Last Updated: Mar 27, 2024

AWS IoT Device Defender

Author Mayank Goyal

Introduction

AWS IoT Device Defender is a security service that lets you audit your devices' configurations, monitor connected devices for unusual behavior, and reduce security risk. It allows you to apply consistent security controls across your AWS IoT device fleet and respond quickly when devices are compromised.

IoT fleets can be made up of many devices with varying capabilities, long lifespans, and wide geographical distribution. These characteristics make fleet configuration difficult and error-prone. Because devices' processing power, memory, and storage are generally limited, encryption and other forms of security on the devices themselves are limited too. Furthermore, devices frequently run software with known vulnerabilities.

Complete the following tasks before using AWS IoT Device Defender for the first time:

  • Sign up for Amazon Web Services.
  • Create an IAM account.

These procedures create an AWS account and an IAM user with account administrator privileges.

Sign Up for AWS

To create an AWS account:

  1. Go to https://portal.aws.amazon.com/billing/signup and fill out the form.
  2. Follow the instructions on the website. Receiving a phone call and entering a verification code on the phone keypad are required steps in the sign-up process.

Please keep track of your AWS account number, as you'll need it for the following step.

Creating an IAM account

This procedure explains how to create an IAM user for yourself and add that user to a group that gets administrative permissions from an attached managed policy.

To create an administrator user for yourself and add it to an Administrators group (console):

  1. Choose Root user and enter your AWS account email address to log in to the IAM console as the account owner. Enter your password on the following page.
     
  2. Select Users from the navigation pane, then Add Users.
     
  3. Enter Administrator as the user name.
     
  4. AWS Management Console access is checked by default. Then, under Custom password, type your new password in the text field.
     
  5. (Optional) By default, AWS requires a new user to create a new password when they first sign in. To allow the new user to sign in without having to reset their password, clear the check box that requires a new password at the next sign-in.
     
  6. Next, select Permissions.
     
  7. Select Add user to a group under Set permissions.
     
  8. Select Create a group.
     
  9. Type Administrators in the Group name field in the Create group dialogue box.
     
  10. To filter the table contents, click Filter policies, then AWS managed - job function.
     
  11. Select the AdministratorAccess check box in the policy list. After that, select Create group.
     
  12. Return to the list of groups and tick the box for your new group. If necessary, choose Refresh to view the group in the list.
     
  13. Next, select Tags.
     
  14. (Optional) Attach tags as key-value pairs to the user to add metadata. See Tagging IAM Entities in the IAM User Guide for additional information on using tags in IAM.
     
  15. Select Next: Review to see the list of group memberships to be added to the new user. When you're ready, choose Create user.

You can repeat this process to add more groups and users and grant access to your AWS account resources to your users. See Access management and Example policies for information on using policies to limit user permissions to specific AWS resources.

Audit Guide

This section explains how to set up a recurring audit, set up alarms, evaluate audit results, and resolve audit issues.

Enable Audit Checks

You enable audit checks with the following procedure. Audit checks examine account and device settings and policies to ensure security protections are in place. In this guide we enable all audit checks, but you can choose which ones you want.

The monthly audit fee is based on the number of devices (fleet devices connected to AWS IoT). Adding or removing audit checks does not affect your monthly fee.

  1. Expand Defend in the AWS IoT console's navigation pane and select Get started with an audit.

  2. The Get Started with Device Defender Audit page walks you through the steps to enable audit checks. Select Next after you've reviewed the screen.

  3. Select Enable audit on the Configure SNS (optional) screen. See Enable SNS Notifications if you want to enable SNS notifications (optional).

  4. You'll be taken to Audit Schedules.

View Audit Results

The steps below show you how to view the audit results. This tutorial shows the findings from the audit checks set up in the Enable audit checks procedure.

To see the audit findings

  1. Expand Defend, select Audit, and then Results in the AWS IoT console's navigation pane.
     
  2. If you have any non-compliant checks, the Summary will tell you.
     
  3. Choose the name of the audit check you want to look into.
     
  4. Use the question marks to find out how to make non-compliant checks compliant. To make the "Logging disabled" check compliant, follow Enable logging (optional).

ML Detect

In this Getting Started guide, you create an ML Detect Security Profile that uses machine learning (ML) to build models of expected behavior from your devices' historical metric data. While ML Detect builds the model, you can track its training progress. After the model is built, you can view and investigate alarms on an ongoing basis and address the issues it identifies.

Enable ML Detect

The steps below describe how to configure ML Detect in the console.

  1. First, make sure your devices generate the minimum number of data points ML Detect requires, and check the minimum requirements for ongoing model training and refresh. For data collection to begin, make sure your Security Profile is attached to a target, which can be a thing or a thing group.

  2. Expand Defend in the navigation pane of the AWS IoT console. Select Detect, Security profiles, Create security profile, and then Create ML anomaly Detect profile.
     
  3. Do the following on the Set basic configurations page.
  • Select your target device groupings under Target.
  • Enter a name for your Security Profile under the Security profile name.
  • (Optional) You may add a short description for the ML profile under Description.
  • Select the metrics you want to track under Selected metric behaviors in Security Profile.
  • Choose Next when you're finished.

  4. On the Set SNS (optional) page, set an SNS topic for alert notifications when a device violates a behavior in your profile, and select an IAM role for publishing to the selected SNS topic.
  • If you don't already have an SNS role, follow the steps below to create one with the necessary permissions and trust relationship.
  • Go to the IAM console. Choose Roles from the navigation pane, then Create role.
  • Select AWS service under Select type of trusted entity. Then, under Choose a use case, select IoT, and under Select your use case, select IoT - Device Defender Mitigation Actions. Choose Next: Permissions when you're finished.
  • Ensure AWSIoTDeviceDefenderPublishFindingsToSNSMitigationAction is selected under Attached permissions policies, and then choose Next: Tags.
  • Add any tags you want to associate with your role under Add tags (optional). Choose Next: Review when you're finished.
  • Give your role a name under Review, and make sure AWSIoTDeviceDefenderPublishFindingsToSNSMitigationAction is listed under Permissions and AWS service: iot.amazonaws.com under Trust relationships. Choose Create role when you're finished.

  5. You can adjust your ML behavior settings on the Edit Metric Behavior page.

  6. Choose Next when you're finished.

  7. Verify the behaviors you want machine learning to track on the Review configuration screen, then click Next.

  8. After you create your Security Profile, you're taken to the Security Profiles page, where the newly created Security Profile is displayed.

Monitor your ML model status

You can track your ML models' progress during their initial training period by following the instructions below.

  1. Expand Defend in the AWS IoT console's navigation pane, then click Detect, Security profiles.
     
  2. Select the Security Profile you want to review from the Security Profiles page. Then select Behaviors and Machine Learning training.
     
  3. Check the training progress of your ML models on the Behaviors and ML training page. When your model is set to Active, it will begin making Detect decisions based on your usage and update your profile daily.

Review your ML Detect alarms

Once your ML models have been built and are ready for inference, you can view and investigate the alarms they raise.

  1. Expand Defend in the AWS IoT console's navigation pane, then click Detect, Alarms.
     
  2. You can also check details about devices that are no longer in alarm by going to the History tab. To get more information, go to Manage > Things, choose the thing you want to learn more about, and then go to Defender stats. From the Active tab, you can browse the Defender stats graph and investigate whatever raised the alarm. In this example, the chart shows a surge in message size, which set off the alarm; the alarm was later cleared.

Audit Commands

Manage audit settings

To configure audit settings for your account, use UpdateAccountAuditConfiguration. With this command you enable the checks you want to run, set up optional notifications, and adjust permissions. With DescribeAccountAuditConfiguration, you can inspect these settings. To delete your audit settings, use DeleteAccountAuditConfiguration. Because all checks are disabled by default, this restores all default values and effectively disables audits.

UpdateAccountAuditConfiguration

Configures or reconfigures the Device Defender audit settings for this account. The settings include how audit notifications are sent and which audit checks are enabled or disabled.

Synopsis:

aws iot update-account-audit-configuration \
    [--role-arn <value>] \
    [--audit-notification-target-configurations <value>] \
    [--audit-check-configurations <value>] \
    [--cli-input-json <value>] \
    [--generate-cli-skeleton]

DescribeAccountAuditConfiguration

Gets information about this account's Device Defender audit settings. How to send audit notifications and which audit checks are enabled or disabled are among the options.

Synopsis:

aws iot describe-account-audit-configuration \
    [--cli-input-json <value>] \
    [--generate-cli-skeleton]

DeleteAccountAuditConfiguration

For this account, restores the default settings for Device Defender audits. Any configuration data you entered is erased, and all audit checks are turned off.

Synopsis:

aws iot delete-account-audit-configuration \
    [--delete-scheduled-audits | --no-delete-scheduled-audits] \
    [--cli-input-json <value>] \
    [--generate-cli-skeleton]

CreateScheduledAudit

Creates a scheduled audit that runs at a set interval of time.

Synopsis:

aws iot create-scheduled-audit \
    --frequency <value> \
    [--day-of-month <value>] \
    [--day-of-week <value>] \
    --target-check-names <value> \
    [--tags <value>] \
    --scheduled-audit-name <value> \
    [--cli-input-json <value>] \
    [--generate-cli-skeleton]
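The synopses above for update-account-audit-configuration and create-scheduled-audit leave every argument as <value>. The following added example (not from the original article) builds the two request bodies in the shape the API expects, so they can be passed as --cli-input-json files. The check names are Device Defender's documented audit check identifiers (a subset); the ARNs, file names and audit name are placeholders.

```python
import json

# Subset of the audit check identifiers Device Defender accepts (the article's
# "Logging disabled" check is LOGGING_DISABLED_CHECK); extend as needed.
ALL_CHECKS = [
    "LOGGING_DISABLED_CHECK",
    "DEVICE_CERTIFICATE_EXPIRING_CHECK",
    "REVOKED_DEVICE_CERTIFICATE_STILL_ACTIVE_CHECK",
    "CONFLICTING_CLIENT_IDS_CHECK",
    "IOT_POLICY_OVERLY_PERMISSIVE_CHECK",
]

def audit_configuration(audit_role_arn, sns_topic_arn, sns_role_arn,
                        enabled_checks=ALL_CHECKS):
    """Body for update-account-audit-configuration. Every check in ALL_CHECKS is
    set explicitly: checks omitted from auditCheckConfigurations keep their state."""
    return {
        "roleArn": audit_role_arn,
        "auditNotificationTargetConfigurations": {
            "SNS": {"targetArn": sns_topic_arn, "roleArn": sns_role_arn, "enabled": True}
        },
        "auditCheckConfigurations": {
            check: {"enabled": check in enabled_checks} for check in ALL_CHECKS
        },
    }

def scheduled_audit(name, frequency, checks, day_of_week=None, day_of_month=None):
    """Body for create-scheduled-audit, validated locally so that a frequency/day
    mismatch fails before the API call instead of after."""
    if frequency not in ("DAILY", "WEEKLY", "BIWEEKLY", "MONTHLY"):
        raise ValueError("frequency must be DAILY, WEEKLY, BIWEEKLY or MONTHLY")
    if frequency in ("WEEKLY", "BIWEEKLY") and day_of_week is None:
        raise ValueError(f"{frequency} audits need dayOfWeek (SUN..SAT)")
    if frequency == "MONTHLY" and day_of_month is None:
        raise ValueError("MONTHLY audits need dayOfMonth (1-31 or LAST)")
    if not checks:
        raise ValueError("targetCheckNames must not be empty")
    body = {"scheduledAuditName": name, "frequency": frequency,
            "targetCheckNames": list(checks)}
    if day_of_week is not None:
        body["dayOfWeek"] = day_of_week
    if day_of_month is not None:
        body["dayOfMonth"] = str(day_of_month)
    return body

if __name__ == "__main__":
    # Placeholder ARNs; feed each file to `aws iot <command> --cli-input-json file://<name>`.
    cfg = audit_configuration("arn:aws:iam::123456789012:role/AuditRole",
                              "arn:aws:sns:us-east-1:123456789012:audit-alerts",
                              "arn:aws:iam::123456789012:role/AuditSnsRole")
    weekly = scheduled_audit("weekly-cert-audit", "WEEKLY",
                             ["DEVICE_CERTIFICATE_EXPIRING_CHECK"], day_of_week="MON")
    for fname, body in (("audit-config.json", cfg), ("weekly-audit.json", weekly)):
        with open(fname, "w") as fh:
            json.dump(body, fh, indent=2)
```

Run the script, then pass each file with `aws iot update-account-audit-configuration --cli-input-json file://audit-config.json` and `aws iot create-scheduled-audit --cli-input-json file://weekly-audit.json`.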

ListScheduledAudits

Lists all of your scheduled audits.

Synopsis:

aws iot list-scheduled-audits \
    [--next-token <value>] \
    [--max-results <value>] \
    [--cli-input-json <value>] \
    [--generate-cli-skeleton]

DescribeScheduledAudit

Gets information about a scheduled audit.

Synopsis:

aws iot describe-scheduled-audit \
    --scheduled-audit-name <value> \
    [--cli-input-json <value>] \
    [--generate-cli-skeleton]

UpdateScheduledAudit

Updates a scheduled audit, including which checks are performed and how often the audit takes place.

Synopsis:

aws iot update-scheduled-audit \
    [--frequency <value>] \
    [--day-of-month <value>] \
    [--day-of-week <value>] \
    [--target-check-names <value>] \
    --scheduled-audit-name <value> \
    [--cli-input-json <value>] \
    [--generate-cli-skeleton]

DeleteScheduledAudit

Deletes a scheduled audit.

Synopsis:

aws iot delete-scheduled-audit \
    --scheduled-audit-name <value> \
    [--cli-input-json <value>] \
    [--generate-cli-skeleton]

Run On-Demand Audit

Use StartOnDemandAuditTask to specify the checks you want to perform and start an audit running right away.

StartOnDemandAuditTask

Starts an on-demand Device Defender audit.

Synopsis:

aws iot start-on-demand-audit-task \
    --target-check-names <value> \
    [--cli-input-json <value>] \
    [--generate-cli-skeleton]

Manage Audit Instances

Use DescribeAuditTask to get information about a given audit instance. If the audit has completed, the results show which checks failed and which passed, and which the system was unable to finish; if the audit is still in progress, they show which checks it is currently working on.

ListAuditTasks can be used to locate audits performed over a specific time period. Stop an audit in progress using CancelAuditTask.

Check Audit Results

To see the audit findings, use ListAuditFindings. You can filter the results by check type, by a specific resource, or by the time of the audit. You can use this information to address any issues that were discovered.

You can also create mitigation actions and apply them to your audit findings.

Synopsis:

aws iot list-audit-findings \
    [--task-id <value>] \
    [--check-name <value>] \
    [--resource-identifier <value>] \
    [--max-results <value>] \
    [--next-token <value>] \
    [--start-time <value>] \
    [--end-time <value>] \
    [--cli-input-json <value>] \
    [--generate-cli-skeleton]

Audit Finding Suppressions

When you run an audit, all non-compliant resources are reported. This means your audit reports include findings for resources you are already working to fix, as well as for resources that are non-compliant by design, such as test devices or broken devices. In subsequent audit runs, the audit keeps reporting findings for resources that remain non-compliant, potentially adding unwanted noise to your reports. Audit finding suppressions let you hide or filter out findings, either for a set period of time until the resource is fixed, or indefinitely for a resource associated with a test or malfunctioning device.

Working Of Audit Finding Suppressions

When you create an audit finding suppression for a non-compliant resource, your audit reports and notifications behave differently.

Your audit reports include a new section that lists all of the report's suppressed findings. Suppressed findings are not considered when determining whether an audit check is compliant. When you use the describe-audit-task command in the command-line interface (CLI), a suppressed resource count is also returned for each audit check.

Each audit check notification that AWS IoT Device Defender sends to Amazon CloudWatch and Amazon Simple Notification Service (Amazon SNS) also includes a suppressed resource count.
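To show how the ListAuditFindings output described under Check Audit Results interacts with the suppression rules above, here is an added example (not from the original article) that triages a findings response: it groups open findings by check, keeps a per-check suppressed count, and reports which checks count as compliant because all their findings are suppressed. The response is constructed and shortened; field names follow the AuditFinding shape, while the identifiers and reason strings are made up.

```python
from collections import defaultdict

SEVERITY = ["LOW", "MEDIUM", "HIGH", "CRITICAL"]
# Constructed, shortened list-audit-findings response. Field names follow the
# AuditFinding shape (checkName, severity, nonCompliantResource, isSuppressed);
# identifiers and reasons are made up for this example.
SAMPLE_RESPONSE = {"findings": [
    {"findingId": "f-1", "checkName": "DEVICE_CERTIFICATE_EXPIRING_CHECK",
     "severity": "MEDIUM", "isSuppressed": False,
     "reasonForNonCompliance": "Certificate expires in 12 days",
     "nonCompliantResource": {"resourceType": "DEVICE_CERTIFICATE",
                              "resourceIdentifier": {"deviceCertificateId": "cert-aaaa"}}},
    {"findingId": "f-2", "checkName": "DEVICE_CERTIFICATE_EXPIRING_CHECK",
     "severity": "MEDIUM", "isSuppressed": True,   # bench device, suppressed on purpose
     "reasonForNonCompliance": "Certificate expires in 3 days",
     "nonCompliantResource": {"resourceType": "DEVICE_CERTIFICATE",
                              "resourceIdentifier": {"deviceCertificateId": "cert-test-bbbb"}}},
    {"findingId": "f-3", "checkName": "IOT_POLICY_OVERLY_PERMISSIVE_CHECK",
     "severity": "CRITICAL", "isSuppressed": False,
     "reasonForNonCompliance": "Policy allows iot:* on resource *",
     "nonCompliantResource": {"resourceType": "IOT_POLICY", "resourceIdentifier": {
         "policyVersionIdentifier": {"policyName": "FleetPolicy", "policyVersionId": "1"}}}},
    {"findingId": "f-4", "checkName": "CONFLICTING_CLIENT_IDS_CHECK",
     "severity": "HIGH", "isSuppressed": True,    # only finding for this check
     "reasonForNonCompliance": "Client ID reused by two connections",
     "nonCompliantResource": {"resourceType": "CLIENT_ID",
                              "resourceIdentifier": {"clientId": "bench-sensor-01"}}},
]}

def resource_key(finding):
    """Stable string naming the non-compliant resource across identifier shapes."""
    ident = finding["nonCompliantResource"]["resourceIdentifier"]
    if "policyVersionIdentifier" in ident:
        pv = ident["policyVersionIdentifier"]
        return f"{pv['policyName']}:v{pv['policyVersionId']}"
    return str(next(iter(ident.values())))   # single-key shapes: cert id, client id, account

def triage(response, min_severity="LOW"):
    """Split findings into open work (by check, at or above min_severity) and a
    per-check count of suppressed findings, as describe-audit-task also reports."""
    floor = SEVERITY.index(min_severity)
    open_by_check, suppressed = defaultdict(list), defaultdict(int)
    for f in response.get("findings", []):
        if f.get("isSuppressed"):
            suppressed[f["checkName"]] += 1
        elif SEVERITY.index(f.get("severity", "LOW")) >= floor:
            open_by_check[f["checkName"]].append(
                (f["severity"], f["nonCompliantResource"]["resourceType"], resource_key(f)))
    return {"open": dict(open_by_check), "suppressed": dict(suppressed)}

def checks_compliant_after_suppression(response):
    """Checks whose every finding is suppressed: per the article these count as
    compliant, and their resources appear only in the report's suppressed section."""
    result = triage(response)
    return sorted(set(result["suppressed"]) - set(result["open"]))
```

On a real account, page through `aws iot list-audit-findings --task-id <id>` with --next-token (or a boto3 paginator) and merge the pages before calling triage.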

Frequently Asked Questions

What are the most important features of AWS IoT Device Defender?

AWS IoT Device Defender makes it simple to maintain and enforce IoT configurations, including assuring device identity, authorizing and authenticating devices, and encrypting device data. AWS IoT Device Defender regularly checks your devices' IoT configurations against a set of established security best practices.

Is it possible for a device connected to AWS IoT to receive messages from the cloud?

AWS IoT Core is a managed cloud platform that enables connected devices to interact with cloud applications and other devices simply and safely. AWS IoT Core can handle billions of devices and trillions of messages, and it can reliably and securely process and route those communications to AWS endpoints and other devices.

What is an IoT defender?

For IoT/OT environments, Microsoft Defender for IoT is a dedicated asset discovery, vulnerability management, and threat monitoring tool.

Conclusion

In this article, we learned how AWS IoT Device Defender is used to audit and monitor IoT devices and gained a better understanding of its different features. That's all from the article. I hope you all liked it.

Want to learn more about Data Analysis? Here is an excellent course that can guide you. You can also refer to our other courses, like DSA and Machine Learning.

Check out this article - Components Of IOT

Happy Learning, Ninjas!
