AWS Security ChangesHomeSearch

AWS wellarchitected documentation change

Service: wellarchitected · 2025-07-04 · Documentation high

File: wellarchitected/latest/iot-lens/detective-controls.md

Summary

Expanded IoT security detective controls documentation with three new best practices (IOTSEC06-BP01 to BP03), added specific metrics/alarm examples, enhanced logging guidance, and integration with AWS security services.

Security assessment

The changes add detailed security monitoring practices (e.g., authorization error tracking, audit checks, automated remediation) but do not reference a specific resolved vulnerability. Proactive security hardening documentation is added.

Diff

diff --git a/wellarchitected/latest/iot-lens/detective-controls.md b/wellarchitected/latest/iot-lens/detective-controls.md
index b853d134e..5fa4ccc88 100644
--- a//wellarchitected/latest/iot-lens/detective-controls.md
+++ b//wellarchitected/latest/iot-lens/detective-controls.md
@@ -3 +3,3 @@
-[Documentation](/index.html)[AWS Well-Architected](https://aws.amazon.com/architecture/well-architected/)[AWS Well-Architected Framework](abstract-and-introduction.html)
+[Documentation](/index.html)[AWS Well-Architected](https://aws.amazon.com/architecture/well-architected/)[AWS Well-Architected Framework](iot-lens.html)
+
+IOTSEC06-BP01 Collect and analyze logs and metrics to capture authorization errors and failures to enable appropriate responseIOTSEC06-BP02 Send alerts when security events, misconfiguration, and behavior violations are detectedIOTSEC06-BP03 Alert on non-compliant device configurations and remediate using automation
@@ -7 +9 @@
-Due to the scale of data, metrics, and logs in IoT applications, aggregating and monitoring is an essential part of a well-architected IoT application. Unauthorized users will probe for bugs in your IoT application and will look to take advantage of individual devices to gain further access into other devices, applications, and cloud resources. To operate an entire IoT solution, you will need to manage detective controls not only for an individual device but also for the entire fleet of devices in your application. You will need to enable several levels of logging, monitoring, and alerting to detect issues at the device level as well as the fleet-wide level. 
+Due to the scale of data, metrics, and logs in IoT applications, aggregating and monitoring is an essential part of a well-architected IoT application. Proper access controls paired with detection mechanisms help prevent unauthorized access to devices and connected resources. In order to operate an entire IoT solution, you will need to manage detective controls not only for an individual device but also for the entire fleet of devices in your application. You will need to enable several levels of logging, monitoring, and alerting to detect issues at the device level as well as the fleet-wide level. 
@@ -9 +11 @@ Due to the scale of data, metrics, and logs in IoT applications, aggregating and
-In a well-architected IoT application, each layer of the IoT application generates metrics and logs. At a minimum, your architecture should have metrics and logs related to the physical device, the connectivity behavior of your device, message input and output rates per device, provisioning activities, authorization attempts, and internal routing events of device data from one application to another. 
+In a well-architected IoT application, each layer of the IoT application generates metrics and logs. At a minimum, your architecture should have metrics and logs related to the physical device, the connectivity behavior of your device, message input and output rates per device, provisioning activities, authorization attempts, and internal routing events of device data from one application to another. Also, actions performed by the IoT application itself as well as actions performed by users of the IoT application should be logged. 
@@ -11 +13 @@ In a well-architected IoT application, each layer of the IoT application generat
-IOTSEC 6: How do you analyze application logs and device metrics to detect security issues?  
+IOTSEC06: How do you analyze application and device logs and metrics to detect security issues?  
@@ -16 +18,3 @@ Your device logs and metrics play a critical role in monitoring security behavio
-In AWS IoT, you can implement detective controls using AWS IoT Device Defender, CloudWatch Logs, AWS IoT Greengrass logs and CloudWatch Metrics. AWS IoT Device Defender processes logs and metrics related to device behavior and connectivity behaviors of your devices. AWS IoT Device Defender also lets you continuously monitor security metrics from devices and AWS IoT Core for deviations from what you have defined as appropriate behavior for each device or with ML detect to automatically learn normal device behaviors. Set a default set of thresholds when device behavior or connectivity behavior deviates from normal activity. 
