Security best practices for Amazon IoT Greengrass
This topic contains security best practices for Amazon IoT Greengrass.
Grant minimum possible permissions
Follow the principle of least privilege for your components by running them as unprivileged users. Components should not run as root unless it is absolutely necessary.
Use the minimum set of permissions in IAM roles. Limit the use of the * wildcard for the Action and Resource properties in your IAM policies. Instead, declare a finite set of actions and resources when possible. For more information about least privilege and other policy best practices, see Policy best practices.
The least privilege best practice also applies to Amazon IoT policies you attach to your Greengrass core.
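As an added example (not from the Greengrass documentation), the following Python checker flags the wildcard use the section warns about: a bare * or a service-wide wildcard such as iot:* in the Action or Resource of an Allow statement. Both policy documents are constructed for illustration, and the ARN in the scoped policy is a placeholder.

```python
"""Flag wildcard Action/Resource values in IAM policy documents.

Added example, not from the Greengrass docs. Both policies below are
constructed; the ARN is a placeholder, not a real account or topic.
"""
import json

# Constructed: the overly broad shape the least-privilege guidance warns against.
OVERLY_BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Constructed: the same intent declared as a finite set of actions on a
# specific resource (placeholder ARN). A trailing path wildcard inside a
# resource ARN is not flagged; only bare and service-wide wildcards are.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["iot:Connect", "iot:Publish"],
        "Resource": "arn:aws:iot:us-west-2:123456789012:topic/dt/placeholder/*",
    }],
})


def _as_list(value):
    """IAM allows a single string or a list for Statement, Action, Resource."""
    return value if isinstance(value, list) else [value]


def find_wildcards(policy_json):
    """Return (statement_index, field, value) for each Allow statement whose
    Action is '*' or 'service:*', or whose Resource is a bare '*'."""
    findings = []
    policy = json.loads(policy_json)
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # wildcards in Deny statements do not widen permissions
        for field in ("Action", "Resource"):
            for value in _as_list(stmt.get(field, [])):
                if value == "*" or (field == "Action" and value.endswith(":*")):
                    findings.append((i, field, value))
    return findings


if __name__ == "__main__":
    for name, doc in (("broad", OVERLY_BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, find_wildcards(doc))
```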
Don't hardcode credentials in Greengrass components
Don't hardcode credentials in your user-defined Greengrass components. To better protect your credentials:
- To interact with Amazon services, define permissions for specific actions and resources in the Greengrass core device service role.
- Use the secret manager component to store your credentials. Or, if the function uses the Amazon SDK, use credentials from the default credential provider chain.
Don't log sensitive information
You should prevent the logging of credentials and other personally identifiable information (PII). We recommend that you implement the following safeguards even though access to local logs on a core device requires root privileges and access to CloudWatch Logs requires IAM permissions.
- Don't use sensitive information in MQTT topic paths.
- Don't use sensitive information in device (thing) names, types, and attributes in the Amazon IoT Core registry.
- Don't log sensitive information in your user-defined Greengrass components or Lambda functions.
- Don't use sensitive information in the names and IDs of Greengrass resources:
  - Core devices
  - Components
  - Deployments
  - Loggers
Keep your device clock in sync
It's important to have an accurate time on your device. X.509 certificates have an expiry date and time. The clock on your device is used to verify that a server certificate is still valid. Device clocks can drift over time or batteries can get discharged.
For more information, see the Keep your device's clock in sync best practice in the Amazon IoT Core Developer Guide.
Cipher Suite Recommendations
By default, Greengrass selects the latest TLS cipher suites available on the device. Consider disabling legacy cipher suites, such as CBC cipher suites, on the device.
For more information, see the Java Cryptography Configuration.
See also
- Security best practices in Amazon IoT Core in the Amazon IoT Developer Guide
- Ten security golden rules for Industrial IoT solutions on the Internet of Things on Amazon Official Blog