AWS IoT is a managed cloud platform that lets connected devices easily and securely interact with cloud applications and other devices. This webinar will introduce the lifecycle of an IoT thing and the mechanisms used by AWS IoT to manage things. These mechanisms can be used to securely build and provision things, manage deployment, manage thing health, and integrate with other AWS services. And when the life of the thing has come to an end, we will show you how to retire the thing, keeping your solution secure. Learning Objectives: • Common IoT Thing Management Issues • AWS IoT Security and Access Control Mechanisms Who Should Attend: • Technical Decision Makers, Developers, Makers

1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Ian Massingham,
Chief Evangelist (EMEA),
Amazon Web Services
@IanMmmm
27 October 2016
The Life of an AWS IoT Thing

2. Topics for this session
Getting Started: What is AWS IoT
Device prototyping
Creating device keys & certificates
Register certificates on first use
Attaching policies to certificates
The AWS IoT Thing Registry
Communicating with Things
Store & retrieve device state with the Device Shadow

3. Getting started: What is AWS IoT?

4. AWS: hyperscale infrastructure for connected devices
Amazon SNS
Mobile Push
and Notifications
AWS Lambda
Run Code in
Response to Events
Amazon DynamoDB
Predictable and Scalable
NoSQL Data Store
Amazon Kinesis
Streaming Analytics
Amazon Redshift
Petabyte-Scale
Data Warehouse
…and more
Amazon API Gateway
Build, Deploy, and Manage
APIs
Amazon Cognito
User Identity and Data
Synchronization

5. IoT isn’t new to AWS with previous customer success
Amazon SNS
Mobile Push
and Notifications
Amazon
DynamoDB
Predictable and
Scalable NoSQL
Data Store
AWS Lambda
Run Code in
Response to Events
Amazon Redshift
Petabyte-Scale
Data Warehouse
…and more
Amazon
API Gateway
Build, Deploy, &
Manage APIs
Amazon Kinesis
Streaming Analytics
Amazon Cognito
User Identity and
Data Synchronization

6. AWS IoT: simplify & accelerate IoT development
Amazon SNS
Mobile Push
and Notifications
Amazon
DynamoDB
Predictable and
Scalable NoSQL
Data Store
AWS Lambda
Run Code in
Response to Events
Amazon Redshift
Petabyte-Scale
Data Warehouse
…and more
Amazon
API Gateway
Build, Deploy, &
Manage APIs
Amazon Kinesis
Streaming Analytics
Amazon Cognito
User Identity and
Data Synchronization
AWS IoT
Connect Devices to
the Cloud

7. AWS IoT
“Securely connect one or one billion devices to AWS,
so they can interact with applications and other devices”

8. AWS IoT
Message Broker
AWS-grade security
Rules engine
Device Shadows
Device Registry
Managed Platform
Seamless integration
with all of AWS

9. AWS IoT

10. Device prototyping

11. Get Started with the AWS IoT Device SDK
C SDK
(Ideal for embedded
OS)
JavaScript SDK
(Ideal for Embedded
Linux Platforms)
Arduino Library
(Arduino Yun)
Mobile SDK
(Android and iOS)
Python SDK Java SDK
https://aws.amazon.com/blogs/iot/introducing-aws-iot-device-sdks-for-java-and-python/

12. Prototyping with the Raspberry Pi
• Raspberry Pi hardware
• Electronics Starter Kits
• One examples is the SunFounder 37 modules Sensor Kit v2.0 for
Raspberry Pi 3, 2, Model B+ with 40-Pin GPIO Extension Board &
Jump Wires
• Example tutorial
• Raspberry Pi Sense Hat (optional fun)
• https://www.raspberrypi.org/products/sense-hat/

13. Setting up the Raspberry Pi GPIO & Sense Hat
Your own electronics/sensor build
C (for embedded C)
http://wiringpi.com
Python Wrapper Module for WiringPI
https://github.com/WiringPi/WiringPi-Python
For the Sense Hat
Python Module
https://github.com/RPi-Distro/python-sense-hat

