Transport security in Amazon IoT - Amazon IoT Core
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Transport security in Amazon IoT

The Amazon IoT message broker and Device Shadow service encrypt all communication in transit by using TLS version 1.2. TLS ensures the confidentiality of the application protocols (MQTT, HTTP, and WebSocket) supported by Amazon IoT. TLS support is available in a number of programming languages and operating systems. Data within Amazon is encrypted by the specific Amazon service. For more information about data encryption on other Amazon services, see the security documentation for that service.

For MQTT, TLS encrypts the connection between the device and the broker. TLS client authentication is used by Amazon IoT to identify devices. For HTTP, TLS encrypts the connection between the device and the broker. Authentication is delegated to Amazon Signature Version 4.

Amazon IoT requires devices to send the Server Name Indication (SNI) extension to the Transport Layer Security (TLS) protocol and provide the complete endpoint address in the host_name field. The host_name field must contain the endpoint you are calling, and it must be:

Connections attempted by devices without the correct host_name value will fail, and Amazon IoT will log failures to CloudWatch if the authentication type is Custom Authentication.

Amazon IoT does not support the SessionTicket TLS extension.

Transport security for LoRaWAN wireless devices

LoRaWAN devices follow the security practices described in LoRaWAN™ SECURITY: A White Paper Prepared for the LoRa Alliance™ by Gemalto, Actility, and Semtech.

For more information about transport security with LoRaWAN devices, see Data security with Amazon IoT Core for LoRaWAN.

TLS cipher suite support

Amazon IoT supports the following cipher suites:

  • ECDHE-ECDSA-AES128-GCM-SHA256 (recommended)
  • ECDHE-RSA-AES128-GCM-SHA256 (recommended)
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-ECDSA-AES128-SHA
  • ECDHE-RSA-AES128-SHA
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES256-SHA384
  • ECDHE-RSA-AES256-SHA384
  • ECDHE-RSA-AES256-SHA
  • ECDHE-ECDSA-AES256-SHA
  • AES128-GCM-SHA256
  • AES128-SHA256
  • AES128-SHA
  • AES256-GCM-SHA384
  • AES256-SHA256
  • AES256-SHA
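The following is an added example, not code from the Amazon IoT documentation or SDKs. It shows, with the Python standard library only, what the transport requirements above look like on the device side: a client context pinned to TLS 1.2, restricted to the cipher suites in the list above (recommended suites first), with the full endpoint passed as server_hostname so that it lands in the SNI host_name field, and an optional client certificate for the MQTT mutual-TLS case. It also includes a small audit helper that checks a device's cipher offer against the supported list. Function names (build_iot_client_context, enabled_tls12_suites, acceptable_offer, open_iot_tls_socket) and the sample device offer are this example's own constructions; the system CA store is assumed to contain the root that signs the broker certificate.

```python
"""Added example (not from the Amazon IoT documentation): a TLS 1.2 client
context matching the transport requirements on this page. Helper names and
the sample cipher offer are constructed for the example."""
import socket
import ssl

# Cipher suites from the page, in OpenSSL naming; the two recommended ones first.
AWS_IOT_CIPHER_SUITES = [
    "ECDHE-ECDSA-AES128-GCM-SHA256",  # recommended
    "ECDHE-RSA-AES128-GCM-SHA256",    # recommended
    "ECDHE-ECDSA-AES128-SHA256",
    "ECDHE-RSA-AES128-SHA256",
    "ECDHE-ECDSA-AES128-SHA",
    "ECDHE-RSA-AES128-SHA",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES256-SHA384",
    "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-AES256-SHA",
    "ECDHE-ECDSA-AES256-SHA",
    "AES128-GCM-SHA256",
    "AES128-SHA256",
    "AES128-SHA",
    "AES256-GCM-SHA384",
    "AES256-SHA256",
    "AES256-SHA",
]
RECOMMENDED = AWS_IOT_CIPHER_SUITES[:2]


def build_iot_client_context(client_cert=None, client_key=None):
    """Return an ssl.SSLContext pinned to TLS 1.2 and the page's cipher suites.

    PROTOCOL_TLS_CLIENT turns on hostname checking and CERT_REQUIRED, so the
    broker certificate is verified against the system CA store (assumed to
    hold the broker's root CA).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # the broker speaks TLS 1.2
    ctx.load_default_certs()
    # OpenSSL silently skips names its build does not provide and raises only
    # if none of the listed suites are available.
    ctx.set_ciphers(":".join(AWS_IOT_CIPHER_SUITES))
    if client_cert:
        # MQTT: the device is identified by TLS client authentication.
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


def enabled_tls12_suites(ctx):
    """Names of the suites the context will actually offer, in preference
    order. OpenSSL 1.1.1+ also reports its fixed TLS 1.3 suites; they are
    excluded here because maximum_version makes them non-negotiable."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def acceptable_offer(offered):
    """Audit a device's ClientHello cipher offer (a list of OpenSSL names):
    keep only suites Amazon IoT accepts, recommended ones first, then in the
    page's order."""
    accepted = [s for s in offered if s in AWS_IOT_CIPHER_SUITES]
    return sorted(
        accepted,
        key=lambda s: (s not in RECOMMENDED, AWS_IOT_CIPHER_SUITES.index(s)),
    )


def open_iot_tls_socket(endpoint, port=8883, client_cert=None,
                        client_key=None, timeout=10.0):
    """Connect to an Amazon IoT endpoint (not exercised offline).

    server_hostname is what places the complete endpoint in the SNI
    host_name field; it is also the name the broker certificate is checked
    against. Omitting it is the failure mode the page describes.
    """
    ctx = build_iot_client_context(client_cert, client_key)
    raw = socket.create_connection((endpoint, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=endpoint)


if __name__ == "__main__":
    context = build_iot_client_context()
    print("suites offered:", enabled_tls12_suites(context))
    # Constructed device offer: one unsupported legacy suite, one accepted
    # legacy suite and one recommended suite.
    print(acceptable_offer(["DES-CBC3-SHA", "AES128-SHA",
                            "ECDHE-RSA-AES128-GCM-SHA256"]))
```

The context is built once and reused for every connection; pinning both minimum_version and maximum_version to 1.2 keeps the negotiated version identical to what the broker offers, and the explicit set_ciphers list means a newer OpenSSL default list cannot quietly widen what the device proposes.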
