Settings page. In the Amazon IoT Greengrass API, you can use the CreateGroupCertificateAuthority action.

    We also recommend using full disk encryption if the hard drive of your core device is vulnerable to theft.
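The two steps above, carried out against the Amazon IoT Greengrass V1 API, as an added example that is not part of this guide: a new group version is created from the current one with the core definition left out (how a core is removed from a V1 group), and then CreateGroupCertificateAuthority rotates the group CA. It assumes the boto3 `greengrass` client methods `get_group`, `get_group_version`, `create_group_version` and `create_group_certificate_authority`, and a placeholder group ID; it does not create a deployment.

```python
"""Quarantine a lost Greengrass V1 core: drop it from its group, then rotate the group CA."""
from typing import Any, Dict

# Definition ARN keys of a V1 group version (boto3 GetGroupVersion -> "Definition").
GROUP_DEFINITION_KEYS = (
    "CoreDefinitionVersionArn",
    "DeviceDefinitionVersionArn",
    "FunctionDefinitionVersionArn",
    "LoggerDefinitionVersionArn",
    "ResourceDefinitionVersionArn",
    "SubscriptionDefinitionVersionArn",
    "ConnectorDefinitionVersionArn",
)


def definition_without_core(definition: Dict[str, Any]) -> Dict[str, Any]:
    """Keep every definition ARN the group currently has, except the core's."""
    return {
        key: definition[key]
        for key in GROUP_DEFINITION_KEYS
        if key != "CoreDefinitionVersionArn" and definition.get(key)
    }


def quarantine_lost_core(client: Any, group_id: str) -> Dict[str, str]:
    """Step 1: new group version with no core. Step 2: rotate the group CA.

    `client` is a boto3 'greengrass' client, or any object with the same calls
    (the method names are assumed from the boto3 API, not taken from this page).
    """
    latest = client.get_group(GroupId=group_id)["LatestVersion"]
    current = client.get_group_version(GroupId=group_id, GroupVersionId=latest)
    new_definition = definition_without_core(current["Definition"])
    version = client.create_group_version(GroupId=group_id, **new_definition)
    new_ca = client.create_group_certificate_authority(GroupId=group_id)
    return {
        "GroupVersionId": version["Version"],
        "GroupCertificateAuthorityArn": new_ca["GroupCertificateAuthorityArn"],
    }


if __name__ == "__main__":
    import boto3  # imported here so the helpers above load without boto3 installed

    # Placeholder: replace with the ID of the group whose core you lost control of.
    print(quarantine_lost_core(boto3.client("greengrass"), "REPLACE-WITH-GROUP-ID"))
```

Client devices pick up the new group CA the next time they run discovery, so any device that still trusts only the old CA must re-run discovery before it can connect again.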