IoT policy denies device connection after certificate rotation, causing edge device offline status

nancy713 · June 30, 2025, 4:07pm

We implemented quarterly certificate rotation for our IoT device fleet as part of security hardening. After rotating certificates for 200 edge devices, they all started receiving policy denial errors when attempting to connect to AWS IoT Core.

Error from device logs:


Connection denied: Not authorized
Policy evaluation failed for certificate
Certificate ARN: arn:aws:iot:us-east-1:123456:cert/new-cert-id

The certificate rotation process completed successfully according to AWS IoT Console - new certificates show as ACTIVE and old ones are INACTIVE. However, IoT policy attachment seems to still reference the old certificate ARNs. Device ARN mapping might not have updated properly during rotation. Has anyone encountered policy attachment issues post-rotation? We need devices back online quickly.

charles_api · July 18, 2025, 9:26am

Nina makes a great point about multiple attachments. Also check your IoT policy itself - if it has explicit certificate ARN references in Condition blocks, those will break after rotation. Policies should use thing-based conditions like ${iot:Connection.Thing.ThingName} instead of hardcoded certificate ARNs for rotation-friendly policies.

james_api · July 5, 2025, 3:22pm

We assumed the policy would automatically attach to new certificates since they’re associated with the same Thing names. So we need to manually attach policies to all 200 new certificates? Is there a batch operation for this or do we script it?

daniel_397 · July 14, 2025, 4:05am

You’ll need to script it using AWS CLI or SDK. The policy attachment is to the certificate principal, not the Thing. When you rotate certificates, the new certificate gets a new ARN, so the policy attachment breaks. I’ve built automation for this using Python and boto3. Loop through your Things, get the new certificate ARN for each, then attach the policy. Takes about 10 minutes to process 200 devices with proper error handling and rate limiting.

joshua_ace · August 4, 2025, 6:18am

Here’s the comprehensive solution addressing all three focus areas:

Certificate Rotation Process: Proper certificate rotation requires these sequential steps:

Create new certificate and keep old one ACTIVE initially
Attach new certificate to Thing while old cert remains attached
Attach IoT policy to new certificate
Update device with new certificate credentials
Verify device connects successfully with new cert
Only then detach old certificate and mark INACTIVE

The script for step 3 (policy attachment):

for cert_arn in $(cat new_cert_arns.txt); do
  aws iot attach-policy \
    --policy-name DevicePolicy \
    --target $cert_arn
done

IoT Policy Attachment: Your policy must use dynamic references, not static certificate ARNs. Update your policy to use Thing-based conditions:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "iot:Connect",
    "Resource": "arn:aws:iot:region:account:client/${iot:Connection.Thing.ThingName}"
  }]
}

To fix your current situation, attach the policy to all new certificates:

aws iot list-thing-principals --thing-name device-001
# Identify new certificate ARN
aws iot attach-policy --policy-name YourPolicyName \
  --target arn:aws:iot:region:account:cert/new-cert-id

Device ARN Mapping: Verify and fix Thing-to-certificate mappings. List all principals for a Thing:

aws iot list-thing-principals --thing-name device-001

If old certificate is still attached, detach it:

aws iot detach-thing-principal \
  --thing-name device-001 \
  --principal arn:aws:iot:region:account:cert/old-cert-id

Immediate Recovery Steps:

List all Things and their current certificate attachments
For each Thing, identify the new certificate ARN
Attach your IoT policy to each new certificate ARN
Verify policy attachment: `aws iot list-attached-policies --target cert-arn
Test device connection with new certificate
Once confirmed working, detach and deactivate old certificates

Automation for Future Rotations: Create a rotation script that handles all steps atomically:

Generates new certificate
Attaches to Thing (keeping old cert attached)
Copies all policy attachments from old to new cert
Updates device configuration
Validates connection
Only then removes old cert

This prevents the connection outage you’re experiencing. The key insight is that policy attachments are certificate-specific, not Thing-specific, so rotation must explicitly transfer them.

gauravadmin · August 1, 2025, 2:38am

I’ve seen this exact scenario multiple times. The issue is that certificate rotation in AWS IoT is not a single atomic operation - it’s a multi-step process that requires careful orchestration.

isabella344 · July 18, 2025, 1:29am

There’s also the device ARN mapping issue to consider. When you rotate certificates, the Thing-to-certificate attachment might not update if you didn’t explicitly detach the old certificate first. Check if your Things still have both old and new certificates attached. AWS IoT allows multiple certificates per Thing, but policy evaluation uses the certificate presented during connection. If the device is trying to use the new cert but the Thing attachment still prioritizes the old one, you’ll get policy denials. Verify the attachment status for both old and new certificates on a sample device.

daniel_397 · June 30, 2025, 6:06pm

Certificate rotation doesn’t automatically transfer policy attachments in AWS IoT. You need to explicitly attach the IoT policy to each new certificate. The old certificate’s policy attachment remains with the old cert even after it’s marked INACTIVE. Did you run attach-policy commands for all new certificates after rotation?

Topic		Views
Device certificate rotation fails due to security policy, blocks device reconnection Google Cloud IoT question , x509 , iam-policy , gcloud-cli , security-pol , device-mgmt , gcpiot-24 , cert-rotation-fail , device-offline	4	May 11, 2025
Device certificate rotation fails for IoT devices registered in IBM Cloud IoT Platform with TLS mutual auth IBM Cloud question , iot-services , security , rest-api , iot-platform , ic-2020 , tls , certificate-rotation , device-management	6	August 4, 2025
Security policy blocks MQTT device connections after certificate rotation IBM Watson IoT question , security , connectivity , certificate-rotation , x509-certificate , mqtt , tls-handshake , security-pol , wiot-24	6	September 23, 2025
Edge device goes offline after certificate rotation in gateway management, blocking data flow SAP IoT question , security , edge-compute , certificates , tls , x509 , gateway-mgmt , sapiot-24 , cert-rotation	5	August 9, 2025
Automated IoT policy rotation reduces security risk across manufacturing fleet AWS IoT use-case , compliance-audit , lambda , security-policy , cloudwatch , awsiot-24 , iot-core , iiot-support , policy-rotation	5	February 16, 2025
Edge device certificate rotation vs. token renewal for security workflows Oracle IoT Cloud discussion , automation , compliance , asset-mgmt , security-policy , certificates , device-management , edge-security , oiot-22	7	August 16, 2025
Automated certificate rotation alerts for edge devices using Greengrass v2 Lambda components AWS IoT use-case , automation , iam , lambda , security-policy , reduced-downtime , gg-v2 , certificate-mgmt , greengrass-v2	6	September 30, 2025
Device connection blocked by security policy after X.509 certificate renewal for edge gateway Oracle IoT Cloud question , admin-console , x509 , security-pol , device-mgmt , device-offline , oiot-23 , cert-block , trust-anchor	6	June 23, 2025
Security policy encryption key rotation fails silently leaving devices unable to authenticate Oracle IoT Cloud question , compliance-audit , security , encryption , key-rotation , data-ingestion , security-pol , device-authentication , oiot-22	4	December 30, 2024

IoT policy denies device connection after certificate rotation, causing edge device offline status

Related topics