Learning Objectives: - Learn what core capabilities are necessary for a successful IoT cloud platform - Understand how the core capabilities work together - Learn what and how standards are beginning to take shape

1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Ian Massingham,
Chief Evangelist (EMEA),
Amazon Web Services
@IanMmmm
Essential Capabilities of an IoT
Cloud Platform

2. Getting started: What is AWS IoT?

3. AWS: hyperscale infrastructure for connected devices
Amazon SNS
Mobile Push
and Notifications
AWS Lambda
Run Code in
Response to Events
Amazon DynamoDB
Predictable and Scalable
NoSQL Data Store
Amazon Kinesis
Streaming Analytics
Amazon Redshift
Petabyte-Scale
Data Warehouse
…and more
Amazon API Gateway
Build, Deploy, and Manage
APIs
Amazon Cognito
User Identity and Data
Synchronization

4. IoT Applications : An Early Use Case for AWS

5. AWS IoT: simplify & accelerate IoT development
Amazon SNS
Mobile Push
and Notifications
Amazon DynamoDB
Predictable and
Scalable NoSQL
Data Store
AWS Lambda
Run Code in
Response to Events
Amazon Redshift
Petabyte-Scale
Data Warehouse
…and more
Amazon
API Gateway
Build, Deploy, &
Manage APIs
Amazon Kinesis
Streaming Analytics
Amazon Cognito
User Identity and
Data Synchronization
AWS IoT
Connect Devices to
the Cloud

6. AWS IoT
“Securely connect one or one billion devices to AWS,
so they can interact with applications and other devices”

7. AWS IoT: Core Capabilities
Message Broker
AWS-grade security
Rules engine
Device Shadows
Device Registry
Managed Platform
Seamless integration
with all of AWS

8. AWS IoT

9. Many Successful IoT Deployments Running On AWS

10. Topics for this session
Security: Job Zero
Device SDKs
Communicating with Things
Process & act on device data
Store & query device metadata attributes
Store & retrieve device state with the Device Shadow
Support for edge computing capabilities

11. Security: Job Zero

14. http://192.168.1.200:8080 http://a.public.address:8080

16. WHERE DO BOTNETS COME FROM?

17. It doesn’t have to be this way

18. http://192.168.1.200:8080

19. Secure Communications with Things

20. Mutual TLS Authentication
TLS/SSL
MUTUAL TLS AUTHENTICATION

21. Public Key Cryptography Options
For same bits & level of security ECC keys are much smaller that RSA keys
Symmetric Key Size (bits) RSA Key Size (bits) Elliptic Curve Key size (bits)
80 1024 160
112 2048 224
128 3072 256
192 7680 384
256 15360 512
https://aws.amazon.com/blogs/iot/elliptic-curve-cryptography-and-forward-secrecy-support-in-aws-iot-3/

22. Communicating with non-things
(Humans)

23. How we implement this
MQTT + Mutual Authn TLS AWS Authn + HTTPS
Server Authn TLS + Cert TLS + Cert
Client Authn TLS + Cert AWS API Keys
Confidentiality TLS TLS
Protocol MQTT HTTP

24. Strong Thing Identity

25. Strong Thing Identity
X.509 Certificates
https://aws.amazon.com/blogs/iot/just-in-time-registration-of-device-certificates-on-aws-iot/

26. Fine Grained Authorisation

27. AWS IoT
Data Plane
Control Plane
Service Access
Data Plane

28. Applying Permissions to Thing Management
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": ”ManageCerts",
"Action": [
"iot:CreateCertificateAndKeys",
"iot:CreateCertificateFromCsr",
"iot:DescribeCertificate",
"iot:UpdateCertificate",
"iot:DeleteCertificate",
"iot:ListCertificates”
],
"Effect": "Allow",
"Resource": "*"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "RevokeOneThing",
"Action": [
"iot:UpdateCertificate"
],
"Effect": "Allow",
"Resource":
"arn:aws:iot:us-east-1:123456972007:cert/d7677b0…SNIP…026d9",
"Condition": {
"IpAddress": {
"aws:SourceIp": "192.168.42.54"
}
}
}
]
}

