Posted On: May 5, 2022

Amazon IoT Secure Tunneling allows customers to access devices that are deployed behind restricted firewalls at remote sites. When a tunnel is created, a pair of client access tokens (CAT) will be generated and used by the source and destination devices to connect to the Secure Tunneling service. Prior to today, a token can be stored and reused, making it susceptible to malicious use. Now single-use tokens will be revoked after a successful connection. When the connection drops, instead of saving CATs to a local device and establishing a token re-delivery method, customers can call the RotateTunnelAccessToken API to deliver a new pair of CATs to the source and destination devices to resume connection with the original device in the predefined tunnel period. Once reconnected, customers can securely access and continue troubleshooting remote devices using Secure Tunneling.

IoT Developers and Fleet Administrators can use Amazon Command Line Interface to call the RotateTunnelAccessToken API to regain access. There are no device-side actions required to use this feature. Depending on where the customer runs into connection issues, token rotation supports rotating CATs in source, destination, or both modes. Additionally, the new CATs will be published to destination devices via their subscribed MQTT topic to further reduce friction. This feature allows customers to access the same destination device multiple times before the tunnel duration exhausts.

Single-use token and token rotation are available in Amazon Web Services China (Beijing) Region, operated by Sinnet, and Amazon Web Services China (Ningxia) Region, operated by NWCD. Using the RotateTunnelAccessToken API is free of charge, but you will continue to incur costs for opening tunnels as specified on our pricing page. To learn more about the single-use token and token rotation, read the RotateTunnelAccessToken API documentation and Amazon IoT Device Management Secure Tunneling documentation.