By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

AWS IoT Core credential provider requires private key to be sent

0

I was reading through these docs and noticed that the steps to request a security token requires the client to send its private key to credential provider service.

curl --cert your certificate --key your device certificate key pair -H "x-amzn-iot-thingname: your thing name" --cacert AmazonRootCA1.pem https://your endpoint /role-aliases/your role alias/credentials

This is mentioned in these docs: https://docs.aws.amazon.com/iot/latest/developerguide/authorizing-direct-aws.html https://aws.amazon.com/blogs/security/how-to-eliminate-the-need-for-hardcoded-aws-credentials-in-devices-by-using-the-aws-iot-credentials-provider/

Looking at it superficially, I would think this is a security flaw and would defeat the purpose of using asymmetric keys in the first place.

Any help to help me understand what is going on is greatly appreciated.

Topics
Internet of Things (IoT)Security, Identity, & ComplianceAWS Well-Architected Framework
Tags
AWS IoT CoreInternet of Things (IoT)Device SecuritySecurity
Language
English
AmuletxHeart
asked 2 years ago696 views
1 Answer
1
Accepted Answer

Hi,

The private key is never sent to the Credential Provider. It is used to establish a mutual (mTLS) connection with the endpoint. That gives Credential Provider the ability to verify the presented X.509 certificates.

AWS
Gavin_A
answered 2 years ago
profile picture
EXPERT
Oleksii Bebych
reviewed a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content