+In AWS IoT, you can implement detective controls using AWS IoT Device Defender, Amazon CloudWatch Logs, AWS IoT Greengrass logs and Amazon CloudWatch Metrics. AWS IoT Device Defender processes logs and metrics related to device behavior and connectivity behaviors of your devices. AWS IoT Device Defender also lets you continuously monitor security metrics from devices and AWS IoT Core for deviations from what you have defined as appropriate behavior for sets of devices or each device. 
+
+Augment Device Defender metrics with the Amazon CloudWatch Metrics, Amazon CloudWatch Logs generated by AWS IoT Core, AWS IoT Greengrass logs and Amazon GuardDuty. These service-level logs provide important insight into activity about not only activities related to AWS IoT services and AWS IoT Core protocol usage, but also provide insight into the downstream applications running in AWS that are critical components of your end-to-end IoT application. All Amazon CloudWatch Logs should be analyzed centrally to correlate log information across all sources. AWS CloudTrail logs should be used to understand which AWS APIs have been used by which IAM principals as part of the IoT application processing. 
@@ -18 +22 @@ In AWS IoT, you can implement detective controls using AWS IoT Device Defender,
-Augment Device Defender metrics with Amazon CloudWatch Metrics, Amazon CloudWatch Logs generated by AWS IoT Core, AWS IoT Greengrass logs, and Amazon GuardDuty. These service-level logs provide important insight into activity about not only activities related to AWS IoT Platform services and AWS IoT Core protocol usage, but also provide insight into the downstream applications running in AWS that are critical components of your end-to-end IoT application. All Amazon CloudWatch Logs should be analyzed centrally to correlate log information across all sources. 
+Implement logging in any automation created as a part of the IoT application. Most IoT applications include some type of automated processing using, for example, AWS Lambda functions or AWS Step Functions. Add appropriate logging to these function implementations as well. 
@@ -20 +24 @@ Augment Device Defender metrics with Amazon CloudWatch Metrics, Amazon CloudWatc
-**Best practice IOTSEC_6.1 – Collect and analyze logs and metrics to capture authorization errors and failures to enable appropriate response**
+## IOTSEC06-BP01 Collect and analyze logs and metrics to capture authorization errors and failures to enable appropriate response
@@ -24 +28,16 @@ Device logs and metrics can provide your organization with the insight to be ope
-**Recommendation IOTSEC_6.1.1** – _Enable metrics and create alarms that track authorization and error metrics_
+**Level of risk exposed if this best practice is not established:** Medium 
+
+**Prescriptive guidance IOTSEC06-BP01-01** _Enable metrics and create alarms that track authorization and error metrics._
+
+Observe the trends for these AWS IoT metrics: 
+
+  * ` Connect.AuthError `
+
+  * ` PublishIn.AuthError `
+
+  * ` PublishOut.AuthError `
+
+  * ` Subscribe.AuthError `
+
+
+
@@ -26 +45 @@ Device logs and metrics can provide your organization with the insight to be ope
-  * Observe the trends for these AWS IoT metrics: Connect.AuthError, PublishIn.AuthError, PublishOut.AuthError and Subscribe.AuthError. 
+Configure CloudWatch alarms for each of the preceding metrics to alarm based on levels higher than normal for your workload. 
@@ -28 +47 @@ Device logs and metrics can provide your organization with the insight to be ope
-  * Configure CloudWatch alarms for each of the preceding metrics to alarm based on levels higher than normal for your workload. 
+## IOTSEC06-BP02 Send alerts when security events, misconfiguration, and behavior violations are detected
@@ -29,0 +49 @@ Device logs and metrics can provide your organization with the insight to be ope
+Audit the configuration of your devices and detect and alert when a device behavior or IoT application processing differs from the expected behavior. Audit logs provide visibility into operational data that can indicate potential security issues active in the device fleet. 
@@ -30,0 +51 @@ Device logs and metrics can provide your organization with the insight to be ope
+**Level of risk exposed if this best practice is not established:** Medium 
@@ -31,0 +53 @@ Device logs and metrics can provide your organization with the insight to be ope
+**Prescriptive guidance IOTSEC06-BP02-01** _Enable metrics to detect security events from the data plane._
@@ -33 +55 @@ Device logs and metrics can provide your organization with the insight to be ope
-**Best practice IOTSEC 6.2 – Alert when on security events, misconfiguration, and behavior violations are detected**
