Explore Caylent’s Activities at AWS re:Invent

Security Profile of IoT Devices

Trek10 Team Trek10 Team

IoT

Learn how IoT devices differ from traditional IT systems in risk and behavior, and explore key security practices — including authentication, monitoring, and AWS IoT tools — to protect connected devices from threats and unauthorized access.

This blog was originally written and published by Trek10, which is now part of Caylent.

Internet of Things (IoT) devices have a different risk profile than traditional IT infrastructure and, therefore, require a different approach towards security. The AWS IoT suite of services includes solutions to monitor behavior, enforce compliance, and remediate incidents with this distinction in mind.

Let's start by analyzing the two primary tasks of IoT device applications: telemetry publishing and system actuation.

  • Telemetry publishing consists of reporting IoT device data, which includes sensor readings as well as any logs, errors, and events necessary for the functioning of the IoT ecosystem.
  • System actuation consists of any action by the device, whether it's physical such as controlling a servo for positional control or virtual such as downloading a firmware update from a private endpoint. These actions can happen in response to an internal state change or an explicit instruction from an ecosystem backend such as AWS IoT.

Figure 1: Example of telemetry publishing and system actuation.

IoT Devices vs. Typical IT Infrastructure

Unlike traditional application servers, well-designed IoT devices generally do not send requests to servers, query databases directly, nor have high network throughput (In this post, we define IoT devices as computing platforms whose hardware intended for a limited number of low-power applications. Mini-PCs and single-board computers, which could act as regular servers, are therefore excluded from this analysis). Instead, they typically operate in a publish-subscribe messaging pattern where the device can play either the publisher or subscriber role.

Furthermore, because IoT Devices tend to be resource-constrained, they generally hold only the amount of data necessary to publish their telemetry and to perform actuation functions. All this means that locally storing values for things such as available memory, battery levels, and sensor readings is often limited by the IoT device's capabilities. Instead, an IoT ecosystem often relies on gateway devices and its backend to preserve state information.

The following table lists some of the activities carried out by both IoT devices and traditional IT infrastructure, and it provides some examples of how each of the two could handle each activity:

Table 1: Example activities and how IoT Devices/Traditional IT infrastructure handle them differently.

With this contrast in mind, we begin to sense that the threats to IoT Device Software likely have a different profile than threats to traditional IT infrastructure. Typical threats follow a pattern in which an attacker gaining access to one point in the system works his or her way into other parts of it to steal from or corrupt data stores. Although that is certainly still a risk, some of the more immediate and more likely concerns with IoT device software look like the following:

  • Telemetry stream data theft such as intercepting a camera feed.
  • Integration of the IoT device into botnets.
  • Command-and-control of the IoT device and its actuation systems.

There are two critical security practices for IoT device software that address these concerns:

  • The first is that all devices in a given fleet must have authentication credentials that authorize them to perform only their intended actions.
  • The second is that mechanisms to monitor device behavior and to automatically respond to incidents should be in place.

AWS IoT-Specific Security Tools

Let's unpack those two practices and see how AWS IoT services help us fulfill them...

Authentication and Limited Permissions

When a device connects to a backend, it should verify that the server is who it says that it is through the use of a server certificate. In an IoT context, it is also crucial that the server authenticates the device as one which is allowed to communicate with backend services. For these reasons, AWS IoT requires TLS mutual authentication for all communications with IoT devices.

During TLS client authentication, AWS IoT requests the IoT device's certificate and validates it against a registry for the AWS account. It then sends the client a challenge to verify that it holds the correct private key matching the public key found in the certificate. Reciprocally, the device verifies the identity of the server through its presented server certificate by referencing the CA certificate pre-loaded into the device.

Figure 2: Sequence Diagram showcasing TLS mutual authentication.

Behavior Monitoring and Incident Response

Mechanisms to monitor device operations and to respond to incidents should be in place to promptly thwart potential attackers. AWS IoT has a native risk mitigation solution known as Device Defender, which consists of device monitoring and behavior auditing to detect unusual behavior. It enables enforcement of consistent security policies across all devices and provides means to integrate solutions that quickly respond to incidents when devices are compromised.

