Security best practices for AWS IoT SiteWise
This topic contains security best practices for AWS IoT SiteWise.
Use authentication credentials on your OPC-UA servers
Require authentication credentials, rather than anonymous sessions, to connect to your OPC-UA servers; consult the documentation for your servers to do so. Then, to allow your SiteWise Edge gateway to connect to those servers, add the server authentication secrets to your SiteWise Edge gateway. For more information, see Configuring source authentication.
Use encrypted communication modes for your OPC-UA servers
When you configure OPC-UA sources for your SiteWise Edge gateway, choose the SignAndEncrypt message security mode together with a security policy that the OPC UA specification has not deprecated (for example Basic256Sha256, not None, Basic128Rsa15, or Basic256). This protects your industrial data in transit from your OPC-UA servers to the SiteWise Edge gateway. For more information, see Data in transit over the local network and Configuring data sources.
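The two practices above (credentials on every source, and an encrypted, non-deprecated security mode) are easy to check mechanically before a gateway configuration is deployed. The following is an added example, not code from the AWS documentation or from the SiteWise Edge gateway itself: a small audit of an OPC-UA collector capability configuration document. The JSON field names (sources, endpoint, endpointUri, securityPolicy, messageSecurityMode, certificateTrust, identityProvider, usernameSecretArn) are assumed here to match the collector's configuration shape and should be checked against your gateway's actual configuration; the sample sources and ARNs are constructed.

```python
import json

# OPC UA security policies: "None" is plaintext; Basic128Rsa15 and Basic256 are
# deprecated by the OPC UA specification (v1.04 onward). Everything else here is current.
UNSAFE_SECURITY_POLICIES = {"None", "Basic128Rsa15", "Basic256"}
CURRENT_SECURITY_POLICIES = {"Basic256Sha256", "Aes128_Sha256_RsaOaep", "Aes256_Sha256_RsaPss"}


def audit_source(source):
    """Return a list of findings for one OPC-UA source entry; an empty list means it passes."""
    findings = []
    name = source.get("name", "<unnamed>")
    endpoint = source.get("endpoint", {})

    uri = endpoint.get("endpointUri", "")
    if not uri.startswith("opc.tcp://"):
        findings.append(f"{name}: unexpected endpoint URI {uri!r}")

    # SignAndEncrypt is the only OPC UA message security mode that encrypts.
    mode = endpoint.get("messageSecurityMode", "None")
    if mode != "SignAndEncrypt":
        findings.append(f"{name}: messageSecurityMode is {mode!r}; require SignAndEncrypt")

    policy = endpoint.get("securityPolicy", "None")
    if policy in UNSAFE_SECURITY_POLICIES:
        findings.append(f"{name}: securityPolicy {policy!r} is plaintext or deprecated")
    elif policy not in CURRENT_SECURITY_POLICIES:
        findings.append(f"{name}: unrecognised securityPolicy {policy!r}; review manually")

    # Require a username identity whose password lives in Secrets Manager, never inline.
    ident = endpoint.get("identityProvider", {"type": "Anonymous"})
    if ident.get("type") != "Username":
        findings.append(f"{name}: identityProvider is {ident.get('type')!r}; require Username")
    elif not str(ident.get("usernameSecretArn", "")).startswith("arn:aws:secretsmanager:"):
        findings.append(f"{name}: username/password must come from a Secrets Manager ARN")

    # Trusting any server certificate defeats the point of encrypting the session.
    trust = endpoint.get("certificateTrust", {}).get("type", "TrustAny")
    if trust == "TrustAny":
        findings.append(f"{name}: certificateTrust is TrustAny; pin the server certificate")
    return findings


def audit_capability_configuration(config_json):
    """Audit every source in an OPC-UA collector capability configuration document."""
    findings = []
    for source in json.loads(config_json).get("sources", []):
        findings.extend(audit_source(source))
    return findings


# Constructed sample sources (assumed field names, see the lead-in).
WEAK_SOURCE = {
    "name": "press-line-1",
    "endpoint": {
        "endpointUri": "opc.tcp://10.0.5.21:4840",
        "securityPolicy": "None",
        "messageSecurityMode": "None",
        "certificateTrust": {"type": "TrustAny"},
        "identityProvider": {"type": "Anonymous"},
    },
}
HARDENED_SOURCE = {
    "name": "press-line-2",
    "endpoint": {
        "endpointUri": "opc.tcp://10.0.5.22:4840",
        "securityPolicy": "Basic256Sha256",
        "messageSecurityMode": "SignAndEncrypt",
        "certificateTrust": {"type": "X509", "certificateBody": "<PEM of the server certificate>"},
        "identityProvider": {
            "type": "Username",
            "usernameSecretArn": "arn:aws:secretsmanager:us-east-1:123456789012:secret:opcua/press-line-2",
        },
    },
}
SAMPLE_CONFIG = json.dumps({"sources": [WEAK_SOURCE, HARDENED_SOURCE]})

if __name__ == "__main__":
    for finding in audit_capability_configuration(SAMPLE_CONFIG):
        print(finding)
```

Run against the constructed sample, the weak source produces four findings (mode, policy, identity, certificate trust) and the hardened source none. Wiring this into the pipeline that calls the gateway capability-configuration API keeps an anonymous or plaintext source from ever reaching a gateway.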
Keep your components up to date
If you use SiteWise Edge gateways to ingest data to the service, it's your responsibility to configure and maintain your SiteWise Edge gateway's environment. This responsibility includes upgrading to the latest versions of the gateway's system software, AWS IoT Greengrass software, and connectors.
Note
The AWS IoT SiteWise Edge connector stores secrets on your file system. These secrets control who can view the data cached within your SiteWise Edge gateway. It's strongly recommended that you turn on disk or file-system encryption for the system running your SiteWise Edge gateway.
Encrypt your SiteWise Edge gateway's file system
Encrypt and secure your SiteWise Edge gateway's file system, so that your industrial data and the secrets that protect the gateway's cache stay protected at rest while data moves through the SiteWise Edge gateway. If your SiteWise Edge gateway has a hardware security module, you can configure AWS IoT Greengrass to use it to secure your SiteWise Edge gateway. For more information, see Hardware security integration in the AWS IoT Greengrass Version 1 Developer Guide. Otherwise, consult the documentation for your operating system to learn how to encrypt and secure your file system.
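A practical way to verify the note above on a Linux gateway is to confirm that the filesystem holding the Greengrass root sits on a dm-crypt (LUKS) mapping. The following is an added example, not code from AWS or from the gateway software: it reads the block-device tree that util-linux `lsblk -J` prints and walks from the mounted device down through its parents looking for a `crypt` layer, so LVM-on-LUKS and plain LUKS both pass. The path `/greengrass` is assumed to be the Greengrass root; the two lsblk documents are constructed samples.

```python
import json
import os
import subprocess


def find_device_for_mount(tree, mountpoint, ancestors=()):
    """Depth-first search of an lsblk JSON tree. Returns the chain of (name, type) pairs
    from the top-level disk down to the device mounted at `mountpoint`, or None."""
    for node in tree:
        chain = ancestors + ((node.get("name"), node.get("type")),)
        # util-linux >= 2.37 reports MOUNTPOINTS (a list); older versions MOUNTPOINT.
        mps = node.get("mountpoints") or [node.get("mountpoint")]
        if mountpoint in mps:
            return chain
        found = find_device_for_mount(node.get("children", []), mountpoint, chain)
        if found:
            return found
    return None


def is_on_encrypted_volume(lsblk_json, mountpoint):
    """True if the device backing `mountpoint`, or any device beneath it in the
    block-device stack, is a dm-crypt mapping as reported by lsblk."""
    chain = find_device_for_mount(json.loads(lsblk_json)["blockdevices"], mountpoint)
    if chain is None:
        raise ValueError(f"{mountpoint} is not a mountpoint in the lsblk output")
    return any(devtype == "crypt" for _, devtype in chain)


def mountpoint_of(path):
    """Walk up from `path` to the mountpoint that contains it."""
    path = os.path.realpath(path)
    while not os.path.ismount(path):
        path = os.path.dirname(path)
    return path


def live_check(path="/greengrass"):
    """Run lsblk on this host and test the filesystem that holds `path` (assumed Greengrass root)."""
    out = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
                         capture_output=True, text=True, check=True).stdout
    return is_on_encrypted_volume(out, mountpoint_of(path))


# Constructed lsblk -J output: Greengrass root on LUKS over a partition.
ENCRYPTED_HOST = json.dumps({"blockdevices": [
    {"name": "nvme0n1", "type": "disk", "mountpoint": None, "children": [
        {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot"},
        {"name": "nvme0n1p2", "type": "part", "mountpoint": None, "children": [
            {"name": "gg-crypt", "type": "crypt", "mountpoint": "/greengrass"}]}]}]})

# Constructed lsblk -J output: everything on a plain partition, no encryption layer.
PLAINTEXT_HOST = json.dumps({"blockdevices": [
    {"name": "sda", "type": "disk", "mountpoint": None, "children": [
        {"name": "sda1", "type": "part", "mountpoint": "/"}]}]})

if __name__ == "__main__":
    print("sample encrypted host:", is_on_encrypted_volume(ENCRYPTED_HOST, "/greengrass"))
    print("sample plaintext host:", is_on_encrypted_volume(PLAINTEXT_HOST, "/"))
```

`live_check()` is the call to run on the gateway itself; it raises if the path is not on any mounted block device (for example an overlay or tmpfs), which is itself worth knowing because the cache is then on a filesystem this check cannot vouch for.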
Secure access to your edge configuration
Don't share your edge console application password or your SiteWise Monitor application password, and don't store these passwords anywhere others can see them. Rotate them regularly by configuring an appropriate password expiration.
Grant SiteWise Monitor users minimum possible permissions
Follow the principle of least privilege by using the minimum set of access policy permissions for your portal users.
- When you create a portal, define a role that allows the minimum set of assets needed for that portal. For more information, see Using service roles for AWS IoT SiteWise Monitor.
- When you and your portal administrators create and share projects, use the minimum set of assets needed for that project.
- When an identity no longer needs access to a portal or project, remove them from that resource. If that identity is no longer applicable to your organization, delete that identity from your identity store.
The principle of least privilege also applies to IAM roles. For more information, see Policy best practices.
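To make "the minimum set of assets" concrete for the portal role, the following added example (not AWS's service-role template, and not code from the SiteWise documentation) builds a read-only policy scoped to explicit asset ARNs and flags policy statements that pair iotsitewise actions with a wildcard action or resource. The action list is an illustrative read-only set chosen here, not the full list a given portal may need; the asset ARNs and the overbroad sample policy are constructed.

```python
import json

# Illustrative read-only SiteWise actions a portal needs for the assets shared with it.
PORTAL_READ_ACTIONS = [
    "iotsitewise:DescribeAsset",
    "iotsitewise:ListAssociatedAssets",
    "iotsitewise:GetAssetPropertyValue",
    "iotsitewise:GetAssetPropertyValueHistory",
]


def scoped_portal_policy(asset_arns):
    """Build an IAM policy document granting PORTAL_READ_ACTIONS only on the given assets."""
    if not asset_arns:
        raise ValueError("refusing to build a policy with no assets; that tends to become Resource '*'")
    for arn in asset_arns:
        if not arn.startswith("arn:aws:iotsitewise:") or ":asset/" not in arn:
            raise ValueError(f"not a SiteWise asset ARN: {arn}")
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": list(PORTAL_READ_ACTIONS), "Resource": list(asset_arns)}],
    }


def overbroad_statements(policy):
    """Return indexes of Allow statements that grant iotsitewise access with a wildcard
    action or a wildcard resource, i.e. more than a minimum set of assets."""
    flagged = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = st.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        touches_sitewise = any(a == "*" or a.lower().startswith("iotsitewise:") for a in actions)
        wildcard_action = any(a == "*" or a.endswith("*") for a in actions)
        wildcard_resource = any(r == "*" or r.endswith(":asset/*") for r in resources)
        if touches_sitewise and (wildcard_action or wildcard_resource):
            flagged.append(i)
    return flagged


# Constructed inputs.
SAMPLE_ASSET_ARNS = [
    "arn:aws:iotsitewise:us-east-1:123456789012:asset/a1b2c3d4-5678-90ab-cdef-11111EXAMPLE",
    "arn:aws:iotsitewise:us-east-1:123456789012:asset/a1b2c3d4-5678-90ab-cdef-22222EXAMPLE",
]
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iotsitewise:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["logs:CreateLogStream"], "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(scoped_portal_policy(SAMPLE_ASSET_ARNS), indent=2))
    print("overbroad statements:", overbroad_statements(OVERBROAD_POLICY))
```

`overbroad_statements` deliberately ignores non-SiteWise statements such as the CloudWatch Logs one, so it can run over an existing role without drowning the result in unrelated noise; the same check is a reasonable gate on any role you attach to a portal.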
Don't expose sensitive information
Prevent credentials and other sensitive information, such as personally identifiable information (PII), from being written to logs. Reading local logs on a SiteWise Edge gateway requires root privileges and reading CloudWatch Logs requires IAM permissions, but those controls only restrict who can read the logs; they don't keep sensitive values out of them. We recommend that you implement the following safeguards:
- Don't use sensitive information in names, descriptions, or properties of your assets or models.
- Don't use sensitive information in SiteWise Edge gateway or source names.
- Don't use sensitive information in names or descriptions of your portals, projects, or dashboards.
Follow AWS IoT Greengrass security best practices
Follow AWS IoT Greengrass security best practices for your SiteWise Edge gateway. For more information, see Security best practices in the AWS IoT Greengrass Version 1 Developer Guide.
See also
- Security best practices in the AWS IoT Developer Guide