AWS Security ChangesHomeSearch

AWS wellarchitected documentation change

Service: wellarchitected · 2025-07-04 · Documentation low

File: wellarchitected/latest/iot-lens/key-aws-services-sec.md

Summary

Updated IoT security documentation with expanded service listings, hyperlinks to AWS services, and enhanced descriptions of security controls. Added details about AWS IoT credentials endpoint, AWS Private Certificate Authority, and integration with security services like Security Hub.

Security assessment

The changes primarily improve documentation clarity and completeness by adding links and expanding descriptions of security-related AWS services (e.g., IoT Device Defender, IAM, KMS). While these updates enhance security documentation, there is no evidence they address a specific disclosed vulnerability or security incident. The addition of temporary credential management via AWS IoT credentials endpoint and emphasis on hardware security modules are security best practice recommendations rather than fixes.

Diff

diff --git a/wellarchitected/latest/iot-lens/key-aws-services-sec.md b/wellarchitected/latest/iot-lens/key-aws-services-sec.md
index 16fcea964..a9af3c260 100644
--- a//wellarchitected/latest/iot-lens/key-aws-services-sec.md
+++ b//wellarchitected/latest/iot-lens/key-aws-services-sec.md
@@ -3 +3 @@
-[Documentation](/index.html)[AWS Well-Architected](https://aws.amazon.com/architecture/well-architected/)[AWS Well-Architected Framework](abstract-and-introduction.html)
+[Documentation](/index.html)[AWS Well-Architected](https://aws.amazon.com/architecture/well-architected/)[AWS Well-Architected Framework](iot-lens.html)
@@ -7 +7 @@
-The essential AWS security services in IoT are the AWS IoT registry, AWS IoT Device Defender, AWS Identity and Access Management (IAM), and Amazon Cognito. In combination, these services along with other AWS security services allow you to securely control access to IoT devices, AWS services, IoT applications, and resources for your users. The following services and features support IoT security: 
+The essential AWS security services in IoT are the [AWS IoT Core](https://aws.amazon.com/iot-core/), [AWS IoT Device Management](https://aws.amazon.com/iot-device-management/), [AWS IoT Device Defender](https://aws.amazon.com/iot-device-defender/), [AWS Identity and Access Management (IAM)](https://aws.amazon.com/iam/), and [Amazon Cognito](https://aws.amazon.com/pm/cognito/). In combination, these services along with other AWS security services allow you to securely control access to IoT devices, AWS services, IoT applications and resources for your users. Additional AWS services such as [AWS IoT Greengrass](https://aws.amazon.com/greengrass/), [Amazon S3](https://aws.amazon.com/s3/), [Amazon DynamoDB](https://aws.amazon.com/dynamodb/), and [Amazon Relational Database Service](https://aws.amazon.com/rds/) are often used in IoT applications. The following services and features support IoT security: 
@@ -11 +11 @@ The essential AWS security services in IoT are the AWS IoT registry, AWS IoT Dev
-**Asset inventory:** AWS IoT Device Management can be used as an inventory for IoT devices and AWS Systems Manager Inventory can be used to provide visibility into on premises computing resources and edge gateways. 
+**Asset inventory:** [AWS IoT Device Management](https://aws.amazon.com/iot-device-management/) can be used as an inventory for IoT devices and AWS Systems Manager Inventory can be used to provide visibility into on premises computing resources and edge gateways. 
@@ -13 +13 @@ The essential AWS security services in IoT are the AWS IoT registry, AWS IoT Dev
-**AWS Identity and Access Management (IAM):** Device credentials (X.509 certificates, IAM, Amazon Cognito identity pools and Amazon Cognito user pools, or custom authorization tokens) enable you to securely control device and external user access to AWS resources. AWS IoT policies add the ability to implement fine grained access to IoT devices. ACM Private CA provides a cloud-based approach to creating and managing device certificates. Use AWS IoT thing groups to manage IoT permissions at the group level instead of individually. 
+**AWS Identity and Access Management (IAM):** Device credentials (X.509 certificates, IAM, Amazon Cognito identity pools and Amazon Cognito user pools, or custom authorization tokens) enable you to securely control device and external user access to AWS resources. AWS IoT policies add the ability to implement fine grained access to IoT devices. [AWS Private Certificate Authority](https://aws.amazon.com/private-ca/) provides a cloud-based approach to creating and managing device certificates. Use AWS IoT thing groups to manage IoT permissions at the group level instead of individually. Use the AWS IoT credentials endpoint to obtain temporary IAM credentials in an IoT device in order to use AWS services from the IoT device. 