29. Allowing/Denying Access to MQTT Topics
{
"Version":"2012-10-17",
"Statement":[ {
"Effect":"Allow",
"Action":[ "iot:Connect" ],
"Resource":"*"
}, {
"Effect":"Allow",
"Action":[ "iot:Publish" ],
"Resource":[
"arn:aws:iot:us-east-1:123456972007:
topic/$aws/things/MyThing/shadow/update"]
}, {
"Effect":"Allow",
"Action":[ "iot:Subscribe", "iot:Receive" ],
"Resource":[
"arn:aws:iot:us-east-1:123456972007:
topicfilter/$aws/things/MyThing/shadow/*"
]
}
]
}

30. Creating certificates & keys

31. Key & certificate creation with the AWS CLI

32. Device Provisioning at Scale:
How do you getting keys &
certificates onto your devices?

33. Getting keys & certificates onto your devices
• Simple at the device prototyping stage
• Copy or flash them (& the CA cert) onto your device
• More complex in volume manufacturing
• Still copying or flashing keys & certs, but the numbers increase
• Use AWS SDKs/CLI to automate key & certificate creation.
Provide keys & certificates to your device manufacturing partners

34. Register on first use

35. https://aws.amazon.com/blogs/iot/just-in-time-registration-of-device-certificates-on-aws-iot/
Just-in-Time Registration of Device Certificates
Register your
CA Cert with
AWS IoT
Sign device certs
with your CA cert
$aws/events/certificates/
registered/<caCertificateID>
{
"certificateId": "<certificateID>",
"caCertificateId": "<caCertificateId>",
"timestamp": "<timestamp>",
"certificateStatus": "PENDING_ACTIVATION",
"awsAccountId": “<awsAccountId>",
}
AWS IoT
MQTT Endpoint
New certificate state set to
PENDING_ACTIVATION
AWS IoT Rule invokes
AWS Lambda function
AWS Lambda function
activates certificate &
attaches policy
New certificate state set to
ACTIVE

36. Device SDKs:
Abstract & Simplify Access to
Platform Features

37. Get Started with the AWS IoT Device SDK
C SDK
(Ideal for embedded
OS)
JavaScript SDK
(Ideal for Embedded
Linux Platforms)
Arduino Library
(Arduino Yun)
Mobile SDK
(Android and iOS)
Python SDK Java SDK
https://aws.amazon.com/blogs/iot/introducing-aws-iot-device-sdks-for-java-and-python/

38. Prototyping with the Raspberry Pi
• Raspberry Pi hardware
• Electronics Starter Kits
• One examples is the SunFounder 37 modules Sensor Kit v2.0 for
Raspberry Pi 3, 2, Model B+ with 40-Pin GPIO Extension Board &
Jump Wires
• Example tutorial
• Raspberry Pi Sense Hat (optional fun)
• https://www.raspberrypi.org/products/sense-hat/

39. Setting up the Raspberry Pi GPIO & Sense Hat
Your own electronics/sensor build
C (for embedded C)
http://wiringpi.com
Python Wrapper Module for WiringPI
https://github.com/WiringPi/WiringPi-Python
For the Sense Hat
Python Module
https://github.com/RPi-Distro/python-sense-hat

40. Official IoT Starter Kits, Powered by AWS
Dragonboard 410c
(by Arrow)
Beaglebone Green
(by Seeed Studio)
Seeeduino Cloud
(by Seeed Studio)
Intel Edison
(by Seeed Studio)
MediaTek LinkIt One
(by Seeed Studio)
Broadcom BCM4343W
(by Avnet)
Marvell EasyConnect
(By Marvell)
Renesas RX63N
(by Micrium)
Microchip WCM
(by Microchip)
Ti Launchpad
(By Ti)

