Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Upcoming SlideShare
Building an AI-based service with Rekognition, Polly and Lex
Next
Download to read offline and view in fullscreen.

3

Share

Download to read offline

Building Powerful IoT Apps with AWS IoT and Websockets

Download to read offline

Presentation given during Start Up Day Hong Kong on September 15, 2017 within the Architecture track

Related Audiobooks

Free with a 30 day trial from Scribd

See all

Building Powerful IoT Apps with AWS IoT and Websockets

  1. 1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Dickson Yue, AWS Solutions Architect 9/15/2017 Building Powerful IoT apps with AWS IoT and Websockets AWS Startup Day – Hong Kong
  2. 2. Outline • MQTT recap • WebSockets: what and why? • Authentication and Authorization • Demo + Code
  3. 3. AWS IoT
  4. 4. Publish / Subscribe Standard Protocol Support MQTT, HTTP, WebSockets Long Lived Connections Receive signals from the cloud Secure by Default Connect securely via X509 Certs and TLS 1.2 Client Mutual Auth
  5. 5. MQTT PubSub Topic Subscriptions PUBLISH weather-station/echo-base/temperature SUBSCRIBE weather-station/echo-base/temperature weather-station/echo-base/# weather-station/+/temperature
  6. 6. Comparing protocols MQTT • Lightweight • Bidirectional HTTP • Broad support (browsers) • Request-reply Client Server Client Server
  7. 7. AWS IoT protocol comparison Capability MQTT HTTP Publish Yes Yes Subscribe Yes No
  8. 8. WebSockets to the rescue GET wss://…/mqtt?X-Amz-Signature=… Connection: Upgrade Sec-WebSocket-Protocol: mqtt … Upgrade? OK HTTP/1.1 101 Switching Protocols Connection: Upgrade HTTP
  9. 9. WebSockets to the rescue HTTP MQTT SUBSCRIBE PUBLISH …
  10. 10. AWS IoT protocol comparison *Using WebSockets to upgrade HTTP connections to MQTT connections Capability MQTT HTTP Publish Yes Yes Subscribe Yes Yes*
  11. 11. Outline • MQTT recap • WebSockets: what and why? • Authentication and Authorization • Demo + Code
  12. 12. Securing AWS Resource Access
  13. 13. Authentication vs authorization Authentication: Prove your identity Authorization: Restrict access
  14. 14. Authentication for devices Device credentials • Private key (authenticate the device) • Certificate (register the device with IoT) • Root CA cert (authenticate IoT)
  15. 15. Authentication for devices Administrator CreateCertificate Generate CSR Generate Private Key Certificate
  16. 16. Connect through MQTT libary import paho.mqtt.client as mqtt def init(): global client try: client = mqtt.Client() client.on_connect = on_connect client.on_message = on_message client.clientid = clientid client.tls_set( "../../certs/root.pem", certfile="../../certs/grove-cert.pem", keyfile="../../certs/grove-privateKey.pem", tls_version=ssl.PROTOCOL_TLSv1_2, ciphers=None ) client.connect("data.iot.us-east-1.amazonaws.com", 8883, 10) client.loop_forever() except: print "Mqtt Unexpected error:", sys.exc_info()[0]
  17. 17. HTTP curl --tlsv1.2 --cacert root.pem --cert pi01-cert.pem --key pi01-privateKey.pem -X POST -d "{ "serialNumber": "G030JF053216F1BS", "clickType": "SINGLE", "batteryVoltage": "2000mV" }" "https://a1omffl4uase1e.iot.us-east- 1.amazonaws.com:8443/topics/iotbutton/virtualButton?qos=1"
  18. 18. AWS IoT protocol comparison Capability MQTT HTTP Publish Yes Yes Subscribe Yes No Certificate Auth Yes Yes Sig V4 Auth No Yes
  19. 19. AWS IoT protocol comparison Capability MQTT HTTP Publish Yes Yes Subscribe Yes No Certificate Auth Yes Yes Sig V4 Auth No Yes
