AWS::IoT::AccountAuditConfiguration AuditCheckConfigurations
The types of audit checks that can be performed.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{ "AuthenticatedCognitoRoleOverlyPermissiveCheck" :AuditCheckConfiguration, "CaCertificateExpiringCheck" :AuditCheckConfiguration, "CaCertificateKeyQualityCheck" :AuditCheckConfiguration, "ConflictingClientIdsCheck" :AuditCheckConfiguration, "DeviceCertificateExpiringCheck" :AuditCheckConfiguration, "DeviceCertificateKeyQualityCheck" :AuditCheckConfiguration, "DeviceCertificateSharedCheck" :AuditCheckConfiguration, "IntermediateCaRevokedForActiveDeviceCertificatesCheck" :AuditCheckConfiguration, "IotPolicyOverlyPermissiveCheck" :AuditCheckConfiguration, "IoTPolicyPotentialMisConfigurationCheck" :AuditCheckConfiguration, "IotRoleAliasAllowsAccessToUnusedServicesCheck" :AuditCheckConfiguration, "IotRoleAliasOverlyPermissiveCheck" :AuditCheckConfiguration, "LoggingDisabledCheck" :AuditCheckConfiguration, "RevokedCaCertificateStillActiveCheck" :AuditCheckConfiguration, "RevokedDeviceCertificateStillActiveCheck" :AuditCheckConfiguration, "UnauthenticatedCognitoRoleOverlyPermissiveCheck" :AuditCheckConfiguration}
YAML
AuthenticatedCognitoRoleOverlyPermissiveCheck:AuditCheckConfigurationCaCertificateExpiringCheck:AuditCheckConfigurationCaCertificateKeyQualityCheck:AuditCheckConfigurationConflictingClientIdsCheck:AuditCheckConfigurationDeviceCertificateExpiringCheck:AuditCheckConfigurationDeviceCertificateKeyQualityCheck:AuditCheckConfigurationDeviceCertificateSharedCheck:AuditCheckConfigurationIntermediateCaRevokedForActiveDeviceCertificatesCheck:AuditCheckConfigurationIotPolicyOverlyPermissiveCheck:AuditCheckConfigurationIoTPolicyPotentialMisConfigurationCheck:AuditCheckConfigurationIotRoleAliasAllowsAccessToUnusedServicesCheck:AuditCheckConfigurationIotRoleAliasOverlyPermissiveCheck:AuditCheckConfigurationLoggingDisabledCheck:AuditCheckConfigurationRevokedCaCertificateStillActiveCheck:AuditCheckConfigurationRevokedDeviceCertificateStillActiveCheck:AuditCheckConfigurationUnauthenticatedCognitoRoleOverlyPermissiveCheck:AuditCheckConfiguration
Properties
AuthenticatedCognitoRoleOverlyPermissiveCheck-
Checks the permissiveness of an authenticated Amazon Cognito identity pool role. For this check, AWS IoT Device Defender audits all Amazon Cognito identity pools that have been used to connect to the AWS IoT message broker during the 31 days before the audit is performed.
Required: No
Type: AuditCheckConfiguration
Update requires: No interruption
CaCertificateExpiringCheck-
Checks if a CA certificate is expiring. This check applies to CA certificates expiring within 30 days or that have expired.
Required: No
Type: AuditCheckConfiguration
Update requires: No interruption
CaCertificateKeyQualityCheck-
Checks the quality of the CA certificate key. The quality checks if the key is in a valid format, not expired, and if the key meets a minimum required size. This check applies to CA certificates that are
ACTIVEorPENDING_TRANSFER.Required: No
Type: AuditCheckConfiguration
Update requires: No interruption
ConflictingClientIdsCheck-
Checks if multiple devices connect using the same client ID.
Required: No
Type: AuditCheckConfiguration
Update requires: No interruption
DeviceCertificateExpiringCheck-
Checks if a device certificate is expiring. This check applies to device certificates expiring within 30 days or that have expired.
Required: No
Type: AuditCheckConfiguration
Update requires: No interruption
DeviceCertificateKeyQualityCheck-
Checks the quality of the device certificate key. The quality checks if the key is in a valid format, not expired, signed by a registered certificate authority, and if the key meets a minimum required size.
Required: No
Type: AuditCheckConfiguration
Update requires: No interruption
-
Checks if multiple concurrent connections use the same X.509 certificate to authenticate with AWS IoT.
Required: No
Type: AuditCheckConfiguration
Update requires: No interruption
IntermediateCaRevokedForActiveDeviceCertificatesCheck-
Checks if device certificates are still active despite being revoked by an intermediate CA.
Required: No
Type: AuditCheckConfiguration
Update requires: No interruption
IotPolicyOverlyPermissiveCheck-
Checks the permissiveness of a policy attached to an authenticated Amazon Cognito identity pool role.
Required: No
Type: AuditCheckConfiguration
Update requires: No interruption
IoTPolicyPotentialMisConfigurationCheck-
Checks if an AWS IoT policy is potentially misconfigured. Misconfigured policies, including overly permissive policies, can cause security incidents like allowing devices access to unintended resources. This check is a warning for you to make sure that only intended actions are allowed before updating the policy.
Required: No
Type: AuditCheckConfiguration
Update requires: No interruption
IotRoleAliasAllowsAccessToUnusedServicesCheck-
Checks if a role alias has access to services that haven't been used for the AWS IoT device in the last year.
Required: No
Type: AuditCheckConfiguration
Update requires: No interruption
IotRoleAliasOverlyPermissiveCheck-
Checks if the temporary credentials provided by AWS IoT role aliases are overly permissive.
Required: No
Type: AuditCheckConfiguration
Update requires: No interruption
LoggingDisabledCheck-
Checks if AWS IoT logs are disabled.
Required: No
Type: AuditCheckConfiguration
Update requires: No interruption
RevokedCaCertificateStillActiveCheck-
Checks if a revoked CA certificate is still active.
Required: No
Type: AuditCheckConfiguration
Update requires: No interruption
RevokedDeviceCertificateStillActiveCheck-
Checks if a revoked device certificate is still active.
Required: No
Type: AuditCheckConfiguration
Update requires: No interruption
UnauthenticatedCognitoRoleOverlyPermissiveCheck-
Checks if policy attached to an unauthenticated Amazon Cognito identity pool role is too permissive.
Required: No
Type: AuditCheckConfiguration
Update requires: No interruption
