AWS IoT is a managed cloud platform that lets connected devices interact easily and securely with cloud applications and other devices. As an IoT developer, you will want to use AWS services such as Kinesis, Lambda, and Amazon Machine Learning to get the most from your IoT application. In this session we take a deep dive into defining rules in the Rules Engine, retrieving the last known and desired state of a device with Device Shadows, the use cases and benefits of AWS Greengrass, and routing data from devices to AWS services so that your Internet of Things application can draw on the entire cloud.
5. Key takeaways
• Messaging
  • Be careful with wide fan out
  • No message ordering guarantees
  • Avoid large fan in
  • WebSockets for Amazon Cognito authentication
• Rules
  • Send data to multiple data stores at the same time
  • Manage device lifecycle events
• Shadows
  • Designed for the real world: poor connectivity, out-of-order messages
  • Fine-grained control over software rollouts
  • Not ideal for storing time-series analytics data
• Security
  • One cert per device
  • Set fine-grained permissions for devices and Amazon Cognito users
  • Naming conventions can simplify policy management
8. AWS IoT Telemetry & Analytics
1. Connect devices
2. Send data
3. Collect and store the data
4. Do something with the data
9. AWS IoT Telemetry & Analytics (architecture diagram)
• DEVICE GATEWAY: communicate with devices via MQTT and HTTP
• AUTHENTICATION / AUTHORIZATION: secure with mutual authentication and encryption
• RULES ENGINE: transform messages based on rules and route to AWS services and 3P services
10. 1) Connect the devices
1. Provision a certificate
2. Attach policy
3. Connect over MQTT
21. Different data scenarios
• Want to run a lot of queries constantly? Use Amazon Kinesis Firehose to write into Amazon Redshift.
• Need fast lookups, e.g., in Rules or Lambda functions? Write into DynamoDB, adding indexes if necessary.
• Have a need for heavy queries, but not always-on? Use Firehose and S3, and process with Amazon EMR or Athena.
22. Takeaways
• Avoid single “firehose” MQTT consumer architecture
• Rules route data into the rest of AWS at scale
• Fork data into multiple data stores simultaneously
• Avoid the device shadow for analytics
35. AWS IoT Shadow - Simple yet powerful
{
  "state": {
    "desired": {
      "lights": { "color": "RED" },
      "engine": "ON"
    },
    "reported": {
      "lights": { "color": "GREEN" },
      "engine": "ON"
    },
    "delta": {
      "lights": { "color": "RED" }
    }
  },
  "version": 10
}
• Thing: reports its current state to one or multiple shadows; retrieves its desired state from the shadow
• Mobile app: sets the desired state of a device; gets the last reported state of the device; deletes the shadow
• Shadow: reports delta, desired and reported states along with metadata and version
36. Device Shadows and versioning
[Diagram] The sprinkler control logic sends on (version=1) and then off (version=2). The Device Gateway delivers off (version=2) first and on (version=1) afterwards; the old message is ignored by the device.
37. Takeaways
• Plan for devices losing connectivity
• Send devices’ commands through shadows
• Query device state through shadows
• Version numbers control concurrency
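The delta computation and the version check from the two slides above, as an added example (not code from the deck or from AWS): a minimal cloud-side shadow that merges updates and rejects stale versions, and a device that ignores an out-of-order delta. Section names follow the shadow document shown earlier; the shallow merge and the class names are simplifications assumed here.

```python
class VersionConflict(Exception):
    """Update named a stale version (HTTP 409 from the real service)."""

def compute_delta(desired, reported):
    """Part of desired that differs from reported (nested, like 'delta')."""
    delta = {}
    for key, want in desired.items():
        have = reported.get(key)
        if isinstance(want, dict) and isinstance(have, dict):
            sub = compute_delta(want, have)
            if sub:
                delta[key] = sub
        elif want != have:
            delta[key] = want
    return delta

class Shadow:
    """Cloud side of one thing's shadow: shallow-merges updates, bumps the
    version, and rejects updates that assume a stale version."""
    def __init__(self):
        self.desired, self.reported, self.version = {}, {}, 0

    def update(self, state, version=None):
        if version is not None and version != self.version:
            raise VersionConflict(f"shadow at {self.version}, got {version}")
        for section in ("desired", "reported"):
            getattr(self, section).update(state.get(section, {}))
        self.version += 1
        return self.document()

    def document(self):
        doc = {"state": {"desired": dict(self.desired), "reported": dict(self.reported)},
               "version": self.version}
        delta = compute_delta(self.desired, self.reported)
        if delta:
            doc["state"]["delta"] = delta
        return doc

class Device:
    """Device side: apply a delta only if newer than the last seen (late v1 after v2 is ignored)."""
    def __init__(self):
        self.state, self.last_version = {}, 0

    def on_delta(self, message):
        if message["version"] <= self.last_version:
            return False  # old message ignored by device
        self.last_version = message["version"]
        self.state.update(message["state"])
        return True
```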
41. Using Cognito with IoT (diagram)
• DEVICE SHADOW: persistent thing state during intermittent connections
• APPLICATIONS used by the end-user (farmer), authenticating through AMAZON COGNITO
• PERMISSIONS APIs: configure device and Cognito user permissions
43. Policy for Cognito with IoT
aws iot attach-principal-policy --policy-name farm-sensors --principal us-east-1:xxxx-yyyy-zzzz
Cognito Identity = us-east-1:xxxx-yyyy-zzzz
You will need a trusted entity to attach the Cognito principal to an IoT policy
• Only needed for iot-data plane calls such as DeleteThingShadow, UpdateThingShadow, GetThingShadow, Connect, Publish, and Subscribe
• Can use API Gateway, Cognito Sync Triggers, or other techniques for attaching the Cognito principal ID to the IoT Policy
44. Overall Cognito “pairing” workflow
1. Create a Cognito identity pool
2. Customer signs in using mobile app
3. Associate their user with their “farm”
4. Create a scope-down policy in IoT for their user
5. Attach that policy to their Cognito user in IoT
45. Managing fine-grained permissions
• One “farm owner” needs permissions to many shadows
• "arn:aws:iot:…:thing/sprinkler123abc"
• "arn:aws:iot:…:thing/sprinkler456def"
• …
• Listing each is tedious
46. Best practice: Thing name prefixing
• Prefix thing name with logical owner
  • sensor123abc -> macdonald-sensor123abc
• IAM policies support wildcards
  • Instead of listing "arn:aws:iot:…:thing/sensor123abc", "arn:aws:iot:…:thing/sensor456def", …
  • one resource covers all of the owner's things: "arn:aws:iot:…:thing/macdonald-*"
47. Takeaways: Cognito authorization
• Cognito enables secure human control over IoT devices
• IoT scope-down policy supports fine-grained control
• Naming conventions simplify policy management
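An added example (not from the deck or from AWS) tying together the "attach policy" step of connecting devices and the prefix-based scope-down policy above: one generator produces the policy document for a farm owner's Cognito identity (`macdonald-*`) or for a single device certificate (its exact thing name), plus a wildcard check that mirrors how IoT evaluates the resource ARN. Region, account ID and the helper names are constructed placeholders.

```python
import json
from fnmatch import fnmatchcase

# Constructed placeholders, not values from the deck: use your own region/account.
REGION, ACCOUNT = "us-east-1", "123456789012"


def arn(kind, name):
    return f"arn:aws:iot:{REGION}:{ACCOUNT}:{kind}/{name}"


def allow(actions, resources):
    return {"Effect": "Allow", "Action": actions, "Resource": resources}


def shadow_policy(name_pattern):
    """Scope-down policy granting shadow access only to things whose name matches
    name_pattern: 'macdonald-*' for a farm owner's Cognito identity, or the exact
    thing name for the one certificate that belongs to that device."""
    shadow_topics = f"$aws/things/{name_pattern}/shadow/*"
    return {"Version": "2012-10-17", "Statement": [
        allow(["iot:Connect"], [arn("client", name_pattern)]),
        allow(["iot:GetThingShadow", "iot:UpdateThingShadow"], [arn("thing", name_pattern)]),
        allow(["iot:Subscribe"], [arn("topicfilter", shadow_topics)]),
        allow(["iot:Publish", "iot:Receive"], [arn("topic", shadow_topics)]),
    ]}


def allows(policy, action, resource):
    """True if some Allow statement covers the action on the resource. IAM's '*'
    matches across '/', which fnmatch reproduces; Deny statements are not modelled."""
    return any(
        st["Effect"] == "Allow" and action in st["Action"]
        and any(fnmatchcase(resource, r) for r in st["Resource"])
        for st in policy["Statement"])


def policy_json(name_pattern):
    """Document body as passed to `aws iot create-policy --policy-document`."""
    return json.dumps(shadow_policy(name_pattern), indent=2)
```

Attach the owner policy to the Cognito identity with the `attach-principal-policy` command shown on slide 43; the per-device variant is attached to that device's certificate.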
54. Handling lifecycle events
SELECT
  status,
  topic(2) as deviceId,
  timestamp() as time,
  isCrash
FROM lifecycle/#
WHERE status='offline'
The rule invokes an AWS Lambda function that:
- Looks up the mobile push ID for the device owner
- Sends an SNS mobile push
55. Delayed lifecycle events
SELECT
  status,
  topic(2) as deviceId,
  timestamp() as time,
  isCrash
FROM lifecycle/#
The rule invokes an AWS Lambda function that:
- Stores the updated device status in Amazon DynamoDB (Device / Status / Time, e.g. sensor-123 / connected / 11:30, …)
- If offline: enqueues an SQS message with DelaySeconds
When the SQS message is delivered (15 minutes later), the Lambda function:
- Double-checks the status in DynamoDB
- Sends an SNS push notification if the device is still offline
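The delayed check from slides 54 and 55, as an added example (not the deck's or AWS's code): the two Lambda handlers are plain functions, and DynamoDB and SQS are replaced by in-memory stand-ins so the logic runs offline. The "newest event wins" rule in the table is an added guard for the deck's point that lifecycle messages are not ordered; event times are treated as epoch seconds, a simplification assumed here.

```python
DELAY_SECONDS = 15 * 60  # the deck's "SQS Message (15 minutes later)"


class DeviceTable:
    """Stand-in for the DynamoDB table keyed by deviceId (constructed, in-memory)."""

    def __init__(self):
        self.rows = {}

    def put_if_newer(self, device_id, status, time):
        """Keep only the newest event per device: lifecycle events have no
        ordering guarantee, so a late 'offline' must not overwrite 'connected'."""
        row = self.rows.get(device_id)
        if row and row["time"] > time:
            return False
        self.rows[device_id] = {"status": status, "time": time}
        return True

    def get(self, device_id):
        return self.rows.get(device_id)


class DelayQueue:
    """Stand-in for SQS with DelaySeconds: a message is visible only once its delay has elapsed."""

    def __init__(self):
        self.pending = []

    def send(self, body, delay_seconds, now):
        self.pending.append((now + delay_seconds, body))

    def receive(self, now):
        ready = [body for due, body in self.pending if due <= now]
        self.pending = [(due, body) for due, body in self.pending if due > now]
        return ready


def on_lifecycle_event(event, table, queue):
    """Lambda invoked by the rule on lifecycle/#; event carries the rule's
    columns (status, deviceId, time, isCrash)."""
    stored = table.put_if_newer(event["deviceId"], event["status"], event["time"])
    if stored and event["status"] == "offline":
        queue.send({"deviceId": event["deviceId"], "offlineAt": event["time"]},
                   DELAY_SECONDS, now=event["time"])


def on_delayed_check(message, table):
    """Lambda invoked by the delayed SQS message. Returns True only if the device
    is still offline, i.e. when the SNS push should actually be sent."""
    row = table.get(message["deviceId"])
    return row is not None and row["status"] == "offline"
```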
59. Last Will and Testament (LWT)
CONNECT message parts:
  Protocol: MQTT 3.1.1
  ClientId: abc
  KeepAlive: 60 seconds
LastWill PUBLISH message:
  Topic: foo/bar
  QoS: 1
  Payload: {"foo": "bar"}
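Where the Last Will actually travels, as an added example (not from the deck): an encoder for the MQTT 3.1.1 CONNECT packet with the slide's values (client id abc, keep-alive 60 s, will on foo/bar at QoS 1), and a decoder that pulls the will back out of the bytes, i.e. what the broker would publish if the client disappears. Function names are assumptions; the byte layout follows the MQTT 3.1.1 specification.

```python
def remaining_length(n):
    """MQTT variable-length integer: 7 bits per byte, high bit means 'more'."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)


def utf8_field(s):
    data = s.encode("utf-8")
    return len(data).to_bytes(2, "big") + data


def build_connect(client_id, keep_alive, will_topic=None, will_payload=b"",
                  will_qos=0, will_retain=False, clean_session=True):
    """Encode an MQTT 3.1.1 CONNECT packet. The Last Will lives in the connect
    flags plus two payload fields; the broker publishes it to will_topic if the
    client vanishes (keep-alive expiry, TCP reset) without sending DISCONNECT."""
    flags = 0x02 if clean_session else 0x00
    payload = utf8_field(client_id)
    if will_topic is not None:
        flags |= 0x04 | (will_qos << 3) | (0x20 if will_retain else 0)
        payload += utf8_field(will_topic)
        payload += len(will_payload).to_bytes(2, "big") + will_payload
    body = utf8_field("MQTT") + bytes([0x04, flags]) + keep_alive.to_bytes(2, "big") + payload
    return bytes([0x10]) + remaining_length(len(body)) + body


def will_from_connect(packet):
    """Decode the will back out of a CONNECT packet: what the broker would publish."""
    i = 1
    while packet[i] & 0x80:  # skip continuation bytes of the remaining length
        i += 1
    i += 1 + 6 + 1           # past remaining length, "MQTT" field and protocol level
    flags = packet[i]
    i += 1 + 2               # past flags and keep alive
    i += 2 + int.from_bytes(packet[i:i + 2], "big")  # past client id
    if not flags & 0x04:
        return None
    tlen = int.from_bytes(packet[i:i + 2], "big")
    topic = packet[i + 2:i + 2 + tlen].decode("utf-8")
    i += 2 + tlen
    plen = int.from_bytes(packet[i:i + 2], "big")
    return {"topic": topic, "qos": (flags >> 3) & 0x03,
            "retain": bool(flags & 0x20), "payload": packet[i + 2:i + 2 + plen]}
```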
60. Takeaways: lifecycle management
• Use automatic lifecycle events
• Use LWT for lifecycle events
• SQS delayed messages and DynamoDB can reduce false positives
62. AWS IoT (Connected Farm diagram)
[Diagram panels] Connected Farm: sensors, actuators; AWS IoT; Data storage & analytics; Administration; Control automation
63. AWS IoT (architecture diagram)
• DEVICE SDK: set of client libraries to connect, authenticate, and exchange messages
• DEVICE GATEWAY: communicate with devices via MQTT and HTTP
• AUTHENTICATION / AUTHORIZATION: secure with mutual authentication and encryption
• RULES ENGINE: transform messages based on rules and route to AWS services and 3P services
• DEVICE SHADOW: persistent thing state during intermittent connections
• APPLICATIONS: interact through the AWS IoT API
• DEVICE REGISTRY: identity and management of your things
64. Key takeaways
• Messaging
  • Be careful with wide fan out
  • No message ordering guarantees
  • Avoid large fan-in
  • WebSockets for Cognito authentication
• Rules
  • Send data to multiple data stores at the same time
  • Manage device lifecycle events
• Shadows
  • Designed for the real world: poor connectivity, out-of-order messages
  • Fine-grained control over software rollouts
  • Not ideal for storing time-series analytics data
• Security
  • One cert per device
  • Set fine-grained permissions for devices and Cognito users
  • Naming conventions can simplify policy management
66. AWS Marketplace – IoT Software on AWS
• Edge, gateway and connectivity
• Development platforms & tools
• Data analytics and machine learning
• IoT hardware and sensors
aws.amazon.com/mp/iot
67. Newport, Wales Deploys Innovative Smart City Technology in Weeks with IoT Platform from AWS Marketplace
Challenge: Newport wanted to implement IoT proofs of concept to improve flood control, waste management, and air quality measurement, without buying and managing costly server infrastructure.
Solution: Working with system integrator Pinacl, Newport used the Davra ConnecThing.io IoT platform from AWS Marketplace to connect sensors and create a unified city dashboard.
Benefits:
• Deployment in weeks instead of months
• Ability to start with just a few sensors and scale up as needed
• Freedom to experiment at low cost and risk
“Pinacl presented a smart city solution with the Davra ConnecThing.io platform from AWS Marketplace in record time. We were able to complete a full evaluation ahead of schedule and quickly see our smart city initiative, the Newport Intelligence Hub, coming to light.”
Shaun Powell, Digital Lead, Newport City Council
About Newport: Newport is a vibrant city of more than 300,000 in Wales, UK, seeking to invigorate its economy and improve quality of life for citizens and visitors using forward-thinking technology.
Company: Newport City Council
Industry: Government
Country: Wales, UK
Councilors: 50
Website: www.newport.gov.uk
68. Thank you!
Kudos to Daniel Austin, Brett Francis, Olewale
Oladehin, and especially David Yanacek!
71. Firmware topic (don’t do this)
• Have all devices subscribe to a topic
• Publish updated binaries to this topic
Devices: SUBSCRIBE sensor/firmware (repeated by every device)
Cloud: PUBLISH sensor/firmware
01100100 01101111 00100000 01101110 01101111 01110100 00100000 01100100 01101111 00100000 01110100 01101000 01101001 01110011
72. Firmware topic (don’t do this)
Pros:
• Sending an update is easy
Cons:
• Large messages not supported
• Offline devices miss updates
• No control over rollout
73. Firmware version shadow (don’t do this)
• One thing shadow for the current firmware version
• All devices subscribe to shadow updates
• Messages include a CloudFront download URL
Devices: SUBSCRIBE $aws/shadow/firmware-thing (repeated by every device)
Cloud: PUBLISH $aws/shadow/firmware-thing
{
  "desired": {
    "version": "123.45",
    "url": "https://abc123.cloudfront.net/newversion"
  }
}
74. Firmware version shadow (don’t do this)
Pros:
• Sending an update is easy
• Offline devices eventually see updates
• Bulk download happens through CloudFront
Cons:
• No control over rollout
• Shadow protocol is chatty
75. Firmware in device shadows
• Set each device’s shadow to its desired firmware version
• Devices subscribe to their own shadow
• Messages include a CloudFront download URL
77. Firmware in device shadows
Pros:
• Full control over rollout / rollback
• Offline devices eventually see updates
• Bulk download happens through CloudFront
Cons:
• Sending updates requires sending multiple messages
78. Takeaway
• Be careful with wide fan out to millions of devices
• Wide fan out is supported, but won’t be instant
• Encourage safe device management
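The "firmware in device shadows" pattern from slides 75 to 78, as an added example (not code from the deck or from AWS): the cloud side plans a rollout as one shadow update per selected device, selecting canary devices deterministically so each wave is a superset of the last, and rollback is a full-fleet update to the previous version; the device side acts on a delta only when the version differs and the URL is HTTPS on an expected CloudFront host. The host set, thing names and function names are constructed placeholders.

```python
import hashlib
from urllib.parse import urlparse

# Constructed placeholder: the CloudFront distribution(s) firmware may come from.
ALLOWED_HOSTS = {"abc123.cloudfront.net"}


def in_wave(thing_name, percent):
    """Deterministic canary selection: hash the thing name into 0..99, so the same
    devices are always chosen first and raising percent only adds devices."""
    return hashlib.sha256(thing_name.encode("utf-8")).digest()[0] % 100 < percent


def firmware_update(version, url):
    """Shadow update written to one device's own shadow (cloud side of the pattern)."""
    return {"state": {"desired": {"firmware": {"version": version, "url": url}}}}


def plan_rollout(thing_names, version, url, percent):
    """One shadow update per selected device: the per-device message cost that
    buys rollout control. Returns {thing_name: update_document}."""
    return {t: firmware_update(version, url) for t in thing_names if in_wave(t, percent)}


def plan_rollback(thing_names, previous_version, previous_url):
    """Rollback is a 100% rollout of the previous version."""
    return plan_rollout(thing_names, previous_version, previous_url, 100)


def device_should_download(delta_state, installed_version):
    """Device side, on a shadow delta: download only if the desired version differs
    from what is installed and the URL is HTTPS on an allowed host."""
    fw = delta_state.get("firmware", {})
    if fw.get("version") in (None, installed_version):
        return False
    url = urlparse(fw.get("url", ""))
    return url.scheme == "https" and url.hostname in ALLOWED_HOSTS
```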