Announcing Mitigation Actions for AWS IoT Device Defender

There’s a new way for you to act on information discovered by AWS IoT Device Defender audits. Now you can create mitigation actions for audit results that automate a response to alerts from an audit.

AWS IoT Device Defender customers often say that it’s invaluable for how AWS gives them visibility into potential malicious device activity. You can do the following:

·      Audit customer fleet to check for security best practices

·      Detect unusual activity by monitoring the behavior of your devices

Using the auditing capability of AWS, you can reference a report in the AWS IoT dashboard of all non-compliant devices. If a device becomes non-compliant, you receive an Amazon SNS notification.

This post describes how you can now select default mitigation actions. At the same time, you can still create a custom response using SNS. To see possible mitigation actions, look at an example alert scenario.

Overview
When you go to the AWS IoT Device Defender console, the first thing that you notice is a new tab under Defend called Mitigation actions. To create a new mitigation action, choose Create.

AWS provides several default mitigation actions:

  • Add things to a thing group
  • Enable IoT logging—Use to enable global IoT logging.
  • Publish a finding to SNS
  • Replace the default policy version—Use to replace a device’s certificate policy with no policy; in other words, no permissions.
  • Update the CA certificate—Use to deactivate a CA certificate.
  • Update the device certificate—Use to deactivate a device certificate.

Walkthrough
For this example, create a new thing group called “Quarantine” in the Thing Group dashboard. Then, create two new mitigation actions:

  • An action to completely disable a certificate, with the following configuration:
    • Action name: Disable_Device
    • Action type: Update device certificate
    • Action execution role: AWSIoTDeviceDefenderAuditRole
    • Action: Deactivate
  • An action to move things into a special “thing” group called “Quarantine,” with the following configuration:
    • Action name: Quarantine
    • Action type: Add things to thing group
    • Action execution role: AWSIoTDeviceDefenderAuditRole
    • Thing groups: Select a thing group
    • Override dynamic groups: Select this option

The new thing group called “Quarantine” is selected in AWS IoT Device Defender as the target for the Quarantine mitigation action. You ask the mitigation action to remove the thing from all dynamic thing groups. You might use this action if you’re using dynamic thing groups to perform over-the-air (OTA) updates using AWS IoT jobs. In that case, you don’t want any further data sent to the compromised devices.

For any mitigation action, you give AWS IoT Device Defender a role (in this case called AWSIoTDeviceDefenderAudit) with the permissions it must have to perform the associated remediations. For a list of the necessary permissions by mitigation action, see the AWS IoT Device Defender Help documentation.

Now, run a test. In this example, suppose that there are two connections open simultaneously with the same authentication certificate. This could mean that a device is provisioned incorrectly, or that a bad actor is in control of a device or its key pair.

Usually, your default is to disable the certificate immediately until you determine what’s happening. However, because there is a chance that there’s simply a bug on the device, you don’t want to delete the certificate. So what do you do?

While drilling down into the results of an audit on the Audits results page, you notice that you have one non-compliant certificate that is shared.

AWS IoT Device Defender Audit Results

When you choose On-demand, you see the details of the audit findings, as shown in the following screenshot.

AWS IoT Device Defender Audit Readings

Before mitigation actions, you had two options:

  • Manually disable the non-compliant certificate.
  • Disable the non-compliant certificate using an SNS notification that triggers an action through an AWS Lambda function.

With the new mitigation actions, just choose Start mitigation actions on the upper right to act immediately.

When you choose Start mitigation actions, a pop-up appears showing categories of findings that need attention along with compatible mitigation actions. Under Select actions for Device certificate shared, three compatible mitigation actions appear: quarantine the thing, publish to SNS, or disable the certificate.

To correct this issue, choose one or more mitigation actions. You can even choose Select all to perform all the actions simultaneously. You’re done!

Conclusion
You can see how the new mitigation actions offer a quick and easy way to perform remediation against common IoT security issues. Mitigation actions are now available in all Regions where AWS IoT Device Defender is available.

To learn more about how to start securing your devices, see AWS IoT Device Defender, or watch the Manage Security of Your IoT Devices with AWS IoT Device Defender webinar.