Q. What is Amazon IoT Device Defender?

Amazon IoT Device Defender is a fully managed IoT security service that enables you to secure your IoT configurations on an ongoing basis. With Amazon IoT Device Defender, you get tools to identify and respond to security issues. Amazon IoT Device Defender audits your fleet to ensure it adheres to security best practices, continuously monitors your device fleets to detect any abnormal device behavior, alerts you about security issues as they arise, and provides built-in mitigation actions for these security issues.

Q. What are the key capabilities of Amazon IoT Device Defender?

Audit Amazon IoT Device Defender audits your device-related resources (such as X.509 certificates, IoT policies, and Client IDs) against Amazon IoT security best practices (for example, the principle of least privilege or unique identity per device). Amazon IoT Device Defender reports configurations that are out of compliance with security best practices, such as multiple devices using the same identity, or overly permissive policies that can allow one device to read and update data for many other devices.

Rules Detect Amazon IoT Device Defender detects unusual device behavior that may be indicative of a compromise by continuously monitoring high-value security metrics from the device and Amazon IoT Core (e.g., the number of listening TCP ports on your devices or authorization failure counts). You can specify normal device behavior for a group of devices by setting up behaviors (rules) for these metrics. Amazon IoT Device Defender monitors and evaluates each datapoint reported for these metrics against user-defined behaviors (rules) and alerts you if an anomaly is detected.

ML Detect Amazon IoT Device Defender automatically sets device behaviors for you with machine-learning (ML) models using data across six cloud-side metrics (for example, authorization failure counts, messages sent counts) and seven device-side metrics (for example, packets out, listening TCP port counts) from a trailing 14-day period. It then retrains the models each day to refresh the device behaviors based on the latest trailing 14 days after initial models are built. Amazon IoT Device Defender monitors and identifies anomalous datapoints for these metrics with the ML models and triggers an alarm if an anomaly is detected. Compared to Rules Detect, the key benefits of the feature are: it automatically detects operational and security anomalies across fleet devices for ease of use and it dynamically updates expected device behaviors based on new data trends to reduce false positive rates.

Alerting Amazon IoT Device Defender publishes alarms to the Amazon IoT Console, Amazon CloudWatch, and Amazon SNS.

Mitigation Amazon IoT Device Defender enables you to investigate issues by providing contextual and historical information about the device such as device metadata, device statistics, and historical alerts for the device. You can also use Amazon IoT Device Defender built-in mitigation actions to perform mitigation steps on Audit and Detect alarms such as adding things to a thing group, replacing default policy version and updating device certificate.

Q. How do customers secure devices today using Amazon IoT and how does Amazon IoT Device Defender help?

Amazon IoT Core provides the security building blocks for you to securely connect devices to the cloud and to other devices. The building blocks allow enforcing security controls such as authentication, authorization, audit logging and end-to-end encryption at various levels of strictness based on your configurations. Following the Amazon Web Services shared responsibility model, you own baselining security configurations regularly according to business requirements. However, human or systemic errors and authorized actors with bad intentions can introduce configurations with negative security impacts.

Amazon IoT Device Defender helps you continuously audit security configurations for compliance with security best practices and your own organizational security policies. The continuous audit is essential as misconfigurations can happen at any point of time. Additionally, security configurations can be impacted by the passage of time and new threats are constantly emerging. For example, cryptographic algorithms once known to provide secure digital signatures for device certificates can be weakened by advances in the computing and cryptanalysis methods.

Amazon IoT Device Defender identifies opportunities to use Amazon IoT security controls effectively. However, if security misconfigurations are not remediated or new attack vectors are disclosed publicly before devices are patched, the security of connected devices may be compromised. Amazon IoT Device Defender complements preventative security controls in Amazon IoT by helping you identify devices already compromised and initiating quarantine and other corrective actions.

Q. Do I need to change device level code to use Amazon IoT Device Defender?

No. You can audit your IoT configurations as well as monitor all cloud-side metrics with just a few clicks in the console. If you also want to monitor device-side metrics with Rules Detect, you need to make some changes to your device code to publish device-side metrics to Amazon IoT Device Defender. Reference implementation for a sample agent can be found here. Amazon IoT Greengrass and FreeRTOS are fully integrated with Amazon IoT Device Defender for both device-side and cloud-side metrics.

If your device platform has available specialized hardware that enables a trusted execution environment, we highly recommend implementing your device agent to run in a trusted environment. Consult your hardware security solution vendor for specific guidance on how to implement this type of design.

Q. Can I monitor non-standard metrics I’ve defined myself using Amazon IoT Device Defender?

Yes, you can create your own custom metrics to monitor using Device Defender. See the documentation for how to start monitoring device-side metrics that you’ve defined.

Q. How does Amazon IoT Device Defender work?

Amazon IoT Device Defender allows you to schedule audit tasks, monitor device activities, and receive notifications for audit findings and abnormal device behavior alarms.

