Security best practices for Amazon IoT SiteWise
This topic contains security best practices for Amazon IoT SiteWise.
Use authentication credentials on your OPC-UA servers
Require authentication credentials to connect to your OPC-UA servers. Consult the documentation for your servers to do so. Then, to allow your gateway to connect to your OPC-UA servers, add server authentication secrets to your gateway. For more information, see Configuring source authentication.
Use encrypted communication modes for your OPC-UA servers
Choose a non-deprecated, encrypted message security mode when you configure your OPC-UA sources for your gateway. This helps secure your industrial data as it moves from your OPC-UA servers to the gateway. For more information, see Data in transit over the local network and Configuring data sources.
Keep your components up to date
If you use Amazon IoT SiteWise gateways to ingest data to the service, it's your responsibility to configure and maintain your gateway's environment. This responsibility includes upgrading to the latest versions of the gateway's system software, Amazon IoT Greengrass software, and connectors.
The Amazon IoT SiteWise Edge connector stores secrets on your file system. These secrets control who can view the data cached within your gateway. It's strongly recommended that you turn on disk or file-system encryption for the system running your gateway.
Encrypt your gateway's file system
Encrypt and secure your gateway, so your industrial data is secure as it moves through the gateway. If your gateway has a hardware security module, you can configure Amazon IoT Greengrass to secure your gateway. For more information, see Hardware security integration in the Amazon IoT Greengrass Version 1 Developer Guide. Otherwise, consult the documentation for your operating system to learn how to encrypt and secure your file system.
Secure access to your edge configuration
Don't share your edge console application password or your SiteWise Monitor application password. Don't put this password in places where anyone can see them. Implement a healthy password rotation policy by configuring an appropriate expiration for your password.
Grant SiteWise Monitor users minimum possible permissions
Follow the principle of least privilege by using the minimum set of access policy permissions for your portal users.
-
When you create a portal, define a role that allows the minimum set of assets needed for that portal. For more information, see Using service roles for Amazon IoT SiteWise Monitor.
-
When you and your portal administrators create and share projects, use the minimum set of assets needed for that project.
-
When an identity no longer needs access to a portal or project, remove them from that resource. If that identity is no longer applicable to your organization, delete that identity from your identity store.
The least principle best practice also applies to IAM roles. For more information, see Policy best practices.
Don't expose sensitive information
You should prevent the logging of credentials and other sensitive information, such as personally identifiable information (PII). We recommend that you implement the following safeguards even though access to local logs on a gateway requires root privileges and access to CloudWatch Logs requires IAM permissions.
-
Don't use sensitive information in names, descriptions, or properties of your assets or models.
-
Don't use sensitive information in gateway or source names.
-
Don't use sensitive information in names or descriptions of your portals, projects, or dashboards.
Follow Amazon IoT Greengrass security best practices
Follow Amazon IoT Greengrass security best practices for your gateway. For more information, see Security best practices in the Amazon IoT Greengrass Version 1 Developer Guide.
See also
-
Security best practices in the Amazon IoT Developer Guide