Integration: AWS IoT Device Defender Violation Event
AWS IoT Device Defender is a security service that allows you to audit the configuration of your devices, monitor connected devices to detect abnormal behavior, and mitigate security risks.
Preparing an IAM Role
Before Device Defender can publish messages to SNS, you must create an IAM role as described in the AWS Documentation. Replace arn:aws:sns:region:account-id:your-topic-name with the SNS topic ARN.
Creating a Security Profile
A security profile defines a set of expected behaviors for devices in your account and specifies the actions to take when an anomaly is detected. Let’s create one:
- Open the AWS IoT Console.
- Navigate to Security Profiles and create a Rule-based anomaly Detect profile.
- Set a Name and define the condition that is regarded as abnormal. E.g., if you expect a sensor to report data every 5 minutes (or 12 times per hour), receiving data only 10 times per hour might be an issue if it happens two times in a row.
- Configure the SNS topic you created and select the IAM Role you created in preparation above.
- Attach the security profile to the things you want to monitor.
- Last but not least, confirm your settings and save.
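The rule from the steps above expressed as API parameters, as an added example that is not part of the original page or AWS's own code. It builds the arguments for boto3's create_security_profile and uses a simplified model of the "two times in a row" evaluation on constructed hourly counts. Assumptions: the metric aws:num-messages-sent, a less-than-equals threshold of 10, the profile name, and the placeholder role ARN.

```python
import json

# Placeholder ARNs (not real values); substitute your own topic and role.
TOPIC_ARN = "arn:aws:sns:region:account-id:your-topic-name"
ROLE_ARN = "arn:aws:iam::account-id:role/your-role-name"


def build_profile(name, topic_arn, role_arn, min_count=10, in_a_row=2):
    """Keyword arguments for boto3's iot.create_security_profile()."""
    return {
        "securityProfileName": name,
        "behaviors": [{
            "name": "too-few-messages",
            "metric": "aws:num-messages-sent",  # assumed: messages the device publishes
            "criteria": {
                "comparisonOperator": "less-than-equals",
                "value": {"count": min_count},
                "durationSeconds": 3600,  # one datapoint per hour
                "consecutiveDatapointsToAlarm": in_a_row,
                "consecutiveDatapointsToClear": 1,
            },
        }],
        "alertTargets": {"SNS": {"alertTargetArn": topic_arn, "roleArn": role_arn}},
    }


def simulate(hourly_counts, profile):
    """Simplified model of rule evaluation: hours in which an alarm opens."""
    c = profile["behaviors"][0]["criteria"]
    alarms, streak, in_alarm = [], 0, False
    for hour, count in enumerate(hourly_counts):
        if count <= c["value"]["count"]:
            streak += 1
            if streak >= c["consecutiveDatapointsToAlarm"] and not in_alarm:
                in_alarm = True
                alarms.append(hour)
        else:
            streak, in_alarm = 0, False  # one normal datapoint clears the alarm
    return alarms


def apply(profile, target_arn):
    """Create the profile and attach it; needs boto3 and AWS credentials."""
    import boto3
    iot = boto3.client("iot")
    iot.create_security_profile(**profile)
    iot.attach_security_profile(securityProfileName=profile["securityProfileName"],
                                securityProfileTargetArn=target_arn)


if __name__ == "__main__":
    p = build_profile("sensor-heartbeat", TOPIC_ARN, ROLE_ARN)
    print(json.dumps(p, indent=2))
    print(simulate([12, 10, 12, 10, 9, 8, 12, 10, 10], p))  # constructed counts
```

A single low hour does not raise an alarm in this model; only two consecutive low hours do, which keeps one delayed report from paging the team.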
Sample Alert
As soon as a thing violates a security profile, you should receive an alert in Slack or Microsoft Teams.