© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Ian Massingham, Chief Evangelist (EMEA), Amazon Web Services @IanMmmm

27 October 2016

The Life of an AWS IoT Thing

Topics for this session

Getting Started: What is AWS IoT Device prototyping Creating device keys & certificates Register certificates on first use Attaching policies to certificates The AWS IoT Thing Registry Communicating with Things Store & retrieve device state with the Device Shadow

Getting started: What is AWS IoT?

AWS: hyperscale infrastructure for connected devices

Amazon SNS Mobile Push

and Notifications

AWS Lambda Run Code in

Response to Events

Amazon DynamoDB Predictable and Scalable

NoSQL Data Store

Amazon Kinesis Streaming Analytics

Amazon Redshift Petabyte-Scale

Data Warehouse

…and more

Amazon API Gateway Build, Deploy, and Manage

APIs

Amazon Cognito User Identity and Data

Synchronization

IoT isn’t new to AWS with previous customer success

Amazon SNS Mobile Push

and Notifications

Amazon DynamoDB

Predictable and Scalable NoSQL

Data Store

AWS Lambda Run Code in

Response to Events

Amazon Redshift Petabyte-Scale

Data Warehouse

…and more

Amazon API Gateway

Build, Deploy, & Manage APIs

Amazon Kinesis Streaming Analytics

Amazon Cognito User Identity and

Data Synchronization

AWS IoT: simplify & accelerate IoT development

Amazon SNS Mobile Push

and Notifications

Amazon DynamoDB

Predictable and Scalable NoSQL

Data Store

AWS Lambda Run Code in

Response to Events

Amazon Redshift Petabyte-Scale

Data Warehouse

…and more

Amazon API Gateway

Build, Deploy, & Manage APIs

Amazon Kinesis Streaming Analytics

Amazon Cognito User Identity and

Data Synchronization

AWS IoT Connect Devices to

the Cloud

AWS IoT

“Securely connect one or one billion devices to AWS, so they can interact with applications and other devices”

AWS IoT

Message Broker

AWS-grade security

Rules engine

Device Shadows

Device Registry

Managed Platform

Seamless integration with all of AWS

AWS IoT

Device prototyping

Get Started with the AWS IoT Device SDK

C SDK (Ideal for embedded

OS)

JavaScript SDK (Ideal for Embedded

Linux Platforms)

Arduino Library (Arduino Yun)

Mobile SDK (Android and iOS)

Python SDK Java SDK

https://aws.amazon.com/blogs/iot/introducing-aws-iot-device-sdks-for-java-and-python/

Prototyping with the Raspberry Pi

• Raspberry Pi hardware

• Electronics Starter Kits • One examples is the SunFounder 37 modules Sensor Kit v2.0 for

Raspberry Pi 3, 2, Model B+ with 40-Pin GPIO Extension Board & Jump Wires

• Example tutorial

• Raspberry Pi Sense Hat (optional fun) • https://www.raspberrypi.org/products/sense-hat/

Setting up the Raspberry Pi GPIO & Sense Hat

Your own electronics/sensor build C (for embedded C)

http://wiringpi.com Python Wrapper Module for WiringPI

https://github.com/WiringPi/WiringPi-Python

For the Sense Hat Python Module

https://github.com/RPi-Distro/python-sense-hat

Official IoT Starter Kits, Powered by AWS

Dragonboard 410c (by Arrow)

Beaglebone Green (by Seeed Studio)

Seeeduino Cloud (by Seeed Studio)

Intel Edison (by Seeed Studio)

MediaTek LinkIt One (by Seeed Studio)

Broadcom BCM4343W (by Avnet)

Marvell EasyConnect (By Marvell)

Renesas RX63N (by Micrium)

Microchip WCM (by Microchip)

Ti Launchpad (By Ti)

Prototype ThingThing Shadow

State Sync

MQTT Topics

Pub/Sub Messaging

Production ThingThing Shadow

State Sync

MQTT Topics

Pub/Sub Messaging

Creating device keys & certificates

AWS IoT security: authentication and authorization

AUTHENTICATION Secure with mutual

authentication and encryption

AUTHENTICATION AUTHORIZATION

Secure with mutual authentication and encryption

Securing and identifying Things

- Secure Bi-Directional Pipe - Anonymous

- Secure Bi-Directional Pipe - Anonymous

Securing and Identifying Things: Mutual Auth TLS

- Secure Bi-Directional Pipe - Anonymous

- Secure Bi-Directional Pipe - Mutual Proof of Identity

AWS IoT security

Demo: AWS IoT Console Creating certificates & keys

Key & certificate creation with the AWS CLI

Getting keys & certificates onto your devices

Getting keys & certificates onto your devices

• Simple at the device prototyping stage • Copy or flash them (& the CA cert) onto your device

