Download - The Lifecycle of an AWS IoT Thing
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Ian Massingham, Chief Evangelist (EMEA), Amazon Web Services @IanMmmm
27 October 2016
The Life of an AWS IoT Thing
Topics for this session
Getting Started: What is AWS IoT Device prototyping Creating device keys & certificates Register certificates on first use Attaching policies to certificates The AWS IoT Thing Registry Communicating with Things Store & retrieve device state with the Device Shadow
Getting started: What is AWS IoT?
AWS: hyperscale infrastructure for connected devices
Amazon SNS Mobile Push
and Notifications
AWS Lambda Run Code in
Response to Events
Amazon DynamoDB Predictable and Scalable
NoSQL Data Store
Amazon Kinesis Streaming Analytics
Amazon Redshift Petabyte-Scale
Data Warehouse
…and more
Amazon API Gateway Build, Deploy, and Manage
APIs
Amazon Cognito User Identity and Data
Synchronization
IoT isn’t new to AWS with previous customer success
Amazon SNS Mobile Push
and Notifications
Amazon DynamoDB
Predictable and Scalable NoSQL
Data Store
AWS Lambda Run Code in
Response to Events
Amazon Redshift Petabyte-Scale
Data Warehouse
…and more
Amazon API Gateway
Build, Deploy, & Manage APIs
Amazon Kinesis Streaming Analytics
Amazon Cognito User Identity and
Data Synchronization
AWS IoT: simplify & accelerate IoT development
Amazon SNS Mobile Push
and Notifications
Amazon DynamoDB
Predictable and Scalable NoSQL
Data Store
AWS Lambda Run Code in
Response to Events
Amazon Redshift Petabyte-Scale
Data Warehouse
…and more
Amazon API Gateway
Build, Deploy, & Manage APIs
Amazon Kinesis Streaming Analytics
Amazon Cognito User Identity and
Data Synchronization
AWS IoT Connect Devices to
the Cloud
AWS IoT
“Securely connect one or one billion devices to AWS, so they can interact with applications and other devices”
AWS IoT
Message Broker
AWS-grade security
Rules engine
Device Shadows
Device Registry
Managed Platform
Seamless integration with all of AWS
AWS IoT
Device prototyping
Get Started with the AWS IoT Device SDK
C SDK (Ideal for embedded
OS)
JavaScript SDK (Ideal for Embedded
Linux Platforms)
Arduino Library (Arduino Yun)
Mobile SDK (Android and iOS)
Python SDK Java SDK
https://aws.amazon.com/blogs/iot/introducing-aws-iot-device-sdks-for-java-and-python/
Prototyping with the Raspberry Pi
• Raspberry Pi hardware
• Electronics Starter Kits • One examples is the SunFounder 37 modules Sensor Kit v2.0 for
Raspberry Pi 3, 2, Model B+ with 40-Pin GPIO Extension Board & Jump Wires
• Example tutorial
• Raspberry Pi Sense Hat (optional fun) • https://www.raspberrypi.org/products/sense-hat/
Setting up the Raspberry Pi GPIO & Sense Hat
Your own electronics/sensor build C (for embedded C)
http://wiringpi.com Python Wrapper Module for WiringPI
https://github.com/WiringPi/WiringPi-Python
For the Sense Hat Python Module
https://github.com/RPi-Distro/python-sense-hat
Official IoT Starter Kits, Powered by AWS
Dragonboard 410c (by Arrow)
Beaglebone Green (by Seeed Studio)
Seeeduino Cloud (by Seeed Studio)
Intel Edison (by Seeed Studio)
MediaTek LinkIt One (by Seeed Studio)
Broadcom BCM4343W (by Avnet)
Marvell EasyConnect (By Marvell)
Renesas RX63N (by Micrium)
Microchip WCM (by Microchip)
Ti Launchpad (By Ti)
Prototype ThingThing Shadow
State Sync
MQTT Topics
Pub/Sub Messaging
Production ThingThing Shadow
State Sync
MQTT Topics
Pub/Sub Messaging
Creating device keys & certificates
AWS IoT security: authentication and authorization
AUTHENTICATION Secure with mutual
authentication and encryption
AUTHENTICATION AUTHORIZATION
Secure with mutual authentication and encryption
Securing and identifying Things
- Secure Bi-Directional Pipe - Anonymous
- Secure Bi-Directional Pipe - Anonymous
Securing and Identifying Things: Mutual Auth TLS
- Secure Bi-Directional Pipe - Anonymous
- Secure Bi-Directional Pipe - Mutual Proof of Identity
AWS IoT security
Demo: AWS IoT Console Creating certificates & keys
Key & certificate creation with the AWS CLI
Getting keys & certificates onto your devices
Getting keys & certificates onto your devices
• Simple at the device prototyping stage • Copy or flash them (& the CA cert) onto your device
• More complex in volume manufacturing • Still copying or flashing keys & certs, but the numbers
increase
• Use AWS SDKs/CLI to automate key & certificate creation. Provide keys & certificates to your device manufacturing partners
Register on first use
https://aws.amazon.com/blogs/iot/just-in-time-registration-of-device-certificates-on-aws-iot/
Just-in-Time Registration of Device Certificates
Register your CA Cert with
AWS IoT
Sign device certs with your CA cert
$aws/events/certificates/registered/<caCertificateID>
{"certificateId":"<certificateID>","caCertificateId":"<caCertificateId>","timestamp":"<timestamp>","certificateStatus":"PENDING_ACTIVATION","awsAccountId":“<awsAccountId>",
}
AWS IoT MQTT Endpoint
New certificate state set to PENDING_ACTIVATION
AWS IoT Rule invokes AWS Lambda function
AWS Lambda function activates certificate & attaches policy
New certificate state set to ACTIVE
Attaching policies to certificates
Attaching policies to devices
AWS IoT policies are JSON documents. They follow the same conventions as IAM policies.
