Tags: amazon-web-services, mqtt, x509certificate, aws-policies, aws-iot-core

Why is it recommended to make separate device certificates for connecting to AWS IoT Core MQTT endpoint?


AWS recommends here that each device should have its own separate device certificate to connect to the MQTT endpoint on AWS IoT Core. One can then control the status of certificates to control the device's connectivity to the endpoint. Furthermore, policies can be applied to what topics a device may subscribe/publish to after it is connected to the MQTT endpoint.

My question is:

Given the assumption that whatever I send to the AWS MQTT endpoint is already encrypted before it is sent, would it still be bad practice if instead of one separate certificate per device, I use only one certificate for all of my devices and then rely on manipulating AWS' pub/sub policies to restrict a device's freedom after connecting to the MQTT endpoint?

Is there an angle that I am missing here that makes using a single certificate for all devices a bad idea?


Solution

  • Device certificates are not used to encrypt data; they identify the device.

    If every device has its own certificate, you can revoke the certificate and disconnect that device if it is compromised, but if you reuse the certificate you have to replace the certificate in EVERY device.
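As an added illustration (not part of the original question or answer) of why pub/sub policies alone do not replace per-device certificates: an AWS IoT Core policy that scopes each device to its own topics through the `${iot:Connection.Thing.ThingName}` policy variable. That variable is resolved from the registry thing attached to the certificate the device authenticated with, so the scoping is only as strong as the certificate's binding to one device; the account ID, region and topic names are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": "arn:aws:iot:us-east-1:123456789012:topic/devices/${iot:Connection.Thing.ThingName}/telemetry"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:us-east-1:123456789012:topicfilter/devices/${iot:Connection.Thing.ThingName}/commands"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Receive",
      "Resource": "arn:aws:iot:us-east-1:123456789012:topic/devices/${iot:Connection.Thing.ThingName}/commands"
    }
  ]
}
```

With one certificate shared by every device there is no unique certificate-to-thing binding for the variable to resolve from, so per-device topic scoping cannot be enforced at the credential level, and revoking the shared certificate disconnects the whole fleet rather than the one compromised device.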