Security best practices for Amazon IoT Greengrass - Amazon IoT Greengrass

Security best practices for Amazon IoT Greengrass

This topic contains security best practices for Amazon IoT Greengrass.

Grant minimum possible permissions

Follow the principle of least privilege for your components by running them as unprivileged users. Components should not run as root unless it is absolutely necessary.

Use the minimum set of permissions in IAM roles. Limit the use of the * wildcard for the Action and Resource properties in your IAM policies. Instead, declare a finite set of actions and resources when possible. For more information about least privilege and other policy best practices, see Policy best practices.

The least privilege best practice also applies to Amazon IoT policies you attach to your Greengrass core.

Don't hardcode credentials in Greengrass components

Don't hardcode credentials in your user-defined Greengrass components. To better protect your credentials:

Don't log sensitive information

You should prevent the logging of credentials and other personally identifiable information (PII). We recommend that you implement the following safeguards even though access to local logs on a core device requires root privileges and access to CloudWatch Logs requires IAM permissions.

  • Don't use sensitive information in MQTT topic paths.

  • Don't use sensitive information in device (thing) names, types, and attributes in the Amazon IoT Core registry.

  • Don't log sensitive information in your user-defined Greengrass components or Lambda functions.

  • Don't use sensitive information in the names and IDs of Greengrass resources:

    • Core devices

    • Components

    • Deployments

    • Loggers

Keep your device clock in sync

It's important to have an accurate time on your device. X.509 certificates have an expiry date and time, and the clock on your device is used to verify that a server certificate is still valid. Device clocks can drift over time, or the battery that keeps the clock running can become discharged.

For more information, see the Keep your device's clock in sync best practice in the Amazon IoT Core Developer Guide.

Cipher suite recommendations

By default, Greengrass selects the latest TLS cipher suites available on the device. Consider disabling the use of legacy cipher suites on the device, such as CBC cipher suites.

For more information, see the Java Cryptography Configuration documentation.

See also