{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["iot:Publish"],"Resource":["arn:aws:iot:us-east-1:123456789012:topic/foo/bar"]},{"Effect":"Allow","Action":["iot:Connect"],"Resource":["*"]}]}
http://docs.aws.amazon.com/iot/latest/developerguide/authorization.html
Policy Actions
iot:Publishiot:Subscribeiot:Recieveiot:Connectiot:UpdateThingShadowiot:GetThingShadowiot:DeleteThingShadow
Attaching policies to certificates (devices)
$awsiotcreate-policy--policy-name<value>\\--policy-document<JSONpolicydocument>
$awsiotattach-principle-policy\\--policy-name<value>\\--principal<certificateARN>
The AWS IoT Thing Registry
AWS IoT Registry
THING REGISTRY Identity and Management of
your things
REGISTRY Identity and Management of
your things
AWS IoT Registry
• Static attributes associated to Thing • Firmware version • Serial Numbers • Device Type • Device Group • Device Description • Sensor description
• Support and Maintenance • Reference Manual URL • Part # reference
• Reference to external support system
AWS IoT Registry: Create & List Things
http://docs.aws.amazon.com/iot/latest/developerguide/thing-registry.html
$awsiotcreate-thing--thing-name"MyLightBulb"--attribute-payload"{\"attributes\":{\"wattage\":\"75\",\”model\":\"123\"}}"{"thingArn":"arn:aws:iot:eu-west-1:554625704737:thing/MyLightBulb","thingName":"MyLightBulb"}$awsiotlist-things{"things":[{"attributes":{"model":"123","wattage":"75"},"version":1,"thingName":"MyLightBulb"}]}
AWS IoT Registry: Search for Things
http://docs.aws.amazon.com/iot/latest/developerguide/thing-registry.html
$awsiotlist-things--attribute-name"wattage"--attribute-value“75"{"things":[{"thingTypeName":"StopLight","attributes":{"model":"123","wattage":"75"},"version":3,"thingName":"MyLightBulb"},{"thingTypeName":"LightBulb","attributes":{"model":"123","wattage":"75"},"version":1,"thingName":"MyRGBLight"}]}
AWS IoT Registry: Thing Types
http://docs.aws.amazon.com/iot/latest/developerguide/thing-registry.html
Thing types allow you to store description and configuration information that is common to all things associated with the same thing type. For example, you can define a LightBulb thing type. All things associated with the LightBulb thing type share a set of attributes.
awsiotcreate-thing-type--thing-type-name"LightBulb"\\--thing-type-properties"thingTypeDescription=lightbulbtype,searchableAttributes=wattage,model"
Communicating with Things
AWS IoT Message Broker
DEVICE GATEWAY Communicate with devices via
MQTT and HTTP
AWS IoT Message Broker
MQTT
MQTT vs HTTPS:
• 93x faster throughput • 11.89x less battery to send • 170.9x less battery to receive • 50% less power to keep connected • 8x less network overhead
Source: http://stephendnicholas.com/archives/1217
• OASIS standard protocol (v3.1.1) • Lightweight, pub-sub, transport protocol
that is useful for connected devices • MQTT is used on oil rigs, connected
trucks, and many more sensitive and resource-sensitive scenarios
• Customers have needed to build, maintain, and scale a broker to use MQTT with cloud applications
AWS IoT Message Broker : managed service
Highly Scalable Device Gateway
Millions of devices sending billions of messages
SubscribersPublishers
AWS IoT Rules Engine
RULES ENGINE Transform messages
based on rules and route to AWS Services
AWS IoT Rules Engine
Simple & familiar syntax - SQL Statement to define topic filter - Optional WHERE clause - Advanced JSON support
Functions improve signal : noise - String manipulation (regex support) - Mathematical operations - Context-based helper functions - Crypto support - UUID, Timestamp, rand, etc.
