IoT Apps with AWS IoT and Websockets

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
David Yanacek, Principal Engineer, AWS IoT
6/21/2016
IoT Apps with
AWS IoT and WebSockets

Outline
• MQTT recap
• WebSockets: what and why?
• Demo!
• Device SDK examples and code
• Authentication, authorization, and WebSockets

Publish / Subscribe
Standard Protocol Support
MQTT, HTTP, WebSockets
Long Lived Connections
Receive signals from the cloud
Secure by Default
Connect securely via X509 Certs
and TLS 1.2 Client Mutual Auth

MQTT PubSub Topic Subscriptions
PUBLISH
weather-station/echo-base/temperature
SUBSCRIBE
weather-station/echo-base/temperature
weather-station/echo-base/+
weather-station/+/temperature

Comparing protocols
MQTT
• Lightweight
• Bidirectional
HTTP
• Broad support (browsers)
• Request-reply
Client Server Client Server

AWS IoT protocol comparison
Capability MQTT HTTP
Publish Yes Yes
Subscribe Yes No

Comparing authentication schemes
Certificates
• Provisioned for devices
• Secured in hardware TPMs
SigV4
• Provisioned for applications
• EC2 instance roles
(applications)
• Cognito identity pools
(humans)

Publish Yes Yes
Subscribe Yes No
Certificate Auth Yes Yes
Sig V4 Auth No Yes

WebSockets to the rescue
GET wss://…/mqtt?X-Amz-Signature=…
Connection: Upgrade
Sec-WebSocket-Protocol: mqtt
…
Upgrade?
OK
HTTP/1.1 101 Switching Protocols
Connection: Upgrade
HTTP

WebSockets to the rescue
HTTP
MQTT
SUBSCRIBE
PUBLISH
…

Publish Yes Yes
Subscribe Yes Yes*
Certificate Auth Yes Yes
Sig V4 Auth Yes* Yes
*Using WebSockets to upgrade HTTP connections to MQTT connections

AWS IoT ShapeUp! architecture
Amazon
Cognito
Amazon
S3
Amazon
DynamoDB
IoT
ruleIoT
policy
IoT
topic
AWS
Lambda
IoT
shadow

Amazon
DynamoDB
IoT
rule
IoT
topic
Amazon
Cognito
Amazon
S3
AWS
Lambda
IoT
policy
IoT
shadow
Sign-in and
registration

IoT
policy
Amazon
Cognito
Amazon
S3
Amazon
DynamoDB
IoT
rule
IoT
topic
AWS
Lambda
IoT
shadow
Match making,
gameplay

Connecting over WebSockets
# Grab and install the Device SDK
git clone https://github.com/aws/aws-iot-device-sdk-js.git
cd aws-iot-device-sdk-js
npm install
# Configure your environment
export AWS_ACCESS_KEY_ID=...
export AWS_SECRET_ACCESS_KEY=...
# Run the examples
node examplesdevice-example.js --protocol wss --test-mode 1
node examplesdevice-example.js --protocol wss --test-mode 2

device-example.js
test-mode 1 test-mode 2
SUBSCRIBE topic_1 SUBSCRIBE topic_2

device-example.js
test-mode 1 test-mode 2
PUBLISH topic_2
PUBLISH topic_2
PUBLISH topic_1
PUBLISH topic_1

// Connect to AWS IoT
const device = deviceModule({
region: ‘us-west-2’,
protocol: ‘wss’,
port: 443,
host: ‘YOURENDPOINT.data.iot.us-west-2.amazonaws.com’ });
// Subscribe to your own topic
device.subscribe('topic_1');
// Publish a message to the other topic every second
var timeout = setInterval(function() {
device.publish('topic_2', JSON.stringify({
foo: ‘bar’
}));
}, 1000);
// Print the messages you receive
device.on('message', function(topic, payload) {
console.log('message', topic, payload.toString());
});

Authentication vs authorization
Authentication:
Prove your identity
Authorization:
Restrict access

Authentication for devices
Device credentials
• Private key (authenticate the device)
• Certificate (register the device with IoT)
• Root CA cert (authenticate IoT)

Authentication for devices
Administrator
CreateCertificate
Generate CSR
Generate
Private Key
Certificate

Authentication for end-users
Amazon
Cognito
Sign in
Get AWS Creds
(Verify)
WebSocket Connect

Configuring Cognito with AWS IoT
UnauthenticatedAuthenticated

Authenticated
• End-users sign in
• Customize user-specific policy
in AWS IoT
• Users cannot access AWS IoT
until IoT policy is attached
Cognito Identities in AWS IoT
Unauthenticated
• No sign-in (anonymous)
• Use IAM role policy and policy
variables to restrict access
• No user-specific policy
in AWS IoT

Choosing authenticated vs unauthenticated
Do you want
information about
the end-user?
Do you want to let
only certain users
use your app?
Use
authenticated
identities
Use either
authenticated or
unauthenticated
Do you want to
access IoT without
the user signing in?
Use
unauthenticated
identities
Yes
Yes
No
No
No Yes

