Transport security in Amazon IoT
The Amazon IoT message broker and Device Shadow service encrypt all communication in transit using TLS.
For MQTT, TLS encrypts the connection between the device and the broker, and Amazon IoT uses TLS client authentication (the device's client certificate) to identify devices. For HTTP, TLS encrypts the connection between the device and the broker, and authentication is delegated to Amazon Signature Version 4.
Amazon IoT requires devices to send the Server Name Indication (SNI) extension host_name field. The host_name field must contain the endpoint you are calling, and it must be one of:
- The endpointAddress returned by: aws iot describe-endpoint --endpoint-type iot:Data-ATS
- The domainName returned by: aws iot describe-domain-configuration --domain-configuration-name "domain_configuration_name"
Connections attempted by devices without the correct host_name value will fail. Amazon IoT logs these failures to CloudWatch only if the authentication type is Custom Authentication; for other authentication types, diagnose the failed handshake from the device side (the client's TLS error or a packet capture of the ClientHello).
Amazon IoT does not support the SessionTicket TLS extension.
Transport security for LoRaWAN wireless devices
LoRaWAN devices follow the security practices described in LoRaWAN™ SECURITY: A White Paper Prepared for the LoRa Alliance™ by Gemalto, Actility, and Semtech.
For more information about transport security with LoRaWAN devices, see Data security with Amazon IoT Core for LoRaWAN.
TLS cipher suite support
Amazon IoT supports the following cipher suites:
- ECDHE-ECDSA-AES128-GCM-SHA256 (recommended)
- ECDHE-RSA-AES128-GCM-SHA256 (recommended)
- ECDHE-ECDSA-AES128-SHA256
- ECDHE-RSA-AES128-SHA256
- ECDHE-ECDSA-AES128-SHA
- ECDHE-RSA-AES128-SHA
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-ECDSA-AES256-SHA384
- ECDHE-RSA-AES256-SHA384
- ECDHE-RSA-AES256-SHA
- ECDHE-ECDSA-AES256-SHA
- AES128-GCM-SHA256
- AES128-SHA256
- AES128-SHA
- AES256-GCM-SHA384
- AES256-SHA256
- AES256-SHA
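The SNI requirement, the cipher suite list and the SessionTicket note above are the three things to check when a device's TLS handshake to Amazon IoT fails before any MQTT traffic flows. The helper below is an added example for this page, not code from the Amazon IoT documentation or SDKs: it parses a TLS 1.2 ClientHello record (for example the first record of a failing connection captured with tcpdump) and reports whether the SNI host_name, the offered cipher suites and the SessionTicket extension match what this page says the broker requires. The ClientHello builder, the cipher suite code points (taken from the TLS cipher suite registry) and the placeholder endpoint name are constructed test fixtures, not a real capture or a real account's endpoint.

```python
import struct

# Cipher suites Amazon IoT accepts, keyed by TLS 1.2 code point (IANA registry values).
IOT_CIPHER_SUITES = {
    0xC02B: "ECDHE-ECDSA-AES128-GCM-SHA256", 0xC02F: "ECDHE-RSA-AES128-GCM-SHA256",
    0xC023: "ECDHE-ECDSA-AES128-SHA256",     0xC027: "ECDHE-RSA-AES128-SHA256",
    0xC009: "ECDHE-ECDSA-AES128-SHA",        0xC013: "ECDHE-RSA-AES128-SHA",
    0xC02C: "ECDHE-ECDSA-AES256-GCM-SHA384", 0xC030: "ECDHE-RSA-AES256-GCM-SHA384",
    0xC024: "ECDHE-ECDSA-AES256-SHA384",     0xC028: "ECDHE-RSA-AES256-SHA384",
    0xC014: "ECDHE-RSA-AES256-SHA",          0xC00A: "ECDHE-ECDSA-AES256-SHA",
    0x009C: "AES128-GCM-SHA256",             0x003C: "AES128-SHA256",
    0x002F: "AES128-SHA",                    0x009D: "AES256-GCM-SHA384",
    0x003D: "AES256-SHA256",                 0x0035: "AES256-SHA",
}
EXT_SERVER_NAME = 0       # RFC 6066 server_name extension
EXT_SESSION_TICKET = 35   # RFC 5077 SessionTicket extension


def build_client_hello(host, cipher_codes, session_ticket=False):
    """Construct a minimal TLS 1.2 ClientHello record (test fixture, not a real capture)."""
    exts = b""
    if host is not None:
        name = host.encode()
        entry = struct.pack("!BH", 0, len(name)) + name        # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    if session_ticket:
        exts += struct.pack("!HH", EXT_SESSION_TICKET, 0)     # empty ticket: asks server for one
    suites = b"".join(struct.pack("!H", c) for c in cipher_codes)
    body = (b"\x03\x03" + bytes(32)                          # client_version, random (zeroed fixture)
            + b"\x00"                                         # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                     # compression_methods: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (sni_host or None, list of offered cipher code points, session_ticket_offered)."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]                       # strip the 5-byte record header
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4 + 2 + 32                        # handshake header, client_version, random
    p += 1 + hs[p]                        # session_id
    n = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    ciphers = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(p, p + n, 2)]
    p += n
    p += 1 + hs[p]                        # compression_methods
    sni, ticket = None, False
    if p < len(hs):                       # extensions block is optional in TLS 1.2
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p < end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            data = hs[p:p + elen]
            p += elen
            if etype == EXT_SERVER_NAME:
                q = 2                     # skip the 2-byte server_name_list length
                while q < len(data):
                    ntype, nlen = struct.unpack("!BH", data[q:q + 3])
                    q += 3
                    if ntype == 0:
                        sni = data[q:q + nlen].decode()
                    q += nlen
            elif etype == EXT_SESSION_TICKET:
                ticket = True
    return sni, ciphers, ticket


def check_client_hello(record, expected_host):
    """List reasons this ClientHello would fail or misbehave against Amazon IoT; [] means it looks fine."""
    sni, ciphers, ticket = parse_client_hello(record)
    findings = []
    if sni is None:
        findings.append("reject: no SNI host_name; Amazon IoT requires the SNI extension")
    elif sni != expected_host:
        findings.append(f"reject: SNI host_name {sni!r} does not match endpoint {expected_host!r}")
    if not any(c in IOT_CIPHER_SUITES for c in ciphers):
        findings.append("reject: no cipher suite in common with Amazon IoT")
    if ticket:
        findings.append("note: SessionTicket offered, but Amazon IoT does not support it, so ticket resumption will not happen")
    return findings


if __name__ == "__main__":
    # Constructed placeholder endpoint; use the endpointAddress from describe-endpoint for a real check.
    endpoint = "example-ats.iot.cn-north-1.amazonaws.com.cn"
    print(check_client_hello(build_client_hello(endpoint, [0xC02B, 0xC02F]), endpoint))
    print(check_client_hello(build_client_hello(None, [0x0005], session_ticket=True), endpoint))
```

To use it on a real failure, carve the bytes of the first TLS record the device sends (the capture's first packet to port 8443 or 443 after the TCP handshake) and pass them to check_client_hello together with the endpointAddress or domainName you expect the device to be using; a mismatch in the first finding is the usual cause of a handshake that fails with no CloudWatch record.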
Connection security
The Amazon IoT message broker and Device Shadow services rely on encrypted communication over TLS 1.2.