How can we trust the AWS IoT Core?

Introduction

Today I will explain how connected devices can establish trust with the AWS IoT Core. To trust someone, we need to confirm their identity. The same is true in the ecosystem of connected devices.

AWS IoT Core exposes an MQTT Broker so devices can establish the MQTT connectivity.

What if a malicious actor stands up their own MQTT Broker and tries to mislead devices into connecting to it? Is there a way to verify the real identity of the exposed endpoint?

Short answer: Yes, devices can verify the identity of the exposed endpoint and establish a connection only after they confirm that they are communicating with the AWS IoT Core.

Long answer: This is a very technical post. I describe how the verification process works and explain the usage of X.509 Certificates.

Step one - AWS IoT Core endpoint types

We use the AWS IoT data endpoint for communication between connected devices and AWS. This endpoint enables secure, bi-directional communication for devices.

There are two data endpoint types: iot:Data and iot:Data-ATS.

iot:Data is the legacy endpoint type, so I recommend using iot:Data-ATS (ATS stands for Amazon Trust Services).

How can we obtain the AWS IoT data endpoint?

The AWS IoT data endpoint is account- and region-specific. We can obtain it using the AWS CLI:

aws iot --region eu-west-1 describe-endpoint --endpoint-type iot:Data-ATS

Response:

{
  "endpointAddress": "a1pmmrdn6yc5il-ats.iot.eu-west-1.amazonaws.com"
}

We know the endpoint, but how can we verify its identity?

X.509 Certificates exposed by the AWS IoT data endpoint

To establish trust, we need to confirm the identity of the obtained endpoint.

We can check X.509 Certificates exposed by that endpoint using the following command:

openssl s_client -showcerts -connect a1pmmrdn6yc5il-ats.iot.eu-west-1.amazonaws.com:443

Truncated response:

CONNECTED(00000006)
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
verify return:1
depth=0 CN = *.iot.eu-west-1.amazonaws.com
verify return:1
write W BLOCK
---
Certificate chain
 0 s:/CN=*.iot.eu-west-1.amazonaws.com
   i:/C=US/O=Amazon/OU=Server CA 1B/CN=Amazon
-----BEGIN CERTIFICATE-----

Let’s check the Certificate chain:

CN = *.iot.eu-west-1.amazonaws.com is the Common Name (CN) of the AWS IoT Core certificate.
CN = Amazon is the Intermediate Certificate.
CN = Amazon Root CA 1 is the Root Certificate.

The chain looks as follows:

(Diagram: the AWS IoT Core server certificate chain. Leaf: CN = *.iot.eu-west-1.amazonaws.com, issued by the intermediate CN = Amazon (OU = Server CA 1B), issued by the root CN = Amazon Root CA 1.)

We can save those certificates using the following command:

(openssl s_client -showcerts -connect a1pmmrdn6yc5il-ats.iot.eu-west-1.amazonaws.com:443 & sleep 5) | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/{if(/-----BEGIN CERTIFICATE-----/){a++}; out="cert_"a".pem"; print > out}'

Let’s review the certificate exposed by the AWS IoT Core:

openssl x509 -in cert_1.pem -text -noout

Response:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            02:9e:9f:2c:92:a0:95:90:31:84:de:9a:93:06:ac:43
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Amazon, OU=Server CA 1B, CN=Amazon
        Validity
            Not Before: Sep  8 00:00:00 2022 GMT
            Not After : Sep  7 23:59:59 2023 GMT
        Subject: CN=*.iot.eu-west-1.amazonaws.com

The Common Name (CN) of the issuer equals “Amazon”. We can review that intermediate certificate:

openssl x509 -in cert_2.pem -text -noout

Response:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            06:7f:94:57:85:87:e8:ac:77:de:b2:53:32:5b:bc:99:8b:56:0d
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Amazon, CN=Amazon Root CA 1
        Validity
            Not Before: Oct 22 00:00:00 2015 GMT
            Not After : Oct 19 00:00:00 2025 GMT
        Subject: C=US, O=Amazon, OU=Server CA 1B, CN=Amazon

The intermediate certificate was signed by the Amazon Root CA 1 certificate.

The Amazon Root CA certificate

Now we need to obtain the Amazon Root CA 1 certificate. Amazon publishes that certificate, so we can download it using the following command:

curl -L https://www.amazontrust.com/repository/AmazonRootCA1.pem > AmazonRootCA1.pem

Finally, we need to verify that this root certificate is the one that signed the chain of certificates exposed by the AWS IoT Core.

openssl verify -CAfile AmazonRootCA1.pem -untrusted cert_2.pem cert_1.pem

Response:

cert_1.pem: OK

A quick reminder:

  • AmazonRootCA1.pem - the certificate we downloaded from www.amazontrust.com
  • cert_2.pem - the intermediate certificate
  • cert_1.pem - the certificate exposed by the AWS IoT Core when connecting

We obtained the AmazonRootCA1 certificate from a trusted source and used it to verify certificates from a (potentially) untrusted endpoint.

That is why we need to put the AmazonRootCA1 certificate on every device connected to AWS IoT Core: devices use this certificate as their trust anchor when they set up the TLS connection to the AWS IoT Core, and they should refuse to connect if the presented chain does not verify against it.
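The manual steps above, collected into one script. This is an added example and not code from the original post: the function and variable names are mine, and it assumes the aws CLI (with credentials configured), curl and an OpenSSL 1.1.0 or newer (for -verify_hostname) are installed. It goes one step beyond the post in two places: it passes -verify_hostname to openssl verify, so a chain that is genuinely signed by Amazon Root CA 1 but issued for a different name is rejected as well, and it feeds s_client from /dev/null so it exits after the handshake instead of needing the `& sleep 5` trick.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Usage:
#   ./verify_iot_endpoint.sh --run eu-west-1
set -eu

# Published by Amazon Trust Services; the same URL as in the post.
ROOT_CA_URL="https://www.amazontrust.com/repository/AmazonRootCA1.pem"

# Look up the iot:Data-ATS endpoint for one region (needs AWS CLI credentials).
iot_endpoint() {
  aws iot --region "$1" describe-endpoint --endpoint-type iot:Data-ATS \
    --query endpointAddress --output text
}

# Capture the certificate chain the endpoint presents. Reading stdin from
# /dev/null makes s_client close the session right after the handshake;
# stderr (the depth=/verify return: lines) is dropped, the PEM blocks are on stdout.
fetch_chain() {
  local host="$1" port="${2:-443}"
  openssl s_client -showcerts -servername "$host" -connect "$host:$port" \
    </dev/null 2>/dev/null
}

# Split a PEM bundle (as printed by `openssl s_client -showcerts`) into
# PREFIX_1.pem, PREFIX_2.pem, ... in chain order (1 = leaf, 2 = intermediate).
# Only lines inside BEGIN/END markers are copied; prints the number of certs.
split_pem_chain() {
  local bundle="$1" prefix="$2"
  awk -v prefix="$prefix" '
    /-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/ {
      if (/-----BEGIN CERTIFICATE-----/) { n++; out = prefix "_" n ".pem" }
      print > out
      if (/-----END CERTIFICATE-----/) close(out)
    }
    END { print n + 0 }
  ' "$bundle"
}

# Verify the leaf against the intermediate and the downloaded root only
# (no system trust store), and require the leaf name to match the host
# the device intends to talk to. Exit status is non-zero on any failure.
verify_chain() {
  local root="$1" intermediate="$2" leaf="$3" host="$4"
  openssl verify -CAfile "$root" -untrusted "$intermediate" \
    -verify_hostname "$host" "$leaf"
}

main() {
  local region="${1:?usage: $0 --run <aws-region>}"
  local host work n
  host="$(iot_endpoint "$region")"
  work="$(mktemp -d)"
  fetch_chain "$host" > "$work/chain.txt"
  n="$(split_pem_chain "$work/chain.txt" "$work/cert")"
  if [ "$n" -lt 2 ]; then
    echo "expected a leaf and an intermediate, got $n certificate(s)" >&2
    return 1
  fi
  curl -sSL "$ROOT_CA_URL" -o "$work/AmazonRootCA1.pem"
  # Prints "<path>/cert_1.pem: OK" when the endpoint really is AWS IoT Core.
  verify_chain "$work/AmazonRootCA1.pem" "$work/cert_2.pem" "$work/cert_1.pem" "$host"
}

# The network steps only run when invoked with --run, so the functions can
# also be sourced and used one at a time.
if [ "${1:-}" = "--run" ]; then
  shift
  main "$@"
fi
```

Run it with `./verify_iot_endpoint.sh --run eu-west-1`. A non-zero exit from `verify_chain` is the signal a device should treat as "do not connect": either the chain does not lead to Amazon Root CA 1, or the leaf was issued for some other name than the endpoint we looked up.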

Summary

I know that was a deep-dive technical post, but I wanted to explain the very important topic of trust in the IoT system. I hope this was interesting for you.