+Create IoT Device Defender security profiles to generate events which could indicate security risks. AWS IoT Device Defender [Ccoud-side metrics](https://docs.aws.amazon.com/iot-device-defender/latest/devguide/detect-cloud-side-metrics.html) report on device behavior observed by AWS IoT Core. You can detect events based on configured rules. For example, create a security profile in AWS IoT Device Defender, that detects unusual device behavior that may be indicative of a unauthorized access by continuously monitoring activity between the device and AWS IoT Core. You can specify normal device behavior for a group of devices by setting up behaviors (rules) for these metrics. AWS IoT Device Defender monitors and evaluates each data point reported for these metrics against user-defined behaviors (rules) and alerts you if behavior outside the defined rules settings is detected. 
@@ -35 +57 @@ Device logs and metrics can provide your organization with the insight to be ope
-Audit the configuration of your devices and detect and alert when a device behavior differs from the expected behavior. It provides visibility into operational data that can indicate potential security issues active in the device fleet. 
+**Prescriptive guidance IOTSEC06-BP02-02** _Enable auditing to check misconfigurations._
@@ -37 +59 @@ Audit the configuration of your devices and detect and alert when a device behav
-**Recommendation IOTSEC_6.2.1** – _Enable metrics to detect security events from the data plane_
+Audit checks are necessary to determine that devices stay configured according to best practices throughout their lifecycle. For instance, it is necessary to audit devices regularly on basic checks such as logging, use of shared certificates and unique device identifiers. AWS IoT Device Defender audit checks can help you to continuously audit security configurations for compliance with security best practices and your own organizational security policies. Some of the auditing capabilities that are supported natively are `LOGGING-DISABLED-CHECK`, `IOT-POLICY-OVERLY-PERMISSIVE-CHECK`, `DEVICE-CERTIFICATE-SHARED-CHECK`, and `CONFLICTING-CLIENT-IDS-CHECK`. 
@@ -39 +61 @@ Audit the configuration of your devices and detect and alert when a device behav
-Create a threat model to detect events from security vulnerabilities or device compromises. You can detect events based on configured rules or machine learning (ML) models. For example, create a security profile in AWS IoT Device Defender, that detects unusual device behavior that might be indicative of a compromise by continuously monitoring high-value security metrics from the device and AWS IoT Core. You can specify normal device behavior for a group of devices by setting up behaviors (rules) for these metrics. AWS IoT Device Defender monitors and evaluates each datapoint reported for these metrics against user-defined behaviors (rules) and alerts you if an anomaly is detected. When you use ML Detect, the feature sets device behaviors automatically with machine learning to monitor device activities. 
+**Prescriptive guidance IOTSEC06-BP02-03** _Facilitate alerting on a behavior violation._
@@ -41 +63 @@ Create a threat model to detect events from security vulnerabilities or device c
-**Recommendation IOTSEC_6.2.2** – _Enable auditing to check misconfigurations_
+Enable alarms or notifications when the device behavior is anomalous based on configured IoT Device Defender rules. AWS IoT Device Defender Security Profiles can be set up to define limits for metric values so that alerts are signaled if device behavior is observed to be outside of these limits. 
@@ -43 +65 @@ Create a threat model to detect events from security vulnerabilities or device c
-Audit checks are necessary to determine that device stays configured with required best practices throughout its lifecycle. For instance, its necessary to audit devices regularly on basic checks such as logging, shared certificates and unique device IDs. For example, AWS IoT Device Defender can help you to continuously audit security configurations for compliance with security best practices and your own organizational security policies. Some of the auditing capabilities supported natively are `LOGGING_DISABLED_CHECK`, `IOT_POLICY_OVERLY_PERMISSIVE_CHECK`, `DEVICE_CERTIFICATE_SHARED_CHECK`, and `CONFLICTING_CLIENT_IDS_CHECK`. 
+**Prescriptive guidance IOTSEC06-BP02-04** _Capture device-side behavior metrics and alert on device behavior violations._
@@ -45 +67 @@ Audit checks are necessary to determine that device stays configured with requir
-**Recommendation IOTSEC_6.2.3** – _Ensure alerting on a behavior violation_
+AWS IoT Device Defender can be configured to monitor device-side metrics which are reported to AWS IoT Device Defender from messages sent to AWS IoT Core by the device. Additional configuration and processing may be needed in the device in order to generate and send these device-side metrics. When available, these metrics can be used to alert you when behavior within the device is determined to be outside of normal ranges. Use AWS IoT Device Defender rules to monitor activity within the device. Appropriate action can then be taken, such as moving the device to a maintenance state or performing a remote OTA update on the device. 
@@ -47 +69 @@ Audit checks are necessary to determine that device stays configured with requir