@@ -15 +15 @@ The essential AWS security services in IoT are the AWS IoT registry, AWS IoT Dev
-**Detective controls** : AWS IoT Device Defender records device communication and cloud side metrics from AWS IoT Core. AWS IoT Device Defender can automate security responses by sending notifications through Amazon Simple Notification Service (Amazon SNS) to internal systems or administrators. AWS CloudTrail logs provide administrative actions of your IoT application. Amazon CloudWatch is a monitoring service with integration with AWS IoT Core and can trigger CloudWatch Events to automate security responses. CloudWatch captures detailed logs related to connectivity and security events between IoT edge components and cloud services. 
+**Detective controls** : [AWS IoT Device Defender](https://aws.amazon.com/iot-device-defender/) records device communication and cloud side metrics from [AWS IoT Core](https://aws.amazon.com/iot-core/). [AWS IoT Device Defender](https://aws.amazon.com/iot-device-defender/) can automate security responses by sending notifications through [Amazon Simple Notification Service (SNS)](https://aws.amazon.com/pm/sns/) to internal systems or administrators. [AWS CloudTrail](https://aws.amazon.com/cloudtrail/) logs provide administrative actions of your IoT application. [Amazon CloudWatch](https://aws.amazon.com/cloudwatch/) is a monitoring service with integration with [AWS IoT Core](https://aws.amazon.com/iot-core/) and can trigger CloudWatch Events to automate security responses. CloudWatch captures detailed logs related to connectivity and security events between IoT edge components and cloud services. 
@@ -17 +17 @@ The essential AWS security services in IoT are the AWS IoT registry, AWS IoT Dev
-**Infrastructure protection** : AWS IoT Core is a cloud service that lets connected devices easily and securely interact with cloud applications and other devices. The AWS IoT rules engine in AWS IoT Core uses IAM permissions to communicate with other downstream AWS services. AWS has created a wide selection of industry leading IoT silicon vendors, device manufacturers, and gateway partners who have integrated AWS IoT Greengrass into their software and hardware offerings. You have the option to store your device private key on a hardware secure element and store sensitive device information at the edge with AWS IoT Greengrass Secrets Manager and encrypt secrets using private keys for root of trust security. 
+**Infrastructure protection** : [AWS IoT Core](https://aws.amazon.com/iot-core/) is a cloud service that lets connected devices easily and securely interact with cloud applications and other devices. The AWS IoT rules engine in [AWS IoT Core](https://aws.amazon.com/iot-core/) uses IAM permissions to communicate with other downstream AWS services. AWS has created a wide selection of industry leading IoT silicon vendors, device manufacturers, and gateway partners who have integrated [AWS IoT Greengrass](https://aws.amazon.com/greengrass/) into their software and hardware offerings. Customers have the option to store their device private key on a hardware secure element and store sensitive device information at the edge with [AWS IoT Greengrass](https://aws.amazon.com/greengrass/) Secrets Manager and encrypt secrets using private keys for root of trust security. 
@@ -19 +19 @@ The essential AWS security services in IoT are the AWS IoT registry, AWS IoT Dev
-**Data protection** : AWS IoT includes encryption capabilities for devices over TLS to protect your data in transit. AWS IoT integrates directly with services, such as Amazon S3 and Amazon DynamoDB, which support encryption at rest. In addition, AWS Key Management Service (AWS KMS) supports the ability for you to create and control keys used for encryption. On devices, you can use AWS edge offerings such as FreeRTOS, AWS IoT Greengrass, or the AWS IoT Embedded C SDK to support secure communication. 
+**Data protection** : [AWS IoT Core](https://aws.amazon.com/iot-core/) includes encryption capabilities for devices over TLS to protect your data in transit. [AWS IoT Core](https://aws.amazon.com/iot-core/) integrates directly with services, such as [Amazon S3](https://aws.amazon.com/s3/) and [Amazon DynamoDB](https://aws.amazon.com/dynamodb/), which support encryption at rest. In addition, [AWS Key Management Service (KMS)](https://aws.amazon.com/kms/) supports the ability for you to create and control keys used for encryption. On devices, you can use AWS edge offerings such as [FreeRTOS](https://aws.amazon.com/freertos/), [AWS IoT Greengrass](https://aws.amazon.com/greengrass/), or the AWS IoT Embedded C SDK to support secure communication. 
@@ -21 +21 @@ The essential AWS security services in IoT are the AWS IoT registry, AWS IoT Dev
