How does the AWS IoT security system utilize the keyPath, certPath, caPath to establish a secure connection?


To send telemetry from a thing (say Sensor1) to AWS IoT Core endpoint, we need:

  1. AWS IoT Certificate Authority Public Certificate
  2. Certificate with appropriate policy and Sensor1 attached
  3. Private key of certificate from point 2

    const awsIoT = require('aws-iot-device-sdk'); // added: the SDK module that provides awsIoT.device()
    const endpointFile = require('./endpoint.json'); // added, assumed: JSON file holding { "endpointAddress": "<your endpoint>" }
    const deviceName = 'Sensor1'

    // Create the device (MQTT client) object; keyPath/certPath identify Sensor1, caPath is used to check the server
    const device = awsIoT.device({
       keyPath: 'private.pem.key',
       certPath: 'certificate.pem.crt',
       caPath: '/home/ec2-user/environment/root-CA.crt',
       clientId: deviceName,
       host: endpointFile.endpointAddress
    });

I want to get a general understanding of how the security system utilizes the keyPath, certPath, caPath to establish a secure connection.

1 answer

Answer by Ben T (accepted):

The certificates and private key are used to resolve three questions:

  1. As a client, am I talking to the real AWS IoT server and not an imposter?
  2. As the AWS IoT server, am I talking to a registered client and not an imposter?
  3. Can the client and server communicate securely without someone listening in?

The certificates and private key are used to implement mutual TLS to resolve these questions. This allows the client to authenticate the AWS IoT server (question 1) as well as the server to authenticate the client (question 2). The certificates also enable a secure TLS communication channel between the client and server (problem 3).

For the client authenticating the AWS IoT server (from https://docs.aws.amazon.com/iot/latest/developerguide/server-authentication.html):

When your device or other client attempts to connect to AWS IoT Core, the AWS IoT Core server will send an X.509 certificate that your device uses to authenticate the server. Authentication takes place at the TLS layer through validation of the X.509 certificate chain. This is the same method used by your browser when you visit an HTTPS URL.

The client uses the certificate referenced by the caPath to validate the certificate that it receives from the server that it connects to.

For the AWS IoT server to authenticate the client (from https://docs.aws.amazon.com/iot/latest/developerguide/x509-client-certs.html#x509-client-cert-basics):

AWS IoT authenticates client certificates using the TLS protocol's client authentication mode.

In TLS client authentication, AWS IoT requests an X.509 client certificate and validates the certificate's status and AWS account against a registry of certificates. It then challenges the client for proof of ownership of the private key that corresponds to the public key contained in the certificate.

The server authenticates the client by receiving the registered certificate referenced by certPath and by the client using the private key referenced by keyPath to sign a message that proves that the client holds the private key.
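The checks described in this answer, run end to end as an added Go example (not code from the question, the answer or the AWS IoT SDK). It mints a throwaway PKI in memory under assumed names: a root CA standing in for the certificate behind caPath, a separate device CA standing in for AWS IoT's registry of device certificates, and the endpoint name iot.example; it then performs a real mutual-TLS handshake between an in-process server and client, and goes beyond the question's single success path by also showing a Sensor1 certificate from an unknown CA being turned away. Go is used because its standard library can both issue the certificates and run both ends of the handshake offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// mkCert issues a one-hour Ed25519 certificate for name, signed by parent; a zero parent yields a self-signed CA.
func mkCert(name string, parent tls.Certificate) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: parent.Leaf == nil, BasicConstraintsValid: true}
	if parent.Leaf == nil {
		parent = tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, pub, parent.PrivateKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// Handshake runs one mutual-TLS handshake over an in-memory pipe and reports whether BOTH ends accepted it.
func Handshake(rootCA, devCA, srv, dev tls.Certificate) bool {
	rootPool, devPool := x509.NewCertPool(), x509.NewCertPool()
	rootPool.AddCert(rootCA.Leaf) // the CA behind caPath: what the device trusts to vouch for the server (question 1)
	devPool.AddCert(devCA.Leaf)   // stands in for AWS IoT's registry of device certificates (question 2)
	srvConf := &tls.Config{Certificates: []tls.Certificate{srv}, ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs: devPool, SessionTicketsDisabled: true} // no tickets: no mid-handshake server write on the unbuffered pipe
	cliConf := &tls.Config{RootCAs: rootPool, ServerName: "iot.example", Certificates: []tls.Certificate{dev}} // certPath + keyPath
	c, s := net.Pipe()
	s.SetDeadline(time.Now().Add(3 * time.Second)) // a stalled pipe becomes a timeout instead of a hang
	errc := make(chan error, 1)
	go func() { errc <- tls.Server(s, srvConf).Handshake(); s.Close() }()
	cErr := tls.Client(c, cliConf).Handshake() // TLS 1.3: this returns before the server has judged the client cert
	c.Close()
	return cErr == nil && <-errc == nil
}

// Demo builds a throwaway PKI: does a registered Sensor1 connect, and is an impostor Sensor1 from an unknown CA turned away?
func Demo() (registered, impostor bool) {
	rootCA, devCA, rogueCA := mkCert("root-ca.example", tls.Certificate{}), mkCert("device-ca.example", tls.Certificate{}), mkCert("rogue-ca.example", tls.Certificate{})
	server, sensor, rogue := mkCert("iot.example", rootCA), mkCert("Sensor1", devCA), mkCert("Sensor1", rogueCA)
	return Handshake(rootCA, devCA, server, sensor), Handshake(rootCA, devCA, server, rogue)
}
```

Swapping the CA handed to the device (the caPath role) for one that did not issue the server's chain makes the client side fail instead, which is question 1 in action.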