getting started with aws iot

Post on 16-Apr-2017


© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

John Chang 張書源

Ecosystem Solutions Architect

May 2016

Getting Started with AWS IoT

Things are NOT static assets

AWS IoT

new: EU (Frankfurt) Region Available

US-EAST (N. Virginia)

US-WEST (Oregon)

EU (Dublin)

* EU (Frankfurt)

Asia Pacific (Tokyo)

Routing noise

Device Gateway

Publish / Subscribe

Standard Protocol Support

MQTT, HTTP, WebSockets

Long Lived Connections

Receive signals from the cloud

Secure by Default

Connect securely via X509 Certs

and TLS 1.2 Client Mutual Auth

Sensor messages

Standard protocol support

MQTT, HTTP, WebSockets

Topic/channel

Message routing hierarchy

Control over full tree

Payload (JSON)

Customer-defined JSON payload

Finding the signals

Extracting the value from messages

• Filter messages with certain criteria

• Move messages to other topics

• Move messages to other systems

• Transform the payload of messages

• Predict messages based on trends

• React based on messages

Rules Engine

AWS IoT SQL reference

SELECT DATA FROM TOPIC WHERE FILTER

• Like scanning a database table

• Default source is an MQTT topic

EXAMPLES:

• FROM mqtt('my/topic')

• FROM mqtt('my/wildcard/+/topic')

• FROM ('my/topic')

Rules engine

• Familiar SQL syntax

• SELECT * FROM topic WHERE filter

• Functions

• String manipulation (regex support)

• Mathematical operations

• Context based helper functions

• Crypto support

• UUID, timestamp, rand, etc.

• Execute simultaneous actions

new: Rules engine features

• Versioning

• 2016-10-08 – Original version

• 2016-03-23-beta – Beta version released on specific date

• beta – Latest beta version (breaking changes!)

• lts – Latest long-term support version, automatically updated

{
  "sql": "expression",
  "ruleDisabled": false,
  "awsIotSqlVersion": "2015-03-23-beta",
  "actions": [{
    "republish": {
      "topic": "my-mqtt-topic",
      "roleArn": "arn:aws:iam::123456789012:role/my-iot-role"
    }
  }]
}

new: Rules engine features

• JSON collections

• get(array, int) – get item at index of array

• get(string, int) – get character at position of string

• get(object, key) – get value of key

• SUB SELECT from collections

• SELECT (SELECT v FROM e WHERE n = 'temperature') as temperature FROM 'topic'

new: Elasticsearch Integration

new: Predict Function

Basic flow for using prediction

• Generate data

• Use AWS IoT rule to forward to S3

• Build your Amazon Machine Learning model using the S3 data source

• Enable real-time predictions in Amazon ML

• Use an AWS IoT rule to validate the predicted value from the real-time prediction endpoint in Amazon ML

• Add other actions

Predictive Maintenance blog:

http://bit.ly/aws-iot-aml-blog

AWS IoT device shadow

AWS IoT Device Shadow

1. Device publishes current state

2. Persist JSON data store

3. App requests device's current state

4. App requests change to the state

5. Device shadow syncs updated state

6. Device publishes current state

7. Device shadow confirms state change

AWS IoT device shadow flow

AWS IoT device shadow: Simple yet powerful

{
  "state" : {
    "desired" : {
      "lights" : { "color": "RED" },
      "engine" : "ON"
    },
    "reported" : {
      "lights" : { "color": "GREEN" },
      "engine" : "ON"
    },
    "delta" : {
      "lights" : { "color": "RED" }
    }
  },
  "version" : 10
}

Device

Report its current state to one or multiple shadows

Retrieve its desired state from shadow

Mobile App

Set the desired state of a device

Get the last reported state of the device

Delete the shadow

Shadow

Shadow reports delta, desired, and reported states along with metadata and version
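The slide's sample document shows a "delta" that holds only the part of "desired" the device has not yet reported. The following is an added example, not code from the slides or the AWS SDK: it derives that delta from the desired and reported sections (recursing into nested objects) and shows the device-side version check that discards stale shadow updates. The monotonic-version rule is this example's convention.

```python
# Added example (not from the slides): compute the "delta" section of an
# AWS IoT device shadow document, i.e. the subset of "desired" that differs
# from "reported". Nested objects are compared key by key, so only the
# differing leaf keys appear in the delta.
import copy
import json


def compute_delta(desired, reported):
    """Return the desired keys whose values differ from reported, or None."""
    if not isinstance(desired, dict) or not isinstance(reported, dict):
        # Leaf values (or a type mismatch): emit the desired value if it differs.
        return None if desired == reported else copy.deepcopy(desired)
    delta = {}
    for key, want in desired.items():
        if key not in reported:
            delta[key] = copy.deepcopy(want)
            continue
        child = compute_delta(want, reported[key])
        if child is not None:
            delta[key] = child
    return delta or None


def build_shadow_document(desired, reported, version):
    """Assemble a shadow document; "delta" is omitted when nothing differs."""
    state = {"desired": desired, "reported": reported}
    delta = compute_delta(desired, reported)
    if delta is not None:
        state["delta"] = delta
    return {"state": state, "version": version}


def accept_update(last_seen_version, incoming_version):
    """Device-side check (this example's convention): only apply an update
    whose version is strictly newer than the last one already applied."""
    return incoming_version > last_seen_version


# Constructed input mirroring the slide's sample document.
SAMPLE_DESIRED = {"lights": {"color": "RED"}, "engine": "ON"}
SAMPLE_REPORTED = {"lights": {"color": "GREEN"}, "engine": "ON"}

if __name__ == "__main__":
    doc = build_shadow_document(SAMPLE_DESIRED, SAMPLE_REPORTED, version=10)
    print(json.dumps(doc, indent=2))
```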

Security

AWS security operating principles

Separation of duties

Different personnel across service lines

Least privilege

Securing devices

TLS mutual authentication

• Create CSR

• Create X.509 certificate from CSR

• Activate the certificate

• Create policy

• Attach policy to certificate

* Certificate must be issued by AWS IoT

new: Bring your own certificate

• Use certificates issued by your own CA

• Existing certificate issuance infrastructure

• Use certificates already on board

• Limited Internet connectivity from assembly/manufacturing

locations

• Seamless provisioning of devices

• 8 new API calls to support management of certificates

Example publish/subscribe policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish"
      ],
      "Resource": [
        "arn:aws:iot:us-east-1:123456789012:topic/foo"
      ]
    },
    {
      "Effect": "Deny",
      "Action": [
        "iot:Subscribe"
      ],
      "Resource": [
        "arn:aws:iot:us-east-1:123456789012:topic/bar"
      ]
    }
  ]
}

Allow access to

topic/foo

Deny access

topic/bar

AWS IoT policies

• Effect

• Allow or Deny

• Action

• "iot:Publish" - MQTT publish

• "iot:Subscribe" - MQTT subscribe

• "iot:UpdateThingShadow" - Update a thing shadow

• "iot:GetThingShadow" - Retrieve a thing shadow

• "iot:DeleteThingShadow" - Delete a thing shadow

• Resource

• Client

• Topic ARN or topic filter ARN
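To make the Allow/Deny semantics of the publish/subscribe policy above concrete, here is an added example (not from the slides or any AWS library): a minimal evaluator that applies the standard decision order, explicit Deny beats Allow and anything unmatched is implicitly denied. The constructed policy keeps the slide's topic ARNs; in the live service iot:Subscribe is authorized against topicfilter ARNs rather than topic ARNs.

```python
# Added example (not from the slides): evaluate AWS IoT policy statements
# the way the slide's publish/subscribe example is meant to be read.
from fnmatch import fnmatchcase


def _matches(patterns, value):
    """True if value matches any pattern; '*' in a policy is a wildcard."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatchcase(value, p) for p in patterns)


def evaluate(policy, action, resource):
    """Return 'Allow' or 'Deny' for one action on one resource ARN."""
    allowed = False
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny overrides every Allow
        allowed = True
    return "Allow" if allowed else "Deny"  # implicit deny when nothing allows


# Constructed policy reproducing the slide's two statements, plus a broad
# Allow on all topics to show that it cannot override the explicit Deny.
ACCOUNT = "arn:aws:iot:us-east-1:123456789012"
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iot:Publish"],
         "Resource": [ACCOUNT + ":topic/foo"]},
        {"Effect": "Deny", "Action": ["iot:Subscribe"],
         "Resource": [ACCOUNT + ":topic/bar"]},
        {"Effect": "Allow", "Action": ["iot:Subscribe"],
         "Resource": [ACCOUNT + ":topic/*"]},
    ],
}

if __name__ == "__main__":
    for action, topic in [("iot:Publish", "foo"), ("iot:Subscribe", "bar"),
                          ("iot:Subscribe", "baz"), ("iot:Publish", "bar")]:
        arn = ACCOUNT + ":topic/" + topic
        print(action, arn, "->", evaluate(SAMPLE_POLICY, action, arn))
```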

Securing AWS resource access

Creating the trust relationship with AWS IoT


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "iot.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Securing AWS resource access

Securing user access

• WebSockets support Signature Version 4 authentication

• IAM roles and policies

• Amazon Cognito identity pools

• Anonymous access to iot:Subscribe

• Use your own application-level authentication patterns

Device SDKs

Device SDK support

• Based on open standards like Eclipse Paho

• C

• Arduino (Yun)

• iOS (Swift)

• Android

• WebSocket support

• NodeJS

• JS SDK for statically hosted site (WebSockets)

Summary

• AWS IoT

• New Region launch (EU – Frankfurt)

• New Rules engine features

• Elasticsearch

• Amazon ML prediction function

• New Bring your own certificates

Same room after this:

Building end-to-end AWS IoT Solutions next!

Thank you
