Key management in Amazon IoT
All connections to Amazon IoT use TLS, so no client-side encryption keys are needed for the initial TLS connection itself.
Devices must authenticate using an X.509 certificate or an Amazon Cognito Identity. You can have Amazon IoT generate a certificate for you, in which case it also generates a public/private key pair. If you are using the Amazon IoT console, you will be prompted to download the certificate and keys. If you are using the create-keys-and-certificate
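The following script is an added example and is not part of the Amazon IoT documentation. It wraps the create-keys-and-certificate CLI call described above and then restricts the downloaded private key to owner-only access, which is the step most often skipped when keys are generated on a workstation. It assumes the AWS CLI is installed and has credentials configured; the output directory name and file names are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example (not from the Amazon IoT docs): generate a device certificate
# and key pair with the AWS CLI, then lock down the private key on disk.
# Assumptions: the AWS CLI is installed and configured; OUT_DIR and the
# file names below are placeholders chosen for this example.

OUT_DIR="${OUT_DIR:-./iot-device-creds}"

# Build the CLI invocation as a string so it can be reviewed before it runs.
# The flags are real options of `aws iot create-keys-and-certificate`:
# --set-as-active activates the certificate immediately, and the three
# *-outfile flags write the PEM-encoded certificate and keys to disk.
build_create_cmd() {
  dir="$1"
  cmd="aws iot create-keys-and-certificate --set-as-active"
  cmd="$cmd --certificate-pem-outfile $dir/device.pem.crt"
  cmd="$cmd --public-key-outfile $dir/device.public.key"
  cmd="$cmd --private-key-outfile $dir/device.private.key"
  printf '%s' "$cmd"
}

# Restrict a key file to owner read/write (mode 0600).
# Returns 0 only if the file exists and the resulting mode is rw-------.
lock_down_key() {
  f="$1"
  [ -f "$f" ] || return 1
  chmod 600 "$f"
  mode=$(ls -l "$f" | cut -c1-10)
  [ "$mode" = "-rw-------" ]
}

# Full procedure: create the credentials directory, run the CLI call, keep
# the JSON response (it carries certificateArn and certificateId, which you
# need later to attach a policy), and protect the private key.
register_device() {
  mkdir -p "$OUT_DIR"
  chmod 700 "$OUT_DIR"
  cmd=$(build_create_cmd "$OUT_DIR")
  sh -c "$cmd" > "$OUT_DIR/create-response.json"
  lock_down_key "$OUT_DIR/device.private.key"
}

# Usage: sh this_script.sh run
if [ "${1:-}" = "run" ]; then
  register_device
fi
```

The CLI call itself is only executed when the script is invoked with the `run` argument, so the helper functions can be inspected or tested without contacting Amazon IoT. The private key never leaves the machine that ran the command; only the certificate needs to be distributed, and the key file should stay at mode 0600 from this point on.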
Amazon IoT does not currently support customer-managed Amazon KMS keys (KMS keys) from Amazon Key Management Service (Amazon KMS); Device Advisor and Amazon IoT Wireless encrypt customer data using only an Amazon owned key.
Device Advisor
All data sent to Device Advisor when using the Amazon APIs is encrypted at rest. Device Advisor encrypts all of your data at rest using KMS keys stored and managed in Amazon Key Management Service.