AWS Security ChangesHomeSearch

AWS wellarchitected high security documentation change

Service: wellarchitected · 2025-07-04 · Security-related high

File: wellarchitected/latest/iot-lens/design-principles.md

Summary

Revised IoT design principles with new security-focused recommendations, updated operational guidance, and structural changes to content organization

Security assessment

Added explicit security guidance including 'Build security into your IoT solution' with defense-in-depth recommendations and addressing legacy OT system risks. This directly addresses security vulnerabilities in IoT implementations by emphasizing security controls at all layers.

Diff

diff --git a/wellarchitected/latest/iot-lens/design-principles.md b/wellarchitected/latest/iot-lens/design-principles.md
index 4ad8ccd44..a7e287b13 100644
--- a//wellarchitected/latest/iot-lens/design-principles.md
+++ b//wellarchitected/latest/iot-lens/design-principles.md
@@ -3 +3 @@
-[Documentation](/index.html)[AWS Well-Architected](https://aws.amazon.com/architecture/well-architected/)[AWS Well-Architected Framework](abstract-and-introduction.html)
+[Documentation](/index.html)[AWS Well-Architected](https://aws.amazon.com/architecture/well-architected/)[AWS Well-Architected Framework](iot-lens.html)
@@ -7 +7 @@
-In addition to the overall Well-Architected Framework operational excellence design principles, there are five design principles for operational excellence for IoT: 
+The Well-Architected Framework identifies the following set of design principles in order to facilitate good design in the cloud with IoT: 
@@ -9 +9 @@ In addition to the overall Well-Architected Framework operational excellence des
-  * **Plan for device provisioning** : Design your device provisioning process to create your initial device identity in a secure location. Implement a public key infrastructure (PKI) that is responsible for distributing unique certificates to IoT devices. As described above, selection of crypto hardware with a pre-generated private key and certificate eliminates the operational cost of running a PKI. Otherwise, PKI can be done offline with a hardware security module (HSM) during the manufacturing process, or during device bootstrapping. Use technologies that can manage the Certificate Authority (CA) and HSM in the cloud. 
+  * **Decouple ingestion from processing** : In IoT applications, the ingestion layer must be a highly scalable system that can handle a high rate of streaming device data. By decoupling the fast rate of ingestion from the processing portion of your application through the use of queues, buffers, and messaging services, your IoT application can scale elastically as needed and make several decisions without impacting devices, such as the frequency it processes data or the type of data it is interested in. 
@@ -11 +11 @@ In addition to the overall Well-Architected Framework operational excellence des
-  * **Implement device bootstrapping** : Devices that support personalization by a technician (in the industrial domain) or user (in the consumer domain) can also undergo provisioning. For example, a smartphone application that interacts with the device over Bluetooth LE and with the cloud over Wi-Fi. You must design the ability for devices to programmatically update their configuration information using a globally distributed bootstrap API. A bootstrapping design ensures that you can programmatically send the device new configuration settings through the cloud. These changes should include settings such as which IoT endpoint to communicate with, how frequently to send an overall status for the device, and any updated security settings such as server certificates. The process of bootstrapping goes beyond initial provisioning and plays a critical role in device operations by providing a programmatic way to update device configuration through the cloud. A bootstrapping API and endpoint must be available for the entire defined life of all devices, and must be able to respond to requests for all versions of firmware that have ever been deployed on a device. 
+  * **Design for offline behavior** : Due to things like connectivity issues or misconfigured settings, devices may go offline for longer periods of time than anticipated. Design your edge software to handle extended periods of offline connectivity and create metrics in the cloud to track devices that are not connected or communicating on a regular timeframe. 
@@ -13 +13 @@ In addition to the overall Well-Architected Framework operational excellence des
-  * **Document device communication patterns** : In an IoT application, device behavior is documented by hand at the hardware level. In the cloud, an operations team must formulate how the behavior of a device will scale once deployed to a fleet of devices. A cloud engineer should review the device communication patterns and extrapolate the total expected inbound and outbound traffic of device data and determine the expected infrastructure necessary in the cloud to support the entire fleet of devices. During operational planning, these patterns should be measured using device and cloud-side metrics to ensure that expected usage patterns are met in the system. 
