by Gavin Adams, Sr. IoT Specialist SA AWS
Join us for AWS IoT day at the AWS San Francisco Loft. AWS IoT enables you to easily connect and manage millions of devices securely. You can gather data from, run sophisticated analytics on, and take actions in real-time on your diverse fleet of IoT devices from edge to the cloud. You will build IoT applications with AWS IoT experts. AWS IoT provides edge-based software and cloud-based services so you can easily build IoT applications. Edge-based software, including AWS Greengrass, enables you to securely connect devices, gather data and take intelligent actions locally even when Internet connectivity is down. Cloud-based services, including AWS IoT Core, allow you to quickly onboard large and diverse fleets, maintain fleet health, and keep fleets secure.
2. Housekeeping
• Administrative access to:
– your laptop?
– AWS account (needed for both sessions)
– Credits will cover all exercises, as long as you clean up the resources
• Our Commitment…
3. Session Agenda – AWS IoT Core
• 10:00a - 11:00a
– AWS Loft Introduction and Logistics
– Overview and Shadows
• 11:00a – 12:30p
– Labs 1 & 2 (Getting Started and Shadows)
• 12:30p – 1:30p
– Security and Rules Engine
• 1:30p – 3:00p
– Labs 3 & 4 (Security and Rules Engine)
9. AWS IoT Core
All in one service
• Message Broker
• Rules Engine
• Certificate Authority
• Shadow
• Unbundled pricing: each of these components is charged independently
Managed service
• No installation
• Automatic scaling
• No pre-provisioning
• Redundant across Availability Zones
• Pay as you go
[Diagram: AWS IoT Core with its components: Device Shadow, Rules Engine, Certificate Authority, Message Broker]
10. Overview
• AWS IoT Core capabilities and related services, including:
– Authentication and Authorization
– Devices & Device Shadows
– Message Broker
– Rules Engine
– Other AWS Services
– Applications & API
[Diagram: devices connect through AWS IoT Core to other AWS services, applications/API and corporate apps]
12. Authentication and Authorization
Security is Job Zero
• Mandatory authentication
• Device policies
• IAM fine-grained access controls
• Auditing and logging
Authentication
• TLS 1.2 with X.509 certificates
• HTTP/SigV4
• IAM Service Roles
Authorization
• Device+Certificate+AWS IoT Policy
• Cognito User+AWS IoT Policy
• IAM Policy/Roles
13. AWS IoT Authentication
• X.509 certificates for devices
– TLS 1.2, SHA-256 RSA (or ECC), supported cipher suite
• IAM users, groups, and roles
– TLS 1.0+, SHA-256 RSA certificate validation, supported cipher suite
• Amazon Cognito identities
• Federated identities
14. AWS IoT Authorization
• AWS IoT Data Plane
– Client certificate or Cognito identity associated with an AWS IoT Policy
– SigV4 with credentials associated with an IAM policy
• API Calls
– SigV4 with credentials associated with an IAM policy
– Service roles allowing AWS IoT to access other AWS services
15. Authentication/Authorization Examples
Device with X.509 credentials (MQTT over TLS):
1. Device: establish a TLS 1.2 connection and request the server certificate
2. AWS IoT: present the server certificate (proving possession of its private key) and request a client certificate
3. Device: validate the server certificate against the root CA, present its client certificate and prove possession of its private key
4. AWS IoT: connection authenticated; the AWS IoT policy associated with the client certificate is applied
Application or user with credentials (HTTPS with SigV4; the diagram's sample login is username alice, password redQueen!):
1. Client: establish an HTTPS connection and request the server certificate
2. AWS IoT: present the server certificate and wait for the request (REST API)
3. Client: validate the server certificate and sign the request with its credentials (Cognito or IAM/STS)
4. AWS IoT: request authenticated; the IAM policy associated with the access key/secret key is applied, or the AWS IoT policy for Cognito identities
Note: MQTT and HTTP can each use either certificates or SigV4 as the authentication mechanism
17. Device Gateway
Based on MQTT 3.1.1
• Native MQTT, MQTT over WebSockets, HTTP
• QoS 0 & 1 (QoS 2 is not supported)
• One connection per clientId (a new connection with the same clientId disconnects the existing one)
Integration
• Services use native format
• Policy defines access
• Last Will & Testament
• Reserved topics ($aws/#)
• Lifecycle events
Message Format
• (Nested) JSON
• Binary
18. Topics
• Ephemeral: topics are not created or stored; a topic exists only while messages flow through it
• Publish/Subscribe
– Devices Publish to individual topics
– Devices Subscribe to one or more topics and hierarchies
– Published messages and subscribed responses are metered for billing
• Wildcards (allowed in subscriptions only, never in a published topic name)
– Single level (+)
• myhome/groundfloor/+/temperature
• Returns temperature messages for all groundfloor things
• Matches exactly one topic level
– Multi-level (#)
• myhome/groundfloor/#
• Returns all messages for all groundfloor things and subtopics
• Must be the last character of the topic filter
20. Messages and Pricing
• $1 per million messages, metered in 5,120-byte increments
• Device connectivity $0.08/million minutes; PING (keep-alive) messages at intervals of 30 seconds or more are not billed
• Rules Engine $0.15/million invocations, metered in 5K message size increments
• Device Shadow/Registry Updates $1.25/million updates, metered in 1K increments
• Messages can be binary, but the Rules Engine can only act on JSON payloads
22. Rules Engine
Tasks
• SQL-like syntax to write rules
• Augment or filter data
• Save data to other services
• Send data to Amazon Machine Learning
• Make predictions based on ML model
Services Supported
• Amazon DynamoDB
• Amazon S3
• Amazon SNS
• Amazon SQS
• Amazon Kinesis
• Amazon Elasticsearch
• AWS Lambda
• and more...
23. Rules Engine
• SQL-like query language
– SELECT * FROM 'topic/structure' WHERE temperature > 35
• Actions
– Send message to other services
– Score results against machine learning
– Republish message or modifications to other topics
31. AWS IoT Core Device Shadow Flow
1. Device publishes current state
2. Persist to JSON data store
3. App requests device’s current state
4. App requests a change to the state
5. Device shadow syncs updated state
6. Device publishes current state
7. Device shadow confirms state change
32. AWS IoT Core Device Shadow
{
"state" : {
"desired" : {
"lights": { "color": "RED" },
"engine" : "ON"
},
"reported" : {
"lights" : { "color": "GREEN" },
"engine" : "ON"
},
"delta" : {
"lights" : { "color": "RED" }
}
},
"version" : 10,
"timestamp" : 28034023492,
"clientToken": "UniqueClientToken"
}
Device
• Report its current state to one or multiple shadows
• Retrieve its desired state from the shadow
Mobile app
• Set the desired state of a device
• Get the last reported state of the device
• Delete the shadow
Shadow
• Reports delta, desired and reported states along with metadata and version
42. Device Shadow Considerations
• Max Device Shadow size is 8KB
• AWS Shadow Data Types:
– String
– Number
– Boolean
– Null
– JSON object
– Array
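The flow on slides 31/32 and the limits on slide 42 are easier to reason about with a local model you can run. The following is an added example, not code from the deck or from AWS; the merge/delta rules (nested objects merge key by key, a null value removes an attribute), the version check (an update carrying a stale version is rejected) and the 8 KB size check on the serialized document are assumptions made here to mirror the behaviour the slides describe.

```python
"""Added example (not from the deck or AWS): an offline model of the Device
Shadow document. Assumptions: nested objects merge key by key, null deletes an
attribute, a stale version is rejected, and the serialized document is capped
at 8 KB."""
import copy
import json
import time

MAX_SHADOW_BYTES = 8 * 1024          # slide 42: max Device Shadow size is 8KB


def merge(current: dict, update: dict) -> dict:
    """Apply an update section to a state section: objects merge recursively,
    null deletes the key, anything else replaces the value."""
    result = copy.deepcopy(current)
    for key, value in update.items():
        if value is None:
            result.pop(key, None)
        elif isinstance(value, dict) and isinstance(result.get(key), dict):
            result[key] = merge(result[key], value)
        else:
            result[key] = copy.deepcopy(value)
    return result


def delta(desired: dict, reported: dict) -> dict:
    """Attributes in desired that differ from reported (missing counts as different)."""
    out = {}
    for key, want in desired.items():
        have = reported.get(key)
        if isinstance(want, dict) and isinstance(have, dict):
            sub = delta(want, have)
            if sub:
                out[key] = sub
        elif want != have:
            out[key] = copy.deepcopy(want)
    return out


class ShadowConflict(Exception):
    """Raised when an update names a version that is no longer current."""


class Shadow:
    def __init__(self):
        self.desired, self.reported, self.version = {}, {}, 0

    def update(self, state: dict, version=None, client_token=None) -> dict:
        """Equivalent of publishing to $aws/things/<thing>/shadow/update.
        Passing the version you last read makes two writers safe: the second
        one to arrive sees a conflict instead of silently overwriting."""
        if version is not None and version != self.version:
            raise ShadowConflict(f"expected version {self.version}, got {version}")
        new_desired = merge(self.desired, state.get("desired") or {})
        new_reported = merge(self.reported, state.get("reported") or {})
        doc = self._document(new_desired, new_reported, self.version + 1, client_token)
        if len(json.dumps(doc).encode()) > MAX_SHADOW_BYTES:
            raise ValueError("shadow document would exceed 8 KB")
        self.desired, self.reported, self.version = new_desired, new_reported, self.version + 1
        return doc

    def get(self) -> dict:
        return self._document(self.desired, self.reported, self.version)

    def _document(self, desired, reported, version, client_token=None) -> dict:
        state = {"desired": desired, "reported": reported}
        pending = delta(desired, reported)
        if pending:                       # delta is only present while they disagree
            state["delta"] = pending
        doc = {"state": state, "version": version, "timestamp": int(time.time())}
        if client_token:
            doc["clientToken"] = client_token
        return doc


def deck_flow():
    """Steps 1-7 of slide 31 with the values of slide 32. Returns the delta the
    device had to act on and the final document (no delta left)."""
    shadow = Shadow()
    shadow.update({"reported": {"lights": {"color": "GREEN"}, "engine": "ON"}})   # 1-2: device reports
    shadow.update({"desired": {"lights": {"color": "RED"}, "engine": "ON"}}, version=1)  # 3-4: app sets desired
    pending = shadow.get()["state"].get("delta", {})                              # 5: {"lights": {"color": "RED"}}
    shadow.update({"reported": pending}, version=2)                               # 6: device applies the delta
    return pending, shadow.get()                                                  # 7: shadow now consistent


if __name__ == "__main__":
    pending, final = deck_flow()
    print(json.dumps(final, indent=2))
```

The version argument is the part worth copying into real firmware: a device that reads the shadow, acts, and reports back with the version it read cannot overwrite a newer desired state that an app wrote in between; it gets a conflict and re-reads instead.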
43. Devices & Shadows
Devices are Constrained
• Limited resources (CPU, RAM, etc.)
• Fixed hardware capabilities
• Intermittent connectivity
Markets
• Consumer
• Embedded
• Industrial/Utility
• Agriculture
Shadows
• States: Reported, Desired, Delta, Timestamp
• Available all the time
44. Typical Device Characteristics
• One or more sensors
• Telemetry and/or actuation
• Firmware with connectivity
• Communicates with a defined message format
• Can operate without a connection to IoT services
45. Device Shadows
Device
• Publishes reported state
• Listens for updates (acts on desired state)
Shadow
• Tracks reported and desired states by timestamp and versions
• Accessible via API or topics
Application
• Reads reported state
• Publishes new values (becomes desired state)
Topics: $aws/things/myDevice/shadow/...
48. Labs
• Lab guides at: http://loft.baah.io
• Virtual Things
• Node-RED (https://nodered.org)
• Created via CloudFormation
– Do not delete the stack until the end of the first workshop; it is used for other modules
49. Node-RED Environment
Created during first lab
[Diagram: Node-RED runs on an Amazon EC2 instance in a virtual private cloud and connects to AWS IoT using the root certificate, the IoT certificate and the IoT private key; you complete the lab from your laptop against that instance]
55. AWS and You Share Responsibility for Security
AWS takes care of the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
You get to define your controls IN the Cloud:
• Customer applications & content
• Network Security
• Identity & Access Control
• Inventory & Config
• Data Encryption
56. AWS Identity and Access Management (IAM)
• Enables you to control who can do what in your AWS account
• Users, groups, roles, and permissions
• Control
– Centralized
– Fine-grained - APIs, resources, and AWS Management Console
• Security
– Secure (deny) by default
– Multiple users, individual security credentials and permissions
57. IAM Policy specification basics
{
  "Statement":[{
    "Effect":"effect",
    "Principal":"principal",
    "Action":"action",
    "Resource":"arn",
    "Condition":{
      "condition":{
        "key":"value" }
    }
  }
  ]
}
JSON-formatted documents contain one or more statements (permissions) that specify:
• Which actions a principal can perform
• Which resources can be accessed
You can have multiple statements and each statement is comprised of PARC: Principal, Action, Resource, Condition.
58. Principal – Examples
• An entity that is allowed or denied access to a resource
• Indicated by an Amazon Resource Name (ARN)
• With IAM identity-based policies, the principal element is implicit (i.e., the user, group, or role the policy is attached to)
<!-- Everyone (anonymous users) -->
"Principal":"*"
<!-- Specific account or accounts -->
"Principal":{"AWS":"arn:aws:iam::123456789012:root"}
"Principal":{"AWS":"123456789012"}
<!-- Individual IAM user -->
"Principal":{"AWS":"arn:aws:iam::123456789012:user/username"}
<!-- Specific role -->
"Principal":{"AWS":"arn:aws:iam::123456789012:role/rolename"}
59. Action – Examples
• Describes the type of access that should be allowed or denied
• You can find actions in the docs or use the policy editor to get a drop-down list
• Statements must include either an Action or NotAction element
<!-- IAM action -->
"Action":"iam:ChangePassword"
<!-- Amazon S3 action -->
"Action":"s3:GetObject"
<!-- Specify multiple values for the Action element -->
"Action":["sqs:SendMessage","sqs:ReceiveMessage"]
71. Best Practice for Securing Devices
• Each device should use a unique private key and certificate
• An IoT Policy should follow least privilege for permissions
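What "least privilege" buys you is easiest to see by evaluating a policy the way the broker would. The block below is an added example, not code from the deck or from AWS: a small evaluator for the PARC grammar of slides 57-59, used to test an AWS IoT policy against the advice on this slide. It models deny by default, explicit Deny beating Allow, and `*`/`?` wildcards in Action and Resource; Condition, NotAction and NotResource are left out. The region, account and thing names are made up. `${iot:Connection.Thing.ThingName}` is the AWS IoT thing policy variable, which resolves only when the certificate is attached to the thing and the client connects with the thing name as its client ID.

```python
"""Added example (not from the deck or AWS): a minimal PARC policy evaluator
used to compare an over-permissive fleet policy with a per-thing least-privilege
one. Region, account and thing names are made up."""
import json
import re


def _glob(pattern: str, value: str) -> bool:
    """IAM-style matching: '*' any run of characters, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def substitute(policy_json: str, variables: dict) -> dict:
    """Resolve ${name} policy variables, as the broker does per connection."""
    for name, value in variables.items():
        policy_json = policy_json.replace("${" + name + "}", value)
    return json.loads(policy_json)


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Deny by default; any matching Deny statement overrides every Allow."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not any(_glob(a, action) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_glob(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def lint(policy: dict) -> list:
    """Flag Allow statements that grant every action or every resource, the usual
    'one shared policy for the whole fleet' shortcut."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt["Effect"] != "Allow":
            continue
        if any(a in ("*", "iot:*") for a in _as_list(stmt.get("Action", []))):
            findings.append(f"statement {i}: wildcard Action")
        if any(r == "*" or r.endswith("topicfilter/#") for r in _as_list(stmt.get("Resource", []))):
            findings.append(f"statement {i}: wildcard Resource")
    return findings


ARN = "arn:aws:iot:us-west-2:123456789012:"   # made-up region/account
THING = "${iot:Connection.Thing.ThingName}"   # AWS IoT thing policy variable

# The shortcut: every device can publish, subscribe and connect as anything.
OVER_PERMISSIVE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iot:*", "Resource": "*"}]})

# Least privilege: one policy document for the fleet, but every resource is
# scoped to the connecting thing's own client ID, telemetry topic and shadow delta topic.
LEAST_PRIVILEGE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iot:Connect", "Resource": ARN + "client/" + THING},
    {"Effect": "Allow", "Action": "iot:Publish", "Resource": ARN + "topic/telemetry/" + THING + "/*"},
    {"Effect": "Allow", "Action": "iot:Subscribe",
     "Resource": ARN + "topicfilter/$aws/things/" + THING + "/shadow/update/delta"},
    {"Effect": "Allow", "Action": "iot:Receive",
     "Resource": ARN + "topic/$aws/things/" + THING + "/shadow/update/delta"}]})

# What a compromised sensor-01 might try: its own topic, a sibling's topic,
# a firehose subscription, and connecting under another device's client ID.
ATTEMPTS = [
    ("iot:Publish", ARN + "topic/telemetry/sensor-01/temp"),
    ("iot:Publish", ARN + "topic/telemetry/sensor-02/temp"),
    ("iot:Subscribe", ARN + "topicfilter/#"),
    ("iot:Connect", ARN + "client/sensor-02"),
]


def check_device(policy_json: str, thing: str, attempts=ATTEMPTS) -> dict:
    """Evaluate each (action, resource) attempt for a given connecting thing."""
    policy = substitute(policy_json, {"iot:Connection.Thing.ThingName": thing})
    return {(a, r): is_allowed(policy, a, r) for a, r in attempts}


if __name__ == "__main__":
    for name, doc in (("over-permissive", OVER_PERMISSIVE), ("least-privilege", LEAST_PRIVILEGE)):
        print(name, lint(json.loads(doc)), check_device(doc, "sensor-01"))
```

With the over-permissive document every attempt succeeds, so one leaked key lets an attacker impersonate or eavesdrop on the whole fleet; with the per-thing document only the first attempt succeeds, and the blast radius of a stolen certificate is that device's own topics.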
80. Securing user access
• WebSockets support SigV4 authentication
• Use AssumeRole with IAM to obtain temporary credentials
• Use IoT policies with Cognito
• Amazon Cognito identity pools
– Anonymous (unauthenticated) identities, e.g. iot:Subscribe only, scoped to specific topic filters
– Authenticated Cognito identities for fine-grained permissions and IoT Policies
– Use your own application-level authentication patterns
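A browser or mobile client that holds IAM/STS or Cognito credentials rather than an X.509 certificate reaches the broker over WebSockets with a SigV4-presigned URL. The block below is an added example, not code from the deck, the AWS SDKs or the AWS IoT Device SDK; the endpoint, keys and timestamp are made-up constants, and the canonical-request layout (GET /mqtt, host as the only signed header, empty payload hash, service name `iotdevicegateway`, session token appended after signing) follows the AWS IoT WebSocket signing procedure.

```python
"""Added example (not from the deck or AWS SDKs): build the SigV4-presigned
wss:// URL for the AWS IoT message broker. Host, keys and time are made up."""
import datetime as dt
import hashlib
import hmac
from urllib.parse import quote

SERVICE = "iotdevicegateway"                      # service name in the credential scope
EMPTY_PAYLOAD_SHA256 = hashlib.sha256(b"").hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret_key: str, datestamp: str, region: str, service: str = SERVICE) -> bytes:
    """SigV4 derived key: HMAC chain over date, region, service, 'aws4_request'.
    The secret itself never signs a request directly."""
    k = _hmac(("AWS4" + secret_key).encode(), datestamp)
    k = _hmac(k, region)
    k = _hmac(k, service)
    return _hmac(k, "aws4_request")


def presigned_mqtt_url(host: str, region: str, access_key: str, secret_key: str,
                       session_token: str = None, now: dt.datetime = None) -> str:
    """Return wss://<host>/mqtt?...&X-Amz-Signature=... for the given credentials."""
    now = now or dt.datetime.now(dt.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    datestamp = now.strftime("%Y%m%d")
    scope = f"{datestamp}/{region}/{SERVICE}/aws4_request"
    # Query parameters must be in sorted order; '/' in the credential is percent-encoded.
    query = "&".join([
        "X-Amz-Algorithm=AWS4-HMAC-SHA256",
        "X-Amz-Credential=" + quote(f"{access_key}/{scope}", safe=""),
        "X-Amz-Date=" + amz_date,
        "X-Amz-SignedHeaders=host",
    ])
    canonical_request = "\n".join(["GET", "/mqtt", query, f"host:{host}", "", "host", EMPTY_PAYLOAD_SHA256])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    signature = hmac.new(signing_key(secret_key, datestamp, region),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    url = f"wss://{host}/mqtt?{query}&X-Amz-Signature={signature}"
    if session_token:
        # Temporary credentials (STS AssumeRole, Cognito) carry a session token; it is
        # appended after signing and is not part of the canonical request.
        url += "&X-Amz-Security-Token=" + quote(session_token, safe="")
    return url


if __name__ == "__main__":
    print(presigned_mqtt_url("a1b2c3-ats.iot.us-west-2.amazonaws.com", "us-west-2",
                             "AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                             session_token="FwoGZXIvYXdzEXAMPLE"))
```

The URL is valid for a bounded window around X-Amz-Date, which is why a short-lived STS or Cognito credential fits this flow well: the secret never leaves the client, only a signature does, and when the credential expires so does the client's ability to mint new URLs.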
81. Cognito User and Federated Identities
1. The user signs in to Cognito User Identities (your User Pool)
2. The User Pool returns Access and ID tokens
3. The tokens are exchanged with Cognito Federated Identities (Identity Pool) for AWS-scoped credentials
4. Those credentials give access to AWS services; for AWS IoT, the IoT Policy attached to the Cognito identity decides what it may do
91. Format of an AWS IoT SQL Statement
• SELECT – What values to include for Action
• FROM – What topic structure to act upon
• WHERE – Logic to determine if the statement should execute
SELECT *, timestamp() as timestamp FROM 'pws/#' WHERE temp > 30
92. SQL Example 1
SELECT *, newuuid() as uniqueId FROM 'a/b'
• Process messages in the a/b topic
• Select the entire message and create a new attribute and value
• Action: Write object to S3, where key is ${uniqueId}
93. SQL Example 2
SELECT * FROM 'factory/+/pump_status'
WHERE machinelearning_predict( 'vibration-model',
'arn:aws:iam::123456789012:role/my-iot-aml-role',
*).predictedLabel=1
• Action: Republish to topic: factory/maint_required
94. SQL Example 3
Incoming Payload:
{
"sensor":
{
"temp": 78.2,
"humid": 42.5
},
"bat_stat": "ok"
}
SELECT (sensor.temp - 32) * 5/9 as celsius, sensor.humid as humid,
upper(bat_stat) as battery, timestamp() as timestamp
FROM 'a/b'
• Action: Send to Elasticsearch indexed on timestamp key/value
96. Supported Actions for Messages
• cloudwatchAlarm to change a CloudWatch alarm
• cloudwatchMetric to capture a CloudWatch metric
• dynamoDB to write data to a DynamoDB table
• dynamoDBv2 to write data to a DynamoDB table (one column per message attribute)
• elasticsearch to write data to an Amazon Elasticsearch Service domain
• firehose to write data to an Amazon Kinesis Firehose stream
• kinesis to write data to a Kinesis stream
• lambda to invoke a Lambda function
• s3 to write data to an Amazon S3 bucket
• sns to write data as a push notification
• sqs to write data to an SQS queue
• republish to republish the message on another MQTT topic
• salesforce to write a message to a Salesforce IoT Cloud Input Stream
• New: Call a Lambda function in SQL SELECT or WHERE clauses to enrich data
97. Understanding Action Components
• Creating an Action - Permissions
– iam:PassRole in your account to pass a role to the rules engine
– IAM Role (trusted by the iot.amazonaws.com service principal) with the permissions required on the target service
– For Lambda, add permissions on the function's resource-based policy instead (iam:PassRole not required)
• Service Unique Parameters
– E.g., S3 bucket and key; Kinesis stream and partition key
• Service Payload Access/Timing
98. Action Examples
• Persist Data to S3:
– bucket: S3 bucket to which to write data - mybucket
– cannedacl: Canned ACL for created objects - bucket-owner-full-control
– key: path to the object where data is written - ${timestamp()-foo}
• Stream Data to Kinesis:
– stream: Kinesis stream to which to write data - my_stream
– partitionKey: Used to determine which shard to write data to - ${newuuid()}
• Republish
– Watch out for recursive calls, infinite loops
99. Action Examples (continued)
• Process via Lambda
– Grant lambda:InvokeFunction to the iot.amazonaws.com service principal in the function's resource-based policy, with the topic rule's ARN as the source ARN
– The Lambda event object contains the SELECT results
• Republish
– topic: AWS IoT topic to republish the message to - foo/bar
– Watch out for recursive calls, infinite loops (a republish topic that the rule's own FROM filter matches re-triggers the rule on every delivery)
– Republished messages are metered for billing purposes
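Slide 18's wildcard rules, slide 20's JSON-only note and the republish loop caveat on slides 98/99 all come down to how the broker matches a topic against a rule's FROM filter. The block below is an added example, not code from the deck or from AWS: a minimal model of the message broker plus rules engine in which the deck's SQL examples 2 and 3 are expressed as Python callables (a vibration threshold stands in for the `machinelearning_predict` call, and `timestamp()` is omitted so the output is deterministic). Topic matching follows MQTT 3.1.1, including the rule that a filter starting with a wildcard never matches a `$aws/...` reserved topic; rule and engine names, the hop limit and the sample payloads (one of them a constructed binary blob) are assumptions of the example.

```python
"""Added example (not from the deck or AWS): MQTT 3.1.1 topic filter matching,
a rules-engine model, and the pre-deployment check for republish loops."""
import json
from dataclasses import dataclass
from typing import Callable, Optional


def topic_matches(topic_filter: str, topic: str) -> bool:
    """'+' matches exactly one level, '#' matches the remainder and must be the
    last level; a filter that starts with a wildcard must not match a reserved
    '$'-prefixed topic such as $aws/things/<thing>/shadow/update."""
    if topic.startswith("$") and topic_filter[:1] in ("+", "#"):
        return False
    f_levels, t_levels = topic_filter.split("/"), topic.split("/")
    for i, level in enumerate(f_levels):
        if level == "#":
            return i == len(f_levels) - 1
        if i >= len(t_levels) or (level != "+" and level != t_levels[i]):
            return False
    return len(f_levels) == len(t_levels)


@dataclass
class Rule:
    name: str
    topic_filter: str                                        # FROM 'topic/filter'
    where: Callable[[dict], bool] = lambda msg: True         # WHERE ...
    select: Callable[[dict], dict] = lambda msg: msg         # SELECT ...
    republish_to: Optional[str] = None                       # republish action target


def republish_loops(rule: Rule) -> bool:
    """Slides 98/99 caveat as a check you can run before creating the rule."""
    return rule.republish_to is not None and topic_matches(rule.topic_filter, rule.republish_to)


class MiniRulesEngine:
    MAX_HOPS = 8   # runtime backstop so a looping rule cannot run away

    def __init__(self, rules):
        self.rules = list(rules)
        self.delivered = []   # (rule name, SELECT output) for every rule that fired
        self.skipped = []     # (rule name, topic) for payloads the engine cannot parse

    def publish(self, topic: str, payload: bytes, _hops: int = 0):
        for rule in self.rules:
            if not topic_matches(rule.topic_filter, topic):
                continue
            try:
                msg = json.loads(payload)
            except ValueError:            # binary or malformed payload: rules cannot act on it
                self.skipped.append((rule.name, topic))
                continue
            if not rule.where(msg):
                continue
            out = rule.select(msg)
            self.delivered.append((rule.name, out))
            if rule.republish_to:
                if _hops >= self.MAX_HOPS:
                    raise RuntimeError(f"rule {rule.name!r}: republish loop detected")
                self.publish(rule.republish_to, json.dumps(out).encode(), _hops + 1)


def build_deck_rules():
    """SQL examples 2 and 3 as Rule objects, plus a deliberately looping rule."""
    pump = Rule("pump_status", "factory/+/pump_status",
                where=lambda m: m.get("vibration", 0) > 0.8,   # stand-in for the ML score
                republish_to="factory/maint_required")
    convert = Rule("fahrenheit_to_celsius", "a/b",
                   select=lambda m: {"celsius": round((m["sensor"]["temp"] - 32) * 5 / 9, 2),
                                     "humid": m["sensor"]["humid"],
                                     "battery": m["bat_stat"].upper()})
    bad = Rule("bad_fanout", "foo/#", republish_to="foo/bar")   # foo/# matches foo/bar
    return pump, convert, bad


if __name__ == "__main__":
    pump, convert, bad = build_deck_rules()
    print("loops:", [(r.name, republish_loops(r)) for r in (pump, convert, bad)])
    engine = MiniRulesEngine([pump, convert])
    engine.publish("factory/line1/pump_status", b'{"vibration": 0.93}')
    engine.publish("a/b", b'{"sensor": {"temp": 78.2, "humid": 42.5}, "bat_stat": "ok"}')
    engine.publish("a/b", b"\x89PNG\r\n\x1a\n")           # constructed binary payload
    print(engine.delivered, engine.skipped)
```

`republish_loops` is the check to run in CI against every rule definition; the hop counter in `publish` is only a model of the cost you would otherwise pay, since on the real service every republished message is metered and the loop runs until the rule is disabled.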
101. Rules Engine Considerations
• Consider Ordering and Overlap of Rules
• Enable CloudWatch Logs for Debugging
– Authorization
– WHERE clause matching
• Understand Deployment Considerations
– Updates effective immediately
102. Rules Engine Summary
• SELECTs messages FROM topic(s) and delivers them to other AWS services
• Can transform or create new values
• Multiple actions can be associated with a rule
• Rule creation or modification takes effect immediately, unless disabled
• IAM roles (or Lambda granted permissions) required to access or invoke other services