Transport security in Amazon IoT Core
TLS (Transport Layer Security) is a cryptographic protocol that is designed for secure communication over a computer network. The Amazon IoT Core Device Gateway requires customers to encrypt all communication while in-transit by using TLS for connections from devices to the Gateway. TLS is used to achieve confidentiality of the application protocols (MQTT, HTTP, and WebSocket) supported by Amazon IoT Core. TLS support is available in a number of programming languages and operating systems. Data within Amazon is encrypted by the specific Amazon service. For more information about data encryption on other Amazon services, see the security documentation for that service.
Contents
TLS protocols
Amazon IoT Core supports the following versions of the TLS protocol:
-
TLS 1.3
-
TLS 1.2
Security policies
Note
This feature is not available in China.
A security policy is a combination of TLS protocols and their ciphers that determine which protocols and ciphers are supported during TLS negotiations between a client and a server. You can configure your devices to use predefined security policies based on your needs. Note that Amazon IoT Core doesn't support custom security policies.
You can choose one of the predefined security policies for your devices when
connecting them to Amazon IoT Core. The names of the most recent predefined security policies
in Amazon IoT Core include version information based on the year and month that they were
released. The default predefined security policy is
IoTSecurityPolicy_TLS13_1_2_2022_10. To specify a security policy, you
can use the Amazon IoT console or the Amazon CLI. For more information, see Configuring TLS settings in domain
configurations.
The following table describes the most recent predefined security policies that
Amazon IoT Core supports. The IotSecurityPolicy_ has been removed from policy
names in the heading row so that they fit.
| Security policy | TLS13_1_3_2022_10 | TLS13_1_2_2022_10 | TLS12_1_2_2022_10 | TLS12_1_0_2016_01* | TLS12_1_0_2015_01* | ||
|---|---|---|---|---|---|---|---|
| TCP Port |
443/8443/8883 |
443/8443/8883 |
443/8443/8883 |
443 | 8443/8883 | 443 | 8443/8883 |
| TLS Protocols | |||||||
| TLS 1.2 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
| TLS 1.3 | ✓ | ✓ | |||||
| TLS Ciphers | |||||||
| TLS_AES_128_GCM_SHA256 | ✓ | ✓ | |||||
| TLS_AES_256_GCM_SHA384 | ✓ | ✓ | |||||
| TLS_CHACHA20_POLY1305_SHA256 | ✓ | ✓ | |||||
| ECDHE-RSA-AES128-GCM-SHA256 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
| ECDHE-RSA-AES128-SHA256 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
| ECDHE-RSA-AES128-SHA | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
| ECDHE-RSA-AES256-GCM-SHA384 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
| ECDHE-RSA-AES256-SHA384 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
| ECDHE-RSA-AES256-SHA | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
| AES128-GCM-SHA256 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
| AES128-SHA256 | ✓ | ✓ | ✓ | ✓ | ✓ | ||
| AES128-SHA | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
| AES256-GCM-SHA384 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
| AES256-SHA256 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
| AES256-SHA | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
| DHE-RSA-AES256-SHA | ✓ | ✓ | |||||
| ECDHE-ECDSA-AES128-GCM-SHA256 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
| ECDHE-ECDSA-AES128-SHA256 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
| ECDHE-ECDSA-AES128-SHA | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
| ECDHE-ECDSA-AES256-GCM-SHA384 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
| ECDHE-ECDSA-AES256-SHA384 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
| ECDHE-ECDSA-AES256-SHA | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
Note
TLS12_1_0_2016_01 is only available in the following Amazon Web Services Regions:
ap-east-1, ap-northeast-2, ap-south-1, ap-southeast-2, ca-central-1, cn-north-1,
cn-northwest-1, eu-north-1, eu-west-2, eu-west-3, me-south-1, sa-east-1, us-east-2,
us-gov-west-1, us-gov-west-2, us-west-1.
TLS12_1_0_2015_01 is only available in the following Amazon Web Services Regions:
ap-northeast-1, ap-southeast-1, eu-central-1, eu-west-1, us-east-1,
us-west-2.
Important notes for transport security in Amazon IoT Core
For devices that connect to Amazon IoT Core using MQTT, TLS encrypts the connection between the devices and the broker, and Amazon IoT Core uses TLS client authentication to identify devices. For more information, see Client authentication. For devices that connect to Amazon IoT Core using HTTP, TLS encrypts the connection between the devices and the broker, and authentication is delegated to Amazon Signature Version 4. For more information, see Signing requests with Signature Version 4 in the Amazon General Reference.
When you connect devices to Amazon IoT Core, sending the Server Name Indication (SNI)
extensionhost_name field. The host_name field must contain the
endpoint you are calling. That endpoint must be one of the following:
-
The
endpointAddressreturned byaws iot describe-endpoint--endpoint-type iot:Data-ATS -
The
domainNamereturned byaws iot describe-domain-configuration–-domain-configuration-name " domain_configuration_name"
Connections attempted by devices with the incorrect or invalid host_name
value will fail. Amazon IoT Core will log failures to CloudWatch for the authentication type of
Custom
Authentication.
Amazon IoT Core doesn't support the SessionTicket TLS extension
Transport security for LoRaWAN wireless devices
LoRaWAN devices follow the security practices described in LoRaWAN ™ SECURITY: A White Paper Prepared for the LoRa Alliance™ by Gemalto,
Actility, and Semtech
For more information about transport security with LoRaWAN devices, see Data security with Amazon IoT Core for LoRaWAN.
Connection security
Amazon IoT Core message broker and Device Shadow services rely on communication using
encryption and TLS 1.2
-
ECDHE-ECDSA-AES128-GCM-SHA256 (recommended)
-
ECDHE-RSA-AES128-GCM-SHA256 (recommended)
-
ECDHE-ECDSA-AES128-SHA256
-
ECDHE-RSA-AES128-SHA256
-
ECDHE-ECDSA-AES128-SHA
-
ECDHE-RSA-AES128-SHA
-
ECDHE-ECDSA-AES256-GCM-SHA384
-
ECDHE-RSA-AES256-GCM-SHA384
-
ECDHE-ECDSA-AES256-SHA384
-
ECDHE-RSA-AES256-SHA384
-
ECDHE-RSA-AES256-SHA
-
ECDHE-ECDSA-AES256-SHA
-
AES128-GCM-SHA256
-
AES128-SHA256
-
AES128-SHA
-
AES256-GCM-SHA384
-
AES256-SHA256
-
AES256-SHA