14. Official IoT Starter Kits, Powered by AWS
Dragonboard 410c
(by Arrow)
Beaglebone Green
(by Seeed Studio)
Seeeduino Cloud
(by Seeed Studio)
Intel Edison
(by Seeed Studio)
MediaTek LinkIt One
(by Seeed Studio)
Broadcom BCM4343W
(by Avnet)
Marvell EasyConnect
(By Marvell)
Renesas RX63N
(by Micrium)
Microchip WCM
(by Microchip)
Ti Launchpad
(By Ti)

15. Prototype Thing
Thing Shadow
State Sync
MQTT Topics
Pub/Sub
Messaging

16. Production Thing
Thing Shadow
State Sync
MQTT Topics
Pub/Sub
Messaging

17. Creating device keys & certificates

18. AWS IoT security: authentication and authorization
AUTHENTICATION
Secure with mutual
authentication and encryption
AUTHENTICATION
AUTHORIZATION
Secure with mutual
authentication and encryption

19. Securing and identifying Things
- Secure Bi-Directional Pipe
- Anonymous
- Secure Bi-Directional Pipe
- Anonymous

20. Securing and Identifying Things: Mutual Auth TLS
- Secure Bi-Directional Pipe
- Anonymous
- Secure Bi-Directional Pipe
- Mutual Proof of Identity

21. AWS IoT security

22. Demo: AWS IoT Console
Creating certificates & keys

23. Key & certificate creation with the AWS CLI

24. Getting keys & certificates onto
your devices

25. Getting keys & certificates onto your devices
• Simple at the device prototyping stage
• Copy or flash them (& the CA cert) onto your device
• More complex in volume manufacturing
• Still copying or flashing keys & certs, but the numbers
increase
• Use AWS SDKs/CLI to automate key & certificate creation.
Provide keys & certificates to your device manufacturing
partners

26. Register on first use

27. https://aws.amazon.com/blogs/iot/just-in-time-registration-of-device-certificates-on-aws-iot/
Just-in-Time Registration of Device Certificates
Register your
CA Cert with
AWS IoT
Sign device certs
with your CA cert
$aws/events/certificates/
registered/<caCertificateID>
{
"certificateId": "<certificateID>",
"caCertificateId": "<caCertificateId>",
"timestamp": "<timestamp>",
"certificateStatus": "PENDING_ACTIVATION",
"awsAccountId": “<awsAccountId>",
}
AWS IoT
MQTT Endpoint
New certificate state set to
PENDING_ACTIVATION
AWS IoT Rule invokes
AWS Lambda function
AWS Lambda function
activates certificate &
attaches policy
New certificate state set to
ACTIVE

28. Attaching policies to certificates

29. Attaching policies to devices
AWS IoT policies are JSON documents. They follow the
same conventions as IAM policies.
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action":["iot:Publish"],
"Resource": ["arn:aws:iot:us-east-1:123456789012:topic/foo/bar"]
},
{
"Effect": "Allow",
"Action": ["iot:Connect"],
"Resource": ["*"]
}]
}
http://docs.aws.amazon.com/iot/latest/developerguide/authorization.html
Policy Actions
iot:Publish
iot:Subscribe
iot:Recieve
iot:Connect
iot:UpdateThingShadow
iot:GetThingShadow
iot:DeleteThingShadow

30. Attaching policies to certificates (devices)
$ aws iot create-policy --policy-name <value>
--policy-document <JSON policy document>
$ aws iot attach-principle-policy
--policy-name <value>
--principal <certificate ARN>

31. The AWS IoT Thing Registry

32. AWS IoT Registry
THING REGISTRY
Identity and Management of
your things
REGISTRY
Identity and Management of
your things

33. AWS IoT Registry
• Static attributes associated to Thing
• Firmware version
• Serial Numbers
• Device Type
• Device Group
• Device Description
• Sensor description
• Support and Maintenance
• Reference Manual URL
• Part # reference
• Reference to external support system