• More complex in volume manufacturing • Still copying or flashing keys & certs, but the numbers

increase

• Use AWS SDKs/CLI to automate key & certificate creation. Provide keys & certificates to your device manufacturing partners

Register on first use

https://aws.amazon.com/blogs/iot/just-in-time-registration-of-device-certificates-on-aws-iot/

Just-in-Time Registration of Device Certificates

Register your CA Cert with

AWS IoT

Sign device certs with your CA cert

$aws/events/certificates/registered/<caCertificateID>

{"certificateId":"<certificateID>","caCertificateId":"<caCertificateId>","timestamp":"<timestamp>","certificateStatus":"PENDING_ACTIVATION","awsAccountId":“<awsAccountId>",

}

AWS IoT MQTT Endpoint

New certificate state set to PENDING_ACTIVATION

AWS IoT Rule invokes AWS Lambda function

AWS Lambda function activates certificate & attaches policy

New certificate state set to ACTIVE

Attaching policies to certificates

Attaching policies to devices

AWS IoT policies are JSON documents. They follow the same conventions as IAM policies.

{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["iot:Publish"],"Resource":["arn:aws:iot:us-east-1:123456789012:topic/foo/bar"]},{"Effect":"Allow","Action":["iot:Connect"],"Resource":["*"]}]}

http://docs.aws.amazon.com/iot/latest/developerguide/authorization.html

Policy Actions

iot:Publishiot:Subscribeiot:Recieveiot:Connectiot:UpdateThingShadowiot:GetThingShadowiot:DeleteThingShadow

Attaching policies to certificates (devices)

$awsiotcreate-policy--policy-name<value>\\--policy-document<JSONpolicydocument>

$awsiotattach-principle-policy\\--policy-name<value>\\--principal<certificateARN>

The AWS IoT Thing Registry

AWS IoT Registry

THING REGISTRY Identity and Management of

your things

REGISTRY Identity and Management of

your things

AWS IoT Registry

• Static attributes associated to Thing • Firmware version • Serial Numbers • Device Type • Device Group • Device Description • Sensor description

• Support and Maintenance • Reference Manual URL • Part # reference

• Reference to external support system

AWS IoT Registry: Create & List Things

http://docs.aws.amazon.com/iot/latest/developerguide/thing-registry.html

$awsiotcreate-thing--thing-name"MyLightBulb"--attribute-payload"{\"attributes\":{\"wattage\":\"75\",\”model\":\"123\"}}"{"thingArn":"arn:aws:iot:eu-west-1:554625704737:thing/MyLightBulb","thingName":"MyLightBulb"}$awsiotlist-things{"things":[{"attributes":{"model":"123","wattage":"75"},"version":1,"thingName":"MyLightBulb"}]}

AWS IoT Registry: Search for Things

http://docs.aws.amazon.com/iot/latest/developerguide/thing-registry.html

$awsiotlist-things--attribute-name"wattage"--attribute-value“75"{"things":[{"thingTypeName":"StopLight","attributes":{"model":"123","wattage":"75"},"version":3,"thingName":"MyLightBulb"},{"thingTypeName":"LightBulb","attributes":{"model":"123","wattage":"75"},"version":1,"thingName":"MyRGBLight"}]}

AWS IoT Registry: Thing Types

http://docs.aws.amazon.com/iot/latest/developerguide/thing-registry.html

Thing types allow you to store description and configuration information that is common to all things associated with the same thing type. For example, you can define a LightBulb thing type. All things associated with the LightBulb thing type share a set of attributes.

awsiotcreate-thing-type--thing-type-name"LightBulb"\\--thing-type-properties"thingTypeDescription=lightbulbtype,searchableAttributes=wattage,model"

Communicating with Things

AWS IoT Message Broker

DEVICE GATEWAY Communicate with devices via

MQTT and HTTP

AWS IoT Message Broker

MQTT

MQTT vs HTTPS:

• 93x faster throughput • 11.89x less battery to send • 170.9x less battery to receive • 50% less power to keep connected • 8x less network overhead

Source: http://stephendnicholas.com/archives/1217

• OASIS standard protocol (v3.1.1) • Lightweight, pub-sub, transport protocol

that is useful for connected devices • MQTT is used on oil rigs, connected

trucks, and many more sensitive and resource-sensitive scenarios

• Customers have needed to build, maintain, and scale a broker to use MQTT with cloud applications

AWS IoT Message Broker : managed service

Highly Scalable Device Gateway

Millions of devices sending billions of messages

SubscribersPublishers

AWS IoT Rules Engine

RULES ENGINE Transform messages

based on rules and route to AWS Services

AWS IoT Rules Engine

Simple & familiar syntax - SQL Statement to define topic filter - Optional WHERE clause - Advanced JSON support

Functions improve signal : noise - String manipulation (regex support) - Mathematical operations - Context-based helper functions - Crypto support - UUID, Timestamp, rand, etc.