-**Patch management:** Implement patch management to fix device vulnerabilities and define appropriate update mechanisms for software and firmware updates using AWS IoT Device Management Jobs service and AWS Systems Manager Patch Manager. Perform deployment of patches only after testing the patches in a test environment before implementing them in production and verify the integrity of the software before starting to run it ensuring that it comes from a reliable source (signed by the vendor) and that it is obtained in a secure manner. 
+**Patch management:** Implement patch management to fix device vulnerabilities and define appropriate update mechanisms for software and firmware updates using [AWS IoT Device Management](https://aws.amazon.com/iot-device-management/) Jobs service and [AWS Systems Manager](https://aws.amazon.com/systems-manager/) Patch Manager. Perform deployment of patches only after testing the patches in a test environment before implementing them in production and verify the integrity of the software before starting to run it making sure that it comes from a reliable source (signed by the vendor) and that it is obtained in a secure manner. 
@@ -23 +23 @@ The essential AWS security services in IoT are the AWS IoT registry, AWS IoT Dev
-**Incident response** : AWS IoT Device Defender allows you to create security profiles that can be used to detect deviations from normal device behavior and trigger automated responses including AWS Lambda. AWS IoT Device Management should be used to group devices that need remediation and then using AWS IoT Jobs to deploy fixes to devices. AWS Security Hub can be used to aggregate security alerts from various AWS services and partner products to help you analyze your security trends and identify the highest priority security issues. AWS Security Hub provides you with a comprehensive view of your security state within AWS and your compliance with security standards and best practices and enables automated remediation. Security Hub has out-of-the-box integrations with ticketing, chat, Security Information and Event Management (SIEM), Security Orchestration Automation and Response (SOAR), threat investigation, Governance Risk and Compliance (GRC), and incident management tools to provide users with a complete security operations workflow. 
+**Incident response** : [AWS IoT Device Defender](https://aws.amazon.com/iot-device-defender/) allows you to create security profiles that can be used to detect deviations from normal device behavior and trigger automated responses including Serverless Computing -[AWS Lambda](https://aws.amazon.com/pm/lambda/). [AWS IoT Device Management](https://aws.amazon.com/iot-device-management/) should be used to group devices that need remediation and then using AWS IoT Jobs to deploy fixes to devices. [AWS Security Hub](https://aws.amazon.com/security-hub/) can be used to aggregate security alerts from various AWS services and partner products to help you analyze your security trends and identify the highest priority security issues. [AWS Security Hub](https://aws.amazon.com/security-hub/) provides you with a comprehensive view of your security state within AWS and your compliance with security standards and best practices and enables automated remediation. [AWS Security Hub](https://aws.amazon.com/security-hub/) has out-of-the-box integrations with ticketing, chat, Security Information and Event Management (SIEM), Security Orchestration Automation and Response (SOAR), threat investigation, Governance Risk and Compliance (GRC), and incident management tools to provide users with a complete security operations workflow. 
@@ -25,3 +25 @@ The essential AWS security services in IoT are the AWS IoT registry, AWS IoT Dev
-**Business continuity and recovery**
-
-To backup IoT data at the edge and in the cloud, you can use AWS IoT Greengrass stream manager to locally buffer data and send data to local storage destinations and other life cycle management features available in AWS IoT Greengrass to support your data resiliency and backup needs. AWS Backup can be used to centrally manage and automate backups across AWS services and on premise IoT systems. 
+**Business continuity and recovery** : To backup IoT data at the edge and in the cloud, customers can use [AWS IoT Greengrass](https://aws.amazon.com/greengrass/) stream manager to locally buffer data and send data to local storage destinations and other life cycle management features available in [AWS IoT Greengrass](https://aws.amazon.com/greengrass/) to support your data resiliency and backup needs. [AWS Backup](https://aws.amazon.com/backup/) can be used to centrally manage and automate backups across AWS services and on premise IoT systems. 
@@ -35 +33 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please
-Incident response
+Security assurance