+  * **Design for lean data at the edge and enrich in the cloud** : Given the constrained nature of IoT devices, the initial device schema will be optimized for storage on the physical device and efficient transmissions from the device to your IoT application. For this reason, unformatted device data will often not be enriched with static application information that can be inferred from the cloud. As data is ingested into your application, you should first enrich the data with human readable attributes, deserialize, or expand any fields that the device serialized, and then format the data in a data store that is tuned to support your applications read requirements. 
@@ -15 +15 @@ In addition to the overall Well-Architected Framework operational excellence des
-  * **Implement over-the-air (OTA) updates** : To benefit from long-term investments in hardware, you must be able to continually update the firmware on the devices with new capabilities. In the cloud, you can apply a robust firmware update process that allows you to target specific devices for firmware updates, roll out changes over time, track success and failures of updates, and have the ability to roll back or put a stop to firmware changes based on key performance indicators (KPIs). 
+  * **Handle personalization** : Devices that connect to the edge or cloud through Wi-Fi must receive the SSID name and credentials as one of the first steps performed when setting up the device. This data is usually infeasible to write to the device during manufacturing since it is sensitive and site-specific or from the cloud since the device is not connected yet. These factors frequently make personalization data distinct from the device client certificate and private key, which are conceptually upstream, and from cloud-provided firmware and configuration updates, which are conceptually downstream. Supporting personalization can impact design and manufacturing, since it may mean that the device itself requires a user interface for direct data input, or the need to provide a smartphone application to connect the device to the local network. 
@@ -17 +17 @@ In addition to the overall Well-Architected Framework operational excellence des
-  * **Implement functional testing on physical assets** : IoT device hardware and firmware must undergo rigorous testing before being deployed in the field. Acceptance and functional testing are critical for your path to production. The goal of functional testing is to run your hardware components, embedded firmware, and device application software through rigorous testing scenarios, such as intermittent or reduced connectivity or failure of peripheral sensors, while profiling the performance of the hardware. The tests ensure that your IoT device will perform as expected when deployed. 
+  * **Make sure that devices regularly send status checks** : Even if devices are regularly offline for extended periods of time, make sure that the device firmware contains application logic that sets a regular interval to send device status information to your IoT application. Devices must be active participants in making sure that your application has the right level of visibility. Sending this regularly occurring IoT message make sures that your IoT application gets an updated view of the overall status of a device, and can create processes when a device does not communicate within its expected period of time. 
@@ -19 +19,3 @@ In addition to the overall Well-Architected Framework operational excellence des
-  * **Design and build for operations at scale** : Design and build a solution for logging, monitoring, troubleshooting, fleet management, life cycle device and application management at scale. 
+  * **Use Gateways for edge computing, network segmentation, security compliance and bridging administrative domains:** By splitting the workload between local and remote processing helps to balance the timeliness and high bandwidth of local resources with the scale and elasticity of remote resources. Edge gateways can be used to mediate data flows between a low latency local-area network (LAN) and resources on the high-latency wide-area network (WAN), protocols used in each environment and can also mediate between security and administrative domains such as in a Perdue Enterprise Network Architecture (PERA), ANSI/ISA-95 network segmentation. Edge gateways are also used in consumer IoT systems. For example, a smart home gateway which collects data from multiple smart home devices. 
+
+  * **Build security into your IoT solution and apply security at all layers:** IoT implementations can have some unique considerations not present in traditional IT deployments. For example, deploying a consumer IoT device can introduce a new classification of threats that needs to be addressed and industrial IoT requires more thought around reliability, safety and compliance. Many legacy OT systems have limited security features and use industrial protocols which does not support authentication, authorization and encryption. In industrial IoT, the convergence of IT and OT systems is creating a mix of technologies that were designed to withstand risky network environments and ones that were not, which creates risk management difficulties that need to be controlled. So, building security into every part of your IoT solution is essential for minimizing risks to your data, business assets, and reputation. Apply a defense in-depth approach with multiple security controls. 
@@ -30 +32 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please
-Operational excellence
+Definitions
@@ -32 +34 @@ Operational excellence
-Best practices
+Scenarios