Integration: AWS IoT Device Defender Violation Event
AWS IoT Device Defender is a security service that allows you to audit the configuration of your devices, monitor connected devices to detect abnormal behavior and mitigate security risks
Before Device Defender can publish messages to SNS, you must create an IAM role as described in the AWS Documentation. Replace
arn:aws:sns:region:account-id:your-topic-name with the SNS topic ARN.
A security profile defines a set of expected behaviors for devices in your account and specifies the actions to take when an anomaly is detected. Let’s create one:
- Open the AWS IoT Console.
- Navigate to Security Profiles and create a Rule-based anomaly Detect profile.
- Set a Name and define the condition that is regarded as abnormal. E.g., if you expect a sensor to report data every 5 minutes (or 12 times per hour), receiving data only 10 times per hour might be an issue if it happens two times in a row.
- Configure the SNS topic you created and select the IAM Role you created in preparation above.
- Attach the security profile to things to monitor.
- Last but not least, confirm your settings and save.
As soon as a thing violates a security profile, you should receive an alert in Slack or Microsoft Teams: