Configure logging and monitoring for security events in your AWS IoT environment - AWS Prescriptive Guidance

Configure logging and monitoring for security events in your AWS IoT environment

Created by Prateek Prakash (AWS)

Environment: Production

Technologies: IoT; Security, identity, compliance; Operations

Workload: All other workloads

AWS services: Amazon CloudWatch; Amazon OpenSearch Service; Amazon GuardDuty; AWS IoT Core; AWS IoT Device Defender; AWS IoT Device Management; Amazon CloudWatch Logs

Summary

Ensuring that your Internet of Things (IoT) environments are secure is an important priority, particularly because organizations are connecting billions of devices to their IT environments. This pattern provides a reference architecture that you can use to implement logging and monitoring for security events across your IoT environment on the Amazon Web Services (AWS) Cloud. Typically, an IoT environment on the AWS Cloud has the following three layers:

  • IoT devices that generate relevant telemetry data.

  • AWS IoT services (for example, AWS IoT Core, AWS IoT Device Management, or AWS IoT Device Defender) that connect your IoT devices to other devices and AWS services.

  • Backend AWS services that help process telemetry data and provide useful insights for your different business use cases.

The best practices provided by the AWS IoT Lens - AWS Well-Architected Framework whitepaper can help you review and improve your cloud-based architecture and better understand the business impact of your design decisions. An important recommendation is that you analyze application logs and metrics on your devices and in the AWS Cloud. You can achieve this by leveraging different approaches and techniques (for example, threat modeling) to identify metrics and events that must be monitored to detect potential security issues. 

This pattern describes how to use AWS IoT and security services to design and implement a security logging and monitoring reference architecture for an IoT environment on the AWS Cloud. This architecture builds on existing AWS security best practices and applies them to your IoT environment.

Prerequisites and limitations

Prerequisites 

  • An existing landing zone environment. For more information about this, see the guide Setting up a secure and scalable multi-account AWS environment on the AWS Prescriptive Guidance website.

  • The following accounts must be available in your landing zone:

    • Log Archive account – This account is for users that need to access the logging information for accounts in your landing zone’s organizational units (OUs). For more information about this, see the Security OU – Log Archive account section of the guide AWS Security Reference Architecture on the AWS Prescriptive Guidance website.

    • Security account – Your security and compliance teams use this account for auditing or to perform emergency security operations. This account is also designated as the administrator account for Amazon GuardDuty. Users from the administrator account can configure GuardDuty, in addition to viewing and managing GuardDuty findings for their own account and all member accounts. For more information about this, see Managing multiple accounts in GuardDuty in the Amazon GuardDuty documentation.

    • IoT account – This account is for your IoT environment.

Architecture

This pattern extends the Centralized Logging solution from the AWS Solutions Library to collect and process security-related IoT events. The Centralized Logging solution is deployed in the Security account and consolidates, manages, and analyzes log files from multiple sources, and it uses Amazon OpenSearch Service and OpenSearch Dashboards to show a unified view of all log events in a single dashboard.

The following architecture diagram shows the key components of an IoT security logging and monitoring reference architecture on the AWS Cloud.

A solution that logs and monitors security events across your IoT environment on the AWS Cloud.

The diagram shows the following workflow:

  1. IoT things are the devices that must be monitored for anomalous security events. These devices run an agent to publish security events or metrics to AWS IoT Core and AWS IoT Device Defender.

  2. When AWS IoT logging is enabled, AWS IoT Core writes progress events to Amazon CloudWatch Logs for each message as it passes from your devices through the message broker and the rules engine. You can use CloudWatch Logs subscriptions to push these events to the Centralized Logging solution. For more information about this, see AWS IoT metrics and dimensions in the AWS IoT Core documentation.

  3. AWS IoT Device Defender monitors your IoT devices for insecure configurations and anomalous security metrics. When an anomaly is detected, Device Defender publishes an alarm to an Amazon Simple Notification Service (Amazon SNS) topic that has an AWS Lambda function as a subscriber. The Lambda function writes the alarm as a message to CloudWatch Logs, and you can use CloudWatch Logs subscriptions to push those events to your Centralized Logging solution. For more information about this, see Audit checks, Device-side metrics, and Cloud-side metrics in the AWS IoT Core documentation.

  4. AWS CloudTrail logs AWS IoT Core control plane actions that make changes (for example, API calls that create, update, or attach resources such as things, policies, and certificates). When CloudTrail is set up as part of a landing zone implementation, it sends events to CloudWatch Logs, and you can use subscriptions to push those events to your Centralized Logging solution.

  5. AWS Config managed rules or custom rules evaluate resources that are part of your IoT environment. Monitor your compliance change notifications using CloudWatch Events with CloudWatch Logs as the target. After compliance change notifications are sent to CloudWatch Logs, you can use subscriptions to push events to your Centralized Logging solution.

  6. Amazon GuardDuty continuously analyzes CloudTrail management events and helps identify API calls made to AWS IoT Core endpoints from known malicious IP addresses, unusual geolocations, or anonymizing proxies. Monitor GuardDuty findings by using Amazon CloudWatch Events with log groups in CloudWatch Logs as the target. When GuardDuty findings are sent to CloudWatch Logs, you can use subscriptions to push them to your Centralized Logging solution, or use the GuardDuty console in your Security account to view them.

  7. AWS Security Hub checks your IoT account against security best practices. Monitor Security Hub findings by using CloudWatch Events with log groups in CloudWatch Logs as the target. When Security Hub findings are sent to CloudWatch Logs, use subscriptions to push them to your Centralized Logging solution, or use the Security Hub console in your Security account to view them.

  8. Amazon Detective correlates CloudTrail and GuardDuty data so that you can isolate the root cause of, and act on, security findings such as unusual calls to AWS IoT endpoints or to other services in your IoT architecture.

  9. Amazon Athena queries logs stored in your Log Archive account to enhance your understanding of security findings and identify trends and malicious activities.
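The workflow above lands events from three very different producers (AWS IoT Core logs, Device Defender alarms, and GuardDuty findings) in the same index, so an analyst needs them in one shape before they can pivot on a client ID or source IP across sources. The following Python module is an added example, not code from this pattern or from the Centralized Logging solution. It normalizes all three shapes into one record and includes the step 3 Lambda subscriber that moves SNS alarms into CloudWatch Logs. The sample events are constructed to mirror the documented field names, and the log group and stream names are assumptions.

```python
"""Normalizer for the three event sources in the workflow above, plus the
SNS -> CloudWatch Logs Lambda hop from step 3. All sample events are
constructed to mirror the documented shapes, not captured from a live account."""
import json
import time
from typing import Any, Dict, List

# Constructed sample: one AWS IoT Core log entry from the AWSIotLogsV2 log group.
IOT_CORE_LOG_ENTRY = {
    "timestamp": "2021-09-01 10:15:30.000", "logLevel": "ERROR", "accountId": "111122223333",
    "status": "Failure", "eventType": "Connect", "protocol": "MQTT", "clientId": "sensor-0042",
    "principalId": "abcd1234", "sourceIp": "203.0.113.9", "sourcePort": 40123,
    "reason": "AUTHORIZATION_FAILURE", "details": "Authorization Failure",
}
# Constructed sample: Device Defender Detect violation as published to the SNS alert target.
DEVICE_DEFENDER_ALARM = {
    "violationEventTime": 1630491330000, "thingName": "sensor-0042", "securityProfileName": "iot-baseline",
    "violationEventType": "in-alarm", "violationId": "f0e1d2c3", "metricValue": {"count": 7},
    "behavior": {"name": "auth-failures", "metric": "aws:num-authorization-failures",
                 "criteria": {"comparisonOperator": "greater-than", "value": {"count": "3"},
                              "durationSeconds": 300}},
}
# Constructed sample: GuardDuty finding as delivered by a CloudWatch Events rule.
GUARDDUTY_FINDING_EVENT = {
    "detail-type": "GuardDuty Finding", "source": "aws.guardduty", "account": "111122223333",
    "region": "us-east-1", "time": "2021-09-01T10:16:00Z",
    "detail": {"id": "9ab8c7d6e5f4", "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller", "severity": 5,
               "resource": {"accessKeyDetails": {"userName": "iot-deployer", "userType": "IAMUser"}},
               "service": {"action": {"awsApiCallAction": {
                   "api": "AttachPolicy", "serviceName": "iot.amazonaws.com",
                   "remoteIpDetails": {"ipAddressV4": "198.51.100.7"}}}}},
}


def guardduty_severity_band(score: float) -> str:
    """GuardDuty documents 0.1-3.9 as low, 4.0-6.9 as medium and 7.0-8.9 as high."""
    if score >= 7.0:
        return "high"
    return "medium" if score >= 4.0 else "low"


def normalize(event: Dict[str, Any]) -> Dict[str, Any]:
    """Map any of the three shapes onto one record (source, event_time, severity,
    identity, source_ip, summary, raw) so the central index can pivot across them."""
    if event.get("source") == "aws.guardduty":
        d = event["detail"]
        action = d.get("service", {}).get("action", {}).get("awsApiCallAction", {})
        return {"source": "guardduty", "event_time": event.get("time"),
                "severity": guardduty_severity_band(float(d.get("severity", 0))),
                "identity": d.get("resource", {}).get("accessKeyDetails", {}).get("userName"),
                "source_ip": action.get("remoteIpDetails", {}).get("ipAddressV4"),
                "summary": f'{d.get("type")}: {action.get("api")} on {action.get("serviceName")}',
                "raw": event}
    if "violationEventType" in event:
        b, state = event["behavior"], event["violationEventType"]
        when = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(event["violationEventTime"] / 1000))
        return {"source": "device-defender", "event_time": when,
                "severity": "high" if state == "in-alarm" else "info",
                "identity": event.get("thingName"), "source_ip": None,
                "summary": f'{b["name"]} ({b["metric"]}) {state}, value={event.get("metricValue")}',
                "raw": event}
    if "eventType" in event and "logLevel" in event:
        failed = event.get("status") == "Failure"
        return {"source": "iot-core", "event_time": event.get("timestamp"),
                "severity": "medium" if failed else "info",
                "identity": event.get("clientId"), "source_ip": event.get("sourceIp"),
                "summary": f'{event["eventType"]} {event.get("status")} {event.get("reason", "")}'.strip(),
                "raw": event}
    # Unknown shapes are an error, not something to index quietly and lose.
    raise ValueError("unrecognized event shape")


class RecordingLogsClient:
    """Stand-in for boto3's CloudWatch Logs client so the handler can run offline."""
    def __init__(self) -> None:
        self.calls: List[Dict[str, Any]] = []

    def put_log_events(self, **kwargs: Any) -> Dict[str, Any]:
        self.calls.append(kwargs)
        return {}


def sns_envelope(messages: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Wrap payloads the way SNS hands them to a Lambda subscriber."""
    return {"Records": [{"Sns": {"Message": json.dumps(m)}} for m in messages]}


def lambda_handler(event: Dict[str, Any], context: Any = None, logs_client: Any = None,
                   log_group: str = "/iot/device-defender/alarms",
                   log_stream: str = "alarms") -> List[Dict[str, Any]]:
    """Step 3 subscriber: normalize each SNS alarm and write it to CloudWatch Logs.
    log_group and log_stream are assumed names; create them before deploying."""
    if logs_client is None:
        import boto3  # imported lazily so normalize() stays usable without the SDK
        logs_client = boto3.client("logs")
    records = [normalize(json.loads(r["Sns"]["Message"])) for r in event.get("Records", [])]
    if records:
        now_ms = int(time.time() * 1000)
        logs_client.put_log_events(logGroupName=log_group, logStreamName=log_stream,
                                   logEvents=[{"timestamp": now_ms, "message": json.dumps(r)}
                                              for r in records])
    return records


if __name__ == "__main__":
    for sample in (IOT_CORE_LOG_ENTRY, DEVICE_DEFENDER_ALARM, GUARDDUTY_FINDING_EVENT):
        print(json.dumps({k: v for k, v in normalize(sample).items() if k != "raw"}))
```

Keeping the `raw` payload on every record preserves the fields the normalizer does not promote, so an analyst in OpenSearch Dashboards can still reach, say, the Device Defender `violationId` when opening a case. The handler refuses unrecognized shapes rather than indexing them, which surfaces a misconfigured SNS subscription instead of hiding it.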

Tools

  • Amazon Athena is an interactive query service that makes it easy to analyze data directly in Amazon Simple Storage Service (Amazon S3) using standard SQL.

  • AWS CloudTrail helps you enable governance, compliance, and operational and risk auditing of your AWS account.

  • Amazon CloudWatch monitors your AWS resources and the applications you run on AWS in real time. You can use CloudWatch to collect and track metrics, which are variables you can measure for your resources and applications.

  • Amazon CloudWatch Logs centralizes the logs from all your systems, applications, and AWS services that you use. You can view and monitor the logs, search them for specific error codes or patterns, filter them based on specific fields, or archive them securely for future analysis. 

  • AWS Config provides a detailed view of the configuration of AWS resources in your AWS account.

  • Amazon Detective makes it easy to analyze, investigate, and quickly identify the root cause of security findings or suspicious activities.

  • AWS Glue is a fully managed extract, transform, and load (ETL) service that makes it simple and cost-effective to categorize your data, clean it, enrich it, and move it reliably between various data stores and data streams.

  • Amazon GuardDuty is a continuous security monitoring service.

  • AWS IoT Core provides secure, bi-directional communication for Internet-connected devices (such as sensors, actuators, embedded devices, wireless devices, and smart appliances) to connect to the AWS Cloud over MQTT, HTTPS, and LoRaWAN.

  • AWS IoT Device Defender is a security service that allows you to audit the configuration of your devices, monitor connected devices to detect abnormal behavior, and mitigate security risks.

  • Amazon OpenSearch Service is a managed service that makes it easy to deploy, operate, and scale OpenSearch clusters in the AWS Cloud.

  • AWS Organizations is an account management service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage.

  • AWS Security Hub provides you with a comprehensive view of your security state in AWS and helps you check your environment against security industry standards and best practices.

  • Amazon Virtual Private Cloud (Amazon VPC) provisions a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you've defined. This virtual network closely resembles a traditional network that you'd operate in your own data center, with the benefits of using the scalable infrastructure of AWS.

Epics

Task: Validate the security guardrails in the IoT account.

Description: Validate that the guardrails for CloudTrail, AWS Config, GuardDuty, and Security Hub are enabled in your IoT account.

Skills required: AWS administrator

Task: Validate that your IoT account is configured as a member account of your Security account.

Description: Validate that your IoT account is configured and associated as a member account for GuardDuty and Security Hub in your Security account. For more information about this, see Managing GuardDuty accounts with AWS Organizations in the Amazon GuardDuty documentation and Managing administrator and member accounts in the AWS Security Hub documentation.

Skills required: AWS administrator

Task: Validate log archiving.

Description: Validate that CloudTrail, AWS Config, and VPC Flow Logs are stored in the Log Archive account.

Skills required: AWS administrator
Task: Set up the Centralized Logging solution in your Security account.

Description: Sign in to the AWS Management Console for your Security account and set up the Centralized Logging solution from the AWS Solutions Library to collect, analyze, and display CloudWatch Logs in Amazon OpenSearch Service and OpenSearch Dashboards. For more information about this, see Collect, analyze, and display Amazon CloudWatch Logs in a single dashboard with the Centralized Logging solution in the Centralized Logging implementation guide in the AWS Solutions Library.

Skills required: AWS administrator
Task: Set up AWS IoT logging.

Description: Sign in to the AWS Management Console for your IoT account. Set up and configure AWS IoT Core to send logs to CloudWatch Logs. For more information about this, see Configure AWS IoT logging and Monitor AWS IoT using CloudWatch Logs in the AWS IoT Core documentation.

Skills required: AWS administrator

Task: Set up AWS IoT Device Defender.

Description: Set up AWS IoT Device Defender to audit your IoT resources and detect anomalies. For more information about this, see Getting started with AWS IoT Device Defender in the AWS IoT Core documentation.

Skills required: AWS administrator

Task: Set up CloudTrail.

Description: Set up CloudTrail to send events to CloudWatch Logs. For more information about this, see Sending events to CloudWatch Logs in the AWS CloudTrail documentation.

Skills required: AWS administrator

Task: Set up AWS Config and AWS Config rules.

Description: Set up AWS Config and the required AWS Config rules. For more information about this, see Setting up AWS Config with the console and Setting up AWS Config rules with the console in the AWS Config documentation.

Skills required: AWS administrator

Task: Set up GuardDuty.

Description: Set up and configure GuardDuty to send findings to Amazon CloudWatch Events with log groups in CloudWatch Logs as the target. For more information about this, see Creating custom responses to GuardDuty findings with Amazon CloudWatch Events in the Amazon GuardDuty documentation.

Skills required: AWS administrator

Task: Set up Security Hub.

Description: Set up Security Hub and enable the CIS AWS Foundations Benchmark and AWS Foundational Security Best Practices standards. For more information about this, see Automated response and remediation in the AWS Security Hub documentation.

Skills required: AWS administrator

Task: Set up Amazon Detective.

Description: Set up Detective to facilitate analysis of security findings. For more information about this, see Setting up Amazon Detective in the Amazon Detective documentation.

Skills required: AWS administrator

Task: Set up Amazon Athena and AWS Glue.

Description: Set up Athena and AWS Glue to query the AWS service logs used during security incident investigations. For more information about this, see Querying AWS service logs in the Amazon Athena documentation.

Skills required: AWS administrator
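The IoT-account tasks above are console walkthroughs; an engineer repeating them across accounts will want the same steps as code. The following Python script is an added example, not code from this pattern or from AWS. Builder functions produce and validate the API payloads (a Device Defender security profile, the CloudWatch Events patterns for GuardDuty, Security Hub and AWS Config, and the log-group resource policy those rules need), and `apply()` makes the boto3 calls for AWS IoT logging, the security profile, the rules, and the subscription filters toward the Centralized Logging destination. Every ARN, name, CIDR range and threshold is an assumption, and the metric classification lists should be checked against the current Device Defender documentation.

```python
"""Apply the IoT-account epics above with boto3. Pure builder functions produce the
API payloads (and validate them); apply() makes the calls. All ARNs, names and the
metric lists are assumptions to check against your account and the AWS IoT docs."""
import json
from typing import Any, Dict, Optional

# Detect metrics that accumulate over a window and therefore require durationSeconds,
# versus point-in-time metrics that must not carry one (assumed from the Device Defender docs).
CUMULATIVE_METRICS = {"aws:num-messages-received", "aws:num-messages-sent", "aws:all-bytes-in",
                      "aws:all-bytes-out", "aws:num-authorization-failures",
                      "aws:num-connection-attempts", "aws:num-disconnects"}
POINT_METRICS = {"aws:message-byte-size", "aws:source-ip-address", "aws:listening-tcp-ports",
                 "aws:num-listening-tcp-ports", "aws:listening-udp-ports",
                 "aws:num-listening-udp-ports", "aws:num-established-tcp-connections"}

# CloudWatch Events patterns that route GuardDuty, Security Hub and AWS Config notifications.
EVENT_PATTERNS = {
    "guardduty-findings": {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]},
    "securityhub-findings": {"source": ["aws.securityhub"],
                             "detail-type": ["Security Hub Findings - Imported"]},
    "config-compliance": {"source": ["aws.config"], "detail-type": ["Config Rules Compliance Change"]},
}


def behavior(name: str, metric: str, operator: str, value: Dict[str, Any],
             duration_seconds: Optional[int] = None, datapoints_to_alarm: int = 1) -> Dict[str, Any]:
    """Build one Detect behavior, rejecting window settings the service would refuse."""
    if metric not in CUMULATIVE_METRICS | POINT_METRICS:
        raise ValueError(f"unknown cloud-side metric {metric}")
    if metric in CUMULATIVE_METRICS and duration_seconds is None:
        raise ValueError(f"{metric} is cumulative and needs durationSeconds")
    if metric in POINT_METRICS and duration_seconds is not None:
        raise ValueError(f"{metric} is point-in-time; durationSeconds is not allowed")
    if not 1 <= datapoints_to_alarm <= 10:
        raise ValueError("consecutiveDatapointsToAlarm must be between 1 and 10")
    criteria: Dict[str, Any] = {"comparisonOperator": operator, "value": value,
                                "consecutiveDatapointsToAlarm": datapoints_to_alarm,
                                "consecutiveDatapointsToClear": 1}
    if duration_seconds is not None:
        criteria["durationSeconds"] = duration_seconds
    return {"name": name, "metric": metric, "criteria": criteria}


def security_profile(name: str, alarm_topic_arn: str, defender_role_arn: str) -> Dict[str, Any]:
    """CreateSecurityProfile payload: baseline behaviors plus the SNS alert target from step 3."""
    return {
        "securityProfileName": name,
        "securityProfileDescription": "Baseline cloud-side anomaly detection for IoT things",
        "behaviors": [
            behavior("auth-failures", "aws:num-authorization-failures", "greater-than", {"count": "3"}, 300),
            behavior("connect-storm", "aws:num-connection-attempts", "greater-than", {"count": "10"}, 300),
            behavior("oversized-msg", "aws:message-byte-size", "greater-than", {"count": "4096"}),
            # 10.0.0.0/8 stands in for the fleet's expected egress range (assumption).
            behavior("unexpected-ip", "aws:source-ip-address", "not-in-cidr-set", {"cidrs": ["10.0.0.0/8"]}),
        ],
        "alertTargets": {"SNS": {"alertTargetArn": alarm_topic_arn, "roleArn": defender_role_arn}},
    }


def events_to_logs_policy(region: str, account_id: str) -> Dict[str, Any]:
    """Log-group resource policy that lets CloudWatch Events write to the /security/* groups.
    The console adds this for you; the API does not, and without it rule deliveries fail."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Service": "events.amazonaws.com"},
        "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
        "Resource": f"arn:aws:logs:{region}:{account_id}:log-group:/security/*:*"}]}


def apply(region: str, account_id: str, iot_logging_role_arn: str, defender_role_arn: str,
          alarm_topic_arn: str, central_destination_arn: str, session: Any = None) -> None:
    """Make the calls in the IoT account. Needs credentials; not run by the offline checks."""
    import boto3  # imported lazily so the builders above can be tested without the SDK
    session = session or boto3.Session(region_name=region)
    iot, logs, events = session.client("iot"), session.client("logs"), session.client("events")
    # Set up AWS IoT logging: INFO level, written to the AWSIotLogsV2 log group.
    iot.set_v2_logging_options(roleArn=iot_logging_role_arn, defaultLogLevel="INFO", disableAllLogs=False)
    # Set up Device Defender: create the profile and attach it to every thing in the account.
    profile = security_profile("iot-baseline", alarm_topic_arn, defender_role_arn)
    iot.create_security_profile(**profile)
    iot.attach_security_profile(securityProfileName=profile["securityProfileName"],
                                securityProfileTargetArn=f"arn:aws:iot:{region}:{account_id}:all/things")
    # GuardDuty, Security Hub and AWS Config: one rule and one log group each.
    logs.put_resource_policy(policyName="events-to-security-logs",
                             policyDocument=json.dumps(events_to_logs_policy(region, account_id)))
    for rule_name, pattern in EVENT_PATTERNS.items():
        group = f"/security/{rule_name}"
        try:
            logs.create_log_group(logGroupName=group)
        except logs.exceptions.ResourceAlreadyExistsException:
            pass
        events.put_rule(Name=rule_name, EventPattern=json.dumps(pattern), State="ENABLED")
        events.put_targets(Rule=rule_name, Targets=[{
            "Id": "log-group", "Arn": f"arn:aws:logs:{region}:{account_id}:log-group:{group}"}])
    # Subscribe every group to the Centralized Logging destination in the Security account.
    groups = ["AWSIotLogsV2", "/iot/device-defender/alarms"] + [f"/security/{n}" for n in EVENT_PATTERNS]
    for group in groups:
        logs.put_subscription_filter(logGroupName=group, filterName="to-centralized-logging",
                                     filterPattern="", destinationArn=central_destination_arn)
```

Two things to check before running `apply()`: the role passed as `defender_role_arn` must trust `iot.amazonaws.com` and allow `sns:Publish` on the alarm topic, and the CloudWatch Logs destination in the Security account must carry an access policy that names the IoT account, otherwise `put_subscription_filter` is rejected. The validator in `behavior()` catches the common mistake of omitting `durationSeconds` on a cumulative metric, which the CreateSecurityProfile API otherwise reports only as a generic validation error.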

Related resources