Security
When you build systems on AWS infrastructure, security responsibilities are shared between you and AWS. This shared responsibility model
IAM roles
IAM roles allow customers to assign granular access policies and permissions to services and users on the AWS Cloud. This solution creates IAM roles that grant the solution’s AWS Lambda functions access to read and write to Amazon DynamoDB, publish to an IoT endpoint, read from the Amazon S3 bucket used to host routes, and start the AWS Step Functions state machine.
AWS IoT Core policies
AWS IoT Core policies allow you to control access to the AWS IoT data plane. The AWS IoT data plane consists of operations that allow you to connect to the AWS IoT message broker and send and receive MQ Telemetry Transport (MQTT) messages. The IoT Device Simulator solution creates an AWS IoT policy which allows the web interface to connect to AWS IoT Core, subscribe, and receive MQTT messages.
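The web interface policy described above grants only connect, subscribe and receive on the IoT data plane. The following added example (not the solution's own code) audits a policy document against that expected action set and flags wildcard actions or unrestricted resources; the sample policies, account id, region and topic names are constructed placeholders.

```python
import json

# Actions the web interface needs per the text: connect, subscribe, receive.
WEB_UI_ALLOWED_ACTIONS = {"iot:Connect", "iot:Subscribe", "iot:Receive"}

# Constructed sample (not the solution's actual policy): scoped to the
# caller's own client id and one topic namespace. Account id is a placeholder.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect",
         "Resource": "arn:aws:iot:us-east-1:111122223333:client/${iot:ClientId}"},
        {"Effect": "Allow", "Action": "iot:Subscribe",
         "Resource": "arn:aws:iot:us-east-1:111122223333:topicfilter/simulator/*"},
        {"Effect": "Allow", "Action": "iot:Receive",
         "Resource": "arn:aws:iot:us-east-1:111122223333:topic/simulator/*"},
    ],
})

# Constructed over-broad policy for comparison: wildcard action and resource.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iot:*", "Resource": "*"}],
})


def _as_list(value):
    # IoT policy fields may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def audit_iot_policy(policy_json, allowed_actions=WEB_UI_ALLOWED_ACTIONS):
    """Return a list of findings; an empty list means the policy stays in scope."""
    findings = []
    for idx, stmt in enumerate(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access, never widen it
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"statement {idx}: wildcard action {action}")
            elif action not in allowed_actions:
                findings.append(f"statement {idx}: unexpected action {action}")
        for resource in _as_list(stmt.get("Resource", "*")):
            if resource == "*":
                findings.append(f"statement {idx}: unrestricted resource")
    return findings


if __name__ == "__main__":
    print("scoped:", audit_iot_policy(SCOPED_POLICY))  # []
    print("broad:", audit_iot_policy(BROAD_POLICY))
```

Run the audit against the policy attached to the deployed web identity after each solution update, since a later template revision could widen it (for example by adding iot:Publish) without any visible change in the web interface.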
Amazon CloudFront
This solution deploys a web interface hosted in an Amazon S3 bucket. To help reduce latency and improve security, this solution includes an Amazon CloudFront distribution with an origin access identity, which is a CloudFront user that provides public access to the solution’s website bucket contents. For more information, refer to Restricting Access to Amazon S3 Content by Using an Origin Access Identity in the Amazon CloudFront Developer Guide.
Amazon API Gateway
This solution deploys an API Gateway REST API and uses the default API endpoint and Secure Sockets Layer (SSL) certificate. The default API endpoint supports only the TLSv1 protocol. To use a later version of Transport Layer Security (TLS), use your own domain name and custom SSL certificate. For more information, refer to Choosing a minimum TLS version for a custom domain in API Gateway in the Amazon API Gateway Developer Guide.