I am setting up an IoT device using this library (https://github.com/odelot/aws-mqtt-websockets) to connect to the AWS IoT service. I have it working and it works well; however, I have a question about the device's use of an AWS user's secret key.
In order to set up the library, you create an IAM user with only IoT permissions, then generate a key and secret and load that onto the IoT device. The IoT device then uses that information to connect through the library to the AWS IoT MQTT service.
I was always taught to NEVER put a secret key onto a client-facing device. So I am wondering:
- Is this secure / how so?
- Do I need to create a new IAM user for every account?
- Is this common practice?
- Would a service such as Cognito be better?
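To make concrete what the key loaded onto the device is actually used for, here is an added example (not code from the question or from the aws-mqtt-websockets library) that builds the SigV4 presigned `wss://.../mqtt` URL the way the AWS IoT MQTT-over-WebSocket scheme does, using only the Python standard library. The secret key feeds an HMAC derivation chain and only the resulting signature, the public access key id and the timestamp travel on the wire. The optional `session_token` parameter shows where the `X-Amz-Security-Token` of temporary credentials (a Cognito identity pool or STS) is appended, which is the difference between the long-lived IAM user key described above and a short-lived credential. The host name, region and credentials in the block are constructed placeholders, and the fixed timestamp exists only to make the output deterministic.

```python
"""SigV4 query-string signing for an AWS IoT MQTT-over-WebSocket endpoint.

Added example, not code from the question or the aws-mqtt-websockets library.
Host, region, keys and the session token below are constructed placeholders.
"""
import datetime
import hashlib
import hmac
import urllib.parse

SERVICE = "iotdevicegateway"      # SigV4 service name for the AWS IoT data plane
ALGORITHM = "AWS4-HMAC-SHA256"

# Constructed placeholder values for the demo; none of these are real.
HOST = "example-ats.iot.us-east-1.amazonaws.com"
REGION = "us-east-1"
ACCESS_KEY = "AKIAEXAMPLEEXAMPLE"
SECRET_KEY = "constructed-secret-key-never-sent-on-the-wire"
SESSION_TOKEN = "constructed-temporary-session-token"
FIXED_TIME = datetime.datetime(2024, 1, 2, 3, 4, 5, tzinfo=datetime.timezone.utc)


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_key: str, date_stamp: str, region: str) -> bytes:
    """Derive the per-day, per-region, per-service signing key.

    The raw secret is used exactly once, as the first HMAC key; every later
    step works with derived material, and the derived key itself is never sent.
    """
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, SERVICE)
    return _hmac_sha256(k_service, "aws4_request")


def presigned_mqtt_url(host, region, access_key, secret_key,
                       session_token=None, now=None):
    """Return the wss:// URL for /mqtt with SigV4 query-string authentication.

    session_token is the X-Amz-Security-Token that temporary credentials
    (Cognito / STS) carry; long-lived IAM user keys have none.
    `now` is injectable so the output is deterministic for testing.
    """
    t = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date = t.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = t.strftime("%Y%m%d")
    credential_scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"

    # Query parameters appear in sorted order in the canonical request.
    query = (
        f"X-Amz-Algorithm={ALGORITHM}"
        f"&X-Amz-Credential={urllib.parse.quote(access_key + '/' + credential_scope, safe='')}"
        f"&X-Amz-Date={amz_date}"
        "&X-Amz-SignedHeaders=host"
    )
    canonical_request = "\n".join([
        "GET",
        "/mqtt",
        query,
        f"host:{host}\n",                  # canonical headers block, then a blank line
        "host",                            # signed header list
        hashlib.sha256(b"").hexdigest(),   # empty payload for a GET
    ])
    string_to_sign = "\n".join([
        ALGORITHM,
        amz_date,
        credential_scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signing_key = derive_signing_key(secret_key, date_stamp, region)
    signature = hmac.new(signing_key, string_to_sign.encode("utf-8"),
                         hashlib.sha256).hexdigest()
    query += f"&X-Amz-Signature={signature}"
    # Temporary credentials: the token is appended after signing, unsigned.
    if session_token:
        query += f"&X-Amz-Security-Token={urllib.parse.quote(session_token, safe='')}"
    return f"wss://{host}/mqtt?{query}"


def signature_of(url: str) -> str:
    """Pull the hex signature out of a presigned URL (string ops only)."""
    return url.split("X-Amz-Signature=")[1].split("&")[0]


def build_demo_urls():
    """Long-lived IAM user key versus temporary credentials, same instant."""
    static = presigned_mqtt_url(HOST, REGION, ACCESS_KEY, SECRET_KEY, now=FIXED_TIME)
    temporary = presigned_mqtt_url(HOST, REGION, ACCESS_KEY, SECRET_KEY,
                                   session_token=SESSION_TOKEN, now=FIXED_TIME)
    return static, temporary


if __name__ == "__main__":
    for url in build_demo_urls():
        print(url)
```

The URL is what the device hands to the WebSocket client; note that `SECRET_KEY` never appears in it, and that the signature is bound to the date, region and service, so it cannot be replayed against a different endpoint. Whoever extracts the secret from the device can produce the same URLs, which is why the IAM policy attached to that user, rather than the signing scheme, bounds what a compromised device can do.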