3. Session Agenda – AWS IoT Core • 10:00a – 11:00a – AWS Loft Introduction and Logistics – Overview and Shadows • 11:00a – 12:30p – Labs 1 & 2 (Getting Started and Shadows) • 12:30p – 1:30p – Security and Rules Engine • 1:30p – 3:00p – Labs 3 & 4 (Security and Rules Engine)
4. Session Agenda – AWS Greengrass • 3:00p – 6:30p – AWS Loft Introduction and
Logistics – Overview of AWS Greengrass – Lab Preparation Tips – Greengrass Core
Bootcamp
5. IoT solutions are complex & multidimensional – Devices & sensors: connecting, communicating, securing – Connectivity & infrastructure: infrastructure providers, building blocks – Analytics & insights: incisive, actionable, predictive – Applications & services: engage, empower, delight – Change management: business transformation, cultural change
6. Three pillars of IoT – Devices: Sense & Act – Cloud: Storage & Compute – Intelligence: Insights & Logic → Action
7. IoT with AWS (architecture diagram: enterprise applications and users; AWS analytics and compute services such as Amazon QuickSight, Amazon EMR, Amazon Redshift, Amazon S3, Machine Learning and AWS Lambda; AWS IoT Core with Device Shadow, Rules Engine, Certificate Authority and Message Broker; AWS IoT Device Management with OTA updates, fleet provisioning and fleet index & search; AWS IoT Device Defender with audit, monitoring, alerts and risk mitigation; AWS IoT Analytics and AWS IoT 1-Click; Amazon FreeRTOS, AWS Greengrass and Snowball Edge at the edge, connected to gateways/PLCs and devices over MQTT, OPC-UA and a protocol adapter) AWS IoT Partners – Edge: ARM, Broadcom, Digi, Espressif, Intel, MediaTek, Microchip, NXP, ST, TI, Qualcomm, … – Gateway: Adlink Technology, Advantech, MachineShop, Samsung, Technicolor, … – ISV (Platform): Ayala, Bright Wolf, BSquare, C3IoT, Mnubo, Salesforce, Splunk, Thinglogix, … – Connectivity: Amdocs, Asavie, AT&T, Eseye, Soracom, TATA Communications, Telus, Verizon, … – Consulting / SI: Accenture, Aricent, Clearscale, CTP, Luxoft, Mobiquity, Solstice, Storm Reply, Sturdy Networks, TCS, Trek10, …
8. IoT with AWS (simplified architecture diagram: enterprise applications and AWS services on one side, AWS IoT Core with Device Shadow, Rules Engine, Certificate Authority and Message Broker in the middle, endpoints, local and long-range comms, IoT SDK, OPC-UA and MQTT at the edge)
9. AWS IoT Core – All in one service • Message Broker • Rules Engine • Certificate Authority • Shadow • Unbundled pricing: each of these components is charged independently – Managed service • No installation • Automatic scaling • No pre-provisioning • Redundant across AZs • Pay as you go
10. Overview • AWS IoT Core capabilities and related services, including: authentication and authorization, devices & device shadows, message broker, rules engine, other AWS services, applications & API (corporate apps)
11. 1 Authentication & Authorization (brief)
12. Authentication and Authorization Security is Job Zero • Mandatory
authentication • Device policies • IAM fine-grained access controls • Auditing and
logging Authentication • TLS 1.2 with X.509 certificates • HTTP/SigV4 • IAM Service
Roles Authorization • Device+Certificate+AWS IoT Policy • Cognito User+AWS IoT
Policy • IAM Policy/Roles
13. AWS IoT Authentication • X.509 certificates for devices – TLS 1.2, SHA-256 RSA
(or ECC), supported cipher suite • IAM users, groups, and roles – TLS 1.0+, SHA-256
RSA certificate validation, supported cipher suite • Amazon Cognito identities •
Federated identities
14. AWS IoT Authorization • AWS IoT Data Plane – Client certificate or Cognito
identity associated with an AWS IoT Policy – SigV4 with credentials associated with
an IAM policy • API Calls – SigV4 with credentials associated with an IAM policy –
Service roles allowing AWS IoT to access other AWS services
15. Authentication/Authorization Examples – AWS IoT device credentials (certificate): the device establishes a TLS 1.2 connection and requests the server certificate; AWS IoT signs the connection with the server certificate and requests the client certificate; the device validates the server certificate and signs its response with the client certificate; the connection is authenticated and the AWS IoT policy associated with the client certificate is applied. – Credentials (Username: alice, Password: redQueen!): the client establishes an HTTPS connection and requests the server certificate; AWS IoT signs the connection with the server certificate and waits for the message (REST API); the client validates the server certificate and signs its response with credentials (Cognito or IAM/STS); the connection is authenticated and the IAM policy associated with the access key/secret key used, or the AWS IoT policy for Cognito identities, is applied. Note: MQTT and HTTP can each use either a certificate or SigV4 as the auth mechanism.
16. 2 Message Broker
17. Device Gateway – Based on MQTT 3.1.1 • Native MQTT, MQTT+WebSockets, HTTP • QoS 0 & 1 • Single clientId connection – Integration • Services use native format • Policy defines access • Last Will & Testament • Reserved topics ($aws/#) • Lifecycle events – Message Format • (Nested) JSON • Binary
18. Topics • Ephemeral • Publish/Subscribe – Devices publish to individual topics – Devices subscribe to one or more topics and hierarchies – Published messages and subscribed responses are metered for billing • Wildcards – Single level (+): myhome/groundfloor/+/temperature returns temperature messages for all groundfloor things; + matches only a single topic level – Multi-level (#): myhome/groundfloor/# returns all messages for all groundfloor things and subtopics
19. Topic Variables (Fan-in Example) – Devices AAA, BBB, CCC and DDD each PUB: home/ac/clientId/temperature (home/ac/AAA/temperature, home/ac/BBB/temperature, home/ac/CCC/temperature, home/ac/DDD/temperature) – The consumer SUB: home/ac/+/temperature
20. Messages and Pricing • $1 per million messages, 5,120 byte size • Device
connectivity $0.08/million minutes, PING messages are not billed at >= 30 seconds •
Rules Engine $0.15/million invocations, 5K message size • Device Shadow/Registry
Updates $1.25/million updates, 1K size • Message can be binary, but the Rules
Engine can only act on JSON payload
21. 3 Rules Engine (brief)
22. Rules Engine Tasks • SQL-like syntax to write rules • Augment or filter data •
Save data to other services • Send data to Amazon Machine Learning • Make
predictions based on ML model Services Supported • Amazon DynamoDB • Amazon S3 •
Amazon SNS • Amazon SQS • Amazon Kinesis • Amazon Elasticsearch • AWS Lambda • and
more...
23. Rules Engine • SQL-like query language – SELECT * FROM 'topic/structure' WHERE
temperature > 35 • Actions – Send message to other services – Score results against
machine learning – Republish message or modifications to other topics
24. 4 Developers
25. Developers Application Development • AWS IoT SDK • AWS SDK’s • Authentication &
Authorization • Cross account access • Lifecycle events • Monitoring •
Troubleshooting Corporate Applications
26. 5 Devices & Shadows
27. (Architecture diagram: things connect over MQTT through endpoints and the IoT SDK to the AWS IoT Core Message Broker, Device Shadow, Rules Engine and Certificate Authority, which feed IoT users and other AWS services such as Amazon QuickSight, Amazon EMR, Amazon Redshift, Amazon S3, Machine Learning and AWS Lambda)
28. Example – Sending a Command Device Applications
29. Example – Sending a Command Device Shadow Applications
30. 6 Shadow Workflow
31. AWS IoT Core Device Shadow Flow – 1. Device publishes its current state 2. State is persisted to the JSON data store 3. App requests the device's current state 4. App requests a change to the state 5. Device shadow syncs the updated state 6. Device publishes its current state 7. Device shadow confirms the state change
32. AWS IoT Core Device Shadow
    {
      "state": {
        "desired":  { "lights": { "color": "RED" },   "engine": "ON" },
        "reported": { "lights": { "color": "GREEN" }, "engine": "ON" },
        "delta":    { "lights": { "color": "RED" } }
      },
      "version": 10,
      "timestamp": 28034023492,
      "clientToken": "UniqueClientToken"
    }
    Device: reports its current state to one or multiple shadows; retrieves its desired state from the shadow. Mobile app: sets the desired state of a device; gets the last reported state of the device; deletes the shadow. Shadow: reports delta, desired and reported states along with metadata and version.
33. AWS IoT Core Shadow Delta
    Sensor   Reported       Desired        Delta
    LED1     RED            YELLOW         LED1 = Yellow
    TEMP     83F            60F            TEMP = 60F
    ACCEL    X=1,Y=5,Z=4    X=1,Y=5,Z=4    (none)
34. Building Blocks of the AWS IoT Core Device Shadow Device Shadow Topics Device
Shadow State Device Shadow Metadata
35. 7 Device Shadow Topics
36. AWS IoT Core Device Shadow Topics (MQTT)
    UPDATE:    $aws/things/{thingName}/shadow/update
    GET:       $aws/things/{thingName}/shadow/get
    DELETE:    $aws/things/{thingName}/shadow/delete
    DELTA:     $aws/things/{thingName}/shadow/update/delta
    DOCUMENTS: $aws/things/{thingName}/shadow/update/documents
37. UPDATE Shadow Topics (MQTT)
    PUBLISH: $aws/things/{thingName}/shadow/update
    { "state": { "desired": { "speed": 65, "engine": "ON" } } }
38. GET Shadow Topics (MQTT)
    PUBLISH:   $aws/things/{thingName}/shadow/get
    SUBSCRIBE: $aws/things/{thingName}/shadow/get/accepted
    {
      "state": { "reported": { "lights": { "color": "GREEN" } } },
      "metadata": { "reported": { "lights": { "color": { "timestamp": 789012 } } } },
      "version": 10,
      "timestamp": 123456789
    }
39. DELETE Shadow Topics (MQTT) PUBLISH: $aws/things/{thingName}/shadow/delete
40. DELTA Shadow Topics (MQTT)
    AWS IoT publishes to: $aws/things/{thingName}/shadow/update/delta
    { "state": { "desired": { "color": "RED" }, "reported": { "color": "GREEN" }, "delta": { "color": "RED" } … } }
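The shadow documents on slides 32, 33 and 40 all hinge on how "delta" is derived from "desired" and "reported". The following is an added example, not code from the workshop deck or from AWS: it computes the delta the way the slides describe it (every desired key whose value differs from the reported one, nested objects compared key by key) and assembles the state portion of a shadow document. The two sample documents are constructed to match slide 32.

```python
# Added example (not from the workshop deck): derive the "delta" section of an
# AWS IoT Device Shadow document from its "desired" and "reported" sections.
# The shadow documents below are constructed sample data mirroring slide 32.
import json


def shadow_delta(desired, reported):
    """Return the desired keys whose values differ from reported, or None if in sync."""
    if not isinstance(desired, dict) or not isinstance(reported, dict):
        # Leaf values (or a type mismatch): the desired value is pending if it differs.
        return None if desired == reported else desired
    delta = {}
    for key, want in desired.items():
        if key not in reported:
            delta[key] = want  # desired but never reported -> still pending
            continue
        sub = shadow_delta(want, reported[key])
        if sub is not None:
            delta[key] = sub
    return delta or None


def shadow_document(desired, reported, version):
    """Build the state portion of a shadow document, adding "delta" only when non-empty."""
    state = {"desired": desired, "reported": reported}
    delta = shadow_delta(desired, reported)
    if delta is not None:
        state["delta"] = delta
    return {"state": state, "version": version}


# Constructed sample: lights desired RED but reported GREEN, engine already in sync
DESIRED = {"lights": {"color": "RED"}, "engine": "ON"}
REPORTED = {"lights": {"color": "GREEN"}, "engine": "ON"}

if __name__ == "__main__":
    print(json.dumps(shadow_document(DESIRED, REPORTED, 10), indent=2))
```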
41. 8 Device Shadow Considerations
42. Device Shadow Considerations • Max Device Shadow size is 8KB • AWS Shadow Data
Types: – String – Number – Boolean – Null – JSON object – Array
43. Devices & Shadows Devices are Constrained • Limited resources (CPU, RAM, etc.)
• Fixed hardware capabilities • Intermittent connectivity Markets • Consumer •
Embedded • Industrial/Utility • Agriculture Shadows • States: Reported, Desired,
Delta, Timestamp • Available all the time
44. Typical Device Characteristics • One or more sensors • Telemetry and/or actuation • Firmware with connectivity • Communicates with a defined message format • Can operate without connection to IoT services
45. Device Shadows • Publishes reported state • Listens for updates (acts on
desired state) • Tracks reported and desired states by timestamp and versions •
Accessible via API or topics • Reads reported state • Publishes new values (becomes
desired state) Topics: $aws/things/myDevice/shadow/...
46. Device Shadows (sequence diagram, steps 1–5: the device publishes its reported state; an application asks the shadow "what is the current color?" and sets a desired state while the device is not connected; the device reports again once it reconnects)
47. 9 Hands-on Labs
48. Labs • Lab guides at: http://loft.baah.io • Virtual Things • Node-RED
(https://nodered.org) • Created via CloudFormation – Do not delete stack until end
of first workshop, it’s used for other modules
49. Node-RED Environment (diagram: an Amazon EC2 instance in a virtual private cloud, created during the first lab; your laptop holds the root certificate, IoT certificate and IoT private key and completes the lab against AWS IoT)
50. Lab Errata Console Changes – Icons the same, names have changed
51. Labs (Continued) • Workshop Labs – 1-Getting Started – 2-Shadows If you need
help, please ask any of the AWS staff supporting the workshop
52. One-stop-shop for Information http://loft.baah.io
53. AWS IoT Core Workshop – Part 2 • Security! • Rules Engine • Labs 3 & 4
54. 10 AWS Security Overview (before there was AWS IoT there was AWS)
55. AWS and You Share Responsibility for Security – AWS takes care of the security OF the Cloud: AWS Foundation Services (Compute, Storage, Database, Networking) and AWS Global Infrastructure (Regions, Availability Zones, Edge Locations) – You get to define your controls IN the Cloud: customer applications & content, network security, identity & access control, inventory & config, data encryption
56. AWS Identity and Access Management (IAM) • Enables you to control who can do
what in your AWS account • Users, groups, roles, and permissions • Control –
Centralized – Fine-grained - APIs, resources, and AWS Management Console • Security
– Secure (deny) by default – Multiple users, individual security credentials and
permissions
57. IAM Policy specification basics
    {
      "Statement": [{
        "Effect": "effect",
        "Principal": "principal",
        "Action": "action",
        "Resource": "arn",
        "Condition": {
          "condition": { "key": "value" }
        }
      }]
    }
    JSON-formatted documents contain a statement (permissions) that specifies: • Which actions a principal can perform • Which resources can be accessed. You can have multiple statements, and each statement is comprised of PARC (Principal, Action, Resource, Condition).
58. Principal – Examples • An entity that is allowed or denied access to a resource • Indicated by an Amazon Resource Name (ARN) • With IAM policies, the principal element is implicit (i.e., the user, group, or role the policy is attached to)
    <!-- Everyone (anonymous users) -->
    "Principal": { "AWS": "*" }
    <!-- Specific account or accounts -->
    "Principal": { "AWS": "arn:aws:iam::123456789012:root" }
    "Principal": { "AWS": "123456789012" }
    <!-- Individual IAM user -->
    "Principal": { "AWS": "arn:aws:iam::123456789012:user/username" }
    <!-- Specific role -->
    "Principal": { "AWS": "arn:aws:iam::123456789012:role/rolename" }
59. Action – Examples • Describes the type of access that should be allowed or denied • You can find actions in the docs or use the policy editor to get a drop-down list • Statements must include either an Action or NotAction element
    <!-- IAM action -->
    "Action": "iam:ChangePassword"
    <!-- Amazon S3 action -->
    "Action": "s3:GetObject"
    <!-- Specify multiple values for the Action element -->
    "Action": ["sqs:SendMessage", "sqs:ReceiveMessage"]
60. Security in AWS IoT 11
61. (Architecture diagram: things, IoT SDK, MQTT endpoints, Message Broker, Rules Engine, Certificate Authority and IoT users)
62. (Architecture diagram, highlighting the cloud side: Rules Engine, Message Broker, Amazon Redshift and IoT users)
63. (Architecture diagram, highlighting AWS IoT Core: Device Shadow, Rules Engine, Certificate Authority and long-range comms, feeding Amazon QuickSight, Amazon EMR, Amazon Redshift, Amazon S3, Machine Learning and AWS Lambda)
64. Securing Devices 12
65. Securing devices
66. AWS IoT: Securely Connect Devices
67. TLS mutual authentication • Create CSR • Create X.509 certificate from CSR •
Activate the certificate • Create policy • Attach policy to certificate
68. Certificates and keys • Private key (authenticate the device) • Certificate
(register the device with IoT) • Root certificate authority (authenticate IoT)
69. AWS IoT Permissions • Control what a thing is allowed to do • Connect, publish,
subscribe, receive • Attach policy to certificates
70. AWS IoT Policies
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": [
        "arn:*:topic/private-topic/${iot:ClientId}",
        "arn:*:topic/open-topic-space/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:*:topicfilter/private-topic/${iot:ClientId}/*"
    }
71. Best Practice for Securing Devices • Each device should use a unique private
key and certificate • An IoT Policy should follow least privilege for permissions
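To see what the ${iot:ClientId} variable in the slide-70 policy buys in terms of least privilege, the following added example (not code from the deck and not the AWS policy evaluator) models just enough of the policy semantics to check publish and subscribe requests from two different client IDs against that policy: Allow statements, "*" wildcards in the resource, and substitution of the connecting client's ID. The full ARN prefix used in the requests is a constructed sample.

```python
# Added example (not from the workshop deck): evaluate the per-device AWS IoT policy
# from slide 70 for a given client ID. Only Allow statements, "*" wildcards in the
# resource and ${iot:ClientId} substitution are modelled; this is not AWS's evaluator.
import fnmatch

# Policy statements from the slide, with the ARN prefix shortened to "arn:*:" as shown there
DEVICE_POLICY = [
    {"Effect": "Allow", "Action": "iot:Publish",
     "Resource": ["arn:*:topic/private-topic/${iot:ClientId}",
                  "arn:*:topic/open-topic-space/*"]},
    {"Effect": "Allow", "Action": "iot:Subscribe",
     "Resource": "arn:*:topicfilter/private-topic/${iot:ClientId}/*"},
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, client_id, action, resource_arn):
    """True if some Allow statement covers this action and resource for this client."""
    for stmt in policy:
        if stmt.get("Effect") != "Allow" or action not in _as_list(stmt["Action"]):
            continue
        for pattern in _as_list(stmt["Resource"]):
            # Substitute the connecting client's ID, then glob-match ('*' spans ':' and '/')
            pattern = pattern.replace("${iot:ClientId}", client_id)
            if fnmatch.fnmatchcase(resource_arn, pattern):
                return True
    return False  # deny by default: nothing matched


if __name__ == "__main__":
    prefix = "arn:aws:iot:us-east-1:123456789012:"  # constructed sample region/account
    for cid, act, res in [
        ("AAA", "iot:Publish", prefix + "topic/private-topic/AAA"),
        ("AAA", "iot:Publish", prefix + "topic/private-topic/BBB"),
        ("BBB", "iot:Subscribe", prefix + "topicfilter/private-topic/BBB/commands"),
    ]:
        print(cid, act, res.split(":", 5)[-1], "->", is_allowed(DEVICE_POLICY, cid, act, res))
```

Because the resource is tied to the certificate's client ID, a device that is compromised or misconfigured can only reach its own private topic, which is the least-privilege point the next slide makes.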
72. Provisioning Certificates 13
73. Birth of a thing
74. Intermediate certificate authority locally provisioned async registration
75. Just-in-time registration AWS Lambda
76. Securing AWS Resources 14
77. Securing AWS resource access
78. Creating the trust relationship with AWS IoT (diagram: an IAM role with its attached policies)
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Principal": { "Service": "iot.amazonaws.com" },
          "Action": "sts:AssumeRole"
        }
      ]
    }
79. Securing user access
80. Securing user access • WebSocket support SigV4 authentication • Use AssumeRole
with IAM • Use IoT policies with Cognito • Amazon Cognito identity pools –
Anonymous access to iot:Subscribe – Authenticated Cognito for fine grained
permissions and IoT Policies – Use your own application-level authentication
patterns
81. Cognito User and Federated Identities – 1. The user signs in to Cognito User Identities (your User Pool) 2. The User Pool returns Access and ID tokens 3. Cognito Federated Identities (Identity Pool) exchanges them for AWS-scoped credentials 4. Access to AWS services: AWS IoT, governed by the IoT Policy
82. Rules Engine Overview 14
83. (Architecture diagram, as on slide 27: things connect over MQTT through endpoints and the IoT SDK to the AWS IoT Core Message Broker, Device Shadow, Rules Engine and Certificate Authority, which feed IoT users and other AWS services)
84. Example – Sending Event to AWS Services (diagram: topic → rule → Lambda function / Amazon Kinesis Firehose)
    topic: pws/station123
    payload: { "temp": 33, "wind": 1.02 }
    rule: SELECT *, timestamp() as timestamp FROM 'pws/#' WHERE temp > 30
85. Example – Sending Event to AWS Services (diagram: the same topic, payload and rule, showing the event delivered to the Lambda function / Amazon Kinesis Firehose action)
    topic: pws/station123
    payload: { "temp": 33, "wind": 1.02 }
    rule: SELECT *, timestamp() as timestamp FROM 'pws/#' WHERE temp > 30
    "context": {...},
    "event": { "temp": 33, "wind": 1.02, "timestamp": 1000209900 }
    "deliveryStreamName&
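The rule on slides 84 and 85 only fires for messages whose topic matches the 'pws/#' filter and whose payload satisfies the WHERE clause, and the wildcard rules are the same ones described for subscriptions on slides 18 and 19. The following added example (not code from the deck or from the AWS Rules Engine) implements MQTT 3.1.1 topic-filter matching for + and # and then applies the slide's rule to constructed sample messages; the rule's SQL is modelled directly in Python rather than parsed, and timestamp() is supplied by the caller so the result is repeatable.

```python
# Added example (not from the workshop deck): MQTT topic-filter matching for the
# '+' and '#' wildcards, then the slide's rule
#   SELECT *, timestamp() as timestamp FROM 'pws/#' WHERE temp > 30
# applied to constructed sample messages. The rule is hand-coded, not parsed.
import json


def topic_matches(topic_filter, topic):
    """MQTT 3.1.1 matching: '+' matches one level, '#' (last level only) matches the rest."""
    if topic.startswith("$") and topic_filter[:1] in ("+", "#"):
        return False  # a leading wildcard never matches reserved topics such as $aws/...
    flt, lvl = topic_filter.split("/"), topic.split("/")
    for i, f in enumerate(flt):
        if f == "#":
            return i == len(flt) - 1  # '#' is only valid as the final filter level
        if i >= len(lvl) or (f != "+" and f != lvl[i]):
            return False
    return len(flt) == len(lvl)


def apply_rule(topic, payload, now):
    """Return the event the rule would forward to its action, or None if it does not fire."""
    if not topic_matches("pws/#", topic):
        return None  # FROM 'pws/#'
    msg = json.loads(payload)  # the Rules Engine acts on JSON payloads only
    temp = msg.get("temp")
    if not isinstance(temp, (int, float)) or not temp > 30:
        return None  # WHERE temp > 30 (missing or non-numeric temp -> no match)
    event = dict(msg)         # SELECT *
    event["timestamp"] = now  # , timestamp() as timestamp
    return event


if __name__ == "__main__":
    # Constructed sample messages; the first one matches the slide
    sample = [("pws/station123", '{"temp": 33, "wind": 1.02}'),
              ("pws/station456", '{"temp": 12, "wind": 0.40}'),
              ("other/station1", '{"temp": 40, "wind": 3.00}')]
    for topic, payload in sample:
        print(topic, "->", apply_rule(topic, payload, 1000209900))
```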
