AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)
Transcript of AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)
![Page 1: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/1.jpg)
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Jan Metzner, Anton Shmagin, AWS
Kerry Maletsky, Microchip/Atmel
November 30, 2016
IOT302
IoT Security: The New Frontiers
@janmetzner @y0na75
![Page 2: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/2.jpg)
What to expect from the session
• System, transport and thing security
• Fine-grained authorization
• Thing management
• Pub/sub data access
• AWS services integration
• Incident response
• End-to-end IoT security (demo)
![Page 3: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/3.jpg)
The idea for this talk started from this quote …
“Every IoT security article:
• IoT is big
• IoT security is bad
• Consequences are scary
• Change default settings
• Buy my product
• Problem not solved …”
Dr. Sarah Cooper
June 2, 2016
![Page 4: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/4.jpg)
All things around us are getting connected
![Page 5: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/5.jpg)
Things will proliferate
(chart: number of things from 2013 to 2020 for the Vertical Industry, Generic Industry, Consumer and Automotive segments, scale Some / Many / Lots)
![Page 6: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/6.jpg)
Many devices are not enforcing security
Mirai bot default passwords
![Page 7: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/7.jpg)
Connected ≠ smart

| Internet 1985 | IoT 2015 |
|---|---|
| Gopher | HTTP |
| FTP | MQTT |
| NNTP | CoAP |
| Telnet | XMPP |
| Archie | AMQP |
![Page 8: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/8.jpg)
Not a typical apocalyptic IoT talk
![Page 9: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/9.jpg)
IoT security needs to be effective yet simple
“… pilots and race car drivers were willing to put on almost anything to keep them safe in case of a crash, but regular people in cars don't want to be uncomfortable even for a minute.”
Nils Bohlin
![Page 10: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/10.jpg)
Multiple attack vectors
![Page 11: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/11.jpg)
System, transport, and thing security
(diagram: three layers, System, Transport and Thing, plotted against risk)
![Page 12: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/12.jpg)
Typical SoC
(diagram: a SoM containing a SoC with the following blocks)
• CPU/MCU
• Memory
• Baseband
• Location
• WLAN
• BLE
• LPWAN
• NFC
• HW Crypto
![Page 13: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/13.jpg)
Connectivity options
(diagram: direct or via gateway)
• Satellite
• Wi-Fi
• Cellular
• LPWAN
• Bluetooth
• Other: IEEE 802.15.4, ZigBee, Z-Wave, Thread
![Page 14: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/14.jpg)
AWS IoT
![Page 15: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/15.jpg)
Incident response in AWS IoT
![Page 16: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/16.jpg)
Incident response in AWS IoT
CWE executes a Lambda function to invalidate the certificate
![Page 17: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/17.jpg)
Time to connect someTHING …
![Page 18: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/18.jpg)
One service, three protocols

| | MQTT + mutual auth TLS | WebSocket + AWS auth | HTTPS + AWS auth |
|---|---|---|---|
| Server auth | TLS + cert | TLS + cert | TLS + cert |
| Client auth | TLS + cert | AWS credentials (API keys) | AWS credentials (API keys) |
| Confidentiality | TLS | TLS | TLS |
| Protocol | MQTT | HTTP/WS | HTTP |
| Communication model | Pub/sub | Pub/sub | REST |
| Identification | AWS ARNs | AWS ARNs | AWS ARNs |
| Authorization | AWS policy | AWS policy | AWS policy |
![Page 19: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/19.jpg)
Authentication
• Things: certificate/private key
• Users: AWS IAM (user/role: API keys) or Amazon Cognito (role: API keys)
• AWS services: AWS IAM (role: API keys)
![Page 20: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/20.jpg)
Authorization – IAM policies
(diagram: Amazon Cognito issues an IAM unauthenticated or authenticated role; users get temporary AWS credentials, AWS services and third-party services use AWS credentials)
![Page 21: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/21.jpg)
Authorization – IoT policies
Fine-grained access for each device with a single policy
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:eu-west-1:1234567890:client/${iot:Certificate.Subject.CommonName.1}",
      "Effect": "Allow"
    }, {
      "Action": "iot:Publish",
      "Resource": [
        "arn:aws:iot:eu-west-1:1234567890:topic/sensordata/${iot:Certificate.Subject.CommonName.1}",
        "arn:aws:iot:eu-west-1:1234567890:topic/sensordata/${iot:Certificate.Subject.CommonName.1}/*"
      ],
      "Effect": "Allow"
    }
  ]
}
```
![Page 22: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/22.jpg)
Authorization – IoT policies
Fine-grained access with registry variables
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "iot:Connect",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": { "Bool": { "iot:Connection.Thing.IsAttached": ["true"] } }
    }, {
      "Action": "iot:Publish",
      "Resource": [
        "arn:aws:iot:eu-west-1:1234567890:topic/${iot:Connection.Thing.ThingTypeName}/${iot:Connection.Thing.ThingName}"
      ],
      "Effect": "Allow"
    }
  ]
}
```
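As an added example (not from the slides), a small Python evaluator showing how the two policies above resolve at connection time: CERT_POLICY and THING_POLICY are constructed copies of the certificate-CN and registry-variable policies, and is_allowed substitutes the policy variables for a given device before matching resources and the IsAttached condition. The variable names and ARNs are the slides' own; the evaluation logic is a simplified model of IAM semantics, not the AWS IoT implementation.

```python
import re
ARN = "arn:aws:iot:eu-west-1:1234567890:"     # region/account from the slides
CN_VAR = "${iot:Certificate.Subject.CommonName.1}"
VAR = re.compile(r"\$\{([^}]+)\}")
as_list = lambda v: v if isinstance(v, list) else [v]

# Constructed policy in the shape of the per-device policy on the slide: the
# allowed client ID and topics are derived from the certificate CN at runtime.
CERT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": "iot:Connect", "Effect": "Allow",
         "Resource": ARN + "client/" + CN_VAR},
        {"Action": "iot:Publish", "Effect": "Allow",
         "Resource": [ARN + "topic/sensordata/" + CN_VAR,
                      ARN + "topic/sensordata/" + CN_VAR + "/*"]},
    ],
}
# Constructed policy in the shape of the registry-variable policy: connect only
# when the certificate is attached to a thing, publish only under <type>/<name>.
THING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": "iot:Connect", "Effect": "Allow", "Resource": "*",
         "Condition": {"Bool": {"iot:Connection.Thing.IsAttached": ["true"]}}},
        {"Action": "iot:Publish", "Effect": "Allow",
         "Resource": ARN + "topic/${iot:Connection.Thing.ThingTypeName}"
                           "/${iot:Connection.Thing.ThingName}"},
    ],
}

def expand(resource, variables):
    # Substitute ${...} variables; None if any is unresolved, so a statement
    # can never match a resource it cannot fully name.
    if any(n not in variables for n in VAR.findall(resource)):
        return None
    return VAR.sub(lambda m: variables[m.group(1)], resource)

def matches(pattern, value):
    # '*' matches any run of characters, as in IAM resource ARNs.
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, value) is not None

def condition_ok(stmt, variables):
    # Only the Bool condition operator is modelled; a missing key counts as false.
    for key, expected in stmt.get("Condition", {}).get("Bool", {}).items():
        if variables.get(key, "false").lower() not in [e.lower() for e in expected]:
            return False
    return True

def is_allowed(policy, action, resource, variables):
    # Simplified IAM-style evaluation: an explicit Deny wins, otherwise any Allow.
    allowed = False
    for stmt in policy["Statement"]:
        if not any(matches(a, action) for a in as_list(stmt["Action"])):
            continue
        expanded = [expand(r, variables) for r in as_list(stmt["Resource"])]
        if not any(e is not None and matches(e, resource) for e in expanded):
            continue
        if not condition_ok(stmt, variables):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

A device whose certificate CN is sensor-42 can therefore only connect as client sensor-42 and publish under sensordata/sensor-42, and a certificate not attached to a registry thing cannot connect at all under the second policy.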
![Page 23: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/23.jpg)
Birth of a device
![Page 24: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/24.jpg)
Strong thing identity
Manufacturing line: provisioning of the identities retrieved from AWS IoT
Data connection
Create certificate (from CSR)
![Page 25: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/25.jpg)
Strong thing identity
• AWS-generated key pair: CreateKeysAndCertificate()
• Customer-generated key pair: CreateCertificateFromCSR(CSR)
(diagram: CSRs from the devices)
![Page 26: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/26.jpg)
BYOB? Better - BYOC
![Page 27: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/27.jpg)
Customer’s certificate authority
Manufacturing line: provisioning of the identities signed with customer’s CA
Data connection
Async registration
![Page 28: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/28.jpg)
Bring your own certificate (BYOC)
(diagram: customer’s Hardware Security Module (HSM) signing the CSRs)
![Page 29: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/29.jpg)
Demo
Embed video from https://s3-eu-west-1.amazonaws.com/iot-security.cloud/screencast/wo-jitr.mov
![Page 30: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/30.jpg)
“Look ma, no hands!”
Just-in-time registration (JITR)
![Page 31: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/31.jpg)
Just-in-time registration
Manufacturing line: provisioning of the identities signed with customer’s CA
First data connection
JIT registration
![Page 32: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/32.jpg)
Just-in-time registration – Provisioning
(diagram: customer’s Hardware Security Module (HSM) signing the CSRs)
![Page 33: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/33.jpg)
Just-in-time registration – CA registration
(diagram: customer’s Hardware Security Module (HSM) and CSRs)
getRegistrationCode()
registerCACertificate(CACert, RegCert)
![Page 34: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/34.jpg)
Just-in-time registration
(diagram: customer’s Hardware Security Module (HSM))
Function handling the PENDING_ACTIVATION state:
• checkYourCRL()
• updateCertificate(Cert, ACTIVE)
• attachPrincipalPolicy(Cert, IoTPolicy)
• updateERP()
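As an added example (not the speakers' code), a Python Lambda handler for the PENDING_ACTIVATION step above, together with the certificate-invalidation function from the incident-response slide. The slide's pseudo-calls are mapped onto the boto3 iot client methods update_certificate, attach_principal_policy and detach_principal_policy; FakeIotClient, REVOKED_CERT_IDS and JITR_EVENT are constructed stand-ins so the block runs offline, and the policy name DevicePolicy is an assumption.

```python
ARN_PREFIX = "arn:aws:iot:eu-west-1:1234567890:cert/"   # region/account from the slides
# Constructed stand-in for the slide's checkYourCRL() step; in production this
# would consult the customer's CRL/OCSP or manufacturing records for the cert.
REVOKED_CERT_IDS = {"deadbeef" * 8}

JITR_EVENT = {  # constructed sample of the registration event payload
    "certificateId": "a1" * 32, "caCertificateId": "c0" * 32,
    "timestamp": 1480521600000, "certificateStatus": "PENDING_ACTIVATION",
    "awsAccountId": "1234567890",
}

class FakeIotClient:
    """In-memory stand-in for boto3's 'iot' client with the same method names."""
    def __init__(self, certs):
        self.certs = certs        # certificateId -> {"status", "certificateArn"}
        self.policies = {}        # principal ARN -> set of attached policy names
    def describe_certificate(self, certificateId):
        return {"certificateDescription": dict(certificateId=certificateId, **self.certs[certificateId])}
    def update_certificate(self, certificateId, newStatus):
        self.certs[certificateId]["status"] = newStatus
    def attach_principal_policy(self, policyName, principal):
        self.policies.setdefault(principal, set()).add(policyName)
    def list_principal_policies(self, principal):
        return {"policies": [{"policyName": p} for p in self.policies.get(principal, ())]}
    def detach_principal_policy(self, policyName, principal):
        self.policies.get(principal, set()).discard(policyName)

def cert_arn(iot, cert_id):
    return iot.describe_certificate(certificateId=cert_id)["certificateDescription"]["certificateArn"]

def jitr_handler(event, iot, policy_name="DevicePolicy", crl=REVOKED_CERT_IDS):
    """Handle the $aws/events/certificates/registered/<caId> event: activate and
    authorise certificates that pass the CRL check, revoke the ones that do not."""
    cert_id = event["certificateId"]
    if event.get("certificateStatus") != "PENDING_ACTIVATION":
        return {"certificateId": cert_id, "action": "ignored"}
    if cert_id in crl:                                      # checkYourCRL()
        iot.update_certificate(certificateId=cert_id, newStatus="REVOKED")
        return {"certificateId": cert_id, "action": "revoked"}
    iot.update_certificate(certificateId=cert_id, newStatus="ACTIVE")   # updateCertificate(Cert, ACTIVE)
    iot.attach_principal_policy(policyName=policy_name, principal=cert_arn(iot, cert_id))  # attachPrincipalPolicy
    # updateERP() from the slide would record the activation in the back office here.
    return {"certificateId": cert_id, "action": "activated", "policy": policy_name}

def invalidate_certificate(cert_id, iot):
    """Incident-response step: detach every policy and revoke the certificate so
    the device loses all permissions and cannot reconnect."""
    arn = cert_arn(iot, cert_id)
    for p in iot.list_principal_policies(principal=arn)["policies"]:
        iot.detach_principal_policy(policyName=p["policyName"], principal=arn)
    iot.update_certificate(certificateId=cert_id, newStatus="REVOKED")
    return iot.describe_certificate(certificateId=cert_id)["certificateDescription"]["status"]

def lambda_handler(event, context):
    import boto3  # real client when deployed as the Lambda behind the JITR rule
    return jitr_handler(event, boto3.client("iot"))

def demo_client():
    """Constructed registry: one good certificate and one that is on the CRL."""
    return FakeIotClient({
        "a1" * 32: {"status": "PENDING_ACTIVATION", "certificateArn": ARN_PREFIX + "a1" * 32},
        "deadbeef" * 8: {"status": "PENDING_ACTIVATION", "certificateArn": ARN_PREFIX + "deadbeef" * 8},
    })
```

When deployed, an IoT rule subscribed to the registration topic passes the event JSON to lambda_handler; the fake client only exists so the control flow can be exercised without an AWS account.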
![Page 35: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/35.jpg)
Demo
Embed video from https://s3-eu-west-1.amazonaws.com/iot-security.cloud/screencast/jitr.mov
![Page 36: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/36.jpg)
“I am better than that THING”
User access
![Page 37: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/37.jpg)
Unauthenticated (anonymous) user access
(diagram: Amazon Cognito → IAM unauthenticated role)
![Page 38: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/38.jpg)
Authenticated user access
(diagram: identity provider → Amazon Cognito → IAM authenticated role, plus an IoT policy per user)
![Page 39: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/39.jpg)
IoT security in the cloud scales
… and real hardware?
![Page 40: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/40.jpg)
Strong device security
Atmel/Microchip AWS-ECC508
• Straightforward provisioning and secure key storage
• Crypto-operations offloading for constrained hardware
![Page 41: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/41.jpg)
Live demo
Cesanta Mongoose IoT Firmware (mongoose-iot.com)
• Hardware agnostic: ESP8266, TI CC3200 and others
• Secure: SSL/TLS, Microchip ATECC508A crypto-chip support
• Develop in C, or JavaScript, or both
• Networking: MQTT, WebSocket, CoAP, HTTP/HTTPS and others
• Mongoose Embedded Web Server and Networking Library
Customers: NASA, Dell, Samsung, HP and many others
![Page 42: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/42.jpg)
Live demo
ATECC508A-AWS
ESP8266
![Page 43: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/43.jpg)
Live demo
Point your browser:
https://iot-security.cloud/demo
![Page 44: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/44.jpg)
Microchip/Atmel
ATECC508A-AWS
• Encapsulate the entire provisioning process into a turnkey IC
• Focus design effort on customer experience
• Strong turnkey security
![Page 45: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/45.jpg)
IoT device identity requirements
• Every device must have a trustable identity
• Private key can never be revealed!!!
• Authenticate every entity with which you communicate
• Authentication process must be trusted
![Page 46: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/46.jpg)
Perfect software exists in theory only
Never mix software with keys!
![Page 47: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/47.jpg)
Attackers don’t need physical access!
• Rowhammer: modify DRAM state to gain kernel privileges
• Acoustic cryptanalysis: listen to component vibration across the room, extract keys (http://www.tau.ac.il/~tromer/acoustic/)
• Timing attack (first published in 1996): extract confidential data based on response delay
![Page 48: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/48.jpg)
ATECC508A-AWS: get critical stuff out of the micro!
• Root of trust for secure code
• High-security key storage
• Less code = lower cost
• 10x-100x faster than MCU
![Page 49: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/49.jpg)
What makes ATECC508A a vault?
• Advanced security circuitry: active shield, internal encryption, randomization, tampers, no JTAG, …
• Strong attack defenses: microprobe, timing, emissions, faults, glitches, temperature
(diagram: standard devices vs. Microchip security devices)
![Page 50: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/50.jpg)
Comprehensive thing security
• Keys never leave chip - no back doors!
• Software asks for keys to be used - chip accelerates math using the key
• Elliptic curve algorithm in hardware – can’t exploit software bugs!
![Page 51: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/51.jpg)
Secure in the factory
Private key generated entirely inside the ATECC508A
• Completely random
• NEVER readable
• NEVER known by anybody
Certificates generated by world-class HSMs at Microchip
• Protected in state-of-the-art secure facilities
No special equipment or procedures required in the OEM factory
![Page 52: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/52.jpg)
Microchip’s factory provisioning
• Secure facilities: 24/7 camera monitored, locked cages, network isolation, physical access control
• Hardware Security Modules (HSM): highly secure computers, world-class certifications: FIPS 140-2, CC EAL 4+, …
![Page 53: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/53.jpg)
Reference design
• ARM® Cortex®-M4 microcontroller
• Wi-Fi® connectivity
• ATECC508A pre-configured for AWS IoT
• I/O module
• Root CA & Intermediate CA demo dongles
• FreeRTOS
• WolfSSL TLS 1.2
• MQTT client
• JSON library
• Example Application with 6 I/Os
Source code & Documentation on GitHub:
https://github.com/MicrochipTech/AWS-Secure-Insight
Easy to get started
![Page 54: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/54.jpg)
Easy OEM setup
(diagram: Root of Trust / Root CA → OEM CA → customer-specific production signers, registered in the OEM’s AWS account)
1. OEM creates AWS IoT account, sets up OEM CA (existing OEM capability, 3rd-party trusted CA, or Microchip CA kit)
2. OEM creates certificates for Microchip production signers
3. OEM registers production signer certificates into their AWS account
![Page 55: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/55.jpg)
Zero touch provisioning - Manufacture
(diagram: Root of Trust / Root CA → OEM certificate → customer-specific production signers)
1. Microchip ships ATECC508A including certificates to board shop
2. IoT provisioning easy: assemble ATECC508A into IoT product
3. Final product ships with little or no cloud enrollment instructions or actions needed
![Page 56: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/56.jpg)
Zero touch provisioning - Field
(diagram: IoT Device #NN, certified by the customer-specific production signers, connects to the OEM AWS account)
Device certificate automatically transferred to AWS and registered on first connection
![Page 57: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/57.jpg)
Easy prototyping
(diagram: Root of Trust / Root CA, OEM USB dongle and signing USB dongle in the OEM lab)
1. Development kits readily available from distributors
2. Includes turnkey USB dongles set up to model the OEM CA and the Microchip production signers
3. Use to create demonstration systems and alpha units for testing and qualification
![Page 58: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/58.jpg)
ATECC508A-AWS: easily secure your AWS IoT device
• Secure keys - ultimate protection for keys to prevent any software attack, accelerate ECC up to 100x faster
• Fast design - prototyping kits available now, complete reference design on the web, tiny package fits any system
• Easy manufacturing - secure and seamless manufacturing logistics. JITR means ready-to-go with AWS out of the box
![Page 59: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/59.jpg)
Straightforward off-band certificate management
• Bring your own certificates
• Just in time registration
• ECC certificate support
![Page 60: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/60.jpg)
Fine-grained authorization at scale
• X.509 certificate policy variables
• Thing policy variables
![Page 61: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/61.jpg)
End-to-end security
• Zero touch secure provisioning
• Mobile carriers secure tunnels to VPC
![Page 62: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/62.jpg)
Now build a secure IoT solution!
Demos/resources from this session:
https://iot-security.cloud
![Page 63: AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)](https://reader035.fdocuments.in/reader035/viewer/2022081513/586f850e1a28ab54768b4f8f/html5/thumbnails/63.jpg)
Remember to complete your evaluations!