AWS wellarchitected high security documentation change
Summary
Added detailed operational excellence best practices for IoT workloads, including device hierarchy management, fleet provisioning automation, monitoring implementation, and security-focused device lifecycle management processes.
Security assessment
Multiple security-focused changes: 1) IOTOPS05-BP03 mandates birth certificates with limited privileges to prevent misuse of unprovisioned devices. 2) IOTOPS04-BP01 requires secure device identity management and JITP/JITR provisioning. 3) IOTOPS05-BP02-2 specifies secure certificate handling for device registration. These directly address device authentication risks and unauthorized access prevention.
Diff
diff --git a/wellarchitected/latest/iot-lens/prepare.md b/wellarchitected/latest/iot-lens/prepare.md index 997b4f651..b3283c3cb 100644 --- a//wellarchitected/latest/iot-lens/prepare.md +++ b//wellarchitected/latest/iot-lens/prepare.md @@ -3 +3,3 @@ -[Documentation](/index.html)[AWS Well-Architected](https://aws.amazon.com/architecture/well-architected/)[AWS Well-Architected Framework](abstract-and-introduction.html) +[Documentation](/index.html)[AWS Well-Architected](https://aws.amazon.com/architecture/well-architected/)[AWS Well-Architected Framework](iot-lens.html) + +IOTOPS03-BP01 Use static and dynamic device hierarchies to support fleet operationsIOTOPS03-BP02 Use index and search services to enable rapid identification of target devicesIOTOPS04-BP01 The device management processes should be automated, data-driven, and based on previous, current, and expected device behavior IOTOPS05-BP01 Document how devices join your fleet from manufacturing to provisioningIOTOPS05-BP02 Use programmatic techniques to provision devices at scaleIOTOPS05-BP03 Use device level features to enable re-provisioningIOTOPS06-BP01 Implement monitoring to capture logs and metricsIOTOPS06-BP02 Capture and monitor application performance at the edge IOTOPS06-BP03 Monitor the status of your IoT devices IOTOPS06-BP04 Use device state management services to detect status and connectivity patterns @@ -7 +9,94 @@ -For IoT applications, the need to procure, provision, test, and deploy hardware in various environments means that the preparation for operational excellence must be expanded to cover aspects of your deployment that will primarily run-on physical devices and will not run in the cloud. Operational metrics must be defined to measure and improve business outcomes and then determine if devices should generate and send any of those metrics to your IoT application. You also must plan for operational excellence by creating a streamlined process of functional testing that allows you to simulate how devices may behave in their various environments. +For IoT applications, the need to procure, provision, test, and deploy hardware in various environments means that the preparation for operational excellence must be expanded to cover aspects of your deployment that will primarily run-on physical devices and will not run in the cloud. Operational metrics must be defined to measure and improve business outcomes and then determine if devices should generate and send any of those metrics to your IoT application. + +It is essential that you review how to make sure that your IoT workloads are resilient to failures, how devices can self-recover from issues without human intervention, and how your cloud-based IoT application will scale to meet the needs of an ever-increasing load of connected devices. + +When using an IoT system, you have the opportunity to use additional components/tools for handling IoT operations. These tools include services that allow you to monitor and inspect device behavior, capture connectivity metrics, provision devices using unique identities, and perform long-term analysis on top of device data. + +IOTOPS03: Do you organize the fleet to quickly identify devices? +--- + +The ability to quickly identify and interact with specific devices gives you the agility to troubleshoot and potentially isolate devices in case you encounter operational challenges. When operating large-scale device fleets, you need to deploy ways to organize, index, and categorize them. This is useful when targeting new device software with updates and when you need to identify why some devices in your fleet behave differently than others. + +## IOTOPS03-BP01 Use static and dynamic device hierarchies to support fleet operations + +Using a software registry, devices can be categorized into static groups based on their fixed attributes (such as version or manufacturer) and into dynamic groups based on their changing attributes (such as battery percentage or firmware version). Operationalizing devices in groups can help you manage, control, and search for devices more efficiently. + +**Level of risk exposed if this best practice is not established:** High + +**Prescriptive guidance IOTOPS03-BP01-01** _Manage several devices at once by categorizing them into static groups and hierarchy of groups._ + + * Build a hierarchy of static groups for efficient categorization and indexing of your devices. + + * Use provisioning templates to assign devices to static groups as they are provisioned for the first time. + + * For example, categorize all sensors of a car under a car group and all the cars under a vehicle group. Child groups inherit policies and permissions attached to their respective parent groups. + + + + +**Prescriptive guidance IOTOPS03-BP01-02** _Build a device index to efficiently search for devices, and aggregate registry data, runtime data, and device connectivity data._ + + * Use a fleet indexing service from AWS IoT Core to index device and group data. + + * Use a device index to search registry metadata, stateful metadata, and device connectivity