AWS IoT & Greengrass
Jeremy Cowan, Enterprise Solutions
25 billion devices by 2020
Everyday things will be connected… (slide image: http://www.washingtonpost.com/sf/brand-connect/wp-content/uploads/sites/3/2015/05/cc_heroimage_v2.jpg)
AWS IoT
DEVICE SDK: Set of client libraries to connect, authenticate and exchange messages
DEVICE GATEWAY: Communicate with devices via MQTT, HTTP and WebSockets
AUTHENTICATION / AUTHORIZATION: Secure with mutual authentication and encryption
RULES ENGINE: Transform messages based on rules and route to AWS Services / 3P Services
DEVICE SHADOW: Persistent thing state during intermittent connections
APPLICATIONS: AWS IoT API
DEVICE REGISTRY: Identity and management of your things
MQTT Primer
MQ Telemetry Transport – the IoT protocol
Senders ‘publish’ to topics and send messages.
Receivers ‘subscribe’ to topics and receive messages.
All subscribers receive all messages sent to a topic.
Topic names can be subscribed to using ‘wildcards’.
topicname/path: use the path depth that makes sense for your application.
MQTT Primer
Pub: sensors/temp/room1
Sub: sensors/temp/room1
If the receiver subscribes to the exact full path, they only receive messages sent to the exact full path. All messages published on this topic are received by all subscribers to the topic.
MQTT Primer
Pub: sensors/temp/room1
Sub: sensors/+/room1
The plus (+) matches exactly one item in the topic hierarchy, so here the subscriber will receive messages for all sensors in room 1. All messages published on this topic are received by all subscribers to the topic.
MQTT Primer
Pub: sensors/temp/room1
Sub: sensors/temp/#
The hash (#) means the subscriber will receive messages for all temperature sensors in all rooms. All messages published on this topic are received by all subscribers to the topic.
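The three subscription cases above can be checked programmatically. The matcher below is an added example, not code from the slides or from the AWS IoT SDK; it implements the topic-filter rules of the MQTT 3.1.1 specification (single-level `+`, multi-level `#`, and the rule that a filter starting with a wildcard never matches a topic beginning with `$`, which is what keeps a blanket `#` subscription away from the broker's reserved namespace). The subscription table is constructed from the primer's three subscribers.

```python
"""MQTT topic-filter matching for the primer's subscriptions (added example)."""

from typing import Dict, List


def validate_filter(topic_filter: str) -> None:
    """Reject filters that break the MQTT rules for wildcard placement."""
    levels = topic_filter.split("/")
    for i, level in enumerate(levels):
        if "#" in level and (level != "#" or i != len(levels) - 1):
            raise ValueError("'#' must be the whole last level of the filter")
        if "+" in level and level != "+":
            raise ValueError("'+' must occupy a whole level of the filter")


def topic_matches(topic_filter: str, topic: str) -> bool:
    """Return True if a message on `topic` is delivered to `topic_filter`."""
    validate_filter(topic_filter)
    if "+" in topic or "#" in topic:
        raise ValueError("published topic names may not contain wildcards")
    # Filters beginning with a wildcard do not match '$'-prefixed topics
    # (MQTT 3.1.1, 4.7.2), so '#' alone does not receive $aws/... traffic.
    if topic.startswith("$") and topic_filter[:1] in ("+", "#"):
        return False

    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    for i, f_level in enumerate(f_levels):
        if f_level == "#":
            # '#' matches everything that remains, including zero levels.
            return True
        if i >= len(t_levels):
            return False
        if f_level == "+":
            continue  # exactly one level, any value
        if f_level != t_levels[i]:
            return False
    # Filter exhausted: only a match if the topic has no extra levels.
    return len(t_levels) == len(f_levels)


# Constructed subscription table mirroring the three primer slides.
SUBSCRIPTIONS: Dict[str, str] = {
    "exact-room1-temp": "sensors/temp/room1",
    "all-sensors-room1": "sensors/+/room1",
    "temp-all-rooms": "sensors/temp/#",
}


def receivers(subscriptions: Dict[str, str], topic: str) -> List[str]:
    """Names of every subscriber that receives a message published on `topic`."""
    return sorted(name for name, flt in subscriptions.items() if topic_matches(flt, topic))


if __name__ == "__main__":
    for published in ("sensors/temp/room1", "sensors/humidity/room1", "sensors/temp/room2"):
        print(published, "->", receivers(SUBSCRIPTIONS, published))
```

Running the block shows that a message on sensors/temp/room1 reaches all three subscribers, sensors/humidity/room1 reaches only the `+` subscriber, and sensors/temp/room2 reaches only the `#` subscriber.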
Device Shadow
• Plan for devices to lose connectivity
– Device may need to shut down when idle to conserve battery.
– Device may be stable, but the network could be unreliable.
• Send devices commands through Shadows
– Instead of wrangling custom topics and keeping state yourself, use the Device Shadow to abstract away the topics and connectivity issues.
• Query device state through Shadows
– The Device Shadow is always available, even if the device is not.
• Addresses message ordering for command and control
– Uses optimistic locking (version number)
Device Shadow
(diagram: Thing, reported state, desired state, MQTT, AWS Lambda)
The device itself is the source of truth for the ‘reported’ state.
Interested parties set the ‘desired’ state to request a change to the state of the device.
‘Desired’ state
• Used to request a change to device state
– Interested parties request device state change through the JSON payload.
• Difference between ‘reported’ and ‘desired’ triggers a ‘delta’ message to the device
– The AWS IoT device shadow compares the ‘reported’ state with the ‘desired’ state, and any properties of ‘desired’ not present or different in the ‘reported’ state are notified via a ‘delta’ message.
AWS IoT Reserved Topics
$aws/things/SmartHub/shadow/update
Topic names that begin with $aws are reserved for AWS IoT special uses, such as addressing the device shadow for a thing.
The Device Shadow listens to a well-known topic and interprets the JSON payload it receives.
You can publish well-formed messages to $aws/things/SmartHub/shadow/update to update the shadow, or more conveniently, use the aws-iot-sdk abstractions.
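The shadow slides describe two mechanisms worth seeing end to end: the delta rule (every property of ‘desired’ that is absent from or different in ‘reported’ is sent to the device) and optimistic locking by version number. The model below is an added example written for this page, not the AWS IoT service or SDK code; it assumes a recursive comparison for nested JSON objects, a `null` in an update meaning "remove this key", and rejection of any update whose `version` does not match the shadow's current version. The `SmartHub` thing name comes from the slides; the state values are constructed.

```python
"""Device Shadow delta and version-based optimistic locking (added model)."""

from typing import Any, Dict, Optional


def shadow_topic(thing_name: str, operation: str = "update") -> str:
    """Reserved $aws topic that addresses a thing's shadow, e.g. .../shadow/update."""
    return f"$aws/things/{thing_name}/shadow/{operation}"


def compute_delta(desired: Dict[str, Any], reported: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Properties of `desired` missing from or differing in `reported`, or None."""
    delta: Dict[str, Any] = {}
    for key, want in desired.items():
        have = reported.get(key)
        if isinstance(want, dict) and isinstance(have, dict):
            sub = compute_delta(want, have)  # assumption: nested objects compare recursively
            if sub:
                delta[key] = sub
        elif key not in reported or have != want:
            delta[key] = want
    return delta or None


def _merge(target: Dict[str, Any], patch: Dict[str, Any]) -> None:
    """Merge a JSON patch into `target`; a null value removes the key."""
    for key, value in patch.items():
        if value is None:
            target.pop(key, None)
        elif isinstance(value, dict) and isinstance(target.get(key), dict):
            _merge(target[key], value)
        else:
            target[key] = value


class Shadow:
    """Minimal shadow document: desired + reported state and a version counter."""

    def __init__(self) -> None:
        self.desired: Dict[str, Any] = {}
        self.reported: Dict[str, Any] = {}
        self.version = 0

    def update(self, doc: Dict[str, Any]) -> Dict[str, Any]:
        """Apply {"state": {"desired"|"reported": {...}}, "version": N}.

        A stale or future version (mismatch with the current one) is rejected
        without touching the document, which is how the optimistic lock keeps
        out-of-order command updates from clobbering newer state.
        """
        expected = doc.get("version")
        if expected is not None and expected != self.version:
            return {"accepted": False, "version": self.version, "delta": None}

        state = doc.get("state", {})
        for section in ("desired", "reported"):
            if section in state:
                patch = state[section]
                current = getattr(self, section)
                if patch is None:          # "desired": null clears the section
                    current.clear()
                else:
                    _merge(current, patch)
        self.version += 1
        return {
            "accepted": True,
            "version": self.version,
            "delta": compute_delta(self.desired, self.reported),
        }


if __name__ == "__main__":
    shadow = Shadow()
    print(shadow_topic("SmartHub"))
    # Constructed sequence: device reports, app requests a colour, a stale
    # second request is rejected, device reports the new colour.
    print(shadow.update({"state": {"reported": {"color": "red", "power": "on"}}}))
    print(shadow.update({"state": {"desired": {"color": "blue"}}, "version": 1}))
    print(shadow.update({"state": {"desired": {"color": "green"}}, "version": 1}))
    print(shadow.update({"state": {"reported": {"color": "blue"}}, "version": 2}))
```

The second update produces the delta `{"color": "blue"}` that the device would receive; the third carries the old version number and is rejected; once the device reports `blue` the delta disappears.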
AWS IoT SDKs
• Supported languages / environments
– Python, Embedded C, iOS, Android, JavaScript, NodeJS, Java, Arduino Yun
• Support device shadow and custom topics
– Built on top of the Paho MQTT client library, the SDKs abstract the device shadow but allow direct pub/sub
• Fully documented
– Rich documentation with examples on GitHub
AWS IoT – How Do You Connect a Device?
1. Provision a certificate
– AWS IoT can generate the cert/public/private keys for you
– Alternatively, BYO certificate to more easily integrate with existing workflows
2. Attach an IoT Policy
– Associate an IoT Policy document with the certificate to scope down what the certificate holder can do
3. Connect over MQTT
– Use the AWS IoT SDKs or roll your own
4. Send some data
– Publish a payload!
AWS IoT – How Do You Secure Communications?
• Mutual authentication: X.509 certificate-based auth
– When devices connect to the AWS IoT broker, they use certificate-based authentication. You assign policies to certificates.
• AWS SigV4
– When browsers use WebSockets, connections are signed using SigV4, which identifies the user principal that you can attach AWS IoT policies to.
• Amazon Cognito simplifies signing SigV4 requests
– Takes care of the steps necessary to create a unique identifier for users and retrieve temporary, limited-privilege AWS credentials.
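Step 2 of the connection procedure and the certificate bullet above both hinge on the policy attached to the certificate scoping down what its holder can do. The block below is an added example, not the slides' or AWS's own code: it builds a per-thing policy using the AWS IoT policy variable `${iot:Connection.Thing.ThingName}` and the documented `client/`, `topic/` and `topicfilter/` ARN forms, then checks sample requests against it with a simplified evaluator (explicit Deny wins, otherwise any matching Allow grants, otherwise denied). The evaluator is this example's own model of policy evaluation, not the service's; `REGION` and `ACCOUNT_ID` are placeholders.

```python
"""Least-privilege AWS IoT policy for one thing, with a toy evaluator (added example)."""

import fnmatch
import json
from typing import Any, Dict, List, Union

REGION = "us-east-1"          # placeholder
ACCOUNT_ID = "123456789012"   # placeholder account id

# Policy variable that resolves to the name of the registered thing the
# connecting certificate is attached to (the client id must equal that name
# for the variable to resolve). Using it ties the policy to one identity.
THING = "${iot:Connection.Thing.ThingName}"


def build_thing_policy(region: str = REGION, account: str = ACCOUNT_ID) -> Dict[str, Any]:
    """Allow a thing to connect as itself and talk only to its own topics."""
    base = f"arn:aws:iot:{region}:{account}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "iot:Connect",
             "Resource": f"{base}:client/{THING}"},
            {"Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"],
             "Resource": [f"{base}:topic/$aws/things/{THING}/shadow/*",
                          f"{base}:topic/sensors/{THING}/*"]},
            {"Effect": "Allow", "Action": "iot:Subscribe",
             "Resource": [f"{base}:topicfilter/$aws/things/{THING}/shadow/*",
                          f"{base}:topicfilter/sensors/{THING}/*"]},
        ],
    }


def _expand(value: Union[str, List[str]], ctx: Dict[str, str]) -> List[str]:
    """Normalise to a list and substitute ${var} policy variables from ctx."""
    items = value if isinstance(value, list) else [value]
    out = []
    for item in items:
        for var, val in ctx.items():
            item = item.replace("${" + var + "}", val)
        out.append(item)
    return out


def is_allowed(policy: Dict[str, Any], action: str, resource: str, ctx: Dict[str, str]) -> bool:
    """Simplified evaluation: Deny overrides, else any matching Allow, else deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _expand(stmt["Action"], ctx)):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _expand(stmt["Resource"], ctx)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    policy = build_thing_policy()
    print(json.dumps(policy, indent=2))
    ctx = {"iot:Connection.Thing.ThingName": "SmartHub"}   # thing name from the slides
    base = f"arn:aws:iot:{REGION}:{ACCOUNT_ID}"
    for action, res in [
        ("iot:Connect", f"{base}:client/SmartHub"),
        ("iot:Publish", f"{base}:topic/$aws/things/SmartHub/shadow/update"),
        ("iot:Publish", f"{base}:topic/$aws/things/OtherHub/shadow/update"),
        ("iot:Subscribe", f"{base}:topicfilter/#"),
    ]:
        print(action, res, "->", "allow" if is_allowed(policy, action, res, ctx) else "deny")
```

The two denied cases are the ones a scoped-down policy exists for: a device cannot write another thing's shadow, and it cannot subscribe to `#` to see every message that crosses the broker.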
Rules Engine
• Augment or filter data received from a device.
• Write data received to an Amazon DynamoDB database.
• Save a file to Amazon S3.
• Send a push notification to all users of Amazon SNS.
• Publish data to an Amazon SQS queue.
• Invoke a Lambda function to extract data.
• Push data into Elasticsearch.
• Process messages from a large number of devices using Amazon Kinesis.
• Republish the message to another MQTT topic.
Example Rule
SELECT * FROM '#'
– SELECT *: the entire contents of the MQTT message
– FROM '#': all messages that arrive at the message broker
Example Rule
SELECT * FROM '$aws/things/SmartHub/shadow/update'
– SELECT *: the entire contents of the MQTT message
– FROM '$aws/things/SmartHub/shadow/update': only messages that are part of a shadow update request
Example Rule
SELECT state.reported.info as info FROM '$aws/things/SmartHub/shadow/update' WHERE state.reported.target="LightBulb"
– SELECT state.reported.info as info: just the ‘info’ property in the reported state message
– WHERE state.reported.target="LightBulb": only messages that have a ‘target’ value set to ‘LightBulb’
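To make the three rules concrete, the block below parses the small SQL subset they use (`SELECT *` or `path as alias`, a quoted `FROM` topic, and an optional `WHERE path = "literal"`) and applies the SELECT/WHERE shaping to sample shadow-update payloads. It is an added example, not the rules engine's parser or any AWS code: it assumes the FROM topic filter has already been matched by the broker's normal subscription semantics (not re-implemented here) and that an unaliased path is keyed by its last segment. The rule strings are the three from the slides; the messages are constructed.

```python
"""Minimal interpreter for the slides' example rules (added example)."""

import json
import re
from typing import Any, Dict, List, Optional, Tuple

RULES = [
    "SELECT * FROM '#'",
    "SELECT * FROM '$aws/things/SmartHub/shadow/update'",
    "SELECT state.reported.info as info FROM '$aws/things/SmartHub/shadow/update' "
    'WHERE state.reported.target="LightBulb"',
]

_RULE_RE = re.compile(
    r"""^\s*SELECT\s+(?P<select>.+?)\s+FROM\s+'(?P<topic>[^']+)'
        (?:\s+WHERE\s+(?P<where_path>[\w.]+)\s*=\s*["'](?P<where_val>[^"']*)["'])?\s*$""",
    re.IGNORECASE | re.VERBOSE,
)


def _get_path(doc: Any, path: str) -> Any:
    """Walk a dotted path through nested JSON objects; None if any step is missing."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _parse_select(clause: str) -> List[Tuple[str, Optional[str]]]:
    items: List[Tuple[str, Optional[str]]] = []
    for raw in clause.split(","):
        raw = raw.strip()
        if raw == "*":
            items.append(("*", None))
            continue
        m = re.match(r"^([\w.]+)(?:\s+as\s+(\w+))?$", raw, re.IGNORECASE)
        if not m:
            raise ValueError(f"unsupported select item: {raw!r}")
        path, alias = m.group(1), m.group(2)
        # Assumption of this example: no alias -> key by the last path segment.
        items.append((path, alias or path.rsplit(".", 1)[-1]))
    return items


def parse_rule(sql: str) -> Dict[str, Any]:
    m = _RULE_RE.match(sql)
    if not m:
        raise ValueError(f"unsupported rule syntax: {sql!r}")
    where = (m.group("where_path"), m.group("where_val")) if m.group("where_path") else None
    return {"select": _parse_select(m.group("select")), "topic": m.group("topic"), "where": where}


def shape_message(rule: Dict[str, Any], payload: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Apply WHERE then SELECT to one message; None means the rule drops it."""
    if rule["where"] is not None:
        path, expected = rule["where"]
        if _get_path(payload, path) != expected:
            return None
    out: Dict[str, Any] = {}
    for path, alias in rule["select"]:
        if path == "*":
            out.update(payload)
        else:
            value = _get_path(payload, path)
            if value is not None:
                out[alias] = value
    return out


# Constructed shadow-update payloads, as the device might publish them.
LIGHT_MSG = json.loads('{"state": {"reported": {"target": "LightBulb", "info": {"color": "blue", "brightness": 80}}}}')
THERMO_MSG = json.loads('{"state": {"reported": {"target": "Thermostat", "info": {"setpoint": 21}}}}')


if __name__ == "__main__":
    rule = parse_rule(RULES[2])
    for msg in (LIGHT_MSG, THERMO_MSG):
        print(shape_message(rule, msg))
```

For the third rule the LightBulb message is forwarded as `{"info": {"color": "blue", "brightness": 80}}` and the Thermostat message is dropped, which is the filtering the slide describes; the second rule forwards each whole payload unchanged.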
Demo:
Color Cube Demo
http://bit.ly/2nS3GVN