-Enable alarming or notifications when the device behavior is anomalous based on configured rules or ML models. For example, AWS IoT Device Defender can alert you with the metric datapoint reported by the device when an ML model flags the datapoint as anomalous. This removes the need for you to define accurate behaviors of your devices and helps you get started with monitoring more quickly and easily. 
+## IOTSEC06-BP03 Alert on non-compliant device configurations and remediate using automation
@@ -49 +71 @@ Enable alarming or notifications when the device behavior is anomalous based on
-**Best practice IOTSEC_6.3 – Alert on non-compliant device configurations and remediate using automation**
+Implement continuous monitoring to track device configurations and metrics. Regular auditing helps maintain security baselines and identify necessary updates as technologies evolve and new threats emerge. For example, cryptographic algorithms once known to provide secure digital signatures for device certificates can be weakened by advances in the computing and cryptoanalysis techniques. 
@@ -51 +73 @@ Enable alarming or notifications when the device behavior is anomalous based on
-Enable auditing to continuously assess configurations and metrics on the device. security configurations can be impacted by the passage of time and new threats are constantly emerging. For example, cryptographic algorithms once known to provide secure digital signatures for device certificates can be weakened by advances in the computing and cryptoanalysis methods. 
+**Level of risk exposed if this best practice is not established:** Medium 
@@ -53 +75 @@ Enable auditing to continuously assess configurations and metrics on the device.
-**Recommendation IOTSEC_6.3.1** – _Ensure regular auditing for identifying configuration issues_
+**Prescriptive guidance IOTSEC06-BP03-01** _Verify regular auditing is enabled for identifying configuration issues._
@@ -55 +77 @@ Enable auditing to continuously assess configurations and metrics on the device.
-Audit checks are necessary to determine that device stays configured with required best practices throughout its lifecycle. For instance, its necessary to audit devices regularly on basic checks such as logging, shared certificates and unique device IDs. For example, AWS IoT Device Defender can help you to continuously audit security configurations for compliance with security best practices and your own organizational security policies. Some of the auditing capabilities supported natively are` LOGGING_DISABLED_CHECK`, `IOT_POLICY_OVERLY_PERMISSIVE_CHECK`, `DEVICE_CERTIFICATE_SHARED_CHECK`, and `CONFLICTING_CLIENT_IDS_CHECK`. 
+Audit checks are necessary to determine that devices stay configured according to best practices throughout their lifecycle. For instance, it is necessary to audit devices regularly on basic checks such as logging, use of shared certificates and unique device identifiers. AWS IoT Device Defender audit checks can help you to continuously audit security configurations for compliance with security best practices and your own organizational security policies. Some of the auditing capabilities that are supported natively are `LOGGING-DISABLED-CHECK`,` IOT-POLICY-OVERLY-PERMISSIVE-CHECK`, `DEVICE-CERTIFICATE-SHARED-CHECK`, and `CONFLICTING-CLIENT-IDS-CHECK`. A full list of audit features can be found in [Audit checks](https://docs.aws.amazon.com/iot-device-defender/latest/devguide/device-defender-audit-checks.html). 
@@ -57 +79 @@ Audit checks are necessary to determine that device stays configured with requir
-**Recommendation IOTSEC_6.3.2** – _Use automation to remediate issues_
+**Prescriptive guidance IOTSEC06-BP03-02** _Use automation to remediate issues._
@@ -59 +81 @@ Audit checks are necessary to determine that device stays configured with requir
-Investigate issues by providing contextual and historical information about the device such as device metadata, device statistics, and historical alerts for the device. For example, you can use AWS IoT Device Defender built-in mitigation actions to perform mitigation steps on Audit and Detect alarms such as adding things to a thing group, replacing default policy version and updating device certificate. Or you can enable a mitigation action to re-enable logging and publish the finding to Amazon SNS should the LOGGING_DISABLED_CHECK find that logging is not enabled. 
+Investigate issues by providing contextual and historical information about the device such as device metadata, device statistics, and historical alerts for the device. For example, you can use AWS IoT Device Defender built-in mitigation actions to perform mitigation steps on Audit and Detect alarms. Mitigations can include actions such as adding things to a thing group, replacing default policy version, and updating a device certificate. Another possible action is to enable a mitigation to re-enable logging and publish the finding to Amazon SNS should the `LOGGING-DISABLED-CHECK` find that logging is not enabled. Defining the actions taken when an alert is signaled is done by creating Lambda functions which are invoked through Amazon SNS when the alert is sent.