status metadata. + + * Use a group index to search for groups based on group name, description, attributes, and all parent group names. + + * For example, if you want to send over-the-air (OTA) updates only to devices that are sufficiently charged, then define a dynamic group for devices with more than 90% battery. Devices will dynamically be added to or removed from the group as their battery percentage crosses the threshold. Send OTA updates to all things under this dynamic group + + + + +## IOTOPS03-BP02 Use index and search services to enable rapid identification of target devices + +A large IoT deployment can have millions of sensors sending data to the cloud. A separate indexing and search service can make it straightforward to index and organize the device data, and search for devices by attributes. Ingesting device data to a search service, for example, Amazon OpenSearch Service, makes it straightforward to use powerful search, visualization, and analytics capabilities of OpenSearch Service to organize and search for devices. You can ingest your device data and the state to OpenSearch Service seamlessly. + +**Level of risk exposed if this best practice is not established:** Medium + +**Prescriptive guidance IOTOPS03-BP02-01** _Use an indexed data store to get, update, or delete device state._ + + * Use messaging topics to enable applications and things to get, update, or delete the state information for a Thing (Thing Shadow). + + * Ingest the shadow data to Firehose through the AWS IoT Core rules engine. + + * Ingest the data from Firehose to Amazon OpenSearch Service through built-in destination options for OpenSearch Service. + + * Configure search and visualizations on the data directly or through the OpenSearch Dashboards console. + + * In AWS, you can create an AWS IoT thing for each physical device in the device registry of AWS IoT Core. By creating a thing in the registry, you can associate metadata to devices, group devices, and configure security permissions for devices. An AWS IoT thing should be used to store static data in the thing registry while storing dynamic device data in the thing's associated device shadow. A device's shadow is a JSON document that is used to store and retrieve state information for a device. + + + + +### Resources + + * [AWS IoT Core - Fleet indexing serviceAWS IoT Core - Fleet indexing](https://docs.aws.amazon.com/iot/latest/developerguide/iot-indexing.html) + + * [AWS IoT Core - AWS IoT Device Shadow service](https://docs.aws.amazon.com/iot/latest/developerguide/iot-device-shadows.html) + + * [Amazon OpenSearch Service](https://aws.amazon.com/opensearch-service/) + + * [The Internet of Things on AWS – Official Blog: Archive AWS IoT Device Shadow services in Amazon OpenSearch Service](https://aws.amazon.com/blogs/iot/archive-aws-iot-device-shadows-in-amazon-elasticsearch-service/) + + * [Analyze device-generated data with AWS IoT and Amazon OpenSearch Service](https://aws.amazon.com/blogs/mobile/analyze-device-generated-data-with-aws-iot-and-amazon-elasticsearch-service/) + + + + +IOTOPS04: How do you verify that newly provisioned devices have the required operational prerequisites? +--- + +Logical security for IoT and data centers is similar in that both involve predominantly machine-to-machine authentication. However, they differ in that IoT devices are frequently deployed to environments that cannot be assumed to be physically secure. IoT applications also commonly require sensitive data to traverse the internet. Due to these considerations, it is vital for you to have an architecture that determines how devices will securely gain an identity, continuously prove their identity, be seeded with the appropriate level of metadata, be organized and categorized for monitoring, and enabled with the right set of permissions. + +## IOTOPS04-BP01 The device management processes should be automated, data-driven, and based on previous, current, and expected device behavior + +**Level of risk exposed if this best practice is not established:** High + +**Prescriptive guidance IOTOPS04-BP01-01** _Defining how devices are provisioned must include how the devices are manufactured and how they are registered for both greenfield and brownfield fleet of devices._ + + * In AWS IoT, you can use multiple features to provision your individual device identities signed by your CA to the cloud. This path involves provisioning devices with identities and then using just-in-time-provisioning (JITP), just-in-time-registration (JITR), fleet provisioning or Multi-Account Registration to securely register your device certificates to the cloud. Using AWS services including Route 53, Amazon API Gateway, Lambda, and DynamoDB, will create a simple API interface to extend the provisioning process with device bootstrapping. + + * IoT applications must support incremental rollout and rollback strategies. By having this as part of the operational efficiency plan, you will be equipped to launch a fault-tolerant, efficient IoT application. + + + @@ -9 +104 @@ For IoT applications, the need to procure, provision, test, and deploy hardware -It is essential that you ask how to ensure that your IoT workloads are resilient to failures, how devices can self-recover from issues without human intervention, and how your cloud-based IoT application will scale to meet the needs of an ever-increasing load of connected hardware. +### Resources @@ -11 +106 @@ It is essential that you ask how to ensure that your IoT workloads are resilient -When using an IoT platform, you have the opportunity to use additional components and tools for handling IoT operations. These tools include services that allow you to monitor and inspect device behavior, capture connectivity metrics, provision devices using unique identities, and