Essential Capabilities of an IoT Cloud Platform - AWS Online Tech Talks
TRANSCRIPT
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Ian Massingham,
Chief Evangelist (EMEA),
Amazon Web Services
@IanMmmm
Essential Capabilities of an IoT
Cloud Platform
Getting started: What is AWS IoT?
AWS: hyperscale infrastructure for connected devices
Amazon SNS
Mobile Push
and Notifications
AWS Lambda
Run Code in
Response to Events
Amazon DynamoDB
Predictable and Scalable
NoSQL Data Store
Amazon Kinesis
Streaming Analytics
Amazon Redshift
Petabyte-Scale
Data Warehouse
…and more
Amazon API Gateway
Build, Deploy, and Manage
APIs
Amazon Cognito
User Identity and Data
Synchronization
IoT Applications: An Early Use Case for AWS
AWS IoT: simplify & accelerate IoT development
Amazon SNS
Mobile Push
and Notifications
Amazon DynamoDB
Predictable and
Scalable NoSQL
Data Store
AWS Lambda
Run Code in
Response to Events
Amazon Redshift
Petabyte-Scale
Data Warehouse
…and more
Amazon
API Gateway
Build, Deploy, &
Manage APIs
Amazon Kinesis
Streaming Analytics
Amazon Cognito
User Identity and
Data Synchronization
AWS IoT
Connect Devices to
the Cloud
AWS IoT
“Securely connect one or one billion devices to AWS,
so they can interact with applications and other devices”
AWS IoT: Core Capabilities
Message Broker
AWS-grade security
Rules engine
Device Shadows
Device Registry
Managed Platform
Seamless integration
with all of AWS
AWS IoT
Many Successful IoT Deployments Running On AWS
Topics for this session
Security: Job Zero
Device SDKs
Communicating with Things
Process & act on device data
Store & query device metadata attributes
Store & retrieve device state with the Device Shadow
Support for edge computing capabilities
Security: Job Zero
WHERE DO BOTNETS COME FROM?
[Slide: a device serving http://192.168.1.200:8080 on the local network, reachable from the internet as http://a.public.address:8080]
It doesn’t have to be this way
[Slide: the same device, reachable only as http://192.168.1.200:8080 on the local network]
Secure Communications with Things
Mutual TLS Authentication
TLS/SSL
MUTUAL TLS AUTHENTICATION
Public Key Cryptography Options
For the same level of security, ECC keys are much smaller than RSA keys (sizes in bits):

Symmetric key   RSA key   Elliptic curve key
80              1024      160
112             2048      224
128             3072      256
192             7680      384
256             15360     512

https://aws.amazon.com/blogs/iot/elliptic-curve-cryptography-and-forward-secrecy-support-in-aws-iot-3/
Communicating with non-things
(Humans)
How we implement this

                  MQTT + Mutual Authn TLS   AWS Authn + HTTPS
Server Authn      TLS + Cert                TLS + Cert
Client Authn      TLS + Cert                AWS API Keys
Confidentiality   TLS                       TLS
Protocol          MQTT                      HTTP
Strong Thing Identity
X.509 Certificates
https://aws.amazon.com/blogs/iot/just-in-time-registration-of-device-certificates-on-aws-iot/
Fine Grained Authorisation
[Diagram: AWS IoT control plane (service access) and data plane]
Applying Permissions to Thing Management
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageCerts",
      "Action": [
        "iot:CreateKeysAndCertificate",
        "iot:CreateCertificateFromCsr",
        "iot:DescribeCertificate",
        "iot:UpdateCertificate",
        "iot:DeleteCertificate",
        "iot:ListCertificates"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RevokeOneThing",
      "Action": [
        "iot:UpdateCertificate"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:iot:us-east-1:123456972007:cert/d7677b0…SNIP…026d9",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "192.168.42.54"
        }
      }
    }
  ]
}
Allowing/Denying Access to MQTT Topics
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iot:Connect"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Publish"],
      "Resource": ["arn:aws:iot:us-east-1:123456972007:topic/$aws/things/MyThing/shadow/update"]
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Subscribe"],
      "Resource": ["arn:aws:iot:us-east-1:123456972007:topicfilter/$aws/things/MyThing/shadow/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Receive"],
      "Resource": ["arn:aws:iot:us-east-1:123456972007:topic/$aws/things/MyThing/shadow/*"]
    }
  ]
}
(iot:Subscribe is authorised against topicfilter ARNs and iot:Receive against topic ARNs, so the two actions need separate statements.)
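The policy above names one thing, MyThing, and lets any client connect. As an added example (not from the talk or from AWS sample code), the Python below builds the same shadow grant with AWS IoT policy variables so that a single policy serves every certificate that has a thing attached, and runs a small linter over a policy document to flag the grants a reviewer should reject: wildcard resources on the data-plane actions and an action paired with the wrong resource type. The region, the account ID and LOOSE_POLICY are constructed for the example.

```python
"""Least-privilege AWS IoT data-plane policy for a fleet, plus a policy linter.

Added example, not code from the talk.  ${iot:Connection.Thing.ThingName} is
resolved by AWS IoT at connect time to the name of the thing attached to the
certificate that authenticated the connection.
"""
import json

REGION = "us-east-1"        # assumed region for the ARNs built below
ACCOUNT = "123456972007"    # account ID taken from the slide's ARNs

DATA_PLANE_ACTIONS = {"iot:Connect", "iot:Publish", "iot:Subscribe", "iot:Receive"}
# Resource type each data-plane action is authorised against.
EXPECTED_PREFIX = {"iot:Connect": "client/", "iot:Publish": "topic/",
                   "iot:Receive": "topic/", "iot:Subscribe": "topicfilter/"}


def _arn(resource):
    return f"arn:aws:iot:{REGION}:{ACCOUNT}:{resource}"


def build_thing_policy():
    """One policy for every thing: a certificate may only connect with a client
    ID equal to its attached thing's name, and may only touch that thing's own
    shadow topics."""
    thing = "${iot:Connection.Thing.ThingName}"
    shadow = f"$aws/things/{thing}/shadow"
    inbound = [f"{shadow}/update/accepted", f"{shadow}/update/rejected",
               f"{shadow}/update/delta", f"{shadow}/get/accepted",
               f"{shadow}/get/rejected"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["iot:Connect"],
             "Resource": [_arn(f"client/{thing}")]},
            {"Effect": "Allow", "Action": ["iot:Publish"],
             "Resource": [_arn(f"topic/{shadow}/update"), _arn(f"topic/{shadow}/get")]},
            {"Effect": "Allow", "Action": ["iot:Subscribe"],
             "Resource": [_arn(f"topicfilter/{t}") for t in inbound]},
            {"Effect": "Allow", "Action": ["iot:Receive"],
             "Resource": [_arn(f"topic/{t}") for t in inbound]},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return a list of human-readable findings for an AWS IoT policy document."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        for action in _as_list(stmt.get("Action", [])):
            if action in ("iot:*", "*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
                continue
            if action not in DATA_PLANE_ACTIONS:
                continue
            for res in _as_list(stmt.get("Resource", [])):
                if res == "*":
                    findings.append(f"statement {i}: {action} allowed on every resource")
                    continue
                resource_part = res.split(":", 5)[-1]  # strip arn:aws:iot:region:account:
                if not resource_part.startswith(EXPECTED_PREFIX[action]):
                    findings.append(f"statement {i}: {action} on {resource_part!r} "
                                    f"(expected a {EXPECTED_PREFIX[action]} ARN)")
    return findings


# Constructed for this example: the kind of policy that makes a leaked device
# certificate expensive, because it lets the holder talk to every topic.
LOOSE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iot:Connect"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["iot:Publish", "iot:Subscribe", "iot:Receive"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": ["iot:Receive"],
         "Resource": [_arn("topicfilter/$aws/things/MyThing/shadow/*")]},
    ],
}

if __name__ == "__main__":
    print(json.dumps(build_thing_policy(), indent=2))
    for finding in lint_policy(LOOSE_POLICY):
        print("finding:", finding)
```

Attach the generated policy to each device certificate and attach the certificate to its thing; the policy variables then scope every connection without a per-device policy document.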
Creating certificates & keys
Key & certificate creation with the AWS CLI
Device Provisioning at Scale: How do you get keys & certificates onto your devices?
Getting keys & certificates onto your devices
• Simple at the device prototyping stage
  • Copy or flash them (& the CA cert) onto your device
• More complex in volume manufacturing
  • Still copying or flashing keys & certs, but the numbers increase
  • Use AWS SDKs/CLI to automate key & certificate creation. Provide keys & certificates to your device manufacturing partners
Register on first use
https://aws.amazon.com/blogs/iot/just-in-time-registration-of-device-certificates-on-aws-iot/
Just-in-Time Registration of Device Certificates
Register your
CA Cert with
AWS IoT
Sign device certs
with your CA cert
$aws/events/certificates/registered/<caCertificateID>
{
  "certificateId": "<certificateID>",
  "caCertificateId": "<caCertificateId>",
  "timestamp": "<timestamp>",
  "certificateStatus": "PENDING_ACTIVATION",
  "awsAccountId": "<awsAccountId>"
}
[Flow: device, AWS IoT MQTT endpoint, rule, Lambda]
1. The device connects to the AWS IoT MQTT endpoint with a certificate signed by your CA; the new certificate is registered with state PENDING_ACTIVATION and the event above is published.
2. An AWS IoT Rule on that topic invokes an AWS Lambda function.
3. The AWS Lambda function activates the certificate & attaches a policy.
4. New certificate state set to ACTIVE.
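The Lambda function in step 3 is where the trust decision is made, so it is worth seeing what it should check before it turns a pending certificate into a live credential. The following is an added example (not AWS sample code): a handler for the event shown above, written against the method names of the boto3 `iot` client but taking the client as a parameter so it runs offline here with the FakeIot stand-in. It assumes a rule such as `SELECT * FROM '$aws/events/certificates/registered/<caCertificateId>'` invokes it, that the policy named in DEVICE_POLICY_NAME already exists, and that TRUSTED_CA_IDS holds the IDs of the CA certificates you registered; all three values are constructed.

```python
"""JITR activation handler for AWS IoT certificate-registered events.

Added example, not from the talk.  Only a certificate that is still
PENDING_ACTIVATION and was issued by a CA we registered is activated, and the
device policy is attached before activation so the certificate never exists in
ACTIVE state without one.
"""
import re

TRUSTED_CA_IDS = {"0123abcd" * 8}       # constructed placeholder CA certificate ID
DEVICE_POLICY_NAME = "DevicePolicy"     # assumed to exist already in the account

CERT_ID_RE = re.compile(r"^[0-9a-f]{64}$")  # AWS IoT certificate IDs are 64 hex chars


def activate_on_registration(event, iot):
    """Process one certificate-registered event; returns a dict describing the outcome."""
    cert_id = event.get("certificateId", "")
    ca_id = event.get("caCertificateId", "")
    status = event.get("certificateStatus", "")

    if not CERT_ID_RE.match(cert_id):
        return {"certificateId": cert_id, "action": "ignored", "reason": "malformed certificateId"}
    if status != "PENDING_ACTIVATION":
        return {"certificateId": cert_id, "action": "ignored", "reason": f"status is {status}"}
    if ca_id not in TRUSTED_CA_IDS:
        # A wildcard rule topic could deliver events for a CA we never meant to
        # auto-register; revoke rather than leave a usable credential pending.
        iot.update_certificate(certificateId=cert_id, newStatus="REVOKED")
        return {"certificateId": cert_id, "action": "revoked", "reason": "untrusted CA"}

    desc = iot.describe_certificate(certificateId=cert_id)["certificateDescription"]
    cert_arn = desc["certificateArn"]
    iot.attach_policy(policyName=DEVICE_POLICY_NAME, target=cert_arn)
    iot.update_certificate(certificateId=cert_id, newStatus="ACTIVE")
    return {"certificateId": cert_id, "action": "activated", "certificateArn": cert_arn}


def lambda_handler(event, context=None, iot=None):
    """AWS Lambda entry point; builds a real boto3 client unless one is injected."""
    if iot is None:
        import boto3  # imported lazily so the module loads without boto3 installed
        iot = boto3.client("iot")
    return activate_on_registration(event, iot)


class FakeIot:
    """Minimal stand-in for boto3's iot client that records calls (constructed for this example)."""

    def __init__(self, account="123456972007", region="us-east-1"):
        self.account, self.region = account, region
        self.calls = []

    def describe_certificate(self, certificateId):
        return {"certificateDescription": {
            "certificateId": certificateId,
            "certificateArn": f"arn:aws:iot:{self.region}:{self.account}:cert/{certificateId}",
            "status": "PENDING_ACTIVATION"}}

    def attach_policy(self, policyName, target):
        self.calls.append(("attach_policy", policyName, target))

    def update_certificate(self, certificateId, newStatus):
        self.calls.append(("update_certificate", certificateId, newStatus))


if __name__ == "__main__":
    fake = FakeIot()
    event = {"certificateId": "ab" * 32, "caCertificateId": "0123abcd" * 8,
             "timestamp": "1480000000000", "certificateStatus": "PENDING_ACTIVATION",
             "awsAccountId": "123456972007"}
    print(lambda_handler(event, iot=fake))
    print(fake.calls)
```

A production handler would also look the device up in the Thing Registry (for example by the certificate's subject) before activating, so that a certificate your CA signed for a unit that was never shipped, or one already revoked, is not brought online automatically.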
Device SDKs:
Abstract & Simplify Access to
Platform Features
Get Started with the AWS IoT Device SDK
C SDK
(Ideal for embedded
OS)
JavaScript SDK
(Ideal for Embedded
Linux Platforms)
Arduino Library
(Arduino Yun)
Mobile SDK
(Android and iOS)
Python SDK
Java SDK
https://aws.amazon.com/blogs/iot/introducing-aws-iot-device-sdks-for-java-and-python/
Prototyping with the Raspberry Pi
• Raspberry Pi hardware
• Electronics Starter Kits
  • One example is the SunFounder 37 modules Sensor Kit v2.0 for Raspberry Pi 3, 2, Model B+ with 40-Pin GPIO Extension Board & Jump Wires
  • Example tutorial
• Raspberry Pi Sense Hat (optional fun)
  • https://www.raspberrypi.org/products/sense-hat/
Setting up the Raspberry Pi GPIO & Sense Hat
Your own electronics/sensor build
C (for embedded C)
http://wiringpi.com
Python Wrapper Module for WiringPI
https://github.com/WiringPi/WiringPi-Python
For the Sense Hat
Python Module
https://github.com/RPi-Distro/python-sense-hat
Official IoT Starter Kits, Powered by AWS
Dragonboard 410c
(by Arrow)
Beaglebone Green
(by Seeed Studio)
Seeeduino Cloud
(by Seeed Studio)
Intel Edison
(by Seeed Studio)
MediaTek LinkIt One
(by Seeed Studio)
Broadcom BCM4343W
(by Avnet)
Marvell EasyConnect
(By Marvell)
Renesas RX63N
(by Micrium)
Microchip WCM
(by Microchip)
Ti Launchpad
(By Ti)
Communicating with Things
AWS IoT Message Broker
DEVICE GATEWAY: Communicate with devices via MQTT and HTTP
AWS IoT Message Broker
MQTT
MQTT vs HTTPS:
• 93x faster throughput
• 11.89x less battery to send
• 170.9x less battery to receive
• 50% less power to keep connected
• 8x less network overhead
Source:
http://stephendnicholas.com/archives/1217
• OASIS standard protocol (v3.1.1)
• Lightweight, pub-sub, transport protocol
that is useful for connected devices
• MQTT is used on oil rigs, connected
trucks, and many more sensitive and
resource-sensitive scenarios
• Customers have needed to build,
maintain, and scale a broker to use
MQTT with cloud applications
AWS IoT Message Broker : managed service
Highly Scalable
Device Gateway
Millions of devices
sending billions of
messages
[Diagram: Publishers → Device Gateway → Subscribers]
Process & act on device data
AWS IoT Rules Engine
RULES ENGINE: Transform messages based on rules and route to AWS Services
AWS IoT Rules Engine
Simple & familiar syntax
- SQL Statement to define topic filter
- Optional WHERE clause
- Advanced JSON support
Functions improve signal : noise
- String manipulation (regex support)
- Mathematical operations
- Context-based helper functions
- Crypto support
- UUID, Timestamp, rand, etc.
AWS IoT Rules Engine basics
SELECT * FROM 'things/thing-2/color'
WHERE color = 'red'
AWS IoT Rules Engine's flexibility
{
  "sql": "SELECT *, clientId() as MQTTClientId FROM 'one/rule' WHERE startsWith(topic(2), 'IME33') AND (state = 'INIT' OR hydro_temp > surface_temp)",
  "actions": [{
    "republish": {
      "topic": "controllers/${substring(topic(3), 3, 5)}"
    }
  }]
}
http://docs.aws.amazon.com/iot/latest/developerguide/iot-sql-functions.html
AWS IoT Rules Engine
Complex Evaluations
Respond to the fleet, not just a single unit. Dozens of functions() available.
Multiple / Simultaneous Actions
Sometimes a situation requires you to take many actions.
AWS IoT Rules Engine actions
RULES ENGINE: Transform messages based on rules and route to AWS Services
[Diagram: Rules Engine actions fan out to AWS Services (Lambda, SNS, SQS, S3, Amazon Kinesis, DynamoDB, RDS, Amazon Redshift, Amazon Glacier, EC2) and to 3P Services]
1. AWS Services (Direct Integration)
2. Rest of AWS (via Amazon Kinesis, Lambda, S3, and more)
3. External Endpoints (via Lambda and SNS)
Rules Engine connects AWS IoT to External Endpoints and AWS Services.
AWS IoT Rules Engine Actions
Rules Engine evaluates
inbound messages published
into AWS IoT, and transforms
and delivers to the appropriate
endpoint based on business
rules.
External endpoints can be
reached via Lambda and
Simple Notification Service
(SNS).
Put object in an S3 bucket
Insert into a DynamoDB table
Publish to an SNS Topic/Endpoint
Insert into an Amazon Kinesis stream
Persist via Amazon Kinesis Firehose
Republish to AWS IoT
Make a Machine Learning prediction
Invoke a Lambda function
Store in Amazon Elasticsearch cluster
Store & query device metadata
attributes
AWS IoT Thing Registry
THING REGISTRY: Identity and Management of your things
AWS IoT Thing Registry
• Static attributes associated to Thing
• Firmware version
• Serial Numbers
• Device Type
• Device Group
• Device Description
• Sensor description
• Support and Maintenance
• Reference Manual URL
• Part # reference
• Reference to external support system
AWS IoT Thing Registry: Create & List Things
http://docs.aws.amazon.com/iot/latest/developerguide/thing-registry.html
$ aws iot create-thing --thing-name "MyLightBulb" --attribute-payload "{\"attributes\": {\"wattage\":\"75\", \"model\":\"123\"}}"
{
    "thingArn": "arn:aws:iot:eu-west-1:554625704737:thing/MyLightBulb",
    "thingName": "MyLightBulb"
}
$ aws iot list-things
{
    "things": [
        {
            "attributes": {"model": "123", "wattage": "75"},
            "version": 1,
            "thingName": "MyLightBulb"
        }
    ]
}
AWS IoT Registry: Search for Things
http://docs.aws.amazon.com/iot/latest/developerguide/thing-registry.html
$ aws iot list-things --attribute-name "wattage" --attribute-value "75"
{
    "things": [
        {
            "thingTypeName": "StopLight",
            "attributes": {"model": "123", "wattage": "75"},
            "version": 3,
            "thingName": "MyLightBulb"
        },
        {
            "thingTypeName": "LightBulb",
            "attributes": {"model": "123", "wattage": "75"},
            "version": 1,
            "thingName": "MyRGBLight"
        }
    ]
}
AWS IoT Registry: Thing Types
http://docs.aws.amazon.com/iot/latest/developerguide/thing-registry.html
Thing types allow you to store description and configuration
information that is common to all things associated with the same
thing type.
For example, you can define a LightBulb thing type. All things
associated with the LightBulb thing type share a set of attributes.
aws iot create-thing-type --thing-type-name "LightBulb" \
    --thing-type-properties "thingTypeDescription=light bulb type, searchableAttributes=wattage,model"
Device State Cache:
Asynchronously access device
state via the Thing Shadow
AWS IoT Thing Shadow
THING SHADOW: Persistent thing state during intermittent connections
APPLICATIONS
AWS IoT Thing Shadows
AWS IoT Thing Shadow
Shadow
AWS IoT Shadow Flow
Shadow
Device SDK
1. Device publishes current state
2. Persist JSON data store
3. App requests device's current state
4. App requests change to the state
5. Device Shadow syncs updated state
6. Device publishes current state
7. Device Shadow confirms state change
AWS IoT
AWS IoT Device Shadow - Simple Yet Powerful
{
  "state": {
    "desired": {
      "lights": { "color": "RED" },
      "engine": "ON"
    },
    "reported": {
      "lights": { "color": "GREEN" },
      "engine": "ON"
    },
    "delta": {
      "lights": { "color": "RED" }
    }
  },
  "version": 10
}
Thing
Report its current state to one or multiple shadows
Retrieve its desired state from shadow
Mobile App
Set the desired state of a device
Get the last reported state of the device
Delete the shadow
Shadow
Shadow reports delta, desired and reported
states along with metadata and version
AWS IoT Device Shadow Topics (MQTT)
Thing SDK makes it easy for you to
build shadow functionality into your
device so it can automatically
synchronize the state with the device.
AWS IoT Thing Shadow
UPDATE: $aws/things/{thingName}/shadow/update
DELTA: $aws/things/{thingName}/shadow/update/delta
GET: $aws/things/{thingName}/shadow/get
DELETE: $aws/things/{thingName}/shadow/delete
Sensor   Reported        Desired         Delta
LED1     RED             YELLOW          LED1 = Yellow
TEMP     83F             60F             TEMP = 60F
ACCEL    X=1,Y=5,Z=4     X=1,Y=5,Z=4     (none)
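The shadow document, the delta table and the version field describe a small state machine, and the details that matter for safety (stale updates, attribute deletion, how delta is derived) are easy to get wrong in device code. The Python below is an added example, not AWS SDK or service code: an in-memory model of one thing's shadow that applies update messages from a device (reported) or an app (desired), treats a null attribute as a deletion, derives the delta section the service publishes on the update/delta topic, and rejects an update whose version does not match the current one (the real service returns a 409 conflict for a stale version; requiring an exact match is the way to use that check). Timestamps and the metadata section are left out. The traffic replayed at the bottom is the slide's own example document.

```python
"""Device Shadow document model: merge, delta and optimistic-lock version check.

Added example, not AWS code.  The merge and delta rules follow the shadow
document semantics: nested objects merge recursively, null deletes a key, and
delta holds every desired attribute whose value differs from (or is absent
from) reported.
"""
import copy

_MISSING = object()


class VersionConflict(Exception):
    """Raised when an update carries a version other than the shadow's current one."""


def _merge(base, patch):
    """Merge a state patch into a section; null removes the key."""
    out = dict(base)
    for key, value in patch.items():
        if value is None:
            out.pop(key, None)
        elif isinstance(value, dict) and isinstance(out.get(key), dict):
            out[key] = _merge(out[key], value)
        else:
            out[key] = value
    return out


def compute_delta(desired, reported):
    """Return the desired attributes the device has not yet reported."""
    delta = {}
    for key, want in desired.items():
        have = reported.get(key, _MISSING)
        if isinstance(want, dict) and isinstance(have, dict):
            sub = compute_delta(want, have)
            if sub:
                delta[key] = sub
        elif have is _MISSING or have != want:
            delta[key] = want
    return delta


class Shadow:
    def __init__(self):
        self.state = {"desired": {}, "reported": {}}
        self.version = 0

    def update(self, message):
        """Apply one shadow/update message and return the resulting document."""
        version = message.get("version")
        if version is not None and version != self.version:
            raise VersionConflict(f"update carries version {version}, shadow is at {self.version}")
        patch = message.get("state") or {}
        for section in ("desired", "reported"):
            if section in patch:
                # A null section clears it entirely; otherwise merge the patch in.
                self.state[section] = {} if patch[section] is None else _merge(self.state[section], patch[section])
        self.version += 1
        return self.document()

    def document(self):
        doc = {"state": copy.deepcopy(self.state), "version": self.version}
        delta = compute_delta(self.state["desired"], self.state["reported"])
        if delta:
            doc["state"]["delta"] = delta  # what the service publishes on .../update/delta
        return doc


if __name__ == "__main__":
    shadow = Shadow()
    # Device reports what it is actually doing.
    shadow.update({"state": {"reported": {"lights": {"color": "GREEN"}, "engine": "ON"}}})
    # App asks for red lights, passing the version it last saw.
    doc = shadow.update({"state": {"desired": {"lights": {"color": "RED"}, "engine": "ON"}}, "version": 1})
    print(doc)  # delta is {"lights": {"color": "RED"}}, as on the slide
    try:
        shadow.update({"state": {"desired": {"engine": "OFF"}}, "version": 1})
    except VersionConflict as exc:
        print("rejected:", exc)
```

A device that acts on the delta topic should publish its new reported state immediately afterwards; until it does, the delta stays in the document and any app that reads the shadow sees the request as still outstanding.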
Support for edge computing
capabilities
Round-trip latency
Intermittent connectivity
Expensive bandwidth
Programming and updating embedded software needs specialized skills
Limited to what is on the device unless you rewrite or program the device
Challenges Of Devices Living On The Edge
AWS Greengrass: Embed Lambda Compute (& Other AWS Services) in Connected Devices
Preview Available Now
Use The Same AWS Programming Model In Devices And The Cloud
AWS Greengrass: Local Compute, Messaging & Data Caching
Local
compute
Local
data caching
Secure
communications
Local
messaging
AWS Greengrass: How It Works
Built into
devices at
manufacture
Install the
Greengrass
runtime
Lambda functions
on AWS & devices
Manage from
AWS Console
Same programming
model
Local
communication
and orchestration
AWS Greengrass: Example Use Cases
Smart Homes Agriculture Manufacturing
aws.amazon.com/iot/
Thank you!
Ian Massingham,
Chief Evangelist (EMEA),
Amazon Web Services
@IanMmmm
Questions?