AWS IoT Device Defender now offers a new metric called disconnected duration, which allows customers to monitor the connectivity status and duration of disconnection for their IoT devices. Previously, customers had to rely on custom solutions using AWS Lambda or Amazon CloudWatch and Connect/Disconnect event messages from AWS IoT Core. With the disconnected duration metric, customers can set a threshold for disconnection time and react accordingly. This metric helps to assess the health of device fleets, identify potential security risks, and manage device fleet challenges. In this article, we will learn how to configure a security profile using the disconnected duration metric in AWS IoT Device Defender, and how to receive notifications through Amazon SNS and Amazon SQS.
The following architecture diagram illustrates the flow of messages in the sample solution presented in this article:
1. The simulated device connects and disconnects.
2. After 5 minutes, the disconnected device triggers an anomalous behavior alert in the security profile.
3. The alert notification service publishes a message to the specified SNS topic.
4. The SQS queue is subscribed to the SNS topic and receives the message.
5. Using fleet indexing search, we can identify devices violating the specified security profile.
6. Based on the search, we can create a dynamic thing group to automatically group and manage the violating devices.
To follow along with the steps in this article, you will need:
– An AWS account with access and permission to use AWS IoT Core, AWS IoT Device Defender, and AWS IoT Device Management.
– AWS Identity and Access Management (IAM) permission to create and assign roles in AWS IoT Core.
– AWS Identity and Access Management (IAM) permission to create SNS topics and SQS queues.
– Access to AWS CloudShell and basic knowledge of Linux and AWS Command Line Interface (AWS CLI).
Creating an SNS topic and an SQS subscription
To start, we need to create an SNS topic and an SQS subscription for receiving violation notifications.
1. Go to the SNS service and navigate to Topics in the left side menu. Create a new topic with the name “Disconnected_things_notification” and select the Standard option. Leave all other configurations as default and click Create topic. Note: The default access policy only allows the topic owner to subscribe to it.
2. Go to the SQS service and navigate to Queues in the left side menu. Create a new queue with the name “Disconnect_thing_notification_queue” and select the Standard option. Leave all other configurations as default and click Create queue. Note: The default access policy only allows messages from the queue owner. In the next menu, navigate to SNS subscription, click on “Subscribe to Amazon SNS topic,” choose “Disconnected_things_notification,” and save.
Creating a security profile
Next, we need to create a security profile that defines anomalous behavior based on the disconnected duration metric.
1. Go to the AWS IoT Core service and navigate to Security → Detect → Security Profiles in the left side menu. Click on “Create Security Profile” and select “Create Rule-based anomaly Detect profile.”
2. In the “Specify security profile properties” menu, configure the following:
– Name: Disconnect_duration_5m
– Target: A target group (select all registered things)
– Role: Create a new role
– SNS configuration: Select the previously created topic, “Disconnected_things_notification.” Select “Create a new role” for SNS Role.
3. In the “Define metric behaviors” menu, do the following:
– Under “Cloud-side metrics,” search and select “Disconnect Duration.”
– Metric Behavior: Select “Alert me.”
– Behavior name: Disconnect_duration_5m.
– Logic fields: Use “Disconnect_duration is greater than or equal – 5 minutes” as the condition.
4. Review your configuration and click on Create. This example configuration sets the disconnected duration threshold to 5 minutes.
Simulating an anomalous device
Now, we will simulate a device that has been disconnected for more than 5 minutes and should trigger a violation in the security profile.
1. In the AWS IoT Core service, navigate to Manage → All devices → Things in the left side menu. Click on “Create things” and select “Create a single thing.”
2. Name your thing as “test_thing” and leave all other configurations as default. Select “Auto-generate a new certificate” and click Next.
3. In the Policies menu, create a new policy with the following configuration:
Go back to the previous menu, refresh, and attach the created policy to the thing. Click Create thing. Download and save the private key, public key, and device certificate, as we will need them in the following steps.
4. We will use AWS CloudShell to install and run a sample using the AWS IoT Device SDK v2 for Python. If you prefer, you can use any other AWS IoT Device SDK and your preferred IDE platform. Go to AWS CloudShell and execute the following commands:
python3 -m pip install awsiotsdk
git clone https://github.com/aws/aws-iot-device-sdk-python-v2.git
5. Upload the private key and device certificate that you downloaded in the previous steps. On the top right of the AWS CloudShell, click on the Actions menu, select “Upload files,” and select the key and certificate files. Note: the files are uploaded to the /home/cloudshell-user directory.
6. Start the simulation by running one of the sample Python scripts. From the /home/cloudshell-user directory, execute the following commands:
aws iot describe-endpoint --endpoint-type iot:Data-ATS
python3 ~/aws-iot-device-sdk-python-v2/samples/basic_connect.py --endpoint
If the sample executes successfully, you will see the following outputs:
Confirming the violation
After running the simulation, you can check if a violation has been detected by the security profile. Note that it may take a few minutes for AWS IoT Device Defender security profiles to publish a violation.
1. Navigate to the SQS service and select the queue you created in the previous steps.
2. Go to the top right menu and select “Send and receive messages.” In the “Receive message” menu, click on “Poll for messages.” You should see a message available, and the body of the message will contain information about the violation.
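The message body you poll from the queue is an SNS notification envelope whose Message field is itself a JSON string carrying the Device Defender violation. The following parser is an added example, not code from the article or from AWS: the alert field names (thingName, behavior.metric, violationEventType, violationEventTime, metricValue.count) are assumptions about the alert format, and the three sample messages are constructed test data. It also handles the case the polling step glosses over: a standard SQS queue does not preserve order, so an alarm-cleared event can arrive before the in-alarm event it cancels, and the newest event must be picked by timestamp.

```python
import json
from dataclasses import dataclass

@dataclass
class Violation:
    thing_name: str
    metric: str           # e.g. "aws:disconnect-duration"
    event_type: str       # "in-alarm", "alarm-cleared" or "alarm-invalidated"
    event_time: int       # violationEventTime, epoch milliseconds
    minutes: "int | None" # metricValue.count, absent on cleared alarms

def parse_sqs_body(body: str) -> Violation:
    """Unwrap the SNS envelope in an SQS message body and extract the alert
    fields. The field names are assumptions about the Device Defender alert JSON."""
    envelope = json.loads(body)
    if envelope.get("Type") != "Notification" or "Message" not in envelope:
        raise ValueError("not an SNS notification envelope")
    event = json.loads(envelope["Message"])   # Message is a JSON string, not an object
    count = (event.get("metricValue") or {}).get("count")
    return Violation(
        thing_name=event["thingName"],
        metric=event["behavior"]["metric"],
        event_type=event["violationEventType"],
        event_time=int(event["violationEventTime"]),
        minutes=int(count) if count is not None else None,
    )

def things_in_alarm(bodies) -> set:
    """Names of things whose newest event is still 'in-alarm'. Standard SQS queues
    do not preserve order, so the newest event is chosen by timestamp, not arrival."""
    latest = {}
    for v in map(parse_sqs_body, bodies):
        if v.thing_name not in latest or v.event_time > latest[v.thing_name].event_time:
            latest[v.thing_name] = v
    return {name for name, v in latest.items() if v.event_type == "in-alarm"}

def _sample(thing, event_type, minutes, ts) -> str:
    """Constructed SNS-wrapped alert used as test input; not a captured real message."""
    event = {"thingName": thing, "securityProfileName": "Disconnect_duration_5m",
             "behavior": {"name": "Disconnect_duration_5m", "metric": "aws:disconnect-duration"},
             "violationEventType": event_type, "violationEventTime": ts}
    if minutes is not None:
        event["metricValue"] = {"count": minutes}
    return json.dumps({"Type": "Notification", "Message": json.dumps(event)})

# Constructed sample: sensor-02 was cleared, but the clear arrived before the alarm.
SAMPLE_BODIES = [_sample("test_thing", "in-alarm", 7, 1700000300000),
                 _sample("sensor-02", "alarm-cleared", None, 1700000900000),
                 _sample("sensor-02", "in-alarm", 12, 1700000600000)]
```

Feed the Body of each record returned by an SQS receive call into things_in_alarm to get the set of things that still need attention.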
By following these steps, you will be able to configure a security profile using the disconnected duration metric, receive notifications through Amazon SNS, and manage device fleet requirements and security compliance effectively.