AWS Certified Security – Specialty — Question 386
A company allows users to download its mobile app onto their phones. The app is MQTT based and connects to AWS IoT Core to subscribe to specific client-related topics.
Recently, the company discovered that some malicious attackers have been trying to get a Trojan horse onto legitimate mobile phones. The Trojan horse poses as the authentic application and uses a client ID with injected special characters to gain access to topics outside the client’s privilege scope.
Which combination of actions should the company take to prevent this threat? (Choose two.)
Answer options
- A. In the application, use an IoT thing name as the client ID to connect the device to AWS IoT Core.
- B. In the application, add a client ID check. Disconnect from the server if any special character is detected.
- C. Apply an AWS IoT Core policy that allows “AWSIoTWirelessDataAccess” with the principal set to “client/${iot:Connection.Thing.ThingName}”.
- D. Apply an AWS IoT Core policy to the device to allow “iot:Connect” with the resource set to “client/${iot:ClientId}”.
- E. Apply an AWS IoT Core policy to the device to allow “iot:Connect” with the resource set to “client/${iot:Connection.Thing.ThingName}”.
Correct answer: A, E
Explanation
To stop attackers from connecting with arbitrary, specially crafted client IDs, the company must enforce that the MQTT client ID equals the registered AWS IoT thing name. Option A makes the app present the thing name as its client ID, and Option E enforces that binding on the server side: the ${iot:Connection.Thing.ThingName} policy variable resolves only when the connecting client ID matches a thing name registered in the AWS IoT registry, so a connection under any other client ID is not authorized. Client-side validation (Option B) is ineffective because the attacker controls the code of the counterfeit application, and scoping the resource with ${iot:ClientId} (Option D) simply echoes back whatever client ID the attacker supplies, so any client ID is still allowed to connect.
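As an added illustration (not part of the question or of any AWS sample), the following IoT Core policy implements Option E and extends the same thing-name binding to the subscribe and receive permissions, so that the topic scope is tied to the registered thing as well; REGION and ACCOUNT_ID are placeholders. The weak variant from Option D differs only in the Connect resource, which would read client/${iot:ClientId} and therefore match any client ID the counterfeit app chooses.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ConnectOnlyAsRegisteredThing",
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:REGION:ACCOUNT_ID:client/${iot:Connection.Thing.ThingName}"
    },
    {
      "Sid": "SubscribeOnlyToOwnClientTopics",
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:REGION:ACCOUNT_ID:topicfilter/clients/${iot:Connection.Thing.ThingName}/*"
    },
    {
      "Sid": "ReceiveOnlyOnOwnClientTopics",
      "Effect": "Allow",
      "Action": "iot:Receive",
      "Resource": "arn:aws:iot:REGION:ACCOUNT_ID:topic/clients/${iot:Connection.Thing.ThingName}/*"
    }
  ]
}
```

Because every resource ARN is derived from the thing name rather than from the client-supplied ID, a client ID containing injected characters that does not match a registered thing never resolves the variable and is denied at Connect, before any subscription is evaluated.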