41. Communicating with Things

42. AWS IoT Message Broker
DEVICE GATEWAY
Communicate with devices via
MQTT and HTTP

43. AWS IoT Message Broker

44. MQTT
MQTT vs HTTPS:
• 93x faster throughput
• 11.89x less battery to send
• 170.9x less battery to receive
• 50% less power to keep connected
• 8x less network overhead
Source:
http://stephendnicholas.com/archives/1217
• OASIS standard protocol (v3.1.1)
• Lightweight, pub-sub, transport protocol
that is useful for connected devices
• MQTT is used on oil rigs, connected
trucks, and many more sensitive and
resource-sensitive scenarios
• Customers have needed to build,
maintain, and scale a broker to use
MQTT with cloud applications

45. AWS IoT Message Broker : managed service
Highly Scalable
Device Gateway
Millions of devices
sending billions of
messages
Subscribers
Publishers

46. Process & act on device data

47. AWS IoT Rules Engine
RULES ENGINE
Transform messages
based on rules and route
to AWS Services

48. AWS IoT Rules Engine

49. Simple & familiar syntax
- SQL Statement to define topic filter
- Optional WHERE clause
- Advanced JSON support
Functions improve signal : noise
- String manipulation (regex support)
- Mathematical operations
- Context-based helper functions
- Crypto support
- UUID, Timestamp, rand, etc.
AWS IoT Rules Engine basics
SELECT * FROM ‘things/thing-2/color’
WHERE color = ‘red’

50. AWS IoT Rules Engine’s flexibility
SELECT *, clientId() as MQTTClientId
FROM 'one/rule'
WHERE
startsWith(topic(2), 'IME33') AND
(state = 'INIT' OR hydro_temp >
surface_temp)",
"actions":
[{
"republish": {
"topic":
"controllers/${substring(topic(3),
3, 5)}",
}]
http://docs.aws.amazon.com/iot/latest/developerguide/iot-sql-functions.html

51. AWS IoT Rules Engine
Complex Evaluations
Respond to the fleet, not just a single unit. Dozens of functions() available.
Multiple / Simultaneous Actions
Sometimes a situation requires you to take many actions.

52. AWS IoT Rules Engine actions
RULES ENGINE
Transform messages
based on rules and route
to AWS Services
AWS Services
- - - - -
3P Services
AWS Services
- - - - -
3P Services

53. 1. AWS Services
(Direct Integration)
Rules Engine
Actions
AWS IoT Rules Engine
LambdaSNS SQS
S3
Amazon
Kinesis
DDB RDS
Amazon
Redshift
Amazon Glacier
EC2
3. External Endpoints
(via Lambda and SNS)
Rules Engine connects AWS
IoT to External Endpoints and
AWS Services.
2. Rest of AWS
(via Amazon Kinesis,
Lambda, S3, and more)

54. AWS IoT Rules Engine Actions
Rules Engine evaluates
inbound messages published
into AWS IoT, and transforms
and delivers to the appropriate
endpoint based on business
rules.
External endpoints can be
reached via Lambda and
Simple Notification Service
(SNS).
Put object in an S3 bucket
Insert into a DynamoDB table
Publish to an SNS Topic/Endpoint
Insert into an Amazon Kinesis stream
Actions
Persist via Amazon Kinesis Firehose
Republish to AWS IoT
Make a Machine Learning prediction
Invoke a Lambda function
Store in Amazon Elasticsearch cluster

55. Store & query device metadata
attributes

56. AWS IoT Thing Registry
THING REGISTRY
Identity and Management of
your things
REGISTRY
Identity and Management of
your things

57. AWS IoT Thing Registry
• Static attributes associated to Thing
• Firmware version
• Serial Numbers
• Device Type
• Device Group
• Device Description
• Sensor description
• Support and Maintenance
• Reference Manual URL
• Part # reference
• Reference to external support system

58. AWS IoT Thing Registry: Create & List Things
http://docs.aws.amazon.com/iot/latest/developerguide/thing-registry.html
$ aws iot create-thing --thing-name "MyLightBulb" --attribute-payload "{"attributes": {"wattage":"75", ”model":"123"}}"
{
"thingArn": "arn:aws:iot:eu-west-1:554625704737:thing/MyLightBulb",
"thingName": "MyLightBulb"
}
$ aws iot list-things
{
"things": [
{
"attributes": {
"model": "123",
"wattage": "75"
},
"version": 1,
"thingName": "MyLightBulb"
}
]
}

