
The Lifecycle of an AWS IoT Thing

AWS IoT is a managed cloud platform that lets connected devices easily and securely interact with cloud applications and other devices. This webinar will introduce the lifecycle of an IoT thing and the mechanisms used by AWS IoT to manage things. These mechanisms can be used to securely build and provision things, manage deployment, manage thing health, and integrate with other AWS services. And when the life of the thing has come to an end, we will show you how to retire the thing, keeping your solution secure.

Learning Objectives:
• Common IoT Thing Management Issues
• AWS IoT Security and Access Control Mechanisms

Who Should Attend:
• Technical Decision Makers, Developers, Makers


  1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Ian Massingham, Chief Evangelist (EMEA), Amazon Web Services, @IanMmmm. 27 October 2016. The Life of an AWS IoT Thing
  2. Topics for this session
     • Getting Started: What is AWS IoT
     • Device prototyping
     • Creating device keys & certificates
     • Register certificates on first use
     • Attaching policies to certificates
     • The AWS IoT Thing Registry
     • Communicating with Things
     • Store & retrieve device state with the Device Shadow
  3. Getting started: What is AWS IoT?
  4. AWS: hyperscale infrastructure for connected devices
     • Amazon SNS: Mobile Push and Notifications
     • AWS Lambda: Run Code in Response to Events
     • Amazon DynamoDB: Predictable and Scalable NoSQL Data Store
     • Amazon Kinesis: Streaming Analytics
     • Amazon Redshift: Petabyte-Scale Data Warehouse
     • Amazon API Gateway: Build, Deploy, and Manage APIs
     • Amazon Cognito: User Identity and Data Synchronization
     • …and more
  5. IoT isn't new to AWS: previous customer success was built on the same services (SNS, DynamoDB, Lambda, Redshift, API Gateway, Kinesis, Cognito, and more).
  6. AWS IoT: simplify & accelerate IoT development. AWS IoT (Connect Devices to the Cloud) joins that same set of services.
  7. AWS IoT: "Securely connect one or one billion devices to AWS, so they can interact with applications and other devices"
  8. AWS IoT: Message Broker, AWS-grade security, Rules engine, Device Shadows, Device Registry, Managed Platform, Seamless integration with all of AWS
  9. AWS IoT
  10. Device prototyping
  11. Get Started with the AWS IoT Device SDK
     • C SDK (ideal for embedded OS)
     • JavaScript SDK (ideal for embedded Linux platforms)
     • Arduino Library (Arduino Yun)
     • Mobile SDK (Android and iOS)
     • Python SDK
     • Java SDK
     https://aws.amazon.com/blogs/iot/introducing-aws-iot-device-sdks-for-java-and-python/
  12. Prototyping with the Raspberry Pi
     • Raspberry Pi hardware
     • Electronics starter kits; one example is the SunFounder 37 modules Sensor Kit v2.0 for Raspberry Pi 3, 2, Model B+ with 40-Pin GPIO Extension Board & Jump Wires
     • Example tutorial
     • Raspberry Pi Sense Hat (optional fun): https://www.raspberrypi.org/products/sense-hat/
  13. Setting up the Raspberry Pi: GPIO & Sense Hat, or your own electronics/sensor build
     • C (for embedded C): http://wiringpi.com
     • Python wrapper module for WiringPi: https://github.com/WiringPi/WiringPi-Python
     • Sense Hat Python module: https://github.com/RPi-Distro/python-sense-hat
  14. Official IoT Starter Kits, Powered by AWS: Dragonboard 410c (by Arrow), Beaglebone Green (by Seeed Studio), Seeeduino Cloud (by Seeed Studio), Intel Edison (by Seeed Studio), MediaTek LinkIt One (by Seeed Studio), Broadcom BCM4343W (by Avnet), Marvell EasyConnect (by Marvell), Renesas RX63N (by Micrium), Microchip WCM (by Microchip), TI LaunchPad (by TI)
  15. Prototype Thing: Thing Shadow (state sync), MQTT Topics (pub/sub messaging)
  16. Production Thing: Thing Shadow (state sync), MQTT Topics (pub/sub messaging)
  17. Creating device keys & certificates
  18. AWS IoT security: authentication and authorization. Secure with mutual authentication and encryption.
  19. Securing and identifying Things: TLS on its own gives a secure bi-directional pipe, but the device at the far end stays anonymous.
  20. Securing and Identifying Things: Mutual Auth TLS. With a client certificate the same secure bi-directional pipe also carries mutual proof of identity.
  21. AWS IoT security
  22. Demo: AWS IoT Console, creating certificates & keys
  23. Key & certificate creation with the AWS CLI
  24. Getting keys & certificates onto your devices
  25. Getting keys & certificates onto your devices
     • Simple at the device prototyping stage: copy or flash them (& the CA cert) onto your device
     • More complex in volume manufacturing: still copying or flashing keys & certs, but the numbers increase
     • Use AWS SDKs/CLI to automate key & certificate creation, and provide keys & certificates to your device manufacturing partners
  26. Register on first use
  27. Just-in-Time Registration of Device Certificates
     https://aws.amazon.com/blogs/iot/just-in-time-registration-of-device-certificates-on-aws-iot/
     • Register your CA cert with AWS IoT
     • Sign device certs with your CA cert
     • On the device's first connection the AWS IoT MQTT endpoint registers the new certificate in state PENDING_ACTIVATION and publishes to $aws/events/certificates/registered/<caCertificateID>:
       {
         "certificateId": "<certificateID>",
         "caCertificateId": "<caCertificateId>",
         "timestamp": "<timestamp>",
         "certificateStatus": "PENDING_ACTIVATION",
         "awsAccountId": "<awsAccountId>"
       }
     • An AWS IoT Rule on that topic invokes an AWS Lambda function
     • The Lambda function activates the certificate & attaches a policy; the certificate state becomes ACTIVE
  28. Attaching policies to certificates
  29. Attaching policies to devices. AWS IoT policies are JSON documents that follow the same conventions as IAM policies.
     {
       "Version": "2012-10-17",
       "Statement": [{
         "Effect": "Allow",
         "Action": ["iot:Publish"],
         "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/foo/bar"]
       }, {
         "Effect": "Allow",
         "Action": ["iot:Connect"],
         "Resource": ["*"]
       }]
     }
     Policy actions: iot:Publish, iot:Subscribe, iot:Receive, iot:Connect, iot:UpdateThingShadow, iot:GetThingShadow, iot:DeleteThingShadow
     http://docs.aws.amazon.com/iot/latest/developerguide/authorization.html
     Note that "Resource": ["*"] on iot:Connect lets anyone holding this certificate connect under any client ID; in production, scope it to arn:aws:iot:<region>:<account>:client/<clientId>.
  30. Attaching policies to certificates (devices)
     $ aws iot create-policy --policy-name <value> --policy-document <JSON policy document>
     $ aws iot attach-principal-policy --policy-name <value> --principal <certificate ARN>
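As an added example (my code, not the deck's and not AWS's), the following Python ties slides 27, 29 and 30 together: a per-device policy that avoids the wide-open "Resource": ["*"] on iot:Connect, and the just-in-time registration Lambda that a rule on $aws/events/certificates/registered/<caCertificateID> would invoke. The boto3 method names are real; the thing-naming scheme, the TRUSTED_CA_IDS value and the policy-name suffix are assumptions made for the example.

```python
"""Added example: least-privilege device policy + JIT registration handler."""
import json
import re
from typing import Optional

# Assumption: the IDs of the CA certificates you registered with AWS IoT.
# In Lambda, load these from configuration rather than hard-coding them.
TRUSTED_CA_IDS = {"0123456789abcdef" * 4}
CERT_ID_RE = re.compile(r"^[0-9a-f]{64}$")   # AWS IoT certificate IDs are 64 hex chars


def device_policy(region: str, account_id: str, thing_name: str) -> dict:
    """Policy for exactly one device: connect only under its own client ID,
    talk only under things/<name>/ and its own shadow topics, and touch only
    its own shadow. Compare with the deck's policy, whose iot:Connect is "*"."""
    base = f"arn:aws:iot:{region}:{account_id}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["iot:Connect"],
             "Resource": [f"{base}:client/{thing_name}"]},
            {"Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"],
             "Resource": [f"{base}:topic/things/{thing_name}/*",
                          f"{base}:topic/$aws/things/{thing_name}/shadow/*"]},
            {"Effect": "Allow", "Action": ["iot:Subscribe"],
             "Resource": [f"{base}:topicfilter/things/{thing_name}/*",
                          f"{base}:topicfilter/$aws/things/{thing_name}/shadow/*"]},
            {"Effect": "Allow",
             "Action": ["iot:GetThingShadow", "iot:UpdateThingShadow"],
             "Resource": [f"{base}:thing/{thing_name}"]},
        ],
    }


def check_registration_event(event: dict, trusted_ca_ids) -> Optional[str]:
    """Gate for the JIT flow: None if the certificate may be activated,
    otherwise the reason for refusing. Anything that is not a fresh
    PENDING_ACTIVATION certificate chained to one of our CAs is refused."""
    if event.get("certificateStatus") != "PENDING_ACTIVATION":
        return "not a pending registration"
    if event.get("caCertificateId") not in trusted_ca_ids:
        return "signed by an unrecognised CA"
    if not CERT_ID_RE.match(event.get("certificateId", "")):
        return "malformed certificateId"
    return None


def thing_name_for(cert_id: str) -> str:
    """Assumption: things are named after the first 16 hex chars of the cert ID.
    A real fleet would take the name from the cert's CN or a manufacturing DB."""
    return "dev-" + cert_id[:16]


def lambda_handler(event, context=None):
    """Invoked by an AWS IoT rule on $aws/events/certificates/registered/+.
    Refuses untrusted events; otherwise creates the thing, attaches a
    device-scoped policy, and only then sets the certificate ACTIVE."""
    reason = check_registration_event(event, TRUSTED_CA_IDS)
    if reason:
        return {"activated": False, "reason": reason}

    import boto3  # imported lazily so the pure checks above run without AWS
    iot = boto3.client("iot")
    cert_id = event["certificateId"]
    cert_arn = iot.describe_certificate(certificateId=cert_id)[
        "certificateDescription"]["certificateArn"]
    region, account_id = cert_arn.split(":")[3], cert_arn.split(":")[4]
    name = thing_name_for(cert_id)

    iot.create_thing(thingName=name)
    iot.attach_thing_principal(thingName=name, principal=cert_arn)
    policy_name = f"{name}-policy"            # assumption: one policy per device
    iot.create_policy(policyName=policy_name,
                      policyDocument=json.dumps(device_policy(region, account_id, name)))
    iot.attach_policy(policyName=policy_name, target=cert_arn)
    iot.update_certificate(certificateId=cert_id, newStatus="ACTIVE")  # always last
    return {"activated": True, "thingName": name}
```

Activation is deliberately the final call: if policy creation or attachment fails, the certificate stays PENDING_ACTIVATION and the device cannot connect with more rights than intended. The CA check is defence in depth; the rule's topic filter already narrows events to one CA, but the function should not trust that it was invoked only by that rule.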
  31. The AWS IoT Thing Registry
  32. AWS IoT Registry: identity and management of your things
  33. AWS IoT Registry: static attributes associated to a Thing
     • Firmware version
     • Serial numbers
     • Device type
     • Device group
     • Device description
     • Sensor description
     • Support and maintenance: reference manual URL, part # reference, reference to an external support system
  34. AWS IoT Registry: Create & List Things
     http://docs.aws.amazon.com/iot/latest/developerguide/thing-registry.html
     $ aws iot create-thing --thing-name "MyLightBulb" --attribute-payload '{"attributes": {"wattage":"75", "model":"123"}}'
     {
       "thingArn": "arn:aws:iot:eu-west-1:554625704737:thing/MyLightBulb",
       "thingName": "MyLightBulb"
     }
     $ aws iot list-things
     {
       "things": [
         {
           "attributes": {"model": "123", "wattage": "75"},
           "version": 1,
           "thingName": "MyLightBulb"
         }
       ]
     }
  35. AWS IoT Registry: Search for Things
     http://docs.aws.amazon.com/iot/latest/developerguide/thing-registry.html
     $ aws iot list-things --attribute-name "wattage" --attribute-value "75"
     {
       "things": [
         {"thingTypeName": "StopLight", "attributes": {"model": "123", "wattage": "75"}, "version": 3, "thingName": "MyLightBulb"},
         {"thingTypeName": "LightBulb", "attributes": {"model": "123", "wattage": "75"}, "version": 1, "thingName": "MyRGBLight"}
       ]
     }
  36. AWS IoT Registry: Thing Types
     http://docs.aws.amazon.com/iot/latest/developerguide/thing-registry.html
     Thing types allow you to store description and configuration information that is common to all things associated with the same thing type. For example, you can define a LightBulb thing type; all things associated with it share a set of attributes.
     $ aws iot create-thing-type --thing-type-name "LightBulb" --thing-type-properties "thingTypeDescription=light bulb type, searchableAttributes=wattage,model"
  37. Communicating with Things
  38. AWS IoT Message Broker (Device Gateway): communicate with devices via MQTT and HTTP
  39. AWS IoT Message Broker
  40. MQTT
     • OASIS standard protocol (v3.1.1)
     • Lightweight pub-sub transport protocol that is useful for connected devices
     • MQTT is used on oil rigs, connected trucks, and many more sensitive and resource-constrained scenarios
     • Customers have needed to build, maintain, and scale a broker to use MQTT with cloud applications
     MQTT vs HTTPS (source: http://stephendnicholas.com/archives/1217):
     • 93x faster throughput
     • 11.89x less battery to send
     • 170.9x less battery to receive
     • 50% less power to keep connected
     • 8x less network overhead
  41. AWS IoT Message Broker: managed service. A highly scalable Device Gateway: millions of devices (publishers and subscribers) sending billions of messages.
  42. AWS IoT Rules Engine: transform messages based on rules and route to AWS Services
  43. AWS IoT Rules Engine
  44. AWS IoT Rules Engine basics
     Simple & familiar syntax:
     • SQL statement to define the topic filter
     • Optional WHERE clause
     • Advanced JSON support
     Functions improve signal : noise:
     • String manipulation (regex support)
     • Mathematical operations
     • Context-based helper functions
     • Crypto support
     • UUID, timestamp, rand, etc.
     SELECT * FROM 'things/thing-2/color' WHERE color = 'red'
  45. AWS IoT Rules Engine's flexibility
     http://docs.aws.amazon.com/iot/latest/developerguide/iot-sql-functions.html
     {
       "sql": "SELECT *, clientId() as MQTTClientId FROM 'one/rule' WHERE startsWith(topic(2), 'IME33') AND (state = 'INIT' OR hydro_temp > surface_temp)",
       "actions": [{
         "republish": {
           "topic": "controllers/${substring(topic(3), 3, 5)}"
         }
       }]
     }
     (A republish action in a real create-topic-rule payload also needs a roleArn that grants iot:Publish on the target topic.)
  46. AWS IoT Rules Engine
     • Complex evaluations: respond to the fleet, not just a single unit. Dozens of functions() available.
     • Multiple / simultaneous actions: sometimes a situation requires you to take many actions.
  47. AWS IoT Rules Engine actions: transform messages based on rules and route to AWS Services and 3P services
  48. Rules Engine Actions. The Rules Engine connects AWS IoT to External Endpoints and AWS Services.
     1. AWS Services (direct integration)
     2. Rest of AWS (via Amazon Kinesis, Lambda, S3, and more)
     3. External Endpoints (via Lambda and SNS)
     Services shown: Lambda, SNS, SQS, S3, Amazon Kinesis, DynamoDB, RDS, Amazon Redshift, Amazon Glacier, EC2
  49. AWS IoT Rules Engine Actions. The Rules Engine evaluates inbound messages published into AWS IoT, and transforms and delivers them to the appropriate endpoint based on business rules. External endpoints can be reached via Lambda and Simple Notification Service (SNS). Actions:
     • Invoke a Lambda function
     • Put an object in an S3 bucket
     • Insert, update, read from a DynamoDB table
     • Publish to an SNS topic or endpoint
     • Publish to an Amazon Kinesis stream
     • Amazon Kinesis Firehose
     • Republish to AWS IoT
  50. Store & retrieve device state with the Device Shadow
  51. AWS IoT Thing Shadow: persistent thing state during intermittent connections, shared with applications
  52. AWS IoT Device Shadows
  53. AWS IoT Thing Shadow
  54. AWS IoT Shadow Flow (Device SDK, Shadow, App)
     1. Device publishes its current state
     2. Shadow persists it in the JSON data store
     3. App requests the device's current state
     4. App requests a change to the state
     5. Device Shadow syncs the updated (desired) state to the device
     6. Device publishes its current state
     7. Device Shadow confirms the state change
  55. AWS IoT Device Shadow: simple yet powerful
     {
       "state": {
         "desired": {"lights": {"color": "RED"}, "engine": "ON"},
         "reported": {"lights": {"color": "GREEN"}, "engine": "ON"},
         "delta": {"lights": {"color": "RED"}}
       },
       "version": 10
     }
     • Thing: reports its current state to one or multiple shadows; retrieves its desired state from the shadow
     • Mobile app: sets the desired state of a device; gets the last reported state of the device; deletes the shadow
     • Shadow: reports delta, desired and reported states along with metadata and version
  56. AWS IoT Device Shadow Topics (MQTT). The Thing SDK makes it easy to build shadow functionality into your device so it can automatically synchronize its state with its shadow.
     UPDATE: $aws/things/{thingName}/shadow/update
     DELTA:  $aws/things/{thingName}/shadow/update/delta
     GET:    $aws/things/{thingName}/shadow/get
     DELETE: $aws/things/{thingName}/shadow/delete

     Sensor | Reported     | Desired      | Delta
     LED1   | RED          | YELLOW       | LED1 = Yellow
     ACCEL  | X=1,Y=5,Z=4  | X=1,Y=5,Z=4  | (none)
     TEMP   | 83F          | 60F          | TEMP = 60F
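To make the desired / reported / delta relationship on slides 55 and 56 concrete, here is an added Python model of the shadow's bookkeeping. It is my illustration, not the AWS SDK or service code: a deep merge of update documents, the delta computed as the part of desired that differs from reported, and the version check that makes the shadow reject an update carrying a stale version. The device-side helper that applies a delta and then reports is likewise an assumption about how a device would react.

```python
"""Added example: a local model of the Device Shadow's desired/reported/delta logic."""
import copy
from typing import Any, Optional


class ConflictError(Exception):
    """Raised when an update carries a version that no longer matches the shadow
    (the real service answers HTTP 409 / publishes on shadow/update/rejected)."""


def deep_merge(into: dict, update: dict) -> dict:
    """Merge update into `into` (recursively for nested objects), in place.
    A null value removes the key, as it does in the shadow service."""
    for key, value in update.items():
        if value is None:
            into.pop(key, None)
        elif isinstance(value, dict) and isinstance(into.get(key), dict):
            deep_merge(into[key], value)
        else:
            into[key] = copy.deepcopy(value)
    return into


def compute_delta(desired: Any, reported: Any) -> Optional[Any]:
    """The part of desired that differs from reported; None when nothing differs.
    Nested objects are compared key by key, so only the changed leaves appear."""
    if isinstance(desired, dict) and isinstance(reported, dict):
        delta = {}
        for key, wanted in desired.items():
            sub = compute_delta(wanted, reported.get(key))
            if sub is not None:
                delta[key] = sub
        return delta or None
    return None if desired == reported else copy.deepcopy(desired)


class Shadow:
    """Minimal stand-in for one thing's shadow document."""

    def __init__(self) -> None:
        self.desired: dict = {}
        self.reported: dict = {}
        self.version = 0

    def update(self, state: dict, version: Optional[int] = None) -> Optional[dict]:
        """Apply an update document {"desired": ..., "reported": ...}.
        Returns the delta to publish on .../shadow/update/delta, or None.
        An explicit version that does not match the current one is rejected,
        which stops an out-of-date (or replayed) update clobbering newer state."""
        if version is not None and version != self.version:
            raise ConflictError(f"stale version {version}, shadow is at {self.version}")
        for section in ("desired", "reported"):
            if section in state:
                deep_merge(getattr(self, section), state[section])
        self.version += 1
        return compute_delta(self.desired, self.reported)

    def document(self) -> dict:
        """The GET response shape shown on slide 55 (metadata omitted)."""
        doc = {"state": {"desired": copy.deepcopy(self.desired),
                         "reported": copy.deepcopy(self.reported)},
               "version": self.version}
        delta = compute_delta(self.desired, self.reported)
        if delta is not None:
            doc["state"]["delta"] = delta
        return doc


def device_apply_delta(device_state: dict, delta: dict) -> dict:
    """Device side: act on a delta message, then report the new actual state
    (the update document the device would publish on .../shadow/update)."""
    deep_merge(device_state, delta)
    return {"reported": copy.deepcopy(device_state)}
```

Walking the slide 55 document through this model: reporting GREEN lights and then desiring RED yields the delta {"lights": {"color": "RED"}}; once the device applies it and reports, the delta disappears. Passing the version you last saw with each update is cheap insurance against two writers (an app and a device) silently overwriting each other.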
  57. Updating device firmware
  58. AWS IoT – Device Management
     • S3 holds versioned firmware distributions: organize and secure your firmware binaries in S3
     • The Message Broker notifies groups of the fleet using topic patterns: alert the fleet (or part of it) of the update, and send the URL of the S3 download
     • Flow: firmware update stored in S3, event hook invokes Lambda, Lambda publishes to groups of devices
     • Ability to update globally or within a Region
     • Rules Engine keeps the state of updates and tracks progress in a DynamoDB table
     • Store the version in the Registry entry
     Hand out a short-lived pre-signed S3 URL rather than a public object, and have the device verify the image's signature (or at least its hash) before flashing it.
  59. Replacing/Retiring devices
  60. Replacing/Retiring devices: revoking device certificates. Then it's just a matter of creating & deploying a new device & attaching the same policy to the new device's certificate.
     $ aws iot update-certificate --certificate-id <certificateId> --new-status REVOKED
     REVOKED is final (a revoked certificate cannot be set back to ACTIVE); use --new-status INACTIVE for a temporary suspension. Detach the certificate's policies and its thing before deleting the certificate, since AWS IoT refuses to delete one that still has either attached.
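The provisioning and retirement steps on slides 25 and 60, as an added Python example (mine, not the deck's and not AWS's) written against the boto3 iot client's real method names. The client is passed in so the sequence can be exercised against a fake; the order matters because AWS IoT refuses to delete a certificate that is still ACTIVE or still has a policy or thing attached. The CSR-based path, the policy name and the delete_thing guard are design choices I am assuming, not something the deck prescribes.

```python
"""Added example: provision a replacement certificate and retire the old one."""
import sys
from typing import List, Optional


def provision_replacement(iot, thing_name: str, policy_name: str,
                          csr_pem: Optional[str] = None) -> dict:
    """Issue a new certificate for thing_name and attach the existing policy.
    With a CSR the private key never leaves the device; without one AWS generates
    the key pair and returns it exactly once, so store it and never log it."""
    if csr_pem is not None:
        cert = iot.create_certificate_from_csr(certificateSigningRequest=csr_pem,
                                               setAsActive=True)
        key_pair = None
    else:
        cert = iot.create_keys_and_certificate(setAsActive=True)
        key_pair = cert["keyPair"]           # {"PublicKey": ..., "PrivateKey": ...}
    arn = cert["certificateArn"]
    iot.attach_policy(policyName=policy_name, target=arn)
    iot.attach_thing_principal(thingName=thing_name, principal=arn)
    return {"certificateId": cert["certificateId"], "certificateArn": arn,
            "certificatePem": cert["certificatePem"], "keyPair": key_pair}


def retire_certificate(iot, thing_name: str, certificate_id: str,
                       delete_thing: bool = False) -> List[str]:
    """Revoke one device certificate and clean up everything attached to it.
    Returns the steps performed, in order, so a caller can audit what happened."""
    steps = []
    arn = iot.describe_certificate(certificateId=certificate_id)[
        "certificateDescription"]["certificateArn"]
    # 1. Policies must come off before the certificate can be deleted.
    for policy in iot.list_attached_policies(target=arn)["policies"]:
        iot.detach_policy(policyName=policy["policyName"], target=arn)
        steps.append(f"detach_policy {policy['policyName']}")
    # 2. Likewise the thing association.
    iot.detach_thing_principal(thingName=thing_name, principal=arn)
    steps.append("detach_thing_principal")
    # 3. REVOKED is final; use INACTIVE instead if the device may come back.
    iot.update_certificate(certificateId=certificate_id, newStatus="REVOKED")
    steps.append("update_certificate REVOKED")
    # 4. Now deletion is allowed.
    iot.delete_certificate(certificateId=certificate_id)
    steps.append("delete_certificate")
    # 5. Remove the registry entry only if no other certificate still backs it
    #    (e.g. a replacement provisioned before the old one was retired).
    if delete_thing and not iot.list_thing_principals(thingName=thing_name)["principals"]:
        iot.delete_thing(thingName=thing_name)
        steps.append("delete_thing")
    return steps


if __name__ == "__main__":
    # Real run: python retire.py <thingName> <certificateId>
    import boto3  # only needed here, so the functions above are testable offline
    thing, cert_id = sys.argv[1:3]
    for step in retire_certificate(boto3.client("iot"), thing, cert_id):
        print(step)
```

If the replacement is provisioned first (so the thing keeps one live certificate throughout), retire_certificate leaves the registry entry alone; the thing is deleted only when its last principal is gone. Prefer the CSR path in manufacturing: a key generated on the device or in its secure element never transits your provisioning pipeline.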
  61. aws.amazon.com/iot/
  62. Thank you! Ian Massingham, Chief Evangelist (EMEA), Amazon Web Services, @IanMmmm
  63. Questions?