perform long-term analysis of device data. + * [Device Manufacturing and Provisioning with X.509 Certificates in AWS IoT Core](https://docs.aws.amazon.com/pdfs/whitepapers/latest/device-manufacturing-provisioning/device-manufacturing-provisioning.pdf#device-manufacturing-provisioning) @@ -13 +108,6 @@ When using an IoT platform, you have the opportunity to use additional component -IOTOPS 1. What factors drive your operational priorities? + * [How to automate onboarding of IoT devices to AWS IoT Core at scale with Fleet Provisioning](https://aws.amazon.com/blogs/iot/how-to-automate-onboarding-of-iot-devices-to-aws-iot-core-at-scale-with-fleet-provisioning/) + + + + +IOTOPS05: How do you govern device fleet provisioning process? @@ -16 +116,109 @@ IOTOPS 1. What factors drive your operational priorities? -IOTOPS 2. How are you ensuring that newly provisioned devices have the required operational prerequisites? +IoT solutions can scale to millions of devices and this requires device fleets to be well planned from the perspectives of provisioning processes and metadata organization. Maintain a full chain of security controls over who or what processes can trigger device provisioning to decrease the likelihood of inviting unintended (or rogue) devices into your fleet. + +## IOTOPS05-BP01 Document how devices join your fleet from manufacturing to provisioning + +Document the whole device provisioning process to clearly define the responsibilities of different actors at different stages. The end-to-end device provisioning process involves multiple stages owned by different actors. Documenting the plan and processes by which devices onboard and join the fleet affords the appropriate amount of review for potential gaps. + +**Level of risk exposed if this best practice is not established:** High + +**Prescriptive guidance IOTOPS05-BP01-01** _Document each step (manual and programmatic) of all the stages for the corresponding actors of that stage and clearly define the sequence._ + + * Identify the steps at each stage and the corresponding actors. + + * Device assembly by hardware manufacturer. + + * Device registration by service and solution provider. + + * Device activation by the end user of the service or solution provider. + + * Clearly define and document the dependencies and specific steps for each actor from device manufacturer to the end user. + + * Document whether devices can self-provision or are user-provisioned and how you can make sure that newly provisioned devices are yours. + + + + +**Prescriptive guidance IOTOPS05-BP01-02** _Assign device metadata to enable straightforward grouping and classification of devices in a fleet._ + + * The metadata can be used to group the devices in groups to search and force common actions and behaviors. + + * For example, you can assign the following metadata at the time of manufacturing: + + * Unique ID + + * Manufacturer details + + * Model number + + * Version or generation + + * Manufacturing date + + * If a particular model of a device requires a security patch, then you can easily target the patch to the devices that are part of the corresponding model number group. Similarly, you can apply the patches to devices manufactured in a specific time frame or belonging to a particular version or generation. + + * Along with creating a virtual representation of your device in the device registry, as part of the operational process, you must create thing types that encapsulate similar static attributes that define your IoT devices. A thing type is analogous to the product classification for a device. The combination of thing, thing type, and device shadow can act as your first entry point for storing important metadata that will be used for IoT operations. + + + + +## IOTOPS05-BP02 Use programmatic techniques to provision devices at scale + +Scaling the onboarding and provisioning of a large device fleet can be a bottleneck if there is even one manual step per device. Programmatic techniques define patterns of behavior for automating the provisioning process such that authenticated and authorized devices can onboard at any time. This practice provides a well-documented, reliable, and programmatic provisioning mechanism that is consistent across all devices devoid of human errors. + +**Level of risk exposed if this best practice is not established:** Medium + +**Prescriptive guidance IOTOPS05-BP02-01** _Embed provisioning claims into the devices that are mapped to approval authorities recognized by the provisioning service._ + + * Generate a provisioning claim and embed it into the device at the time of manufacturing. + + * AWS IoT Core can generate and securely deliver certificates and private keys to your devices when they connect to AWS IoT for the first time, using AWS IoT Fleet Provisioning. + + + + +**Prescriptive guidance IOTOPS05-BP02-2** _Use programmatic bootstrapping mechanisms if you are bringing your own certificates._ + + * Determine if you will or won't have device information beforehand + + * If you do not have device information beforehand, use just-in-time provisioning (JITP). + + * Enable automatic registration and associate a provisioning template with the CA certificate used to sign the device certificate. + + * For example, when a device attempts to connect to AWS IoT by using a certificate signed by a registered CA certificate, AWS IoT loads the template from the certificate and initiates the JITP workflow. + + * If you have device information beforehand, use bulk registration. + + * Specify a list of single-thing provisioning template values that are stored in a file in an S3 bucket. + + * Run the start-thing-registration-task command to register things in bulk. Provide provisioning template, S3 bucket name, a key name, and a role ARN to the command. +