AWS IoT Device Defender FAQs

General

AWS IoT Device Defender is a fully managed IoT security service that enables you to secure your IoT configurations on an ongoing basis. With AWS IoT Device Defender, you get tools to identify and respond to security issues. AWS IoT Device Defender audits your fleet to ensure it adheres to security best practices, continuously monitors your device fleets to detect any abnormal device behavior, alerts you about security issues as they arise, and provides built-in mitigation actions for these security issues.

Audit: AWS IoT Device Defender audits your device-related resources (such as X.509 certificates, IoT policies, and Client IDs) against AWS IoT security best practices (for example, the principle of least privilege or unique identity per device). AWS IoT Device Defender reports configurations that are out of compliance with security best practices, such as multiple devices using the same identity, or overly permissive policies that can allow one device to read and update data for many other devices.

Rules Detect: AWS IoT Device Defender detects unusual device behavior that may be indicative of a compromise by continuously monitoring high-value security metrics from the device and AWS IoT Core (e.g., the number of listening TCP ports on your devices or authorization failure counts). You can specify normal device behavior for a group of devices by setting up behaviors (rules) for these metrics. AWS IoT Device Defender monitors and evaluates each datapoint reported for these metrics against user-defined behaviors (rules) and alerts you if an anomaly is detected.

ML Detect: AWS IoT Device Defender automatically sets device behaviors for you with machine-learning (ML) models using device data across six cloud-side metrics (for example, authorization failure counts, messages sent counts) and seven device-side metrics (for example, packets out, listening TCP port counts) from a trailing 14-day period. After the initial models are built, it retrains them each day (as long as it has sufficient data to train the model) to refresh the expected device behaviors based on the latest trailing 14 days. AWS IoT Device Defender monitors and identifies anomalous datapoints for these metrics with the ML models and triggers an alarm if an anomaly is detected. Compared to Rules Detect, the key benefits are that it automatically detects operational and security anomalies across fleet devices without requiring you to define normal device activity thresholds, and that it dynamically updates expected device behaviors as data trends from your devices change, reducing false positives.

Alerting: AWS IoT Device Defender publishes alarms to the AWS IoT Console, Amazon CloudWatch, and Amazon SNS.

Mitigation: AWS IoT Device Defender enables you to investigate issues by providing contextual and historical information about the device, such as device metadata, device statistics, and historical alerts for the device. You can also use AWS IoT Device Defender built-in mitigation actions to perform mitigation steps on Audit and Detect alarms, such as adding things to a thing group, replacing the default policy version, and updating the device certificate.

AWS IoT Core provides the security building blocks for you to securely connect devices to the cloud and to other devices. The building blocks allow enforcing security controls such as authentication, authorization, audit logging, and end-to-end encryption at various levels of strictness based on your configurations. Following the AWS shared responsibility model, you are responsible for regularly baselining security configurations according to business requirements. However, human or systemic errors, or authorized actors with bad intentions, can introduce configurations with negative security impacts.

AWS IoT Device Defender helps you to continuously audit security configurations for compliance with security best practices and your own organizational security policies. Continuous audit is essential because misconfigurations can happen at any point in time. Additionally, security configurations can be weakened by the passage of time as new threats constantly emerge. For example, cryptographic algorithms once known to provide secure digital signatures for device certificates can be weakened by advances in computing and cryptanalysis.

AWS IoT Device Defender identifies opportunities to use AWS IoT security controls effectively. However, if security misconfigurations are not remediated or new attack vectors are disclosed publicly before devices are patched, the security of connected devices may be compromised. AWS IoT Device Defender complements preventative security controls in AWS IoT by helping you identify devices already compromised and initiating containment and corrective actions.

No. You can audit your IoT configurations as well as monitor all cloud-side metrics with just a few clicks in the console. If you also want to monitor device-side metrics, you need to make some changes to your device code to publish device-side metrics to AWS IoT Device Defender. A reference implementation for a sample agent can be found here. AWS IoT Greengrass and FreeRTOS are fully integrated with AWS IoT Device Defender for both device-side and cloud-side metrics.

If your device platform has available specialized hardware that enables a trusted execution environment, we highly recommend implementing your device agent to run in a trusted environment. Consult your hardware security solution vendor for specific guidance on how to implement this type of design.

Yes, you can create your own custom metrics to monitor using Device Defender. See the documentation for how to start monitoring device-side metrics that you’ve defined.

AWS IoT Device Defender allows you to schedule audit tasks, monitor device activities, and receive notifications for audit findings and abnormal device behavior alarms.

Audit tasks conduct assessments of your AWS IoT configurations. You can launch audit tasks on-demand or on a scheduled basis. To increase the accuracy of audit checks and minimize false positives, AWS IoT Device Defender incorporates the context of device interactions with AWS IoT Core.

AWS IoT Device Defender ingests and analyzes high-value security metrics collected from connected devices and their interactions with AWS IoT Core to continuously monitor device activities and detect abnormal device behaviors. When you use Rules Detect, the metric data is continuously evaluated against user-defined behaviors; when you use ML Detect, the metric data is continuously evaluated by automatically built machine-learning models to identify anomalies. Collecting and emitting device-side metrics is optional but highly recommended. AWS IoT Device Defender provides a reference implementation and documentation for device agents responsible for collecting and emitting the device-side metrics.

The results from scheduled audit tasks and any detected device activity anomalies are published to the AWS IoT Console and the AWS IoT Device Defender API, and are accessible through Amazon CloudWatch. Additionally, you can configure AWS IoT Device Defender to send results to Amazon SNS topics for integration with security dashboards or for triggering automated remediation workflows.

AWS IoT Device Defender uses machine-learning models to monitor and identify anomalous datapoints for device behavior metrics in ML Detect. To build its initial ML model for your devices, AWS IoT Device Defender requires 14 days of data and a minimum of 25,000 metric datapoints per metric. Afterwards, it updates the model every day as long as the minimum of 25,000 metric datapoints per metric is met. If the minimum datapoint requirement is not met, AWS IoT Device Defender will attempt to update the model on the next day. It will retry daily for 30 days before discontinuing the model updates.

When you use AWS IoT Device Defender ML Detect, we provide a set of measures to address false-positive alarms from the ML models, so that you can control the alarms you receive according to your business use case:

  1. Change the number of consecutive datapoints required to trigger an alarm: If you frequently get false alarms due to metric data spikes, you can use this setting to require multiple consecutive datapoints to be anomalous before an alarm is raised.
  2. Change the ML Detect confidence: For chronic false-positive cases, you can tune detection to alarm only at higher confidence. We provide LOW, MEDIUM, and HIGH confidence levels to choose from. HIGH confidence represents low alarm sensitivity/volume, MEDIUM confidence medium alarm sensitivity/volume, and LOW confidence high alarm sensitivity/volume.
  3. Suppress alarms: For one-off cases where you know that certain actions on your end might cause false positives (for example, an OTA job), you can update the related ML Detect behavior to suppress alarms. In addition, AWS IoT Device Defender defaults alarms to 'suppressed' in the default ML Detect Security Profile setup unless you opt in to changing the default configuration.

See the AWS Region Table for the current list of regions supported by AWS IoT Device Defender.

You can use AWS IoT Device Defender regardless of your geographic location, as long as you have access to one of the supported AWS Regions.

Yes. Visit the AWS IoT Device Defender pricing page for more information.

You have the flexibility to use Audit, Rules Detect or ML Detect independently, since they are each charged separately. Please visit the AWS IoT Device Defender pricing page for more information.

No, you will not need to pay for messages used to report device-side Detect metrics to AWS IoT Device Defender.

Yes, you will need to pay for connectivity if you connect with AWS IoT Core solely to report device-side Detect metrics to AWS IoT Device Defender. Please visit the AWS IoT Core pricing page for more information.

When you use Rules Detect, start by creating a Security Profile with an expected restrictive behavior (for example, low thresholds) and attach it to a thing group for a representative set of devices. AWS IoT Device Defender will alert you with the metric datapoint reported by the device for the behavior that is violated. You can fine-tune the device behavior threshold to match your use case over time.

When you use ML Detect, the feature sets device behaviors automatically with machine learning to monitor device activities. AWS IoT Device Defender will alert you with the metric datapoint reported by the device when an ML model flags the datapoint as anomalous. This removes the need for you to define accurate behaviors of your devices and helps you get started with monitoring more quickly and easily.
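The following is an added example (not AWS's own code) that puts the two getting-started approaches above, and the ML Detect false-positive controls listed earlier, into Security Profile documents for `aws iot create-security-profile --cli-input-json`: one Rules Detect profile with restrictive thresholds and a consecutive-datapoint requirement, one ML Detect profile with HIGH confidence and a suppressed behavior. Profile names, threshold values and the thing-group ARN are placeholders you would replace for your own fleet.

```shell
# Added example, not AWS's own code. Profile names, thresholds and the
# thing-group ARN are placeholders for your fleet.
set -eu
# Rules Detect: a restrictive starting point, as the FAQ suggests. Each behavior
# needs 3 consecutive anomalous datapoints before alarming, which damps one-off spikes.
write_rules_profile() {
  cat > "$1" <<'EOF'
{
  "securityProfileName": "sensor-fleet-rules",
  "behaviors": [
    { "name": "auth-failures", "metric": "aws:num-authorization-failures",
      "criteria": { "comparisonOperator": "less-than", "value": { "count": 5 },
                    "durationSeconds": 300, "consecutiveDatapointsToAlarm": 3,
                    "consecutiveDatapointsToClear": 1 } },
    { "name": "listening-tcp-ports", "metric": "aws:num-listening-tcp-ports",
      "criteria": { "comparisonOperator": "less-than-equals", "value": { "count": 2 },
                    "consecutiveDatapointsToAlarm": 3, "consecutiveDatapointsToClear": 1 } }
  ]
}
EOF
}
# ML Detect: no thresholds. HIGH confidence lowers alarm volume; messages-sent is suppressed (e.g. during an OTA job).
write_ml_profile() {
  cat > "$1" <<'EOF'
{
  "securityProfileName": "sensor-fleet-ml",
  "behaviors": [
    { "name": "ml-auth-failures", "metric": "aws:num-authorization-failures",
      "criteria": { "consecutiveDatapointsToAlarm": 3,
                    "mlDetectionConfig": { "confidenceLevel": "HIGH" } } },
    { "name": "ml-messages-sent", "metric": "aws:num-messages-sent",
      "criteria": { "mlDetectionConfig": { "confidenceLevel": "MEDIUM" } },
      "suppressAlerts": true }
  ]
}
EOF
}
# Create both profiles (ML and rule behaviors kept in separate profiles) and attach them to a thing group of representative devices.
deploy() {
  write_rules_profile rules.json && write_ml_profile ml.json
  for f in rules.json ml.json; do
    aws iot create-security-profile --cli-input-json "file://$f"
  done
  for p in sensor-fleet-rules sensor-fleet-ml; do
    aws iot attach-security-profile --security-profile-name "$p" \
      --security-profile-target-arn "$1"
  done
}
# Usage: sh detect_profiles.sh arn:aws:iot:REGION:ACCOUNT:thinggroup/pilot-sensors
if [ "$#" -eq 1 ]; then deploy "$1"; fi
```

Once the pilot group has run for a while, loosen the Rules Detect thresholds with `aws iot update-security-profile`, and clear `suppressAlerts` on the ML behavior when the maintenance window that motivated it has ended.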