Why is it recommended to make separate device certificates for connecting to the AWS IoT Core MQTT endpoint?
AWS recommends here that each device should have its own separate device certificate to connect to the MQTT endpoint on AWS IoT Core. One can then control the status of certificates to control the device’s connectivity to the endpoint. Furthermore, policies can be applied to what topics a device may subscribe/publish to after it is connected to the MQTT endpoint.
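As an added illustration of the two controls the question names (per-certificate status and per-device topic policies), not code from the question or from AWS, the following Python builds one IoT Core policy document that uses the `${iot:Connection.Thing.ThingName}` policy variable so that a single attached policy scopes each device to its own client ID and topics, and shows the CLI call that deactivates one device's certificate. The region, account id and thing names are constructed placeholders, and `is_allowed` is a deliberately simplified model of the evaluation (default deny, explicit Deny wins, `*` wildcard), not AWS's engine; the variable only resolves when the certificate is attached to a thing and the device connects with its thing name as the MQTT client ID.

```python
"""Per-device least-privilege AWS IoT Core policy (added example, not from the post)."""
import fnmatch
import json

# Constructed placeholders: replace with your own region and account id.
REGION = "us-east-1"
ACCOUNT_ID = "123456789012"

# Policy variable that AWS IoT Core resolves from the thing attached to the
# connecting certificate; the MQTT client ID must equal the thing name.
THING = "${iot:Connection.Thing.ThingName}"


def arn(resource: str) -> str:
    """Build an IoT resource ARN for the placeholder region/account."""
    return f"arn:aws:iot:{REGION}:{ACCOUNT_ID}:{resource}"


def build_device_policy() -> dict:
    """One shared policy document whose effective scope is per device.

    Because the thing name comes from the device's own certificate binding,
    device-01 cannot publish or subscribe on device-02's topics even though
    both have the same policy attached.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "iot:Connect",
             "Resource": arn(f"client/{THING}")},
            {"Effect": "Allow", "Action": "iot:Publish",
             "Resource": arn(f"topic/devices/{THING}/telemetry")},
            {"Effect": "Allow", "Action": "iot:Subscribe",
             "Resource": arn(f"topicfilter/devices/{THING}/commands")},
            {"Effect": "Allow", "Action": "iot:Receive",
             "Resource": arn(f"topic/devices/{THING}/commands")},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, thing_name: str, action: str, resource: str) -> bool:
    """Simplified policy evaluation (a model, not the AWS engine).

    Substitutes the thing name for the policy variable, then applies
    default-deny, explicit-Deny-wins, and '*' as a wildcard in resources
    and actions.
    """
    allowed = False
    for stmt in policy["Statement"]:
        actions = _as_list(stmt["Action"])
        resources = [r.replace(THING, thing_name) for r in _as_list(stmt["Resource"])]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def revoke_device_command(certificate_id: str) -> list:
    """AWS CLI argv that cuts one device off without touching any other.

    Setting the certificate INACTIVE makes IoT Core refuse new connections
    from that certificate; a shared certificate would take every device down.
    """
    return ["aws", "iot", "update-certificate",
            "--certificate-id", certificate_id, "--new-status", "INACTIVE"]


if __name__ == "__main__":
    print(json.dumps(build_device_policy(), indent=2))
    print(" ".join(revoke_device_command("<certificate-id-placeholder>")))
```

Run the file to print the policy document, then attach it to each device's certificate; the evaluator shows that the same document grants `device-01` its own telemetry topic and denies it `device-02`'s.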