
Getting Started with IoT - AWS July 2016 Webinar Series


Page 1: Getting Started with IoT - AWS July 2016 Webinar Series

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Olawale Oladehin, Solutions Architect

July 27, 2016

Getting Started with AWS IoT

Page 2: Getting Started with IoT - AWS July 2016 Webinar Series

What to Expect from the Session

• Overview of AWS IoT
• Securing IoT devices
• Routing and processing IoT data

Page 3: Getting Started with IoT - AWS July 2016 Webinar Series

AWS IoT

Page 4: Getting Started with IoT - AWS July 2016 Webinar Series

AWS IoT Region Availability

• US-EAST (N. Virginia)
• US-WEST (Oregon)
• EU (Ireland)
• EU (Frankfurt)
• Asia Pacific (Tokyo)
• Asia Pacific (Singapore)
• Asia Pacific (Sydney)

Page 5: Getting Started with IoT - AWS July 2016 Webinar Series

Security

Page 6: Getting Started with IoT - AWS July 2016 Webinar Series
Page 7: Getting Started with IoT - AWS July 2016 Webinar Series
Page 8: Getting Started with IoT - AWS July 2016 Webinar Series

Securing devices

Page 9: Getting Started with IoT - AWS July 2016 Webinar Series

TLS mutual authentication

1. Create CSR
2. Create X.509 certificate from CSR
3. Activate the certificate
4. Create policy
5. Attach policy to certificate

Page 10: Getting Started with IoT - AWS July 2016 Webinar Series

Securely Connect Device

• AWS IoT generated certificates
• Use your own certificate

Page 11: Getting Started with IoT - AWS July 2016 Webinar Series

Use Your Own Certificate

• Use certificates issued by your own CA
• Existing certificate issuance infrastructure
• Use certificates already on board
• Limited Internet connectivity from assembly/manufacturing locations
• Seamless provisioning of devices

8 new API calls to support management of certificates

Page 12: Getting Started with IoT - AWS July 2016 Webinar Series

Elliptic Curve Cryptography (ECC) Support

Create/register ECC certificates: NIST P-256 and NIST P-384

ECC keys are much smaller compared to RSA. Benefits:

• Shorter key length
• Lower CPU/power
• Lower memory
• Lower bandwidth required
• Faster processing

Page 13: Getting Started with IoT - AWS July 2016 Webinar Series

Elliptic Curve Cryptography (ECC) Support

Symmetric Key Size (bits) | RSA and Diffie-Hellman Key Size (bits) | Elliptic Curve Key Size (bits)
80                        | 1024                                   | 160
112                       | 2048                                   | 224
128                       | 3072                                   | 256
192                       | 7680                                   | 384
256                       | 15360                                  | 512

Table 1: National Institute of Standards and Technology (NIST) Recommended Key Sizes

Page 14: Getting Started with IoT - AWS July 2016 Webinar Series

Creating EC based certificate using AWS IoT

# Create an ECC key pair on the prime256v1 (NIST P-256) curve:

$ openssl ecparam -out ecckey.key -name prime256v1 -genkey

# Create a Certificate Signing Request (CSR) signed with the ECC key:

$ openssl req -new -sha256 -key ecckey.key -out eccCsr.csr

# Request an EC-based certificate from AWS IoT and activate it:

$ aws iot create-certificate-from-csr --certificate-signing-request file://eccCsr.csr \
    --certificate-pem-outfile eccCert.crt --set-as-active

Page 15: Getting Started with IoT - AWS July 2016 Webinar Series

AWS IoT Cipher Suites

AWS IoT supports 18 cipher suites, including:

• ECDHE-ECDSA-AES128-GCM-SHA256
• ECDHE-RSA-AES128-GCM-SHA256
• ECDHE-ECDSA-AES128-SHA256
• ECDHE-RSA-AES128-SHA256
• ECDHE-ECDSA-AES256-GCM-SHA384
• ECDHE-RSA-AES256-GCM-SHA384
• …


Page 17: Getting Started with IoT - AWS July 2016 Webinar Series

ECDHE and ECDSA ciphers support

EC Diffie-Hellman Ephemeral (ECDHE) and EC Digital Signature Algorithm (ECDSA) cipher suites provide:

• Forward secrecy
• Shared session secret

Page 18: Getting Started with IoT - AWS July 2016 Webinar Series

AWS IoT Cipher Suites

Page 19: Getting Started with IoT - AWS July 2016 Webinar Series

AWS IoT policies

Effect: Allow or Deny

Action:
• "iot:Publish" - MQTT publish
• "iot:Subscribe" - MQTT subscribe
• "iot:UpdateThingShadow" - Update a thing shadow
• "iot:GetThingShadow" - Retrieve a thing shadow
• "iot:DeleteThingShadow" - Delete a thing shadow

Resource: client, topic ARN, or topic filter ARN

Page 20: Getting Started with IoT - AWS July 2016 Webinar Series

Example publish/subscribe policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iot:Publish"],
      "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/foo"]
    },
    {
      "Effect": "Deny",
      "Action": ["iot:Subscribe"],
      "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/bar"]
    }
  ]
}

Allow access to topic/foo

Deny access to topic/bar
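How the two policy slides above are evaluated, as an added Python example that is not part of the webinar deck: it mirrors the Allow-topic/foo and Deny-topic/bar statements (plus a wildcard Allow with a Deny carved out of it), applies the IAM rules that an explicit Deny overrides any Allow and that anything unmatched is implicitly denied, and checks iot:Subscribe against the topicfilter ARN of the subscription string, which is the resource type AWS IoT uses for that action. The region, account id, extra topics and the evaluator itself are constructed assumptions, not the service's code.

```python
import re

# Constructed sample values; the region and account id mirror the slide's example ARNs.
REGION, ACCOUNT = "us-east-1", "123456789012"

def iot_arn(kind, path):
    """Build an AWS IoT topic or topicfilter ARN in the form shown on the slide."""
    return f"arn:aws:iot:{REGION}:{ACCOUNT}:{kind}/{path}"

# The slide's Allow-foo / Deny-bar statements, plus a wildcard Allow with a Deny carved out of it.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iot:Publish"],
         "Resource": [iot_arn("topic", "foo"), iot_arn("topic", "telemetry/*")]},
        {"Effect": "Deny", "Action": ["iot:Publish"],
         "Resource": [iot_arn("topic", "telemetry/admin")]},
        {"Effect": "Deny", "Action": ["iot:Subscribe"],
         "Resource": [iot_arn("topicfilter", "bar")]},
        {"Effect": "Allow", "Action": ["iot:Subscribe"],
         "Resource": [iot_arn("topicfilter", "sensors/+/temp")]},
    ],
}

def _matches(pattern, value):
    """IAM-style match: '*' is the only wildcard; MQTT '+' and '#' are literal characters here."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def is_authorized(policy, action, resource_arn):
    """Evaluate one request: an explicit Deny always wins, then any Allow, else implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_matches(a, action) for a in stmt["Action"]):
            continue
        if not any(_matches(r, resource_arn) for r in stmt["Resource"]):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def can_publish(topic):
    return is_authorized(SAMPLE_POLICY, "iot:Publish", iot_arn("topic", topic))

def can_subscribe(topic_filter):
    # Subscribe is checked against the filter string the client sends, not the topics it would expand to.
    return is_authorized(SAMPLE_POLICY, "iot:Subscribe", iot_arn("topicfilter", topic_filter))
```

Note that a subscription to sensors/1/temp is denied even though the allowed filter sensors/+/temp would deliver that topic: the policy must name the exact filter (or an IAM `*` pattern) the client subscribes with.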

Page 21: Getting Started with IoT - AWS July 2016 Webinar Series

Securing AWS resource access

Page 22: Getting Started with IoT - AWS July 2016 Webinar Series

Creating the trust relationship with AWS IoT


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": { "Service": "iot.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}

Page 23: Getting Started with IoT - AWS July 2016 Webinar Series

Securing AWS resource access

AWS Services

Page 24: Getting Started with IoT - AWS July 2016 Webinar Series

Securing user access

• WebSockets support
• Signature Version 4 authentication
• IAM roles and policies
• Amazon Cognito identity pools

• Anonymous access to iot:Subscribe
• Use your own application-level authentication patterns

Page 25: Getting Started with IoT - AWS July 2016 Webinar Series

Routing noise

Page 26: Getting Started with IoT - AWS July 2016 Webinar Series

Device Gateway

Page 27: Getting Started with IoT - AWS July 2016 Webinar Series

Publish / Subscribe

Standard protocol support: MQTT, HTTP, WebSockets

Long-lived connections: receive signals from the cloud

Secure by default: connect securely via X.509 certs and TLS 1.2 client mutual auth

Page 28: Getting Started with IoT - AWS July 2016 Webinar Series

Sensor messages: standard protocol support (MQTT, HTTP, WebSockets)

Topic/channel: message routing hierarchy, control over the full tree

Payload (JSON): customer-defined JSON payload

Page 29: Getting Started with IoT - AWS July 2016 Webinar Series

Finding the signals

Page 30: Getting Started with IoT - AWS July 2016 Webinar Series

Extracting the value from messages

• Filter messages with certain criteria
• Move messages to other topics
• Move messages to other systems
• Transform the payload of messages
• Predict messages based on trends
• React based on messages

Page 31: Getting Started with IoT - AWS July 2016 Webinar Series

Rules Engine

Page 32: Getting Started with IoT - AWS July 2016 Webinar Series

AWS IoT SQL reference

SELECT DATA FROM TOPIC WHERE FILTER

• Like scanning a database table
• Default source is an MQTT topic

EXAMPLES:
• FROM mqtt('my/topic')
• FROM mqtt('my/wildcard/+/topic')
• FROM ('my/topic')

Page 33: Getting Started with IoT - AWS July 2016 Webinar Series

Rules engine

• Familiar SQL syntax: SELECT * FROM topic WHERE filter

• Functions
  • String manipulation (regex support)
  • Mathematical operations
  • Context-based helper functions
  • Crypto support
  • UUID, timestamp, rand, etc.

• Execute simultaneous actions

Page 34: Getting Started with IoT - AWS July 2016 Webinar Series

Rules engine versions

• Versioning
  • 2016-10-08 – Original version
  • 2016-03-23-beta – Beta version released on a specific date
  • beta – Latest beta version (breaking changes!)

{
  "sql": "expression",
  "ruleDisabled": false,
  "awsIotSqlVersion": "2016-03-23-beta",
  "actions": [{
    "republish": {
      "topic": "my-mqtt-topic",
      "roleArn": "arn:aws:iam::123456789012:role/my-iot-role"
    }
  }]
}

Page 35: Getting Started with IoT - AWS July 2016 Webinar Series

Rules engine features

JSON collections:
• get(array, int) – get item at index of array
• get(string, int) – get character at position of string
• get(object, key) – get value of key

SUB SELECT from collections:
• SELECT (SELECT v FROM e WHERE n = 'temperature') AS temperature FROM 'topic'

Page 36: Getting Started with IoT - AWS July 2016 Webinar Series

AWS IoT device shadow

Page 37: Getting Started with IoT - AWS July 2016 Webinar Series

AWS IoT Device Shadow

Page 38: Getting Started with IoT - AWS July 2016 Webinar Series

1. Device publishes current state
2. Persist JSON data store
3. App requests device's current state
4. App requests a change to the state
5. Device shadow syncs updated state
6. Device publishes current state
7. Device shadow confirms state change

AWS IoT device shadow flow

Page 39: Getting Started with IoT - AWS July 2016 Webinar Series

AWS IoT device shadow: Simple yet powerful

{
  "state": {
    "desired": {
      "lights": { "color": "RED" },
      "engine": "ON"
    },
    "reported": {
      "lights": { "color": "GREEN" },
      "engine": "ON"
    },
    "delta": {
      "lights": { "color": "RED" }
    }
  },
  "version": 10
}

Device
• Report its current state to one or multiple shadows
• Retrieve its desired state from the shadow

Mobile App
• Set the desired state of a device
• Get the last reported state of the device
• Delete the shadow

Shadow
• Reports delta, desired, and reported states along with metadata and version
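The shadow behaviour the flow and document slides describe, as an added Python example that is not from the deck: it starts from the slide's document, derives state.delta from desired versus reported (only attributes that differ appear, so "engine" does not), merges a reported update the way steps 6 and 7 of the flow do, increments the version, and rejects an update whose expected version is stale. The function names and the in-memory merge are assumptions modelling the service, not its code.

```python
import copy

# Constructed shadow document mirroring the slide: desired RED, reported GREEN, engine ON on both sides.
SAMPLE_SHADOW = {
    "state": {"desired": {"lights": {"color": "RED"}, "engine": "ON"},
              "reported": {"lights": {"color": "GREEN"}, "engine": "ON"}},
    "version": 10,
}

def compute_delta(desired, reported):
    """Return the subset of desired that differs from reported, or None when they agree."""
    if not isinstance(desired, dict) or not isinstance(reported, dict):
        return None if desired == reported else desired
    delta = {}
    for key, want in desired.items():
        sub = compute_delta(want, reported[key]) if key in reported else want
        if sub is not None:
            delta[key] = sub
    return delta or None

def with_delta(shadow):
    """Recompute state.delta the way the service does after every update."""
    doc = copy.deepcopy(shadow)
    state = doc["state"]
    delta = compute_delta(state.get("desired", {}), state.get("reported", {}))
    if delta is None:
        state.pop("delta", None)       # in sync: no delta section at all
    else:
        state["delta"] = delta
    return doc

def _merge(target, patch):
    for key, value in patch.items():
        if value is None:
            target.pop(key, None)      # null deletes an attribute
        elif isinstance(value, dict) and isinstance(target.get(key), dict):
            _merge(target[key], value) # nested objects merge instead of being replaced
        else:
            target[key] = value

def apply_update(shadow, update, expected_version=None):
    """Merge an update (from the device or an app); a stale version is rejected as a conflict."""
    if expected_version is not None and expected_version != shadow["version"]:
        raise ValueError(f"version conflict: shadow is at {shadow['version']}")
    doc = copy.deepcopy(shadow)
    for section, patch in update.get("state", {}).items():
        _merge(doc["state"].setdefault(section, {}), patch)
    doc["version"] += 1
    return with_delta(doc)
```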

Page 40: Getting Started with IoT - AWS July 2016 Webinar Series

Device SDKs

Page 41: Getting Started with IoT - AWS July 2016 Webinar Series

Device SDK support

Based on open standards like Eclipse Paho

• C
• Arduino (Yun)
• iOS (Swift)
• Android
• NodeJS (WebSocket support)
• JS SDK for statically hosted site (WebSockets)
• Python
• Java

Page 42: Getting Started with IoT - AWS July 2016 Webinar Series

Summary

• AWS IoT Overview
• AWS IoT Security
• AWS IoT Device Gateway and Rules Engine
• AWS IoT Device Shadow

Page 43: Getting Started with IoT - AWS July 2016 Webinar Series

Thank you!