Key management in Amazon IoT - Amazon IoT Core
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Key management in Amazon IoT

All connections to Amazon IoT are made over TLS. The session keys that protect a connection are negotiated during the TLS handshake, so you do not provision or manage any client-side encryption keys for transport. The keys you are responsible for are the device's authentication credentials described below.

Devices must authenticate using an X.509 certificate or an Amazon Cognito Identity. You can have Amazon IoT generate a certificate for you, in which case it also generates the public/private key pair for that certificate. If you are using the Amazon IoT console, you are prompted to download the certificate and keys. If you are using the create-keys-and-certificate CLI command, the certificate and keys are returned in the command's response. The private key is returned only at creation time and cannot be retrieved from Amazon IoT later, so save it immediately. You are responsible for copying the certificate and private key onto your device and for keeping the private key safe.
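The provisioning step above as an added shell example (not from the Amazon IoT documentation): it calls the real create-keys-and-certificate command with its output-file options, and adds the two checks a practitioner wants before the files are copied to a device: that the private key actually matches the certificate, and that the key file is readable only by its owner. It assumes the AWS CLI is installed and configured and that openssl is on the PATH; the function names and file names are this example's own.

```shell
#!/bin/sh
# Added example, not Amazon IoT's own code. Assumes a configured AWS CLI and openssl.
set -eu

# Ask Amazon IoT to generate a key pair and an active certificate, writing the
# three PEM files locally. The private key is only ever returned by this call,
# so the files are created under umask 077 (owner-only) from the start.
# Prints the certificate ARN on success.
provision_device_identity() {
  out_dir="$1"
  mkdir -p "$out_dir"
  ( umask 077
    aws iot create-keys-and-certificate \
      --set-as-active \
      --certificate-pem-outfile "$out_dir/device.pem.crt" \
      --public-key-outfile "$out_dir/public.pem.key" \
      --private-key-outfile "$out_dir/private.pem.key" \
      --query 'certificateArn' --output text )
}

# Return 0 when the private key corresponds to the certificate's public key,
# 1 otherwise. This catches a swapped or truncated key file before it reaches
# a device that would then fail the TLS handshake.
key_matches_cert() {
  key_file="$1"
  cert_file="$2"
  cert_pub=$(openssl x509 -noout -pubkey -in "$cert_file" 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$key_file" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Return 0 only when the private key file is readable by its owner alone
# (mode 600 or 400). A group- or world-readable key on a shared build host is
# the usual way a device identity leaks.
private_key_is_locked_down() {
  key_file="$1"
  mode=$(stat -c '%a' "$key_file" 2>/dev/null || stat -f '%Lp' "$key_file")
  case "$mode" in
    600|400) return 0 ;;
    *)       return 1 ;;
  esac
}

# Usage (hypothetical paths):
#   provision_device_identity ./device-1
#   key_matches_cert ./device-1/private.pem.key ./device-1/device.pem.crt
#   private_key_is_locked_down ./device-1/private.pem.key
```

Run the two checks on the build host right after provisioning and again on the device after the copy; the comparison is done on the public key extracted from each file, so it works for both RSA and EC keys.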

Amazon IoT does not currently support customer-managed KMS keys from Amazon Key Management Service (Amazon KMS). The Amazon IoT features that encrypt customer data at rest, Device Advisor and Amazon IoT Wireless, use only Amazon owned keys, so you cannot select, rotate, or audit the key material used for that encryption yourself.

Device Advisor

All data sent to Device Advisor through the Amazon APIs is encrypted at rest. Device Advisor performs this encryption with KMS keys stored and managed in Amazon Key Management Service; these are Amazon owned keys, not keys in your account, so no KMS key policy or grant on your side is involved. For more information about Amazon owned keys, see Amazon owned keys.