IoT Core endpoint redirecting published to another account


We have several environments in IoT Core; for the sake of this question let's call them dev and staging. Dev environment has endpoint and staging has endpoint. We have a device provisioned with JITP in dev environment which connects without any issue to dev environment as expected. Now, if we change the device endpoint to "bbbbbbb....", keeping dev certificates, and we try to publish a message, the device connects to dev environment and we get the message in dev environment. Is this an expected behaviour?

2 Answers


To ensure that the device connects to the account which corresponds to the specified endpoint, you need to:

  1. register the certificate in both accounts. This is called Multi Account Registration. Follow the instructions for registering a client certificate signed by an unregistered CA

  2. ensure the MQTT client you use sends the SNI extension



answered a year ago

I discussed this with one of my engineers in the past.

I think it is not expected behavior for a device to be able to connect to the wrong environment (in this case, the "dev" environment) with the wrong endpoint (in this case, the "bbbbbbb...." endpoint that belongs to the "staging" environment).

When a device is provisioned with Just-in-Time Provisioning (JITP) in AWS IoT Core, it receives a unique X.509 certificate and private key that is used to authenticate the device when it connects to AWS IoT Core. The device also receives an endpoint URL that it should use to connect to AWS IoT Core.

If the device attempts to connect to the wrong endpoint URL, it will not be able to establish a connection with AWS IoT Core. The device should only be able to connect to the correct environment (either "dev" or "staging") using the correct endpoint URL for that environment.

It is possible that there may be some issue with the device or its configuration that is causing it to connect to the wrong environment. It would be helpful to check the device logs and configuration to try to determine the cause of the issue. @seekrsi

answered a year ago
  • If the device attempts to connect to the wrong endpoint URL, it will not be able to establish a connection with AWS IoT Core.

    For general certificates that do not use multi-account registration or the SNI field for connection, this actually will work. IoT Core will check the certificate id (hash) and determine which account it belongs to, and then if the policy allows, establish a connection to that AWS account regardless of the endpoint FQDN used.