59. AWS IoT Registry: Search for Things
http://docs.aws.amazon.com/iot/latest/developerguide/thing-registry.html
$ aws iot list-things --attribute-name "wattage" --attribute-value “75"
{
"things": [
{
"thingTypeName": "StopLight",
"attributes": {
"model": "123",
"wattage": "75"
},
"version": 3,
"thingName": "MyLightBulb"
},
{
"thingTypeName": "LightBulb",
"attributes": {
"model": "123",
"wattage": "75"
},
"version": 1,
"thingName": "MyRGBLight"
}
]
}

60. AWS IoT Registry: Thing Types
http://docs.aws.amazon.com/iot/latest/developerguide/thing-registry.html
Thing types allow you to store description and configuration
information that is common to all things associated with the same
thing type.
For example, you can define a LightBulb thing type. All things
associated with the LightBulb thing type share a set of attributes.
aws iot create-thing-type --thing-type-name "LightBulb"
--thing-type-properties "thingTypeDescription=light bulb type, searchableAttributes=wattage,model"

61. Device State Cache:
Asynchronously access device
state via the Thing Shadow

62. AWS IoT Thing Shadow
THING SHADOW
Persistent thing state during
intermittent connections
SHADOW
Persistent thing state during
intermittent connections
APPLICATIONS

63. AWS IoT Thing Shadows

64. AWS IoT Thing Shadow
Shadow

65. AWS IoT Shadow Flow
Shadow
Device SDK
1. Device Publishes Current State
2. Persist JSON Data Store
3. App requests device’s current state
4. App requests change the state
5. Device Shadow syncs
updated state
6. Device Publishes Current State
7. Device Shadow confirms state change
AWS IoT

66. AWS IoT Device Shadow - Simple Yet Powerful
{
"state" : {
“desired" : {
"lights": { "color": "RED" },
"engine" : "ON"
},
"reported" : {
"lights" : { "color": "GREEN" },
"engine" : "ON"
},
"delta" : {
"lights" : { "color": "RED" }
} },
"version" : 10
}
Thing
Report its current state to one or multiple shadows
Retrieve its desired state from shadow
Mobile App
Set the desired state of a device
Get the last reported state of the device
Delete the shadow
Shadow
Shadow reports delta, desired and reported
states along with metadata and version

67. AWS IoT Device Shadow Topics (MQTT)
Thing SDK makes it easy for you to
build shadow functionality into your
device so it can automatically
synchronize the state with the device.
AWS IoT Thing Shadow
UPDATE: $aws/things/{thingName}/shadow/update
DELTA: $aws/things/{thingName}/shadow/update/delta
GET: $aws/things/{thingName}/shadow/get
DELETE: $aws/things/{thingName}/shadow/delete
Sensor Reported Desired Delta
LED1 RED YELLOW
LED1 = Yellow
TEMP = 60FACCEL X=1,Y=5,Z=4 X=1,Y=5,Z=4
TEMP 83F 60F

68. Support for edge computing
capabilities

69. Round-trip latency
Intermittent connectivity
Expensive bandwidth
Programming and updating embedded software needs specialized skills
Limited to what is on the device unless you rewrite or program the device
Challenges Of Devices Living On The Edge

70. AWS Greengrass
Embed Lambda Compute (& Other AWS Services) in Connected Devices
Preview Available Now
Use The Same AWS Programming Model In Devices And The Cloud

71. AWS Greengrass: Local Compute, Messaging & Data Caching
Local
compute
Local
data caching
Secure
communications
Local
messaging

72. AWS Greengrass: How It Works
Built into
devices at
manufacture
Install the
Greengrass
runtime
Lambda functions
on AWS & devices
Manage from
AWS Console
Same programming
model
Local
communication
and orchestration

73. Amazon Greengrass: Example Use Cases
Smart Homes Agriculture Manufacturing

74. aws.amazon.com/iot/

75. Thank you!
Ian Massingham,
Chief Evangelist (EMEA),
Amazon Web Services
@IanMmmm

76. Questions?