AWS IoT Rules Engine basics
SELECT * FROM ‘things/thing-2/color’ WHERE color = ‘red’
AWS IoT Rules Engine’s flexibility
SELECT *, clientId() as MQTTClientId FROM 'one/rule' WHERE
startsWith(topic(2), 'IME33') AND (state = 'INIT' OR hydro_temp > surface_temp)","actions": [{
"republish": {"topic": "controllers/
${substring(topic(3), 3, 5)}",}]
http://docs.aws.amazon.com/iot/latest/developerguide/iot-sql-functions.html
AWS IoT Rules Engine
Complex Evaluations Respond to the fleet, not just a single unit. Dozens of functions() available.
Multiple / Simultaneous Actions Sometimes a situation requires you to take many actions.
AWS IoT Rules Engine actions
RULES ENGINE Transform messages
based on rules and route to AWS Services
AWS Services - - - - -
3P ServicesAWS Services
- - - - - 3P Services
1. AWS Services (Direct Integration)
Rules Engine
Actions
AWS IoT Rules Engine
LambdaSNS SQS
S3 Amazon KinesisDDB RDS
AmazonRedshift
Amazon Glacier
EC2
3. External Endpoints (via Lambda and SNS)
Rules Engine connects AWS IoT to External Endpoints and AWS Services.
2. Rest of AWS (via Amazon Kinesis, Lambda, S3, and more)
AWS IoT Rules Engine Actions
Rules Engine evaluates inbound messages published into AWS IoT, and transforms and delivers to the appropriate endpoint based on business rules.
External endpoints can be reached via Lambda and Simple Notification Service (SNS).
Invoke a Lambda function
Put object in an S3 bucket
Insert, Update, Read from a DynamoDB table
Publish to an SNS Topic or Endpoint
Publish to an Amazon Kinesis stream
Actions
Amazon Kinesis Firehose
Republish to AWS IoT
Store & retrieve device state with the Device Shadow
AWS IoT Thing Shadow
THING SHADOW Persistent thing state during
intermittent connectionsSHADOW
Persistent thing state during intermittent connections
APPLICATIONS
AWS IoT Device Shadows
AWS IoT Thing Shadow
Shadow
AWS IoT Shadow Flow
Shadow
Device SDK
1. Device Publishes Current State
2. Persist JSON Data Store
3. App requests device’s current state
4. App requests change the state5. Device Shadow syncs updated state
6. Device Publishes Current State 7. Device Shadow confirms state change
AWS IoT
AWS IoT Device Shadow - Simple Yet Powerful
{
"state" : {
“desired" : {
"lights": { "color": "RED" },
"engine" : "ON"
},
"reported" : {
"lights" : { "color": "GREEN" },
"engine" : "ON"
},
"delta" : {
"lights" : { "color": "RED" }
} },
"version" : 10
}
Thing
Report its current state to one or multiple shadows Retrieve its desired state from shadow
Mobile App
Set the desired state of a device Get the last reported state of the device Delete the shadow
Shadow
Shadow reports delta, desired and reported states along with metadata and version
AWS IoT Device Shadow Topics (MQTT)
Thing SDK makes it easy for you to build shadow functionality into your device so it can automatically synchronize the state with the device.
AWS IoT Thing Shadow
UPDATE: $aws/things/{thingName}/shadow/update DELTA: $aws/things/{thingName}/shadow/update/delta GET: $aws/things/{thingName}/shadow/get DELETE: $aws/things/{thingName}/shadow/delete
Sensor Reported Desired Delta
LED1 RED YELLOWLED1 = Yellow TEMP = 60FACCEL X=1,Y=5,Z=4 X=1,Y=5,Z=4
TEMP 83F 60F
Updating device firmware
AWS IoT – Device Management
S3 Holds Versioned Firmware Distributions Organize and secure your firmware binaries in S3
Message Broker notifies groups of the fleet using Topic Patterns Alert the fleet (or part of it) of the update, and send the URL to the S3 download
Firmware Update
Stored in S3
Event Hook -> Lambda
Publish to groups of devices
• Ability to update global or within a Region
• Rules Engine keeps state of updates and tracks progress in a DynamoDB Table
• Store Version in Registry Entry
Replacing/Retiring devices
Replacing/Retiring devices
Revoking Device Certificates
Then it’s just a matter of creating & deploying a new device & attaching the same policy to the new device’s certificate
$awsiotupdate-certificate--certificate-id<certificateId>--new-statusREVOKED
aws.amazon.com/iot/
Thank you!
Ian Massingham, Chief Evangelist (EMEA), Amazon Web Services @IanMmmm
Questions?