Introduction

We are excited to announce that AWS IoT Device Defender is now integrated with AWS Security Hub. This integration allows you to ingest alarms and their attributes from audit and detect features in one central location, without custom coding. This will help you offload or reduce complexity of managing disparate workflows from multiple security consoles when you review devices monitored by AWS IoT Device Defender.

You can use AWS IoT Device Defender to audit and monitor your IoT devices and can use AWS Security Hub to centralize and prioritize security findings from across AWS accounts, services, and supported third-party partners to help analyze security trends and identify the highest priority security issues. With the direct integration of AWS IoT Device Defender to AWS Security Hub, you can view AWS IoT Device Defender alarms alongside events from other AWS security services to centrally view and improve the security posture of your IoT solution.

AWS Security Hub ingests findings from multiple AWS services, including Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS Firewall Manager, AWS Identity and Access Management (IAM) Access Analyzer, and AWS Systems Manager Patch Manager. With the AWS IoT Device Defender integration with AWS Security Hub, you can ingest AWS IoT Device Defender alarms into AWS Security Hub. Findings from each service are normalized into the AWS Security Finding Format (ASFF), so that you can review findings in a standardized format and take action quickly. You can use AWS Security Hub to provide a centralized view of all security-related findings, where you can set up alerting and automatic remediation.

Solution overview

Figure 1: Solution architecture

Prerequisites

You must have AWS Security Hub set up in the Region where you’re deploying the solution. To set up, refer to the Setting up AWS Security Hub documentation page.
AWS IoT Core Console MQTT test client access.
Note that for device-side metrics and custom metrics, you will need to set up a device-side agent with our sample agent in Python or use the AWS IoT Device SDK.

Solution walk-through

AWS Security Hub integrations allow aggregating security finding data from several AWS services and from supported AWS Partner Network (APN) security solutions. The Integrations page in the AWS Security Hub console provides access to all of the available AWS and third-party product integrations. The AWS Security Hub API also provides operations to allow you to manage integrations.

Figure 2: AWS Security Hub console showing AWS IoT Device Defender integrations

Navigate to the AWS Security Hub > Integrations page to view and accept findings from the AWS IoT Device Defender service for your use case.

In the Integrations section, in the filter box, enter Device Defender.
Choose Accept findings for both audit and detect integrations.

Congratulations! AWS Security Hub now accepts AWS IoT Device Defender audit and detect findings. You can continue with the following experiment sections to test the integrations in your AWS account.

Experimenting with the AWS IoT Device Defender audit findings integration with AWS Security Hub

An AWS IoT Device Defender audit looks at account and device related settings and policies to ensure security measures are in place. To experiment with an audit finding, you can create an overly permissive device policy and run an on-demand audit to generate findings right away.

Navigate to AWS IoT > Security > Policies.
Choose Create Policy.
Under the Policy properties section, for Policy name, specify a name for the policy.
Under Policy document, create an overly permissive statement with the following values:

For Policy effect, choose Allow.
For Policy action, choose * (all AWS IoT actions).
For Policy resource, enter * (corresponds to all AWS IoT resources).
Choose Create.
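The policy created above is, by construction, the condition the audit flags. As an added example that is not from the post or from AWS, here is that policy document beside a least-privilege counterpart and a small local check that reports Allow statements granting all IoT actions on all resources; the account number, Region, thing name and topic in the scoped policy are placeholders.

```python
import json

# Constructed example: the overly permissive policy the walkthrough creates
# (Effect Allow, Action * for all AWS IoT actions, Resource * for all AWS IoT resources).
OVERLY_PERMISSIVE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Constructed least-privilege counterpart: one thing may connect only under its own
# client ID and publish only to its own topic (account, Region and thing are placeholders).
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect",
         "Resource": "arn:aws:iot:us-east-1:123456789012:client/sensor-01"},
        {"Effect": "Allow", "Action": "iot:Publish",
         "Resource": "arn:aws:iot:us-east-1:123456789012:topic/sensors/sensor-01/data"},
    ],
})


def _as_list(value):
    """IoT policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def overly_permissive_statements(policy_json):
    """Return the Allow statements that grant every IoT action on every resource.

    "iot:*" is the same grant as "*" spelled with the service prefix, so both are
    treated alike. This is a local pre-deployment check, not the audit itself.
    """
    policy = json.loads(policy_json)
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        resources = set(_as_list(stmt.get("Resource", [])))
        if actions & {"*", "iot:*"} and "*" in resources:
            hits.append(stmt)
    return hits


def is_overly_permissive(policy_json):
    """True when at least one statement grants all IoT actions on all resources."""
    return bool(overly_permissive_statements(policy_json))
```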

Now you’ve created an overly permissive device policy in your AWS account. It will be detected as a security finding with critical severity for the next AWS IoT Device Defender Audit run. You can run an on-demand audit to see the results right away.

Navigate to AWS IoT > Security > Audit > Schedules.
Under Scheduled audits, choose Create.
On the following page, under Available checks, select all checks.
Under Set schedule, for Recurrence, choose Run audit now (once).

The audit starts, and its status will turn from In progress to Not compliant within a few minutes. Choose the latest audit and, on its Report page, review the Non-compliant checks section.

Figure 3: AWS IoT Device Defender audit report

Your recently created overly permissive IoT policy is detected by the AWS IoT Device Defender audit. Now you can navigate to the AWS Security Hub console to check the findings reported by the AWS IoT Device Defender audit.

Navigate to the AWS Security Hub > Integrations page.
In the Integrations section, in the filter box, enter Device Defender.
Under AWS IoT Device Defender – Audit, choose See findings.

Figure 4: AWS IoT Device Defender audit findings in AWS Security Hub

Congratulations! You have integrated AWS Security Hub with AWS IoT Device Defender audit findings. Findings in AWS Security Hub are identified by the audit check type as the title and by the identifier of the checked resource. In this example, you will notice that “AwsIotPolicy” and “AwsIotAccountSettings” were the non-compliant resource types. The audit also sends check summaries to AWS Security Hub, which include the status, the number of resources checked, and the percentage of non-compliance for each check type of an audit task. The summaries can be identified by their title or by the resource type “AwsIotAuditTask”. You can choose each finding to check its details and trigger workflow actions.

Figure 5: AWS IoT Device Defender audit finding details in AWS Security Hub

You can continue to the following section to also experiment with detect findings.

Experimenting with the AWS IoT Device Defender Detect findings integration with AWS Security Hub

With AWS IoT Device Defender Detect, you can identify unusual behavior that might indicate a compromised device by monitoring the behavior of your devices. You create security profiles, which contain definitions of expected device behaviors, and assign them to a group of devices or to all the devices in your fleet. To experiment with a detect finding, you can create a security profile with a simple expected AWS IoT Core thing behavior, and then connect using an IoT device client that conflicts with the expected behavior.

Navigate to the Security Profiles section of the AWS IoT Device Defender console: AWS IoT > Manage > Security > Detect > Security Profiles.
Choose Create Security Profile, then choose Create Rule-based anomaly detect profile.
For Target, choose All things.
Specify a Security Profile name.
Clear all Cloud-side metrics, except Message size.
Choose Next.
Under the Define metric behaviors section, specify the following parameters for Message size:

Check type: Absolute
Operator: Less than
Value: 8

Keep the other settings at their defaults, and choose Next.
Choose Create.

This defines an expected device behavior: the message size is less than 8 bytes.

Now, use your IoT devices with the AWS IoT device client/SDKs, or the AWS IoT Core console MQTT test client, to publish messages larger than 8 bytes on average.

Within a five-minute time frame, an AWS IoT Device Defender Detect finding will be produced. Navigate to AWS IoT > Security > Detect > Alarms and view the produced findings under All alarms.

Now you can navigate to the AWS Security Hub console to view the findings reported by AWS IoT Device Defender Detect.

Navigate to the AWS Security Hub > Integrations page.
In the Integrations section, in the filter box, enter Device Defender.
Under AWS IoT Device Defender – Detect, choose See findings.

Figure 6: AWS IoT Device Defender Detect findings in AWS Security Hub

Congratulations! You have integrated AWS Security Hub with AWS IoT Device Defender Detect findings. You will notice that findings for violations are sent to AWS Security Hub in near real time. Violations can be identified by their Thing name and Behavior name in the Title, and by the time at which the violation was detected. After a violation goes out of alarm, the corresponding Security Hub finding is immediately archived. You can choose each finding to check its details and trigger workflow actions.
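Both the audit section and this Detect section describe how the ingested findings are identified (resource types AwsIotPolicy, AwsIotAccountSettings and AwsIotAuditTask for audit, Thing and Behavior name in the Title for Detect, ARCHIVED once a violation clears). As an added example that is not from the post or from AWS, the following triage routine runs over constructed ASFF-shaped findings and builds the GetFindings filter you would pass to boto3; the AwsIotThing resource type for Detect findings, and every Id, ARN, account number and name, are assumptions.

```python
from collections import Counter

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "INFORMATIONAL": 0}

# Constructed ASFF-shaped findings, not real Security Hub output. Resource types AwsIotPolicy,
# AwsIotAccountSettings and AwsIotAuditTask come from the post; AwsIotThing is an assumed
# resource type for Detect findings, and every Id, ARN, account number and name is a placeholder.
SAMPLE_FINDINGS = [
    {"Id": "a1", "Title": "Overly permissive IoT policy", "Severity": {"Label": "CRITICAL"},
     "RecordState": "ACTIVE", "Resources": [{"Type": "AwsIotPolicy", "Id": "policy/AllowAll"}]},
    {"Id": "a2", "Title": "Logging disabled", "Severity": {"Label": "LOW"},
     "RecordState": "ACTIVE", "Resources": [{"Type": "AwsIotAccountSettings", "Id": "123456789012"}]},
    {"Id": "a3", "Title": "Audit task summary", "Severity": {"Label": "INFORMATIONAL"},
     "RecordState": "ACTIVE", "Resources": [{"Type": "AwsIotAuditTask", "Id": "task-placeholder"}]},
    {"Id": "d1", "Title": "sensor-01 violated behavior MessageSizeUnder8", "Severity": {"Label": "MEDIUM"},
     "RecordState": "ACTIVE", "Resources": [{"Type": "AwsIotThing", "Id": "sensor-01"}]},
    {"Id": "d2", "Title": "sensor-02 violated behavior MessageSizeUnder8", "Severity": {"Label": "MEDIUM"},
     "RecordState": "ARCHIVED", "Resources": [{"Type": "AwsIotThing", "Id": "sensor-02"}]},
]


def triage(findings):
    """Group Device Defender findings for review: audit task summaries are counted, audit
    resource findings are sorted by severity, and Detect violations are listed per thing.
    ARCHIVED records are skipped: a violation that went out of alarm is archived, not deleted."""
    out = {"summary_count": 0, "audit": [], "detect": [], "by_resource_type": Counter()}
    for f in findings:
        if f.get("RecordState") != "ACTIVE":
            continue
        resource = f["Resources"][0]
        out["by_resource_type"][resource["Type"]] += 1
        if resource["Type"] == "AwsIotAuditTask":
            out["summary_count"] += 1
        elif resource["Type"] == "AwsIotThing":  # assumed Detect resource type
            out["detect"].append((resource["Id"], f["Title"]))
        else:
            out["audit"].append((f["Severity"]["Label"], f["Id"], resource["Id"]))
    out["audit"].sort(key=lambda t: SEVERITY_RANK.get(t[0], -1), reverse=True)
    return out


def get_findings_filters(resource_type):
    """Filters for the Security Hub GetFindings API (boto3: client.get_findings(Filters=...))
    that return only ACTIVE findings on one resource type, e.g. "AwsIotPolicy"."""
    return {
        "ResourceType": [{"Value": resource_type, "Comparison": "EQUALS"}],
        "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],
    }
```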

Figure 7: AWS IoT Device Defender Detect finding details in AWS Security Hub

Note that you can also use AWS IoT Device Defender ML Detect to establish the normal device behavior. AWS IoT Device Defender then identifies anomalies and triggers alarms using Machine Learning (ML) models. These alarms are sent to AWS Security Hub and can be seen in the AWS Security Hub console as described earlier.

Conclusion

In this post, you’ve learned how to set up AWS IoT Device Defender to send audit and detect findings to AWS Security Hub to gain a centralized view of security findings across the services running in the cloud and at the edge. By ingesting security events into AWS, you can triage alarms and get deeper insights and situational awareness of your IoT and cloud security posture. The solution can be extended using additional AWS services, including Amazon EventBridge, AWS Lambda, and Amazon DynamoDB, to correlate AWS Security Hub findings from multiple AWS security services. To learn more, read Correlate security findings with AWS Security Hub and Amazon EventBridge. You can also reference this video for a live demo of the solution.

Authors

Ryan Dsouza is a Principal Solutions Architect for IoT at AWS. Based in New York City, Ryan helps customers design, develop, and operate more secure, scalable, and innovative solutions using the breadth and depth of AWS capabilities to deliver measurable business outcomes. Ryan has over 25 years of experience in digital platforms, smart manufacturing, energy management, building and industrial automation, and OT/IIoT security across a diverse range of industries. Before AWS, Ryan worked for Accenture, SIEMENS, General Electric, IBM, and AECOM, serving customers for their digital transformation initiatives.

Joseph Choi is a Sr. Product Manager-Tech at AWS IoT. He focuses on building services that help device makers, automotive manufacturers, IoT providers monitor and secure their devices.

Emir Ayar is a Tech Lead Solutions Architect on the AWS Prototyping team. He specializes in helping customers build IoT, ML at the Edge, and Industry 4.0 solutions and implement architectural best practices. He lives in Luxembourg and enjoys playing synthesizers.
