© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Philipp Sacha
Specialist Solutions Architect IoT, Amazon Web Services
Device Provisioning Options with AWS IoT
IoT with AWS (architecture overview slide; only the diagram labels survive)
Things: Amazon FreeRTOS, IoT SDK, Integrated Client, Over-the-air (OTA) Updates; connectivity via WiFi, MQTT, OPC-UA, local comms and long-range comms.
Edge: AWS Greengrass (Lambda Functions, Message Router, Device Shadow, Certificate Authority, Local Resources, OPC-UA Adapter), Gateway/PLC.
Cloud: AWS IoT Core (Message Broker, Rules Engine, Device Shadow, Certificate Authority), AWS IoT 1-click, AWS IoT Device Management (Batch Fleet Provisioning, Real-time Fleet Index & Search, OTA Updates), AWS IoT Device Defender (Scheduled or Ad-hoc Audit, Detection Profiles, Alerts, Risk Mitigation), AWS IoT Analytics (Data Pipelines, Analytics Data Store, Templated Reports, Ad-hoc & In-depth Analysis); downstream: AWS Lambda, Amazon Kinesis, Amazon S3, Amazon EMR, Amazon Redshift, Amazon QuickSight, Machine Learning, Enterprise Applications / Corp Apps, Enterprise Users, IoT Users, Edge Users.
IoT Partners:
• Edge: ARM, Broadcom, Digi, Espressif, Intel, MediaTek, Microchip, NXP, ST, TI, Qualcomm, …
• Gateway: Adlink Technology, Advantech, MachineShop, Technicolor, …
• Platform: Ayala, Bright Wolf, BSquare, C3IoT, Mnubo, PTC, ThingLogix, Splunk, …
• Connectivity: Amdocs, Asavie, AT&T, Eseye, Soracom, TATA Communications, Verizon, …
• Consulting / ISVs: Accenture, Aricent, ClearScale, CTP, Luxoft, Mobiquity, solstice, Storm Reply, Sturdy Networks, TCS, TrekIO, …
AWS IoT – Starting To Explore…
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
At Scale - How To Provision Devices?
• Secure device connectivity and messaging: Devices ↔ AWS IoT Core
• Fleet onboarding, management and SW updates
Architecture is developed…
How do I onboard my devices???
When a Device is Provisioned
• (Thing created in the device registry)
• Device certificate registered with AWS IoT Core
• (Certificate attached to the thing)
• IoT Policy attached to the device through:
  • Certificate
  • Thing group
AWS IoT Provisioning Options
• API Calls
• Single Device Provisioning
• Bulk Device Provisioning
• Just-in-Time Provisioning
• Just-in-Time Registration (IoT topic rule + Lambda function)
Device Onboarding – API
Use scripts with the SDKs to call the API:
• create-thing
• create-keys-and-certificate, or register-certificate for BYOCA (bring your own CA)
• create-policy
• attach-principal-policy
• attach-thing-principal
Provisioning Template
{
  "Parameters": {
    "ThingName": { "Type": "String" },
    "SerialNumber": { "Type": "String" },
    "Location": { "Type": "String", "Default": "WA" },
    "CSR": { "Type": "String" }
  },
  "Resources": {
    "thing": {
      "Type": "AWS::IoT::Thing",
      "Properties": {
        "ThingName": { "Ref": "ThingName" },
        "AttributePayload": {
          "version": "v1",
          "serialNumber": { "Ref": "SerialNumber" }
        },
        "ThingTypeName": "lightBulb-versionA",
        "ThingGroups": [ "v1-lightbulbs", { "Ref": "Location" } ]
      }
    },
    "certificate": {
      "Type": "AWS::IoT::Certificate",
      "Properties": {
        "CertificateSigningRequest": { "Ref": "CSR" },
        "Status": "ACTIVE"
      }
    }
  }
}
Single/Bulk Device Provisioning
{"ThingName": "foo", "SerialNumber": "123", "CSR": "csr1"}
{"ThingName": "bar", "SerialNumber": "456", "CSR": "csr2"}
• Parameters with device information are used in the provisioning template
• Single: one "line" passed as parameter to register a thing
• Bulk: multiple parameter lines in a file in an S3 bucket
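The following is an added example, not AWS code and not part of the slides: it resolves the provisioning template from the previous slide against parameter lines of the shape shown above, which is the step the service performs before creating any thing or certificate. The template and parameter names are the ones from the slides; the validation rules (unknown parameters rejected, required parameters without a Default reported per line) and the third, deliberately incomplete parameter line are this example's own.

```python
"""Resolve an AWS IoT provisioning template against per-device parameter lines.

Added example (not AWS code). The template below is the one from the
"Provisioning Template" slide; the parameter file is constructed.
"""
import json

TEMPLATE = {
    "Parameters": {
        "ThingName": {"Type": "String"},
        "SerialNumber": {"Type": "String"},
        "Location": {"Type": "String", "Default": "WA"},
        "CSR": {"Type": "String"},
    },
    "Resources": {
        "thing": {
            "Type": "AWS::IoT::Thing",
            "Properties": {
                "ThingName": {"Ref": "ThingName"},
                "AttributePayload": {"version": "v1", "serialNumber": {"Ref": "SerialNumber"}},
                "ThingTypeName": "lightBulb-versionA",
                "ThingGroups": ["v1-lightbulbs", {"Ref": "Location"}],
            },
        },
        "certificate": {
            "Type": "AWS::IoT::Certificate",
            "Properties": {"CertificateSigningRequest": {"Ref": "CSR"}, "Status": "ACTIVE"},
        },
    },
}

# Constructed bulk file: one JSON object per line, as it would sit in the S3 bucket.
# The third line deliberately omits the required CSR parameter.
PARAMETER_LINES = """\
{"ThingName": "foo", "SerialNumber": "123", "CSR": "csr1"}
{"ThingName": "bar", "SerialNumber": "456", "CSR": "csr2", "Location": "OR"}
{"ThingName": "baz", "SerialNumber": "789"}
"""


def bind_parameters(template, params):
    """Apply defaults and reject unknown or missing parameters before anything is created."""
    declared = template["Parameters"]
    unknown = sorted(set(params) - set(declared))
    if unknown:
        raise ValueError(f"unknown parameter(s): {', '.join(unknown)}")
    bound = {}
    for name, spec in declared.items():
        if name in params:
            bound[name] = params[name]
        elif "Default" in spec:
            bound[name] = spec["Default"]
        else:
            raise ValueError(f"missing required parameter {name}")
    return bound


def resolve(node, bound):
    """Recursively substitute every {"Ref": <name>} with the bound parameter value."""
    if isinstance(node, dict):
        if set(node) == {"Ref"}:
            return bound[node["Ref"]]
        return {key: resolve(value, bound) for key, value in node.items()}
    if isinstance(node, list):
        return [resolve(value, bound) for value in node]
    return node


def render_resources(template, params):
    """Single-device case: one parameter object -> concrete Resources block."""
    return resolve(template["Resources"], bind_parameters(template, params))


def render_bulk(template, lines):
    """Bulk case: one result per non-empty line; bad lines are reported, not silently skipped."""
    results = []
    for lineno, line in enumerate(lines.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            results.append(("ok", lineno, render_resources(template, json.loads(line))))
        except (ValueError, KeyError) as err:  # json.JSONDecodeError is a ValueError
            results.append(("error", lineno, str(err)))
    return results


if __name__ == "__main__":
    for status, lineno, payload in render_bulk(TEMPLATE, PARAMETER_LINES):
        print(lineno, status, json.dumps(payload) if status == "ok" else payload)
```

Running the module prints one line per parameter line: "foo" lands in thing groups v1-lightbulbs and WA (the default), "bar" in v1-lightbulbs and OR, and line 3 is reported as an error because CSR has no default. Treating the template as trusted configuration and the per-device parameters as untrusted data, and validating the latter before any API call, is the property worth keeping when the same template is attached to a CA for JITP.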
Device Onboarding – JITP
(Diagram: Own CA → AWS IoT)
• Own CA required
• Provisioning Template attached to own CA
1. Device connects to AWS IoT, device certificate gets registered
2. JITP provisions device according to the provisioning template
Device Onboarding – JITR
(Diagram: Own CA → AWS IoT → Topic → Topic-rule → Lambda, steps 1–5)
1. Device connects to AWS IoT, device certificate gets registered
2. AWS IoT publishes message to $aws/events/certificates/registered/<caCertificateID>
3. Topic Rule is invoked
4. Topic Rule calls Lambda Function as action
5. Lambda provisions device:
  • Create thing
  • Activate Certificate
  • Create/Attach IoT Policy
  • Attach policy to certificate
  • Do more stuff…
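The following is an added example, not AWS sample code and not part of the slides. It serves two slides at once: the API call sequence from "Device Onboarding – API" (create-thing, create-keys-and-certificate, create-policy, attach policy, attach-thing-principal) and the Lambda side of JITR (steps 1–5 above), both built on one shared provisioning routine. The boto3 iot client is passed in as a parameter so the same functions can run against the real service or against FakeIotClient, an in-memory stand-in constructed here for offline runs. The region, account ID, certificate IDs, the per-device policy document and the naming rule "thing name = certificate ID" are this example's own assumptions; attach_policy is used where the slide says attach-principal-policy, its predecessor.

```python
"""API-driven onboarding and a JITR Lambda handler on one shared provisioning routine.

Added example, not AWS code. The iot client is injected so the flow runs offline
against FakeIotClient (constructed below) or online against boto3.client("iot").
"""
import json

REGION, ACCOUNT = "us-east-1", "123456789012"  # placeholders, not real values


def device_policy_document(thing_name):
    """Minimal per-device policy (assumption): connect only with the thing name as client ID."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "iot:Connect",
            "Resource": f"arn:aws:iot:{REGION}:{ACCOUNT}:client/{thing_name}",
        }],
    })


def provision_thing(iot, thing_name, certificate_id):
    """Steps from the 'Device Onboarding – API' slide for an already registered certificate."""
    desc = iot.describe_certificate(certificateId=certificate_id)["certificateDescription"]
    cert_arn = desc["certificateArn"]
    iot.create_thing(thingName=thing_name)
    policy_name = f"{thing_name}-policy"
    iot.create_policy(policyName=policy_name, policyDocument=device_policy_document(thing_name))
    iot.attach_policy(policyName=policy_name, target=cert_arn)  # successor of attach-principal-policy
    iot.attach_thing_principal(thingName=thing_name, principal=cert_arn)
    return cert_arn


def onboard_with_generated_keys(iot, thing_name):
    """Single-device API onboarding: AWS IoT generates the key pair and certificate."""
    created = iot.create_keys_and_certificate(setAsActive=True)
    provision_thing(iot, thing_name, created["certificateId"])
    return created  # keyPair must reach the device over a protected channel


def jitr_handler(event, context, iot):
    """Lambda target of the topic rule on $aws/events/certificates/registered/<caCertificateId>.

    The event carries certificateId, caCertificateId, certificateStatus and awsAccountId;
    the certificate sits at PENDING_ACTIVATION until this handler activates it.
    """
    if event.get("certificateStatus") != "PENDING_ACTIVATION":
        return {"skipped": event.get("certificateId")}
    cert_id = event["certificateId"]
    thing_name = cert_id  # assumption; a real handler might parse the CN from certificatePem
    provision_thing(iot, thing_name, cert_id)
    iot.update_certificate(certificateId=cert_id, newStatus="ACTIVE")
    return {"thingName": thing_name, "certificateId": cert_id}


class FakeIotClient:
    """In-memory stand-in for boto3.client('iot') that records what the real client would do."""

    def __init__(self):
        self.things, self.policies, self.certs, self.attachments = {}, {}, {}, []

    @staticmethod
    def _arn(cert_id):
        return f"arn:aws:iot:{REGION}:{ACCOUNT}:cert/{cert_id}"

    def register_pending(self, cert_id):
        """What the service does when an unknown cert signed by a registered CA first connects."""
        self.certs[cert_id] = {"status": "PENDING_ACTIVATION"}

    def create_keys_and_certificate(self, setAsActive):
        cert_id = f"generated{len(self.certs) + 1:02d}"
        self.certs[cert_id] = {"status": "ACTIVE" if setAsActive else "INACTIVE"}
        return {"certificateId": cert_id, "certificateArn": self._arn(cert_id),
                "keyPair": {"PublicKey": "<pub>", "PrivateKey": "<priv>"}}

    def describe_certificate(self, certificateId):
        return {"certificateDescription": {"certificateId": certificateId,
                                           "certificateArn": self._arn(certificateId),
                                           "status": self.certs[certificateId]["status"]}}

    def create_thing(self, thingName):
        self.things[thingName] = {}

    def create_policy(self, policyName, policyDocument):
        self.policies[policyName] = policyDocument

    def attach_policy(self, policyName, target):
        self.attachments.append(("policy", policyName, target))

    def attach_thing_principal(self, thingName, principal):
        self.attachments.append(("principal", thingName, principal))

    def update_certificate(self, certificateId, newStatus):
        self.certs[certificateId]["status"] = newStatus


def demo():
    """Run both onboarding paths against the fake client and return the state for inspection."""
    iot = FakeIotClient()
    created = onboard_with_generated_keys(iot, "foo")
    iot.register_pending("cafe01")  # constructed certificate ID
    event = {"certificateId": "cafe01", "caCertificateId": "ca01",
             "certificateStatus": "PENDING_ACTIVATION", "awsAccountId": ACCOUNT}
    result = jitr_handler(event, None, iot)
    return iot, created, result


if __name__ == "__main__":
    iot, created, result = demo()
    print(result, iot.certs, iot.attachments)
```

To deploy the JITR part, wrap it in the two-argument signature Lambda expects, for instance lambda_handler = lambda event, context: jitr_handler(event, context, boto3.client("iot")). The status check at the top of the handler is the part that matters for safety: the topic also receives events for certificates the handler has already activated, so a handler without it would re-provision on every event. Keeping the policy per device, rather than one shared permissive policy, is what lets the comparison slide call JITR "flexible".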
JITR vs. JITP
JITR:
• Topic rule and Lambda function. Code must be written and maintained
• Provisioning more complex: Device connects, certificate registers with status PENDING_ACTIVATION, service sends MQTT message, rule triggers Lambda, Lambda does provisioning and optionally more stuff
• Flexible, different policies for different devices can be created/attached. Information from/to the provisioning process can be put/read from other systems, etc.
JITP:
• No code, only body template attached to CA
• Easy provisioning: Device connects, provisioning workflow run automatically
• Static, same provisioning process for every device
Demo Time!
Please complete the session survey in the summit mobile app.