IoT Policy Documents
{
"Effect": "Allow",
"Action": "iot:Connect",
"Resource": "arn:*:client/${www.amazon.com:user_id}"
}
{
"Effect": "Allow",
"Action": "iot:Subscribe",
"Resource": "arn:*:topicfilter/private-topic/${iot:ClientId}/*"
}
{
"Effect": "Allow",
"Action": "iot:Publish",
"Resource": [
"arn:*:topic/private-topic/${iot:ClientId}",
"arn:*:topic/open-topic-space/*"
]
}
{
"Effect": "Allow",
"Action": "iot:Receive",
"Resource": "*"
}

Attaching policy
• IAM User (Your AWS Console admin users)
• IAM EC2 Instance Role (Your EC2-based apps)
• IAM Lambda Role (Your Lambda-based apps)
• IAM Cognito Role (Cognito end-users)
• IoT Principal (Device certificates, Cognito users)

Unauthenticated access for end-users
Amazon
Cognito
AWS IAM
permissions
role
Administrator

AWS.config.region = 'us-east-1';
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
IdentityPoolId: 'us-east-1:YOUR_IDENTITY_POOL_ID'
});
AWS.config.credentials.get(function(err)) {
if (err) {
console.log("ERROR: " + err);
return;
}
console.log("Cognito Id is: " + AWS.config.credentials.identityId);
});
Amazon
Cognito

Amazon
Cognito
Cet Credentials
AssumeRole
AWS STS
AWS IAM
permissions
role
temporary
security
credentials

Amazon
Cognito
AWS STS
AWS IAM
permissions
role
WebSocket Connect
temporary
security
credentials
Allowed?
Yes!

Policy variables for Cognito users
AWS IAM
permissions
role
PUBLISH foo/us-east-1:abcdef-my-cognito-id
temporary
security
credentials
Allowed?
Yes!

AWS IAM
PUBLISH foo/us-east-1:abcdef-my-cognito-id
temporary
security
credentials
{
"Effect": "Allow",
"Resource": [
"arn:*:topic/foo/${cognito-identity.amazonaws.com:sub}"
]
}

{
"Effect": "Allow",
"Resource": [
"arn:*:topic/foo/${cognito-identity.amazonaws.com:sub}"
]
}
AWS.config.region = 'us-east-1';
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
IdentityPoolId: 'us-east-1:YOUR_IDENTITY_POOL_ID'
});
AWS.config.credentials.get(function(err)) {
if (err) { return; }
var cognitoId = AWS.config.credentials.identityId;
mqttClient.connect(...);
mqttClient.publish('foo/' + cognitoId);
});
permissions
role

Fine-grained access control
SUB home/456_iot_ln
SUB home/123_aws_ave/#
PUB home/123_aws_ave/light_1/on
PUB home/123_aws_ave/door_1/open
Alice
Bob
Chuck

Fine-grained access control
PUB home/123_aws_ave/light_1/on
Alice
Bob
Chuck

User-specific policies
{
"Effect": "Allow",
"Action": ["iot:Publish", "iot:Subscribe"]
"Resource": [
"arn:*:topic/home/123_aws_ave",
"arn:*:topicfilter/home/123_aws_ave"
]
}
{
"Effect": "Allow",
"Action": ["iot:Publish", "iot:Subscribe"]
"Resource": [
"arn:*:topic/home/456_iot_ln",
"arn:*:topicfilter/home/456_iot_ln"
]
}
Policy for Alice, Bob: Policy for Chuck:

Amazon
Cognito
AWS IAM
permissions
role
Administrator
Create, Attach
Policy for Alice,
Bob, and Chuck
Create Identity Pool
Create Role
IoT
policy
IoT
policy
IoT
policy

Chicken and egg: when to attach the policy?
• Users cannot connect until they have a policy in IoT
• Policy cannot be attached without knowing the user’s
CognitoId
Solution: attach a policy when the user first connects!

On-demand registration
Amazon
Cognito
AWS
Lambda
CONNECT
Access denied
New User
(already
signed in)
Get Credentials
temporary
security
credentials(no policy for user)

On-demand registration (continued)
Amazon
Cognito
AWS
Lambda
Register()Create, Attach
Policy
New User
IoT
policy
CONNECT
OK!

What permissions to attach?
• Shape Up! demo: everyone gets “user” access
• Only manually registered users get “control” access
• Start with minimal permissions

Wrapping up
• WebSockets makes IoT interactive
• Authentication for humans is different than devices
• Use Lambda to drive user registration, pairing
• Getting started with the AWS IoT Device SDK is easy
• AWS IoT WebSockets, Rules Engine, Shadow and
Lambda makes server-less applications easy

IoT Apps with AWS IoT and Websockets

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to IoT Apps with AWS IoT and Websockets

Similar to IoT Apps with AWS IoT and Websockets (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Recently uploaded

Recently uploaded (20)

IoT Apps with AWS IoT and Websockets