For example, if a device sends excessive amounts of data over a given time window, a couple of automated actions could take place. First, instructions could be sent to the device to shut off. Second, AWS IoT could revoke the device's certificate to disallow it further access to AWS resources.

Additionally, AWS IoT has native support for several levels of logging. Logs are placed into CloudWatch and can be relayed to other monitoring services such as DataDog for further real-time analysis. IoT Logs, a robust mutual authentication system, least-privilege permissions, configuration auditing, and anomaly detection can all work in combination to prevent, identify, remediate, and understand all manner of IoT cyber threats.

Prefer Tight Permissions and Remote Monitoring Over Complex Security Models

Defining boundaries and swiftly detecting policy violations should be prioritized over more involved security practices such as constant data encryption or security patch updates.

That is because IoT device fleets have diverse computational capabilities, operating systems, geographical locations, and lifecycles, all of which make fleet setup complex and prone to errors. Moreover, IoT devices are often limited in processing power and storage, and this hinders them from performing typical IT maintenance and security tasks. These devices can also use components (e.g., cellular modems) running software with known vulnerabilities, which are difficult—and often impossible—to update.

Note that I am not suggesting we forego all other standard security practices. Instead, we should apply as many security and reliability mechanisms as the IoT device can handle. Still, we should understand that the most reliable means to secure our IoT ecosystem is to enforce tight permissions and to respond to device misbehavior in real-time.

Conclusion

Internet of Things devices have a different risk profile and a different set of capabilities as those of traditional IT infrastructure. The primary threats to these devices are data stream breaches and unauthorized operation of its software, sensors, and actuators. To counteract these threats, AWS provides a series of tools to enforce permissions management, behavior monitoring, compliance enforcement, and incident detection. Together, these tools allow companies to swiftly put a stop to threats by giving them a thorough understanding of their IoT ecosystems' live operations.

1 In this post, we define IoT devices as computing platforms whose hardware intended for a limited number of low-power applications. Mini-PCs and single-board computers, which could act as regular servers, are therefore excluded from this analysis.

IoT
Trek10 Team

Trek10 Team

Founded in 2013, Trek10 helped organizations migrate to and maximize the value of AWS by designing, building, and supporting cloud-native workloads with deep technical expertise. In 2025, Trek10 joined Caylent, forming one of the most comprehensive AWS-only partners in the ecosystem, delivering end-to-end services across strategy, migration and modernization, product innovation, and managed services.

View Trek10's articles

Learn more about the services mentioned

Caylent Catalysts™

IoT

Connect, understand, and act on data from industrial devices at scale to improve uptime, efficiency, and reliability across manufacturing, energy, and utilities.

Caylent Services

Managed Services

Reliably Operate and Optimize Your AWS Environment

Caylent Services

Infrastructure & DevOps Modernization

Quickly establish an AWS presence that meets technical security framework guidance by establishing automated guardrails that ensure your environments remain compliant.

Accelerate your cloud native journey

Leveraging our deep AWS expertise

Get in touch

Related Blog Posts

Serverless Architectures: IoT

Explore how serverless architectures power IoT applications — from event‑driven design and scalability to AWS services like Lambda, IoT Core, and real‑time processing — for efficient, reliable connected systems.

IoT

Three Cost-Effective Design Patterns for AWS IoT Data Ingestion

Reduce AWS IoT data ingestion costs by 68% with Amazon Kinesis batching vs AWS Lambda alone. Compare Amazon SQS and Amazon Kinesis patterns for cost, retention, and propagation delay.

IoT

ARM-Based AWS Lambda with Graviton2: What Developers Need to Know

Two technical edge cases when migrating AWS Lambda to ARM/Graviton2: floating-point comparison precision and undefined C behavior with negative float casting. Learn migration considerations.

IoT
Cost Optimization
View all blog posts