AWS IoT is a managed cloud platform that can support billions of devices and trillions of messages, and can process and route those messages to AWS endpoints and to other devices reliably and securely.
In this session we look at patterns and architectures for developing connected applications using AWS IoT. We dive into demo applications that tie together physical IoT devices, web browsers, identity providers, and mobile devices to create smart, connected applications using Amazon Web Services.
Speaker: Adam Larter, Solutions Architect, Amazon Web Services
Featured Customer - Tekt Industries
2. What to Expect from Today’s Session
• Dive Deep on AWS IoT
• Patterns for Building IoT Applications
• Creating Applications using AWS IoT, Amazon Cognito, AWS Lambda and Amazon API Gateway
• Customer Story
• A few Demonstrations and Audience Participation
12. AWS IoT
• Device SDK: set of client libraries to connect, authenticate and exchange messages
• Device Gateway: communicate with devices via MQTT and HTTP
• Authentication and Authorisation: secure with mutual authentication and encryption
• Rules Engine: transform messages based on rules and route to AWS services and third-party (3P) services
• Device Shadow: persistent thing state during intermittent connections
• Applications: AWS IoT API
• Device Registry: identity and management of your things
18. AWS IoT – How do we Secure Communications?
• Mutual authentication: X.509 certificate-based auth
  Devices use certificate-based authentication
  We assign policies to certificates
• AWS SigV4
  Browsers use WebSockets, connections signed using SigV4
  We assign policies to the user principal
• Amazon Cognito simplifies signing SigV4 requests
  SDK simplifies interfacing with Cognito to obtain limited-privilege AWS credentials
19. AWS IoT – Securing Device Connections
Diagram: IoT ‘Thing’ (LightBulb) holding an IoT certificate & private key, provisioned by the device manufacturer → AWS IoT → IoT policy + MQTT topics.
AWS IoT has the public key to confirm the authenticity of the certificate, and the connection between the Thing and the AWS IoT service is encrypted.
Based on the certificate presented by the Thing, the associated IoT Policy is applied to allow/deny actions to resources (such as publishing to certain MQTT topics).
20. AWS IoT Policies are attached to Principals
A Principal can be either a certificate or a Cognito Identity.
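As an added example (not code from the talk), here are least-privilege IoT policies for the two principal types just described, a Smart Hub certificate and a Cognito identity, together with a small evaluator that is my own simplification of how AWS IoT applies a policy to an action on a resource. The region, account id, thing names and topic layout are constructed placeholders, and the two policy variables are assumed to be available to the respective principal type.

```javascript
// Added example (not from the talk): least-privilege AWS IoT policies for a
// Smart Hub certificate and for a Cognito identity, plus an evaluator that is my
// own simplification of AWS IoT's allow/deny logic (not AWS's code).
// Region, account id, thing names and topic layout are constructed placeholders.
const REGION = 'ap-southeast-2', ACCOUNT = '123456789012';
const arn = (kind, path) => `arn:aws:iot:${REGION}:${ACCOUNT}:${kind}/${path}`;
const HUB = '${iot:Connection.Thing.ThingName}';      // thing attached to the presented certificate
const USER = '${cognito-identity.amazonaws.com:sub}'; // Cognito identity id of the browser user

// Attached to each Smart Hub's certificate: connect only as itself, publish only
// under its own prefix, and listen only on its own command topic.
const hubPolicy = { Version: '2012-10-17', Statement: [
  { Effect: 'Allow', Action: 'iot:Connect',   Resource: arn('client', HUB) },
  { Effect: 'Allow', Action: 'iot:Publish',   Resource: arn('topic', `hubs/${HUB}/*`) },
  { Effect: 'Allow', Action: 'iot:Subscribe', Resource: arn('topicfilter', `hubs/${HUB}/cmd`) },
  { Effect: 'Allow', Action: 'iot:Receive',   Resource: arn('topic', `hubs/${HUB}/cmd`) },
] };

// Attached with attach-principal-policy to Bob's Cognito identity. Assumption: the
// portal republishes telemetry of hubs paired to Bob under users/<identity-id>/...,
// so Bob can read only that; the explicit Deny keeps every browser off hub topics.
const userPolicy = { Version: '2012-10-17', Statement: [
  { Effect: 'Allow', Action: 'iot:Connect',   Resource: arn('client', USER) },
  { Effect: 'Allow', Action: 'iot:Subscribe', Resource: arn('topicfilter', `users/${USER}/*`) },
  { Effect: 'Allow', Action: 'iot:Receive',   Resource: arn('topic', `users/${USER}/*`) },
  { Effect: 'Deny',  Action: 'iot:*',         Resource: arn('topic*', 'hubs/*') },
] };

// Expand ${...} policy variables from the connection context, then match the
// pattern against the value with "*" standing for any run of characters.
function matches(pattern, value, vars) {
  const expanded = pattern.replace(/\$\{([^}]+)\}/g, (_, name) => vars[name] || '');
  const re = expanded.split('*').map(s => s.replace(/[.+?^$()[\]{}|\\]/g, '\\$&')).join('.*');
  return new RegExp('^' + re + '$').test(value);
}

// An explicit Deny always wins; otherwise any matching Allow permits the request;
// with no matching statement the request is denied by default.
function isAllowed(policy, action, resource, vars) {
  let allowed = false;
  for (const st of policy.Statement) {
    const hit = [].concat(st.Action).some(a => matches(a, action, vars)) &&
                [].concat(st.Resource).some(r => matches(r, resource, vars));
    if (hit && st.Effect === 'Deny') return false;
    if (hit) allowed = true;
  }
  return allowed;
}
```

With the hub's thing name bound to its certificate, hub-0001 can publish under hubs/hub-0001/ but not as hub-0002, and Bob's identity can subscribe only to its own users/ prefix.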
21. Amazon Cognito Security Architecture
Diagram: End Users log in (OAuth/OpenID) to an identity provider and receive an Access Token; the Cognito Identity Broker exchanges that Access Token, using the Pool ID and Role ARNs the Developer configured in the AWS Management Console, for a Cognito ID and temporary credentials; those temporary credentials (the User ID) give access to AWS services, including AWS IoT MQTT topics governed by an IoT Policy.
Your User Pools released in Public Beta
22. AWS IoT – securing browser connections
Diagram: Amazon Cognito Identity ‘Bob’ → AWS IoT → IoT policy + MQTT topics.
Authentication is performed by a public or custom identity provider.
The web browser connects via HTTP with a SigV4-signed URL using Cognito-supplied credentials and then upgrades the connection to use WebSockets.
The administrator has previously called "attach-principal-policy" to associate the IoT policy with the Cognito Identity Id.
25. Smart Hub Appliance System
• Smart Hubs will have certificate/private key pre-installed.
• Customers should be able to associate one or more Smart Hubs with their own login – all customers managed in one system.
• Smart Hubs should automatically detect the presence of Smart Appliances.
• Smart Hubs should aggregate telemetry data from Smart Appliances and make the telemetry available to the web portal.
• Manufacturer should be able to view information about the fleet of Smart Hubs in the field, for continual service improvement.
27. Vendor’s central management portal for all Smart Hubs in the field
This is how the vendor manages the fleet of Smart Hubs: each Smart Hub registers on boot with a central Smart Hub repository.
28. Bob
Bob registers his own personal account in the Smart Hub management portal. Every customer has their own login.
33. Bob
The pairing code is generated on the Smart Hub and shared with the user via the web browser; it is also stored in the device shadow (IoT shadow).
50. Bob
WebSockets connection between AWS IoT and the browser.
Bob sees the Kettle telemetry on the web portal via the Smart Hub and AWS IoT; he does not directly connect to the Kettle or Smart Hub!
51. Workflow for Smart Hub
START
• Associate: associate Smart Hub to user account
• Discover / Publish: Smart Hub discovers nearby appliances and publishes state
• Login to Smart Hub Appliance Manager web app
• Connect: user requests Smart Hub to connect to appliance via MQTT
• Display: browser connects using WebSockets and renders live telemetry
END
52. Intel Edison to Represent Devices
• Dual-core 500 MHz Atom CPU
• 4 GB storage
• 1 GB RAM
• Yocto Linux
• WiFi 802.11 a/b/g/n
• Bluetooth 4.0
53. How we Would do this Before AWS IoT
Diagram: Kettle Appliance (BLE) → Smart Hub (MQTT uplink) → BLE detections to an Amazon Kinesis stream → Kinesis records to an AWS Lambda function → Amazon DynamoDB → Companion Web Application (appliances listing); connect & control commands from the web application flow back through Amazon SQS to the Smart Hub.
• Smart Hub would need credentials to connect to the Kinesis & SQS HTTP APIs
• Heavy-weight protocols
• Inbound control channel requires constant polling
54. Architecture with AWS IoT
Diagram: Kettle Appliance and Toaster Appliance (BLE) → Smart Hub (MQTT) → AWS IoT with IoT Device Shadow; the Companion Web Application obtains credentials from Amazon Cognito, connects to AWS IoT over MQTT, and calls Amazon API Gateway → AWS Lambda → Amazon DynamoDB.
57. Environmental Monitor – Introduction
• Pole-mounted IP67 solution or indoor wall mount
• Particulate Monitor: senses temperature, pressure, humidity, PM10, PM2.5, UVA and UVB
• Integrated GPS
• Solar charging battery
• Industrial SD card
• TLS 256-bit AES security
• Dashboard: sensor data, diagnostic info and organisation-level user management; provides a central point for viewing and analysing generated data
58. Key Design Elements
• PM10 particle sensor
• PM2.5 particle sensor
• Pressure & temperature sensor
• Humidity sensor
• Microcontroller
• Fan
• GPS
• Solar charging & battery pack
• 3G adaptor
• Intel Edison
59. Sensor Hardware
• Modular design
• Pole or wall mounting
• Flow-through air ducting
• Integrated filters
• Indoor and outdoor variants
• Wi-Fi or cellular connection
• Solar panel or external DC powered
60. Dashboard
• Live feeds from each sensor
• Configurable views
• Device management through list or map interface
• User access control
• Alerts and diagnostics
• Web and global device settings
63. Software
• Device software (Embedded C) on Yocto Linux running on Intel Edison, built on the AWS IoT SDK and the MRAA library; talks to AWS IoT over MQTT
• Web browser: Particulate Monitor Dashboard software (Node.js in an Amazon S3 bucket) using Smoothie Charts, the Google Maps API and the AWS SDK; talks to AWS IoT over MQTT via WebSockets
64. • Asset Tracking
• Visual sensor data representation
• Sensor Diagnostics
• Informatics firmware update on a per target basis
• Power mode reconfiguration based upon installation requirements
• Commissioning information for service and maintenance
Heat Mapping
66. AWS Training & Certification
• Intro Videos & Labs: free videos and labs to help you learn to work with 30+ AWS services – in minutes!
• Training Classes: in-person and online courses to build technical skills – taught by accredited AWS instructors
• Online Labs: practice working with AWS services in a live environment – learn how related services work together
• AWS Certification: validate technical skills and expertise – identify qualified IT talent or show you are AWS cloud ready
Learn more: aws.amazon.com/training
67. Your Training Next Steps:
✓ Visit the AWS Training & Certification pod to discuss your training plan & AWS Summit training offer
✓ Register & attend AWS instructor led training
✓ Get Certified
AWS Certified? Visit the AWS Summit Certification Lounge to pick up your swag
Learn more: aws.amazon.com/training