Security best practices for Amazon IoT SiteWise
This topic contains security best practices for Amazon IoT SiteWise.
Keep your components up to date
If you use SiteWise Edge gateways to ingest data to the service, it's your responsibility to configure and maintain your SiteWise Edge gateway's environment. This responsibility includes upgrading to the latest versions of the gateway's system software, Amazon IoT Greengrass software, and connectors.
Note
The Amazon IoT SiteWise Edge connector stores secrets on your file system. These secrets control who can view the data cached within your SiteWise Edge gateway. It's strongly recommended that you turn on disk or file-system encryption for the system running your SiteWise Edge gateway.
For information on how to upgrade components in the Amazon IoT SiteWise console, see Change the version of SiteWise Edge gateway component packs.
Encrypt your SiteWise Edge gateway's file system
Encrypt and secure your SiteWise Edge gateway, so your industrial data is secure as it moves through the SiteWise Edge gateway. If your SiteWise Edge gateway has a hardware security module, you can configure Amazon IoT Greengrass to secure your SiteWise Edge gateway. For more information, see Hardware security integration in the Amazon IoT Greengrass Version 1 Developer Guide. Otherwise, consult the documentation for your operating system to learn how to encrypt and secure your file system.
Secure access to your edge configuration
Don't share your edge console application password or your SiteWise Monitor application password. Don't put these passwords in places where anyone can see them. Implement a healthy password rotation policy by configuring an appropriate expiration for your passwords.
Securing data on Siemens Industrial Edge Management
The device data you choose to share with Amazon IoT SiteWise Edge is determined in your Siemens IEM Databus configuration topics. By electing topics to share with SiteWise Edge, you are sharing topic-level data with Amazon IoT SiteWise. The Siemens Industrial Edge Marketplace is an independent marketplace, separate from Amazon. To protect your shared data, the SiteWise Edge application will not run unless you utilize Siemens Secured Storage. For more information, see Secure Storage.
Grant SiteWise Monitor users minimum possible permissions
Follow the principle of least privilege by using the minimum set of access policy permissions for your portal users.
- When you create a portal, define a role that allows the minimum set of assets needed for that portal. For more information, see Use service roles for Amazon IoT SiteWise Monitor.
- When you and your portal administrators create and share projects, use the minimum set of assets needed for that project.
- When an identity no longer needs access to a portal or project, remove them from that resource. If that identity is no longer applicable to your organization, delete that identity from your identity store.
The least privilege best practice also applies to IAM roles. For more information, see Policy best practices.
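One way to keep a portal's service role aligned with the assets its projects actually use is to audit the role's policy document against the project-to-asset mapping and flag grants that no project needs, assets that no grant covers, and wildcard resources on data-access actions. The following script is an added example, not AWS code or part of the SiteWise documentation; the policy document, project mapping, account ID and asset IDs are constructed placeholders, and the audit_portal and granted_assets functions are hypothetical helpers you would feed from DescribeProject and GetRolePolicy output in practice.

```python
"""Audit a SiteWise Monitor portal service role for least privilege.

Added example (not AWS code). All inputs below are constructed placeholders.
"""
import re
from typing import Iterable

# Asset ARN shape for Amazon IoT SiteWise: arn:aws:iotsitewise:REGION:ACCOUNT:asset/ASSET_ID
ASSET_ARN_RE = re.compile(
    r"^arn:aws:iotsitewise:[a-z0-9-]+:\d{12}:asset/(?P<asset_id>[^/]+)$"
)


def granted_assets(policy: dict) -> tuple[set[str], list[str]]:
    """Return (asset IDs explicitly allowed, wildcard resources) from Allow statements.

    Statements made up only of iotsitewise:List* actions are skipped, on the
    assumption that list operations are not resource-scoped and legitimately use "*".
    """
    ids: set[str] = set()
    wildcards: list[str] = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if all(a.startswith("iotsitewise:List") for a in actions):
            continue
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for resource in resources:
            match = ASSET_ARN_RE.match(resource)
            if match and match.group("asset_id") != "*":
                ids.add(match.group("asset_id"))
            else:
                # "*" or "arn:...:asset/*" grants every asset in the account/region
                wildcards.append(resource)
    return ids, wildcards


def audit_portal(policy: dict, projects: dict[str, Iterable[str]]) -> dict:
    """Compare granted asset IDs with the assets referenced by the portal's projects."""
    used: set[str] = set()
    for asset_ids in projects.values():
        used.update(asset_ids)
    granted, wildcards = granted_assets(policy)
    return {
        "unused_grants": sorted(granted - used),        # candidates for removal
        "missing_grants": sorted(used - granted) if not wildcards else [],
        "wildcards": wildcards,                          # data access on every asset
    }


# Constructed placeholder policy: three assets granted, ListAssets on "*" is tolerated.
PORTAL_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["iotsitewise:DescribeAsset", "iotsitewise:GetAssetPropertyValue"],
            "Resource": [
                "arn:aws:iotsitewise:us-east-1:111122223333:asset/a1111111-placeholder",
                "arn:aws:iotsitewise:us-east-1:111122223333:asset/a2222222-placeholder",
                "arn:aws:iotsitewise:us-east-1:111122223333:asset/a3333333-placeholder",
            ],
        },
        {"Effect": "Allow", "Action": "iotsitewise:ListAssets", "Resource": "*"},
    ],
}

# Constructed placeholder: the weak setting, every SiteWise action on every resource.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iotsitewise:*", "Resource": "*"}],
}

# Constructed placeholder mapping of project name -> asset IDs its dashboards reference.
PORTAL_PROJECTS = {
    "line-1-dashboards": ["a1111111-placeholder"],
    "line-2-dashboards": ["a2222222-placeholder"],
}


if __name__ == "__main__":
    print("scoped policy :", audit_portal(PORTAL_ROLE_POLICY, PORTAL_PROJECTS))
    print("overbroad     :", audit_portal(OVERBROAD_POLICY, PORTAL_PROJECTS))
```

Running the audit periodically (for example after projects are deleted) surfaces the third asset as an unused grant to remove, and reports the overbroad policy's "*" resource so it can be narrowed to the asset ARNs the portal's projects need.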
Don't expose sensitive information
You should prevent the logging of credentials and other sensitive information, such as personally identifiable information (PII). We recommend that you implement the following safeguards even though access to local logs on a SiteWise Edge gateway requires root privileges and access to CloudWatch Logs requires IAM permissions.
- Don't use sensitive information in names, descriptions, or properties of your assets or models.
- Don't use sensitive information in SiteWise Edge gateway or source names.
- Don't use sensitive information in names or descriptions of your portals, projects, or dashboards.
Follow Amazon IoT Greengrass security best practices
Follow Amazon IoT Greengrass security best practices for your SiteWise Edge gateway. For more information, see Security best practices in the Amazon IoT Greengrass Version 1 Developer Guide.
See also
- Security best practices in the Amazon IoT Developer Guide