  20. 20. AWS IoT protocol comparison Capability MQTT HTTP Publish Yes Yes Subscribe Yes Yes* Certificate Auth Yes Yes Sig V4 Auth Yes* Yes *Using WebSockets to upgrade HTTP connections to MQTT connections
  21. 21. Authenticated • End-users sign in • Customize user-specific policy in AWS IoT • Users cannot access AWS IoT until IoT policy is attached Cognito Identities in AWS IoT Unauthenticated • No sign-in (anonymous) • Use IAM role policy and policy variables to restrict access • No user-specific policy in AWS IoT
  22. 22. Unauthenticated end-users
  23. 23. Unauthenticated access for end-users Amazon Cognito Get Credentials AssumeRole
  24. 24. Connect through JavaScript var region = c.AWS.region; //'ap-northeast-1' var iotEndpoint = c.AWS.iotEndpoint; var identityPoolId = c.AWS.identityPoolId; AWS.config.region = region; AWS.config.credentials = new AWS.CognitoIdentityCredentials({ IdentityPoolId: identityPoolId }); AWS.config.credentials.get(function(){ var signedUrl = getSignedUrl(); initClient(signedUrl); }); var requestUrl = 'wss://' + host + canonicalUri + '?' + canonicalQuerystring; //Unauthenticated
  25. 25. Unauthenticated access for end-users Amazon Cognito Get Credentials AssumeRole AWS STS AWS IAM permissions role temporary security credentials
  26. 26. Unauthenticated access for end-users Amazon Cognito AWS STS AWS IAM permissions role WebSocket Connect temporary security credentials Allowed? Yes!
  27. 27. User-specific policies { "Effect": "Allow", "Action": ["iot:Publish", "iot:Subscribe"] "Resource": [ "arn:*:topic/home/123_aws_ave", "arn:*:topicfilter/home/123_aws_ave" ] } { "Effect": "Allow", "Action": ["iot:Publish", "iot:Subscribe"] "Resource": [ "arn:*:topic/home/456_iot_ln", "arn:*:topicfilter/home/456_iot_ln" ] } Policy for Alice, Bob: Policy for Chuck:
  28. 28. Fine-grained access control SUB home/456_iot_ln SUB home/123_aws_ave/# PUB home/123_aws_ave/light_1/on SUB home/123_aws_ave/# PUB home/123_aws_ave/door_1/open Alice Bob Chuck
  29. 29. Fine-grained access control PUB home/123_aws_ave/door_1/open SUB home/123_aws_ave/# PUB home/123_aws_ave/light_1/on SUB home/123_aws_ave/# PUB home/123_aws_ave/door_1/open Alice Bob Chuck
  30. 30. Policy variables for Cognito users AWS IAM PUBLISH foo/us-east-1:abcdef-my-cognito-id temporary security credentials { "Effect": "Allow", "Action": "iot:Publish", "Resource": [ "arn:*:topic/foo/${cognito-identity.amazonaws.com:sub}" ] }
  31. 31. Policy variables for Cognito users { "Effect": "Allow", "Action": "iot:Publish", "Resource": [ "arn:*:topic/foo/${cognito-identity.amazonaws.com:sub}" ] } AWS.config.region = 'us-east-1'; AWS.config.credentials = new AWS.CognitoIdentityCredentials({ IdentityPoolId: 'us-east-1:YOUR_IDENTITY_POOL_ID' }); AWS.config.credentials.get(function(err)) { if (err) { return; } var cognitoId = AWS.config.credentials.identityId; mqttClient.connect(...); mqttClient.publish('foo/' + cognitoId); }); permissions role
  32. 32. Outline • MQTT recap • WebSockets: what and why? • Authentication and Authorization • Demo + Code
  33. 33. http://bit.ly/awsiotws
  34. 34. Authentication for end-users
  35. 35. Configuring Cognito with AWS IoT UnauthenticatedAuthenticated
  36. 36. Authenticated access for end-users Amazon Cognito Get Credentials temporary security credentials AWS STSAWS IAM permissions role temporary security credentials
