How do Thing names work in IoT?

0

I'm a little confused about what a Thing's "name" really means in IoT services.

I created a Thing with a name ("thing1") and created a certificate for it at the same time. That certificate is only assigned to thing1.

I set up a client using the certificate, and it was able to connect to the IoT service and send shadow updates as "thing1". Then I tried having that device send shadow updates as "thing2" or "thing3". To my surprise, this worked, even though there is no "thing2" or "thing3" defined on my account.

I had planned to give each of my devices its own certificate and assumed that by having separate certificates, the devices would not be able to spoof another device. But this doesn't seem to be the case.

What's the recommended way to achieve the security I want?

  • As an FYI, I also had the device try sending using a name that IS assigned to another device -- and that worked too.

Frank
Asked 2 years ago, 986 views
1 answer
1
Accepted answer

Hi Frank. If the device has a certificate that is registered with IoT Core, it may be able to connect, even without a corresponding Thing registered. This is because it can authenticate, but it doesn't necessarily mean it will be authorized to do anything. That depends on your use of AWS IoT policies.

In general, each device should have its own certificate and own private key. If the device has been securely provisioned, and the private key is securely held on the device, then only that device will be able to authenticate using that certificate. Best practices:

https://docs.aws.amazon.com/wellarchitected/latest/iot-lens/identity-and-access-management-iam.html

Ensure that each device has its own unique X.509 certificate in AWS IoT and that devices should never share certificates (one certificate for one device rule). In addition to using a single certificate per device, when using AWS IoT, each device must have its own unique thing in the IoT registry, and the thing name is used as the basis for the MQTT ClientID for MQTT connect.

You can attach an AWS IoT Policy to each certificate. You can use AWS IoT policy variables to then limit which devices can connect using that certificate. An example taken from https://docs.aws.amazon.com/iot/latest/developerguide/connect-and-pub.html

For a connection to be successful, the thing name must be registered in the AWS IoT Core registry and be authenticated using an identity or principal attached to the thing.

{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action":["iot:Publish"],
        "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/${iot:Connection.Thing.ThingName}"]
      },
      {
        "Effect": "Allow",
        "Action": ["iot:Connect"],
        "Resource": ["arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"]
      }
    ]
}

More information:

https://docs.aws.amazon.com/iot/latest/developerguide/iot-authorization.html
https://docs.aws.amazon.com/iot/latest/developerguide/iot-policy-variables.html
https://docs.aws.amazon.com/iot/latest/developerguide/example-iot-policies.html
https://aws.amazon.com/blogs/iot/understanding-the-aws-iot-security-model/

Additionally you may be interested in using AWS IoT Device Defender. It can audit your fleet helping you to detect any compromised devices.

AWS
Expert
Greg_B
Answered 2 years ago
  • Thank you for all the details, I'll review these documents today.
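Added example (not from the answer above or from AWS): a small, simplified simulation of how an AWS IoT policy is evaluated, placing a permissive wildcard policy (assumed here; the question does not show the policy that was actually attached) beside the `${iot:Connection.Thing.ThingName}`-scoped policy from the answer. It is not AWS's evaluator; it models only what the thread relies on: the variable resolves to the Thing the certificate is attached to, and a statement with an unresolved variable cannot match.

```python
import re

THING_VAR = "${iot:Connection.Thing.ThingName}"
ARN_BASE = "arn:aws:iot:us-east-1:123456789012:"

# Constructed policies: an unscoped "allow everything" policy (the shape that lets
# one certificate act as any thing) and the ThingName-scoped one from the answer.
WILDCARD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iot:Connect", "iot:Publish"], "Resource": ["*"]}]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iot:Publish"], "Resource": [ARN_BASE + "topic/" + THING_VAR]},
    {"Effect": "Allow", "Action": ["iot:Connect"], "Resource": [ARN_BASE + "client/" + THING_VAR]}]}

def _matches(pattern, resource):
    # IoT policy resources accept '*' and '?' wildcards; turn the ARN into a regex.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, resource) is not None

def is_allowed(policy, action, resource, attached_thing):
    """Simplified allow/deny decision for one action on one resource ARN.
    attached_thing is the Thing the connecting certificate is attached to (None if
    it is attached to no Thing); the real service resolves the variable from that
    attachment, and a statement containing an unresolved variable cannot match."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if action not in actions:
            continue
        for pattern in resources:
            if THING_VAR in pattern:
                if attached_thing is None:
                    continue
                pattern = pattern.replace(THING_VAR, attached_thing)
            if _matches(pattern, resource):
                if stmt["Effect"] == "Deny":
                    return False          # an explicit Deny always wins
                allowed = True
    return allowed

def can_act_as(policy, attached_thing, claimed_name):
    """Can a certificate attached to attached_thing connect with client ID
    claimed_name and publish to claimed_name's topic, i.e. act as that device?"""
    return (is_allowed(policy, "iot:Connect", ARN_BASE + "client/" + claimed_name, attached_thing)
            and is_allowed(policy, "iot:Publish", ARN_BASE + "topic/" + claimed_name, attached_thing))
```

With the wildcard policy the thing1 certificate can act as thing2, which is the behaviour described in the question; with the scoped policy it can only act as thing1, and a certificate attached to no Thing cannot act as anything.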
