© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Kyle Roche, General Manager AWS IoT
28-Oct-2015
AWS IoT Getting Started
Introduction to AWS IoT
Things are Becoming Connected
[Timeline figure: "Now", "Not too long from now", "Soon after"] Source: Pretty much everyone
AWS IoT
- Fully Managed Service
- Bi-Directional / Long-Lived Connections
- Security and Identity Schemes Built for Devices
- Bridge to other AWS Services
AWS IoT - Console Interactive Tutorial
AWS IoT (components)
- DEVICE SDK: Set of client libraries to connect, authenticate and exchange messages
- DEVICE GATEWAY: Communicate with devices via MQTT and HTTP
- AUTHENTICATION / AUTHORIZATION: Secure with mutual authentication and encryption
- RULES ENGINE: Transform messages based on rules and route to AWS Services and third-party (3P) services
- DEVICE SHADOW: Persistent thing state during intermittent connections
- DEVICE REGISTRY: Identity and management of your things
- APPLICATIONS: reach devices through the AWS IoT API
AWS IoT Device Registry
THING REGISTRY: Identity and Management of your things
Device Metadata
- Serial #
- EIN / IMEI
- ASIN
- Support URL
AWS IoT Device Registry (CLI)
kyleroche@Kyles-MacBook-Pro: aws iot list-things
{
    "things": [
        {
            "attributes": {
                "ASIN": "B006LPJZ1S",
                "EIN": "SDLKFJ23423KJOIJOJL",
                "serial_number": "K123Y34R456O"
            },
            "thingName": "thing01"
        }
    ]
}
Security & Identity
AWS IoT Security
AUTHENTICATION / AUTHORIZATION: Secure with mutual authentication and encryption
Securing and Identifying Things: Mutual Auth TLS
- Secure Bi-Directional Pipe (TLS alone leaves the client anonymous)
- Mutual Proof of Identity (the client presents its own certificate, the server presents its own)
Security, Designed for Connected Devices

                  MQTT + Mutual Auth TLS    AWS Auth + HTTPS
Server Auth       TLS + Cert                TLS + Cert
Client Auth       TLS + Cert                AWS API Keys
Confidentiality   TLS                       TLS
Protocol          MQTT                      HTTP
Identification    AWS ARNs                  AWS ARNs
Authorization     AWS Policy                AWS Policy
NEW: Rule Invocations - IAM Roles
- The service principal iot.amazonaws.com assumes the role
- The role's policy allows the actions on the other services the rule targets
Demo: Create Keys & Certificate
Demo Steps
- Create Keys & Certificate
- Create Thing in Registry (optional)
- Create Policy Document
- Attach Policy to Certificate and Thing
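As an added example (not the deck's own demo code), here is how the "Create Policy Document" step can produce a policy scoped to one thing, plus a quick lint of any policy before it is attached to a certificate. The region, account id, the thing's topic names and the wide-open comparison policy are assumptions made for this example, not taken from the slides.

```python
"""Added example, not code from the AWS IoT deck: build and lint a
least-privilege AWS IoT policy for one thing before attaching it to the
thing's certificate.  REGION, ACCOUNT, the topic names and WIDE_OPEN_POLICY
are assumptions for illustration."""
import json

REGION = "us-east-1"       # assumption: placeholder region
ACCOUNT = "123456789012"   # assumption: placeholder account id

# A policy of this shape is what quick-start demos tend to attach; it lets any
# holder of the certificate connect as any client id and publish or subscribe
# to any topic in the account.  Kept here only as the "before" case.
WIDE_OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iot:*", "Resource": "*"}],
}


def iot_arn(kind, path):
    """AWS IoT resource ARN; kind is client, topic or topicfilter."""
    return f"arn:aws:iot:{REGION}:{ACCOUNT}:{kind}/{path}"


def thing_policy(thing_name):
    """Policy that lets exactly one thing connect as itself, publish its own
    data and use its own shadow, and nothing else.

    iot:Connect is tied to one client id, iot:Publish/iot:Receive to concrete
    topic ARNs and iot:Subscribe to topicfilter ARNs (the resource type AWS IoT
    checks for subscriptions), so a certificate lifted from this device cannot
    impersonate or eavesdrop on another thing.
    """
    shadow = f"$aws/things/{thing_name}/shadow"
    publish_topics = [f"things/{thing_name}/color", f"{shadow}/update", f"{shadow}/get"]
    subscribe_topics = [f"{shadow}/update/delta", f"{shadow}/get/accepted"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["iot:Connect"],
             "Resource": [iot_arn("client", thing_name)]},
            {"Effect": "Allow", "Action": ["iot:Publish"],
             "Resource": [iot_arn("topic", t) for t in publish_topics]},
            {"Effect": "Allow", "Action": ["iot:Subscribe"],
             "Resource": [iot_arn("topicfilter", t) for t in subscribe_topics]},
            {"Effect": "Allow", "Action": ["iot:Receive"],
             "Resource": [iot_arn("topic", t) for t in subscribe_topics]},
        ],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def policy_findings(policy):
    """Return human-readable findings for over-broad Allow statements."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a in ("*", "iot:*") for a in actions):
            findings.append(f"statement {i}: wildcard action {actions}")
        if "*" in resources:
            findings.append(f"statement {i}: wildcard resource")
        if "iot:Connect" in actions and any(r.endswith(":client/*") for r in resources):
            findings.append(f"statement {i}: iot:Connect allowed for any client id")
    return findings


def policy_document(thing_name):
    """JSON text to pass as --policy-document to `aws iot create-policy`."""
    return json.dumps(thing_policy(thing_name), indent=2)


if __name__ == "__main__":
    print(policy_document("thing01"))
    print("findings for the quick-start policy:", policy_findings(WIDE_OPEN_POLICY))
```

With the document saved to a file, the remaining demo steps are `aws iot create-policy --policy-name thing01-policy --policy-document file://thing01-policy.json`, then `aws iot attach-principal-policy --policy-name thing01-policy --principal <certificate ARN>` and `aws iot attach-thing-principal --thing-name thing01 --principal <certificate ARN>`; the policy is evaluated against the certificate the device presents during the mutual TLS handshake, so scoping it per thing is what turns "proof of identity" into "bounded authority".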
AWS IoT Device Gateway
DEVICE GATEWAY: Communicate with devices via MQTT and HTTP
AWS IoT Device Gateway
- Standard Protocol Support (no lock-in): Millions of devices and apps can connect over any protocol, starting with MQTT and HTTP 1.1
- Powerful Pub/Sub Broker with long-lived bi-directional messages: Clients (devices and apps) can receive commands and control signals from the cloud
- Secure by Default: Connect securely via X.509 certs and TLS 1.2 client mutual auth
- Topic-Based Architecture, e.g. lights/thing-2/color
- Highly Scalable Device Gateway
Demo Publish and Subscribe (MQTT)
AWS IoT Rules Engine
RULES ENGINE: Transform messages based on rules and route to AWS Services
AWS IoT Rules Engine Basics
SELECT * FROM 'things/thing-2/color' WHERE color = 'red'
A Rule consists of:
- Name
- Description
- SQL Statement
- Array of Actions
Simple & Familiar Syntax
- SQL statement to define the topic filter
- Optional WHERE clause
- Advanced JSON support
Functions improve signal : noise
- String manipulation (regex support)
- Mathematical operations
- Context-based helper functions
- Crypto support
- UUID, timestamp, rand, etc.
AWS IoT - SQL Reference
SELECT DATA FROM TOPIC WHERE FILTER
FROM TOPIC
- Like scanning a database table
- Default source is an MQTT topic
- Examples: FROM mqtt('my/topic'), FROM mqtt('my/wildcard/+/topic'), FROM 'my/topic'
SELECT DATA
- Properties from the JSON object in the payload
- "." operator, ".." operator, "*" operator
- Apply functions to attribute values
- SELECT deviceid AS client
- SELECT md5(deviceid) AS hashed_id
Substitution Templates
- ${expression}
- ${topic()}, ${md5(deviceid)}
- ${deviceid}, ${temp}
SAMPLE PAYLOAD
{
    "deviceid": "iot123",
    "temp": 54,
    "humidity": 32,
    "coords": {
        "latitude": 47.615694,
        "longitude": -122.3359976
    },
    "a": {
        "another_level": [
            {"b": 3},
            {"b": 5}
        ]
    }
}
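To make the SELECT / FROM / WHERE slides concrete, here is an added Python model of how a rule selects and reshapes a message. It is illustrative code written for this page, not the service's SQL engine: it implements MQTT topic-filter matching with + and #, the topic(), topic(n), md5() and timestamp() functions, a WHERE equality test on the payload, aliasing with AS, and ${...} substitution templates of the kind the DynamoDB rule later uses (${topic(3)}, ${timestamp()}). The handling of # and the string comparison in WHERE are this example's own assumptions.

```python
"""Added example, not code from the deck: a small model of how an AWS IoT
topic rule selects and reshapes a message.  Supports FROM '<filter>' with MQTT
wildcards, WHERE <attr> = '<value>', SELECT * or a list of <expr> AS <alias>,
the functions topic(), topic(n), md5(), timestamp(), and ${...} substitution
templates.  Anything beyond what the slides show is this example's assumption."""
import hashlib
import json
import re
import time

RULE_RE = re.compile(
    r"SELECT\s+(?P<fields>.+?)\s+FROM\s+'(?P<filter>[^']+)'"
    r"(?:\s+WHERE\s+(?P<attr>\w+)\s*=\s*'(?P<value>[^']*)')?\s*$",
    re.IGNORECASE,
)


def topic_matches(pattern, topic):
    """MQTT filter semantics: '+' matches exactly one level, '#' (only as the
    last segment) matches everything after it."""
    p, t = pattern.split("/"), topic.split("/")
    for i, seg in enumerate(p):
        if seg == "#":
            return i == len(p) - 1
        if i >= len(t) or (seg != "+" and seg != t[i]):
            return False
    return len(p) == len(t)


def eval_expr(expr, topic, doc):
    """Evaluate the expression subset used on the slides against a message."""
    expr = expr.strip()
    call = re.fullmatch(r"(\w+)\((\w*)\)", expr)
    if call is None:
        return doc[expr]                       # plain attribute reference
    fn, arg = call.groups()
    if fn == "topic":                          # topic() or topic(n), 1-based
        return topic.split("/")[int(arg) - 1] if arg else topic
    if fn == "timestamp":
        return int(time.time() * 1000)
    if fn == "md5":
        return hashlib.md5(str(doc[arg]).encode()).hexdigest()
    raise ValueError("unsupported function " + fn)


def substitute(template, topic, doc):
    """Render a substitution template such as '${topic(3)}' or '${md5(deviceid)}'."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: str(eval_expr(m.group(1), topic, doc)), template)


def evaluate_rule(sql, topic, payload):
    """Return the selected document when the rule fires for this message,
    or None when the topic filter or WHERE clause rejects it."""
    m = RULE_RE.match(sql)
    if m is None:
        raise ValueError("unsupported SQL: " + sql)
    if not topic_matches(m["filter"], topic):
        return None
    doc = json.loads(payload)
    # WHERE compares the attribute as a string; an absent attribute never matches
    if m["attr"] and (m["attr"] not in doc or str(doc[m["attr"]]) != m["value"]):
        return None
    if m["fields"].strip() == "*":
        return doc
    selected = {}
    for field in m["fields"].split(","):
        parts = re.split(r"\s+AS\s+", field.strip(), flags=re.IGNORECASE)
        selected[parts[-1]] = eval_expr(parts[0], topic, doc)
    return selected


if __name__ == "__main__":
    msg = '{"color": "red"}'   # constructed sample message
    print(evaluate_rule("SELECT * FROM 'things/thing-2/color' WHERE color = 'red'",
                        "things/thing-2/color", msg))
    print(substitute("${topic(3)}", "things/rules/dynamo", {}))
```

Two things worth noticing when writing real rules: a filter such as things/+/color fires for every thing, so any device that can publish to its own things/<id>/color topic can drive that rule, which is why the policy in the previous section pins each device to its own topic; and a WHERE clause only inspects the payload the device sent, so it filters noise but is not an authorization control.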
AWS IoT Rules Engine Actions
RULES ENGINE: Transform messages based on rules and route to AWS Services and 3P Services
AWS IoT Rules Engine Actions
The Rules Engine evaluates inbound messages published into AWS IoT, transforms them and delivers them to the appropriate endpoint based on business rules. External endpoints can be reached via Lambda and Simple Notification Service (SNS).
Actions:
- Invoke a Lambda function
- Put an object in an S3 bucket
- Insert, update, read from a DynamoDB table
- Publish to an SNS topic or endpoint
- Publish to a Kinesis stream
- Put records to Amazon Kinesis Firehose
- Republish to AWS IoT
Rule Template - Invoke Lambda
kyleroche@Kyles-MacBook-Pro: aws iot get-topic-rule --rule-name invokeLambda
{
    "rule": {
        "sql": "SELECT * FROM 'things/rules/lambda'",
        "ruleDisabled": false,
        "actions": [
            {
                "lambda": {
                    "functionArn": "arn:aws:lambda:us-east-1:8675309:function:helloWorld"
                }
            }
        ],
        "ruleName": "invokeLambda"
    }
}
Invoke Lambda function from MQTT
kyleroche@Kyles-MacBook-Pro: mosquitto_pub --cafile rootCert.pem --cert cert.pem --key privateKey.pem \
    -h A3OZCB0FJ4Y4JS.iot.us-east-1.amazonaws.com -p 8883 -q 1 -d \
    -t things/rules/lambda -i thing01 -m '{"color":"red"}'
(--cafile verifies the broker's certificate; --cert and --key present the device's own certificate: the two halves of the mutual TLS authentication above.)
The MQTT payload is passed to the Lambda function as its event parameter.
AWS IoT Rules Engine & Stream Data
- N:1 inbound streams of sensor data (signal-to-noise reduction): the Rules Engine filters and transforms sensor data, then sends the aggregate to Amazon Kinesis as an ordered stream
- Kinesis streams to enterprise applications: simultaneously stream processed data to databases, applications and other AWS services
AWS IoT Rules Engine for Machine Learning
- Anomaly Detection: Amazon Machine Learning can feed predictive evaluation criteria to the Rules Engine
- Continuous improvement around prediction: continuously look for outliers and re-calibrate the Machine Learning models
[Flow: Rules Engine -> Send to S3 -> Amazon Machine Learning -> Re-Train]
AWS IoT – Device Management
- S3 holds versioned firmware distributions: organize and secure your firmware binaries in S3
- Message Broker notifies groups of the fleet using topic patterns: alert the fleet (or part of it) of the update, and send the URL of the S3 download
Firmware Update flow: firmware stored in S3 -> event hook -> Lambda -> publish to groups of devices
- Ability to update globally or within a Region
- Rules Engine keeps state of updates and tracks progress in a DynamoDB table
- Store version in the Registry entry
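The slides describe the cloud side of the update: a versioned binary in S3, a Lambda hook, a notification with the download URL. The device side, as an added example that is not part of the deck, is where the security of that flow is decided. The message layout, the sha256 digest field, the allowed download host and the "only install something newer" rule are this example's assumptions about what a device should check before flashing anything it fetched from a URL it received over a topic.

```python
"""Added example, not code from the deck: the device side of the firmware
update flow above.  The slides say the fleet receives a version and the S3
download URL; the sha256 field, the allowed download host and the
"only install something newer" rule are this example's assumptions about what
a device should verify before flashing anything it pulled from a URL."""
import hashlib
import json
from urllib.parse import urlparse

# assumption: the one bucket host the fleet is allowed to download from
ALLOWED_HOSTS = {"firmware-bucket.s3.amazonaws.com"}


def build_notice(version, url, image):
    """What the Lambda event hook would publish to the update topic: version,
    download URL and the digest of the image it uploaded (constructed format)."""
    return json.dumps({"version": version, "url": url,
                       "sha256": hashlib.sha256(image).hexdigest()})


def parse_version(text):
    """'1.2.0' -> (1, 2, 0) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def notice_problem(notice, installed_version):
    """Return why the notice must be rejected, or None if it may proceed."""
    for field in ("version", "url", "sha256"):
        if field not in notice:
            return "missing field " + field
    url = urlparse(notice["url"])
    if url.scheme != "https" or url.netloc not in ALLOWED_HOSTS:
        return "download url not on an allowed https host"
    try:
        newer = parse_version(notice["version"]) > parse_version(installed_version)
    except ValueError:
        return "malformed version string"
    if not newer:
        return "version %s is not newer than installed %s" % (notice["version"], installed_version)
    return None


def apply_update(notice_json, installed_version, fetch):
    """Handle one message from the firmware topic.  fetch(url) -> bytes is
    injected so the flow runs offline.  Returns (new_version, None) when the
    image was verified, or (None, reason) when it was refused; the caller
    writes new_version back to the thing's registry entry."""
    notice = json.loads(notice_json)
    problem = notice_problem(notice, installed_version)
    if problem:
        return None, problem
    image = fetch(notice["url"])
    if hashlib.sha256(image).hexdigest() != notice["sha256"].lower():
        return None, "image digest mismatch"
    return notice["version"], None


if __name__ == "__main__":
    image = b"constructed firmware image"      # constructed sample image
    notice = build_notice("1.2.0", "https://firmware-bucket.s3.amazonaws.com/fw/1.2.0.bin", image)
    print(apply_update(notice, "1.1.9", lambda url: image))
```

The digest in the notice only proves the download matches what the publisher announced; whether to trust the announcement itself rests on the topic policy (only the update publisher may write to the firmware topic) and, for a production fleet, on a signature over the image rather than a bare hash. Neither of those is shown on the slides and both are left as assumptions here.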
Rule Template - Save to DynamoDB
kyleroche@Kyles-MacBook-Pro: aws iot get-topic-rule --rule-name saveToDynamoDB
{
    "rule": {
        "sql": "SELECT * FROM 'things/rules/dynamo'",
        "ruleDisabled": false,
        "actions": [
            {
                "dynamoDB": {
                    "hashKeyField": "topic",
                    "roleArn": "arn:aws:iam::8675309:role/iot-actions-role",
                    "tableName": "awsiot",
                    "hashKeyValue": "${topic(3)}",
                    "rangeKeyValue": "${timestamp()}",
                    "rangeKeyField": "timestamp"
                }
            }
        ],
        "ruleName": "saveToDynamoDB"
    }
}
Demo Rules - Save to DynamoDB
AWS IoT Device Shadow
THING SHADOW: Persistent thing state during intermittent connections, shared between devices and applications
AWS IoT Shadow Flow (Device SDK <-> Shadow <-> Application)
1. Device publishes current state
2. Shadow persists the JSON data store
3. App requests the device's current state
4. App requests a change to the state
5. Device Shadow syncs the updated state to the device
6. Device publishes current state
7. Device Shadow confirms the state change
AWS IoT Device Shadow Topics (MQTT)
The Thing SDK (C-SDK, JS-SDK) makes it easy for you to build shadow functionality into your device so that it automatically synchronizes its state with the shadow.
AWS IoT Thing Shadow
UPDATE: $aws/things/{thingName}/shadow/update
DELTA:  $aws/things/{thingName}/shadow/update/delta
GET:    $aws/things/{thingName}/shadow/get
DELETE: $aws/things/{thingName}/shadow/delete
Sensor   Reported       Desired        Delta
LED1     RED            YELLOW         LED1 = Yellow
ACCEL    X=1,Y=5,Z=4    X=1,Y=5,Z=4    (none)
TEMP     83F            60F            TEMP = 60F
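The table above shows the result of the shadow's core computation: the delta is the set of desired values that differ from what the device last reported. As an added example (not the deck's code and not the service's implementation), here is a minimal in-memory shadow that walks the seven-step flow: recursive merge of update documents, null deleting a key, and the delta that would be published on the .../shadow/update/delta topic after each update. The merge and comparison rules are this example's reading of the table, not a specification of the service.

```python
"""Added example, not code from the deck: how a device shadow's reported and
desired sections produce the delta that is published on
$aws/things/<thingName>/shadow/update/delta.  The merge and delta rules here
(recursive comparison of JSON objects, null removes a key) are this example's
reading of the slide's table, not the service's implementation."""
import copy


def merge_update(state, update):
    """Apply an update document to one section of the shadow.  Nested objects
    merge recursively; a null value deletes the key."""
    out = copy.deepcopy(state)
    for key, value in update.items():
        if value is None:
            out.pop(key, None)
        elif isinstance(value, dict) and isinstance(out.get(key), dict):
            out[key] = merge_update(out[key], value)
        else:
            out[key] = copy.deepcopy(value)
    return out


def compute_delta(reported, desired):
    """Keys in desired whose value differs from reported (recursively for
    nested objects), or None when device and application already agree."""
    delta = {}
    for key, want in desired.items():
        have = reported.get(key)
        if isinstance(want, dict) and isinstance(have, dict):
            sub = compute_delta(have, want)
            if sub:
                delta[key] = sub
        elif have != want:
            delta[key] = want
    return delta or None


class Shadow:
    """Minimal thing shadow: holds reported and desired state, bumps a version
    on every accepted update and returns the delta the broker would publish."""

    def __init__(self):
        self.reported = {}
        self.desired = {}
        self.version = 0

    def update(self, document):
        """Handle a message on .../shadow/update.  Returns the delta (or None)."""
        state = document.get("state", {})
        if "reported" in state:
            self.reported = merge_update(self.reported, state["reported"])
        if "desired" in state:
            self.desired = merge_update(self.desired, state["desired"])
        self.version += 1
        return compute_delta(self.reported, self.desired)

    def get(self):
        """What a GET on .../shadow/get returns to an application."""
        return {"state": {"reported": self.reported, "desired": self.desired},
                "version": self.version}


if __name__ == "__main__":
    shadow = Shadow()
    # constructed messages following the table: device reports, app desires
    shadow.update({"state": {"reported": {"LED1": "RED", "ACCEL": {"X": 1, "Y": 5, "Z": 4}, "TEMP": 83}}})
    print(shadow.update({"state": {"desired": {"LED1": "YELLOW", "TEMP": 60}}}))   # the delta
    print(shadow.update({"state": {"reported": {"LED1": "YELLOW", "TEMP": 60}}}))  # None once in sync
```

Because anything written to the desired section becomes a command the device will act on, the shadow update topic for a thing is exactly the resource a per-thing policy (as in the earlier policy example) should reserve for that thing and the application principals that are meant to control it.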
Demo AWS IoT Device Shadow
Pricing
Pay as You Go
- No minimum
- $5 per million messages published to, or delivered from, AWS IoT in US East (N. Virginia), US West (Oregon), EU (Ireland)
- $8 per million in Asia Pacific (Tokyo)
- No fees for Rules, Shadows, or deliveries to other AWS Services
Free Tier
- 250,000 messages per month free for the first 12 months
Hardware and SDKs
Get Started with AWS IoT Device SDK
- C-SDK (ideal for embedded OS)
- JS-SDK (ideal for embedded Linux platforms)
- Arduino Library (Arduino Yun)
- Mobile SDK (Android and iOS)
Official IoT Starter Kits, Powered by AWS
Summary
- Components of AWS IoT
- Securely Identify and Connect a Device
- Device Gateway
- Publish and Subscribe over MQTT
- Rules and Actions
- Device Shadows
- SDKs and Starter Kits
Thank you!
https://aws.amazon.com/iot
@kylemroche