  37. 37. Connect through JavaScript var region = c.AWS.region; //'ap-northeast-1' var iotEndpoint = c.AWS.iotEndpoint; var identityPoolId = c.AWS.identityPoolId; AWS.config.region = region; AWS.config.credentials = new AWS.CognitoIdentityCredentials( { IdentityPoolId: c.AWS.identityPoolId, Logins: {'graph.facebook.com': fbresponse.authResponse.accessToken } }); AWS.config.credentials.get(function(){ var signedUrl = getSignedUrl(); initClient(signedUrl); }); var requestUrl = 'wss://' + host + canonicalUri + '?' + canonicalQuerystring; //Authenticated //After fb.login
  38. 38. Connect through JavaScript function initClient(requestUrl) { var clientId = String(Math.random()).replace('.', ''); var client = new Paho.MQTT.Client(requestUrl, clientId); mqttClient = client; var connectOptions = { onSuccess: function() { client.subscribe(topiclightbulb); client.subscribe(topicgrove); }, useSSL: true, timeout: 3, mqttVersion: 4, onFailure: function() { console.error('connect failed'); } }; client.connect(connectOptions); client.onConnectionLost = onConnectionLost; client.onMessageArrived = onMessageArrived; } //Subscribe topics //Subscribe topics
  39. 39. Authenticated access for end-users Amazon Cognito AWS STS AWS IAM permissions role WebSocket Connect temporary security credentials Allowed? Yes! IoT topic IoT shadow IoT policy
  40. 40. Authenticated access for end-users Amazon Cognito AWS STS AWS IAM permissions role WebSocket Connect temporary security credentials Allowed? Yes! IoT topic IoT shadow IoT policy Create, Attach Policy for Alice, Bob, and Chuck
  41. 41. Authenticated • End-users sign in • Customize user-specific policy in AWS IoT • Users cannot access AWS IoT until IoT policy is attached Cognito Identities in AWS IoT Unauthenticated • No sign-in (anonymous) • Use IAM role policy and policy variables to restrict access • No user-specific policy in AWS IoT
  42. 42. Chicken and egg: when to attach the policy? • Users cannot connect until they have a policy in IoT • Policy cannot be attached without knowing the user’s CognitoId Solution: attach a policy when the user first connects!
  43. 43. On-demand registration Amazon Cognito AWS Lambda CONNECT Access denied New User (already signed in) Get Credentials temporary security credentials (no policy for user)
  44. 44. On-demand registration (continued) Amazon Cognito AWS Lambda Register()Create, Attach Policy New User IoT policy CONNECT OK! context.identity.cognitoIdentityId
  45. 45. Lambda Code – Attach Principal Policy 'use strict'; var AWS = require('aws-sdk'); AWS.config.region = 'us-east-1'; var iot = new AWS.Iot(); exports.handler = (event, context, callback) => { var cognitoid = ‘'; if (typeof context.identity !== 'undefined') { cognitoid = context.identity.cognitoIdentityId; var params = { policyName: 'cognito-user-access', /* required */ principal: cognitoid /* required */ }; iot.attachPrincipalPolicy(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response }); } };
  46. 46. What permissions to attach? • Start with minimal permissions • Dynamically generate or attach your policy base on user
  47. 47. Wrapping up • WebSockets makes IoT interactive • Authentication for humans is different than devices • Use Lambda to drive user registration, pairing • Getting started with the AWS IoT Device SDK is easy • AWS IoT WebSockets, Rules Engine, Shadow and Lambda makes server-less applications easy
  48. 48. Thank you! Dickson Yue
  • YonghoKim28

    Oct. 3, 2018
  • AniuZeng

    Nov. 24, 2017
  • liaoyong412

    Sep. 28, 2017

Presentation given during Start Up Day Hong Kong on September 15, 2017 within the Architecture track

Views

Total views

4,572

On Slideshare

0

From embeds

0

Number of embeds

4

Actions

Downloads

79

Shares

0

Comments

0

Likes

3

×