34. AWS IoT Registry: Create & List Things
http://docs.aws.amazon.com/iot/latest/developerguide/thing-registry.html
$ aws iot create-thing --thing-name "MyLightBulb" --attribute-payload "{"attributes": {"wattage":"75", ”model":"123"}}"
{
"thingArn": "arn:aws:iot:eu-west-1:554625704737:thing/MyLightBulb",
"thingName": "MyLightBulb"
}
$ aws iot list-things
{
"things": [
{
"attributes": {
"model": "123",
"wattage": "75"
},
"version": 1,
"thingName": "MyLightBulb"
}
]
}

35. AWS IoT Registry: Search for Things
http://docs.aws.amazon.com/iot/latest/developerguide/thing-registry.html
$ aws iot list-things --attribute-name "wattage" --attribute-value “75"
{
"things": [
{
"thingTypeName": "StopLight",
"attributes": {
"model": "123",
"wattage": "75"
},
"version": 3,
"thingName": "MyLightBulb"
},
{
"thingTypeName": "LightBulb",
"attributes": {
"model": "123",
"wattage": "75"
},
"version": 1,
"thingName": "MyRGBLight"
}
]
}

36. AWS IoT Registry: Thing Types
http://docs.aws.amazon.com/iot/latest/developerguide/thing-registry.html
Thing types allow you to store description and configuration
information that is common to all things associated with the
same thing type.
For example, you can define a LightBulb thing type. All
things associated with the LightBulb thing type share a set
of attributes.
aws iot create-thing-type --thing-type-name "LightBulb"
--thing-type-properties "thingTypeDescription=light bulb type, searchableAttributes=wattage,model"

37. Communicating with Things

38. AWS IoT Message Broker
DEVICE GATEWAY
Communicate with devices via
MQTT and HTTP

39. AWS IoT Message Broker

40. MQTT
MQTT vs HTTPS:
• 93x faster throughput
• 11.89x less battery to send
• 170.9x less battery to receive
• 50% less power to keep connected
• 8x less network overhead
Source: http://stephendnicholas.com/archives/
1217
• OASIS standard protocol (v3.1.1)
• Lightweight, pub-sub, transport protocol
that is useful for connected devices
• MQTT is used on oil rigs, connected
trucks, and many more sensitive and
resource-sensitive scenarios
• Customers have needed to build,
maintain, and scale a broker to use
MQTT with cloud applications

41. AWS IoT Message Broker : managed service
Highly Scalable
Device Gateway
Millions of devices
sending billions of
messages
Subscribers
Publishers

42. AWS IoT Rules Engine
RULES ENGINE
Transform messages
based on rules and route
to AWS Services

43. AWS IoT Rules Engine

44. Simple & familiar syntax
- SQL Statement to define topic filter
- Optional WHERE clause
- Advanced JSON support
Functions improve signal : noise
- String manipulation (regex support)
- Mathematical operations
- Context-based helper functions
- Crypto support
- UUID, Timestamp, rand, etc.
AWS IoT Rules Engine basics
SELECT * FROM ‘things/thing-2/color’
WHERE color = ‘red’

45. AWS IoT Rules Engine’s flexibility
SELECT *, clientId() as MQTTClientId
FROM 'one/rule'
WHERE
startsWith(topic(2), 'IME33') AND
(state = 'INIT' OR hydro_temp >
surface_temp)",
"actions":
[{
"republish": {
"topic": "controllers/
${substring(topic(3), 3, 5)}",
}]
http://docs.aws.amazon.com/iot/latest/developerguide/iot-sql-functions.html

46. AWS IoT Rules Engine
Complex Evaluations
Respond to the fleet, not just a single unit. Dozens of functions() available.
Multiple / Simultaneous Actions
Sometimes a situation requires you to take many actions.