Audit tasks conduct assessments of your Amazon IoT configurations. You can launch audit tasks on-demand or on a scheduled basis. To increase the accuracy of audit checks and minimize false positives, Amazon IoT Device Defender incorporates the context of device interactions with Amazon IoT Core.

Amazon IoT Device Defender ingests and analyzes high-value security metrics collected from connected devices and their interactions with Amazon IoT Core to continuously monitor device activities and detect abnormal device behaviors. When you use Rules Detect, the metric data is continuously evaluated against user-defined behaviors; when you use ML Detect, the metric data is continuously evaluated by automatically built machine-learning models to identify anomalies. The collection and emittance of device metrics is optional. However, it’s highly recommended. Amazon IoT Device Defender provides reference implementation and documentation for device agents responsible for collecting and emitting the device-side metrics.

The results from scheduled audit tasks and any detected device activity anomalies are published to the Amazon IoT Console, Amazon IoT Device Defender API and are accessible through Amazon CloudWatch. Additionally, you can configure Amazon IoT Device Defender to send results to Amazon SNS topics for integration with security dashboards or triggering automated remediation workflows.

Q. How does Amazon IoT Device Defender ML Detect model training work?

Amazon IoT Device Defender uses machine-learning models to monitor and identify anomalous datapoints for device behavior metrics in ML Detect. While Amazon IoT Device Defender is building its initial ML model, it requires 14 days and a minimum of 25,000 metric datapoints per metric to generate the model. Afterwards, it updates the model every day as long as the minimum 25,000 metric datapoints per metric are met. If the minimum datapoint requirement is not met, Amazon IoT Device Defender will attempt to build the model on the next day. It will retry daily for 30 days before discontinuing the model updating.

Q. How do I address false positive alarms from trained models when using Amazon IoT Device Defender ML Detect?

We designed a set of measures to address false positive alarms of ML models based on your business use case when you use Amazon IoT Device Defender ML Detect so that you have tools to control the alarms you receive:

1. Change the number of consecutive datapoints required to trigger alarm: If you frequently get false alarms due to metric data spikes, you could use this setting to require multiple consecutive datapoints to be anomalous before getting an alarm.

2. Change the ML Detect confidence: For chronic false-positive cases, you could simply tune detection for alarms at higher confidence. We provide LOW, MEDIUM, HIGH confidence levels for you to choose from. HIGH confidence represents low alarm sensitivity/volume, MEDIUM confidence medium alarm sensitivity/volume, and LOW confidence high alarm sensitivity/volume.

3. Suppress alarms: For one-off cases where you know that certain actions on you end might cause false positives (for example, OTA job), you could update the related ML Detect behavior to suppress alarms. In addition, Amazon IoT Device Defender defaults alarms to ‘suppressed’ in the initial ML Detect Security Profile setup unless you opt in changing the default configuration.

Q. Which Amazon Web Services regions is Amazon IoT Device Defender available in?

See the Amazon Web Services Region Table for the current list of regions supported by Amazon IoT Device Defender.

You can use Amazon IoT Device Defender regardless of your geographic location, as long as you have access to one of the above Amazon Web Services regions.

Q. Is Amazon IoT Device Defender available in Amazon Web Services China (Ningxia) Region Free Tier?

No, Amazon IoT Device Defender is not currently available in Amazon Web Services China (Ningxia) Region Free Tier.

Q. How much does Amazon IoT Device Defender cost?

You have the flexibility to use Audit, Rules Detect or ML Detect independently, since they are each charged separately. Please visit the Amazon IoT Device Defender pricing page for more information.

Q. When working with Amazon IoT Device Defender, will I need to pay for Amazon IoT Core Messages to report Detect metrics?

No, you will not need to pay for messages used to report device-side Detect metrics to Amazon IoT Device Defender.

Q. When working with Amazon IoT Device Defender, will I need to pay for Amazon IoT Core Connectivity to report Detect metrics?

Yes, you will need to pay for connectivity if you connect with Amazon IoT Core solely to report device-side Detect metrics to Amazon IoT Device Defender. Please visit the Amazon IoT Core pricing page for more information.

Q. How do I know the right values to set for the expected behavior of my devices in Amazon IoT Device Defender?

When you use Rules Detect, start by creating a Security Profile with an expected restrictive behavior (for example, low thresholds) and attach it to a thing group for a representative set of devices. Amazon IoT Device Defender will alert you with the metric datapoint reported by the device for the behavior that is violated. You can fine-tune the device behavior threshold to match your use case over time.

When you use ML Detect, the feature sets device behaviors automatically with machine learning to monitor device activities. Amazon IoT Device Defender will alert you with the metric datapoint reported by the device when an ML model flags the datapoint as anomalous. This removes the need for you to define accurate behaviors of your devices and helps you get started with monitoring more quickly and easily.