Amazon IoT security - Amazon IoT Core
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon IoT security

Each connected device or client must have a credential to interact with Amazon IoT. All traffic to and from Amazon IoT is sent securely over Transport Layer Security (TLS). Amazon cloud security mechanisms protect data as it moves between Amazon IoT and other Amazon services.

[Figure: Amazon IoT security workflow: credentials to interact with Amazon IoT, Transport Layer Security to secure the connection, and Amazon cloud security mechanisms to protect data.]
  • You are responsible for managing device credentials (X.509 certificates, Amazon credentials, Amazon Cognito identities, federated identities, or custom authentication tokens) and policies in Amazon IoT. For more information, see Key management in Amazon IoT. You are responsible for assigning unique identities to each device and managing the permissions for each device or group of devices.

  • Your devices connect to Amazon IoT using X.509 certificates or Amazon Cognito identities over a secure TLS connection. During research and development, and for some applications that make API calls or use WebSockets, you can also authenticate using IAM users and groups or custom authentication tokens. For more information, see IAM users, groups, and roles.

  • When using Amazon IoT authentication, the message broker is responsible for authenticating your devices, securely ingesting device data, and granting or denying access permissions you specify for your devices using Amazon IoT policies.

  • When using custom authentication, a custom authorizer is responsible for authenticating your devices and granting or denying access permissions you specify for your devices using Amazon IoT or IAM policies.

  • The Amazon IoT rules engine forwards device data to other devices or other Amazon services according to rules you define. It uses Amazon Identity and Access Management to securely transfer data to its final destination. For more information, see Identity and access management for Amazon IoT.
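The first and third bullets above put two things on you: giving each device a unique identity, and writing the Amazon IoT policy that the message broker evaluates for that identity. The Python below is an added example (not code from the Amazon IoT documentation or SDKs) that builds a per-device, least-privilege policy by scoping every resource to the `${iot:Connection.Thing.ThingName}` policy variable, and then lints policy documents for the wildcard grants that commonly survive from prototyping. The ARN layout, the `iot:Connect`/`iot:Publish`/`iot:Subscribe`/`iot:Receive` actions, the thing-name policy variable and the `iot:Connection.Thing.IsAttached` condition key are real Amazon IoT constructs; the Region, account ID, partition value and topic naming scheme (`devices/<thing>/...`) are constructed placeholders for the example.

```python
"""Build a least-privilege Amazon IoT policy for one device and lint
policies for overly broad grants.

Added example, not code from Amazon IoT. The Region, account ID and the
``devices/<thing>/...`` topic layout are constructed placeholders.
"""
import json

# Constructed placeholders; substitute your own values. The partition is
# "aws-cn" in the China Regions and "aws" elsewhere.
REGION = "cn-north-1"
ACCOUNT = "123456789012"
PARTITION = "aws-cn"

# Policy variable that Amazon IoT resolves, per connection, to the name of the
# thing the connecting certificate is attached to.
THING = "${iot:Connection.Thing.ThingName}"


def iot_arn(resource: str, partition: str = PARTITION,
            region: str = REGION, account: str = ACCOUNT) -> str:
    """Compose an Amazon IoT resource ARN (client/..., topic/..., topicfilter/...)."""
    return f"arn:{partition}:iot:{region}:{account}:{resource}"


def device_policy() -> dict:
    """One policy document that serves every device, because each resource is
    scoped to the connecting thing's own name rather than to a fixed client ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "iot:Connect",
                # A device may only connect using its own thing name as client ID...
                "Resource": iot_arn(f"client/{THING}"),
                # ...and only if its certificate is actually attached to that thing.
                "Condition": {"Bool": {"iot:Connection.Thing.IsAttached": ["true"]}},
            },
            {
                "Effect": "Allow",
                "Action": ["iot:Publish", "iot:Receive"],
                "Resource": iot_arn(f"topic/devices/{THING}/*"),
            },
            {
                "Effect": "Allow",
                "Action": "iot:Subscribe",
                # Subscriptions are authorised against topicfilter/ ARNs, not topic/.
                "Resource": iot_arn(f"topicfilter/devices/{THING}/*"),
            },
        ],
    }


# Constructed "before" policy of the kind often left behind by prototyping:
# any device holding any certificate with this policy can do anything in IoT.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iot:*", "Resource": "*"}],
}


def lint_policy(policy: dict) -> list:
    """Return findings for Allow statements that grant more than a single
    device needs: wildcard actions, wildcard resources, or client/topic
    resources that are not tied to the connecting thing's name."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        resources = st.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        for a in actions:
            if a in ("*", "iot:*"):
                findings.append(f"statement {i}: wildcard action {a!r}")
        for r in resources:
            if r == "*" or r.endswith(":*"):
                findings.append(f"statement {i}: wildcard resource {r!r}")
            elif THING not in r and any(
                    k in r for k in (":client/", ":topic/", ":topicfilter/")):
                findings.append(
                    f"statement {i}: resource {r!r} is not scoped to the connecting thing")
    return findings


if __name__ == "__main__":
    print(json.dumps(device_policy(), indent=2))
    for name, pol in (("device_policy", device_policy()), ("BROAD_POLICY", BROAD_POLICY)):
        print(name, "findings:", lint_policy(pol) or "none")
```

The scoped policy is attached once (for example to every device certificate you issue) and still yields a different effective permission set per device, which is what "unique identities" buys you: a compromised device's credential cannot be used to connect as, or read the topics of, any other device. The linter is a pre-deployment check, not a substitute for the broker's evaluation; run it over policy documents before `create-policy` or as a CI step.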