Posted On: Oct 22, 2024
Amazon IoT Core, a managed cloud service that lets customers securely connect and manage Internet of Things (IoT) devices to the cloud at scale, announces three new authentication and authorization capabilities for domain configurations. Devices no longer need to use the Transport Layer Security (TLS) Application Layer Protocol Negotiation (ALPN) extension to indicate the authentication type and application protocol. In addition, X.509 client certificates can now be used in custom authorizers both with and without the MQTT Connect message.
The ability to configure the authentication type and application protocol purely based on the TLS Server Name Indication (SNI) extension makes it simpler to connect devices to the cloud without requiring the TLS ALPN extension. This allows customers to migrate their existing device fleets to Amazon IoT Core without updating device firmware or using an Amazon Web Services-specific TLS ALPN string, by assigning the authentication type and protocol to an endpoint for all supported TCP ports of that custom domain. Building on this feature, we offer two additional authentication capabilities. With Custom Authentication with X.509 Client Certificates, customers can authenticate IoT devices using X.509 certificates and then add custom authentication logic as an additional layer of security checks to determine whether devices are allowed to connect. Finally, Custom Client Certificate Validation allows customers to validate X.509 client certificates with a customer-defined Lambda function. For example, customers can build their own certificate revocation checks, such as via the Online Certificate Status Protocol (OCSP) or a Certificate Revocation List (CRL), before allowing a client to connect to Amazon IoT Core.
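As an added illustration (not code from this announcement or from the Amazon IoT Core service), the following is the deny-by-default validation core a Custom Client Certificate Validation function could run: it binds the presented certificate to a trusted CA by signature, checks the validity window, and consults a CA-signed, fresh CRL before returning an allow decision. It requires the `cryptography` package; the CA, device certificates and CRL are constructed throwaway test data, and the Lambda event parsing and response wiring are left out.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def _utc(naive):  # cryptography exposes certificate and CRL times as naive UTC
    return naive.replace(tzinfo=timezone.utc)

def validate_client_cert(cert_pem, ca, crl, now=None):  # deny by default; returns (allowed, reason)
    now = now or datetime.now(timezone.utc)
    try:
        cert = x509.load_pem_x509_certificate(cert_pem)
    except ValueError:
        return False, "unparseable certificate"
    if cert.issuer != ca.subject:
        return False, "issuer is not the trusted CA"
    try:  # bind the leaf to the CA's key, not merely to its name
        ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                               ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return False, "signature does not verify under trusted CA"
    if not _utc(cert.not_valid_before) <= now <= _utc(cert.not_valid_after):
        return False, "outside validity window"
    if not crl.is_signature_valid(ca.public_key()):
        return False, "CRL not signed by trusted CA"
    if crl.next_update is not None and now > _utc(crl.next_update):
        return False, "CRL stale: unknown status is a deny"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return False, "revoked"
    return True, "ok"

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def build_demo_pki(now=None):  # constructed throwaway PKI: CA, two device certs, CRL revoking serial 1002
    now = now or datetime.now(timezone.utc)
    ca_key = ec.generate_private_key(ec.SECP256R1())
    def issue(cn, serial, issuer, pub, life):
        return (x509.CertificateBuilder().subject_name(_name(cn)).issuer_name(issuer)
                .public_key(pub).serial_number(serial).not_valid_before(now - timedelta(hours=1))
                .not_valid_after(now + life).sign(ca_key, hashes.SHA256()))
    ca = issue("demo-ca", 1, _name("demo-ca"), ca_key.public_key(), timedelta(days=1))
    def device(cn, serial):
        pub = ec.generate_private_key(ec.SECP256R1()).public_key()
        return issue(cn, serial, ca.subject, pub, timedelta(hours=1)).public_bytes(serialization.Encoding.PEM)
    revoked = x509.RevokedCertificateBuilder().serial_number(1002).revocation_date(now).build()
    crl = (x509.CertificateRevocationListBuilder().issuer_name(ca.subject).last_update(now)
           .next_update(now + timedelta(hours=1)).add_revoked_certificate(revoked).sign(ca_key, hashes.SHA256()))
    return ca, crl, device("device-good", 1001), device("device-revoked", 1002)
```

A certificate issued by a different key under the same CA name is rejected at the signature step, which is the check a name-only comparison would miss.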
All three capabilities are available in the Amazon Web Services China (Beijing) Region, operated by Sinnet, and the Amazon Web Services China (Ningxia) Region, operated by NWCD. Visit the developer guide to learn more about these features.