47. AWS IoT Rules Engine actions
RULES ENGINE
Transform messages
based on rules and route
to AWS Services
AWS Services
- - - - -
3P Services
AWS Services
- - - - -
3P Services

48. 1. AWS Services
(Direct Integration)
Rules Engine
Actions
AWS IoT Rules Engine
LambdaSNS SQS
S3 Amazon KinesisDDB RDS
Amazon
Redshift
Amazon Glacier
EC2
3. External Endpoints
(via Lambda and SNS)
Rules Engine connects AWS
IoT to External Endpoints and
AWS Services.
2. Rest of AWS
(via Amazon Kinesis,
Lambda, S3, and more)

49. AWS IoT Rules Engine Actions
Rules Engine evaluates inbound
messages published into AWS IoT,
and transforms and delivers to the
appropriate endpoint based on
business rules.
External endpoints can be reached
via Lambda and Simple Notification
Service (SNS).
Invoke a Lambda function
Put object in an S3 bucket
Insert, Update, Read from a
DynamoDB table
Publish to an SNS Topic
or Endpoint
Publish to an Amazon Kinesis
stream
Actions
Amazon Kinesis Firehose
Republish to AWS IoT

50. Store & retrieve device state
with the Device Shadow

51. AWS IoT Thing Shadow
THING SHADOW
Persistent thing state during
intermittent connections
SHADOW
Persistent thing state during
intermittent connections
APPLICATIONS

52. AWS IoT Device Shadows

53. AWS IoT Thing Shadow
Shadow

54. AWS IoT Shadow Flow
Shadow
Device SDK
1. Device Publishes Current State
2. Persist JSON Data Store
3. App requests device’s current state
4. App requests change the state
5. Device Shadow syncs
updated state
6. Device Publishes Current State
7. Device Shadow confirms state change
AWS IoT

55. AWS IoT Device Shadow - Simple Yet Powerful
{
"state" : {
“desired" : {
"lights": { "color": "RED" },
"engine" : "ON"
},
"reported" : {
"lights" : { "color": "GREEN" },
"engine" : "ON"
},
"delta" : {
"lights" : { "color": "RED" }
} },
"version" : 10
}
Thing
Report its current state to one or multiple shadows
Retrieve its desired state from shadow
Mobile App
Set the desired state of a device
Get the last reported state of the device
Delete the shadow
Shadow
Shadow reports delta, desired and reported
states along with metadata and version

56. AWS IoT Device Shadow Topics (MQTT)
Thing SDK makes it easy for you to
build shadow functionality into your
device so it can automatically
synchronize the state with the device.
AWS IoT Thing Shadow
UPDATE: $aws/things/{thingName}/shadow/update
DELTA: $aws/things/{thingName}/shadow/update/delta
GET: $aws/things/{thingName}/shadow/get
DELETE: $aws/things/{thingName}/shadow/delete
Sensor Reported Desired Delta
LED1 RED YELLOW
LED1 = Yellow
TEMP = 60FACCEL X=1,Y=5,Z=4 X=1,Y=5,Z=4
TEMP 83F 60F

57. Updating device firmware

58. AWS IoT – Device Management
S3 Holds Versioned Firmware Distributions
Organize and secure your firmware binaries in S3
Message Broker notifies groups of the fleet using Topic Patterns
Alert the fleet (or part of it) of the update, and send the URL to the S3 download
Firmware Update
Stored in S3
Event Hook -> Lambda
Publish to groups of devices
• Ability to update global
or within a Region
• Rules Engine keeps
state of updates and
tracks progress in a
DynamoDB Table
• Store Version in Registry
Entry

59. Replacing/Retiring devices

60. Replacing/Retiring devices
Revoking Device Certificates
Then it’s just a matter of creating & deploying a new device
& attaching the same policy to the new device’s certificate
$ aws iot update-certificate --certificate-id <certificateId> --new-status REVOKED

61. aws.amazon.com/iot/

62. Thank you!
Ian Massingham,
Chief Evangelist (EMEA),
Amazon Web Services
@IanMmmm

63. Questions?