AWS IoT Rules Engine basics

SELECT * FROM ‘things/thing-2/color’ WHERE color = ‘red’

AWS IoT Rules Engine’s flexibility

SELECT *, clientId() as MQTTClientId FROM 'one/rule' WHERE

startsWith(topic(2), 'IME33') AND (state = 'INIT' OR hydro_temp > surface_temp)","actions": [{

"republish": {"topic": "controllers/

${substring(topic(3), 3, 5)}",}]

http://docs.aws.amazon.com/iot/latest/developerguide/iot-sql-functions.html

AWS IoT Rules Engine

Complex Evaluations Respond to the fleet, not just a single unit. Dozens of functions() available.

Multiple / Simultaneous Actions Sometimes a situation requires you to take many actions.

AWS IoT Rules Engine actions

RULES ENGINE Transform messages

based on rules and route to AWS Services

AWS Services - - - - -

3P ServicesAWS Services

- - - - - 3P Services

1. AWS Services (Direct Integration)

Rules Engine

Actions

AWS IoT Rules Engine

LambdaSNS SQS

S3 Amazon KinesisDDB RDS

AmazonRedshift

Amazon Glacier

EC2

3. External Endpoints (via Lambda and SNS)

Rules Engine connects AWS IoT to External Endpoints and AWS Services.

2. Rest of AWS (via Amazon Kinesis, Lambda, S3, and more)

AWS IoT Rules Engine Actions

Rules Engine evaluates inbound messages published into AWS IoT, and transforms and delivers to the appropriate endpoint based on business rules.

External endpoints can be reached via Lambda and Simple Notification Service (SNS).

Invoke a Lambda function

Put object in an S3 bucket

Insert, Update, Read from a DynamoDB table

Publish to an SNS Topic or Endpoint

Publish to an Amazon Kinesis stream

Actions

Amazon Kinesis Firehose

Republish to AWS IoT

Store & retrieve device state with the Device Shadow

AWS IoT Thing Shadow

THING SHADOW Persistent thing state during

intermittent connectionsSHADOW

Persistent thing state during intermittent connections

APPLICATIONS

AWS IoT Device Shadows

AWS IoT Thing Shadow

Shadow

AWS IoT Shadow Flow

Shadow

Device SDK

1. Device Publishes Current State

2. Persist JSON Data Store

3. App requests device’s current state

4. App requests change the state5. Device Shadow syncs updated state

6. Device Publishes Current State 7. Device Shadow confirms state change

AWS IoT

AWS IoT Device Shadow - Simple Yet Powerful

{

"state" : {

“desired" : {

"lights": { "color": "RED" },

"engine" : "ON"

},

"reported" : {

"lights" : { "color": "GREEN" },

"engine" : "ON"

},

"delta" : {

"lights" : { "color": "RED" }

} },

"version" : 10

}

Thing

Report its current state to one or multiple shadows Retrieve its desired state from shadow

Mobile App

Set the desired state of a device Get the last reported state of the device Delete the shadow

Shadow

Shadow reports delta, desired and reported states along with metadata and version

AWS IoT Device Shadow Topics (MQTT)

Thing SDK makes it easy for you to build shadow functionality into your device so it can automatically synchronize the state with the device.

AWS IoT Thing Shadow

UPDATE: $aws/things/{thingName}/shadow/update DELTA: $aws/things/{thingName}/shadow/update/delta GET: $aws/things/{thingName}/shadow/get DELETE: $aws/things/{thingName}/shadow/delete

Sensor Reported Desired Delta

LED1 RED YELLOWLED1 = Yellow TEMP = 60FACCEL X=1,Y=5,Z=4 X=1,Y=5,Z=4

TEMP 83F 60F

Updating device firmware

AWS IoT – Device Management

S3 Holds Versioned Firmware Distributions Organize and secure your firmware binaries in S3

Message Broker notifies groups of the fleet using Topic Patterns Alert the fleet (or part of it) of the update, and send the URL to the S3 download

Firmware Update

Stored in S3

Event Hook -> Lambda

Publish to groups of devices

• Ability to update global or within a Region

• Rules Engine keeps state of updates and tracks progress in a DynamoDB Table

• Store Version in Registry Entry

Replacing/Retiring devices

Replacing/Retiring devices

Revoking Device Certificates

Then it’s just a matter of creating & deploying a new device & attaching the same policy to the new device’s certificate

$awsiotupdate-certificate--certificate-id<certificateId>--new-statusREVOKED

aws.amazon.com/iot/

Thank you!

Ian Massingham, Chief Evangelist (EMEA), Amazon Web Services @IanMmmm

Questions?