AWS IoT: A Concise Tutorial in Just an Hour – FREE
Last updated on 7 Jul 2020
What is AWS IoT?
AWS IoT provides secure, bi-directional communication between Internet-connected devices such as sensors, actuators, embedded micro-controllers, or smart appliances and the AWS Cloud. This enables you to collect telemetry data from multiple devices, and store and analyze the data. You can also create applications that enable your users to control these devices from their phones or tablets.
AWS IoT components
AWS IoT consists of the following components:
Alexa Voice Service (AVS) Integration for AWS IoT
- Brings Alexa Voice to any connected device. AVS for AWS IoT reduces the cost and complexity of integrating Alexa. This feature leverages AWS IoT to offload intensive computational and memory audio tasks from the device to the cloud. Because of the resulting reduction in the engineering bill of materials (eBoM) cost, device makers can cost-effectively bring Alexa to resource-constrained IoT devices and enable consumers to talk directly to Alexa in parts of their home, office, or hotel rooms for an ambient experience.
- AVS for AWS IoT enables Alexa built-in functionality on MCUs, such as the ARM Cortex M class with less than 1 MB embedded RAM. To do so, AVS offloads memory and compute tasks to a virtual Alexa Built-in device in the cloud. This reduces eBoM cost by up to 50 percent.
Custom Authentication service
- You can define custom authorizers that allow you to manage your own authentication and authorization strategy using a custom authentication service and a Lambda function. Custom authorizers allow AWS IoT to authenticate your devices and authorize operations using bearer token authentication and authorization strategies.
- Custom authorizers can implement various authentication strategies (for example, JSON Web Token verification, OAuth provider callout, and so on) and must return policy documents that are used by the device gateway to authorize MQTT operations.
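As an added illustration (not code from this tutorial or from AWS), a custom authorizer Lambda in Python that verifies an HS256 JSON Web Token with only the standard library and returns the response shape AWS IoT expects (isAuthenticated, principalId, policyDocuments). The shared secret, the claim layout (sub = client ID, exp), the ARN prefix and the topic name are constructed assumptions for the demo.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"          # constructed HS256 key shared with the token issuer
ARN_PREFIX = "arn:aws:iot:REGION:ACCOUNT_ID"  # placeholders for your region and account ID

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def make_jwt(claims: dict, secret: bytes) -> str:
    """Issuer side (constructed for this demo): mint an HS256 JWT."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt_hs256(token: str, secret: bytes, now: int) -> dict:
    """Return the claims if the signature is valid and the token is unexpired."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_unb64url(header_b64)).get("alg") != "HS256":
        raise ValueError("unsupported alg")  # pin the algorithm; never let the token choose it
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(payload_b64))
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims

def lambda_handler(event: dict, context=None, now=None) -> dict:
    """Custom authorizer entry point: AWS IoT passes the token and the MQTT client ID."""
    client_id = event.get("protocolData", {}).get("mqtt", {}).get("clientId", "")
    try:
        claims = verify_jwt_hs256(event["token"], SECRET, now or int(time.time()))
    except (KeyError, ValueError):
        return {"isAuthenticated": False}
    if claims.get("sub") != client_id:  # the token must name the connecting client
        return {"isAuthenticated": False}
    policy = {"Version": "2012-10-17", "Statement": [  # least privilege: own client ID, own topic
        {"Effect": "Allow", "Action": "iot:Connect", "Resource": f"{ARN_PREFIX}:client/{client_id}"},
        {"Effect": "Allow", "Action": "iot:Publish",
         "Resource": f"{ARN_PREFIX}:topic/devices/{client_id}/telemetry"}]}
    return {"isAuthenticated": True, "principalId": client_id, "disconnectAfterInSeconds": 3600,
            "refreshAfterInSeconds": 300, "policyDocuments": [policy]}
```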
Device gateway
- Enables devices to securely and efficiently communicate with AWS IoT.
Device Provisioning service
- Allows you to provision devices using a template that describes the resources required for your device: a thing, a certificate, and one or more policies. A thing is an entry in the registry that contains attributes that describe a device. Devices use certificates to authenticate with AWS IoT. Policies determine which operations a device can perform in AWS IoT.
- The templates contain variables that are replaced by values in a dictionary (map). You can use the same template to provision multiple devices just by passing in different values for the template variables in the dictionary.
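An added example, not part of this tutorial: a small resolver that fills a provisioning template from a parameter dictionary in the way the text describes, so the same template provisions several devices. The template is constructed in the AWS IoT provisioning-template format (Parameters with optional Default, Resources containing {"Ref": "<name>"} placeholders); the parameter names are this example's own, and the colon check applies the thing-naming rule given later in this tutorial.

```python
import json

# Constructed template in the AWS IoT provisioning-template format: "Parameters" declares
# the variables, and each {"Ref": "<name>"} under "Resources" is replaced at provisioning
# time by the value supplied for that variable.
TEMPLATE = json.loads("""{
  "Parameters": {"ThingName": {"Type": "String"}, "SerialNumber": {"Type": "String"},
                 "CSR": {"Type": "String"}, "Location": {"Type": "String", "Default": "unassigned"}},
  "Resources": {
    "thing": {"Type": "AWS::IoT::Thing", "Properties": {
        "ThingName": {"Ref": "ThingName"},
        "AttributePayload": {"serial": {"Ref": "SerialNumber"}, "location": {"Ref": "Location"}}}},
    "certificate": {"Type": "AWS::IoT::Certificate", "Properties": {
        "CertificateSigningRequest": {"Ref": "CSR"}, "Status": "ACTIVE"}},
    "policy": {"Type": "AWS::IoT::Policy", "Properties": {"PolicyName": "DevicePolicy"}}}
}""")

def _substitute(node, values: dict):
    """Recursively replace {"Ref": name} with values[name]; other nodes are copied."""
    if isinstance(node, dict):
        if set(node) == {"Ref"}:
            if node["Ref"] not in values:
                raise KeyError(f"unresolved Ref: {node['Ref']}")
            return values[node["Ref"]]
        return {k: _substitute(v, values) for k, v in node.items()}
    if isinstance(node, list):
        return [_substitute(v, values) for v in node]
    return node

def resolve_template(template: dict, parameters: dict) -> dict:
    """Fill the template's Resources from a parameter dictionary.
    Declared defaults apply when a value is absent; a missing required parameter,
    an undeclared parameter, and a thing name containing ':' are rejected."""
    declared = template.get("Parameters", {})
    unknown = sorted(set(parameters) - set(declared))
    if unknown:
        raise ValueError(f"undeclared parameters: {unknown}")
    values = {}
    for name, spec in declared.items():
        if name in parameters:
            values[name] = parameters[name]
        elif "Default" in spec:
            values[name] = spec["Default"]
        else:
            raise ValueError(f"missing required parameter: {name}")
    resources = _substitute(template["Resources"], values)
    for res in resources.values():  # naming rule from this tutorial: ':' is a delimiter in AWS IoT
        if res.get("Type") == "AWS::IoT::Thing" and ":" in str(res["Properties"].get("ThingName", "")):
            raise ValueError("thing name must not contain ':'")
    return resources
```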
Device shadow
- A JSON document used to store and retrieve current state information for a device.
Device Shadow service
- Provides persistent representations of your devices in the AWS Cloud. You can publish updated state information to a device’s shadow, and your device can synchronize its state when it connects. Your devices can also publish their current state to a shadow for use by applications or other devices.
Group registry
- Groups allow you to manage several devices at once by categorizing them into groups. Groups can also contain groups, so you can build a hierarchy of groups. Any action you perform on a parent group applies to its child groups and to all the devices in it and in all of its child groups. Permissions given to a group apply to all devices in the group and in all of its child groups.
Jobs service
- Allows you to define a set of remote operations that are sent to and executed on one or more devices connected to AWS IoT. For example, you can define a job that instructs a set of devices to download and install application or firmware updates, reboot, rotate certificates, or perform remote troubleshooting operations.
- To create a job, you specify a description of the remote operations to be performed and a list of targets that should perform them. The targets can be individual devices, groups or both.
Message broker
- Provides a secure mechanism for devices and AWS IoT applications to publish and receive messages from each other. You can use either the MQTT protocol directly or MQTT over WebSocket to publish and subscribe. You can use the HTTP REST interface to publish.
Registry
- Organizes the resources associated with each device in the AWS Cloud. You register your devices and associate up to three custom attributes with each one. You can also associate certificates and MQTT client IDs with each device to improve your ability to manage and troubleshoot them.
Rules engine
- Provides message processing and integration with other AWS services. You can use an SQL-based language to select data from message payloads, and then process and send the data to other services, such as Amazon S3, Amazon DynamoDB, and AWS Lambda. You can also use the message broker to republish messages to other subscribers.
Security and Identity service
- Provides shared responsibility for security in the AWS Cloud. Your devices must keep their credentials safe in order to securely send data to the message broker. The message broker and rules engine use AWS security features to send data securely to devices or other AWS services.
How AWS IoT works
- AWS IoT enables internet-connected devices to connect to the AWS Cloud and lets applications in the cloud interact with internet-connected devices. Common IoT applications either collect and process telemetry from devices or enable users to control a device remotely.
- The state of each device connected to AWS IoT is stored in a device shadow. The Device Shadow service manages device shadows by responding to requests to retrieve or update device state data. The Device Shadow service makes it possible for devices to communicate with applications and for applications to communicate with devices.
- Communication between a device and AWS IoT is protected through the use of X.509 certificates. AWS IoT can generate a certificate for you or you can use your own. In either case, the certificate must be registered and activated with AWS IoT, and then copied onto your device. When your device communicates with AWS IoT, it presents the certificate to AWS IoT as a credential.
- We recommend that all devices that connect to AWS IoT have an entry in the registry. The registry stores information about a device and the certificates that are used by the device to secure communication with AWS IoT.
- You can create rules that define one or more actions to perform based on the data in a message. For example, you can insert, update, or query a DynamoDB table or invoke a Lambda function. Rules use expressions to filter messages. When a rule matches a message, the rules engine triggers the action using the selected properties. Rules also contain an IAM role that grants AWS IoT permission to the AWS resources used to perform the action.
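An added example (not from this tutorial or from an AWS SDK) that models the Device Shadow behaviour described in the components list and in the bullets above: a desired and a reported section, a delta that exists only while they differ, a null value deleting a key, and a version check that rejects a stale update so that two writers do not silently overwrite each other. The class and method names are this example's own.

```python
import copy

def _merge(target: dict, patch: dict) -> None:
    """Apply an update in place: nested objects merge, a null value deletes the key."""
    for key, value in patch.items():
        if value is None:
            target.pop(key, None)
        elif isinstance(value, dict) and isinstance(target.get(key), dict):
            _merge(target[key], value)
        else:
            target[key] = copy.deepcopy(value)

def _delta(desired: dict, reported: dict) -> dict:
    """Desired values that differ from reported: what the device still has to apply."""
    out = {}
    for key, want in desired.items():
        have = reported.get(key)
        if isinstance(want, dict) and isinstance(have, dict):
            sub = _delta(want, have)
            if sub:
                out[key] = sub
        elif want != have:
            out[key] = want
    return out

class Shadow:
    """Simplified stand-in for one device shadow: desired/reported state plus a version."""

    def __init__(self):
        self.state = {"desired": {}, "reported": {}}
        self.version = 0

    def update(self, request: dict) -> dict:
        """Handle {"state": {"desired" | "reported": {...}}, "version": n}.
        A request carrying a stale version is rejected (optimistic concurrency)."""
        if "version" in request and request["version"] != self.version:
            raise ValueError(f"version conflict: shadow is at {self.version}")
        for section in ("desired", "reported"):
            if section in request.get("state", {}):
                _merge(self.state[section], request["state"][section])
        self.version += 1
        return self.get()

    def get(self) -> dict:
        """Current document; 'delta' is present only while desired != reported."""
        doc = {"state": copy.deepcopy(self.state), "version": self.version}
        delta = _delta(self.state["desired"], self.state["reported"])
        if delta:
            doc["state"]["delta"] = delta
        return doc
```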
Accessing AWS IoT
AWS IoT provides the following interfaces to create and interact with your devices:
- AWS Command Line Interface (AWS CLI)—Run commands for AWS IoT on Windows, macOS, and Linux. These commands allow you to create and manage things, certificates, rules, and policies. To get started, see the AWS Command Line Interface User Guide. For more information about the commands for AWS IoT, see iot in the AWS CLI Command Reference.
- AWS IoT API—Build your IoT applications using HTTP or HTTPS requests. These API actions allow you to programmatically create and manage things, certificates, rules, and policies. For more information about the API actions for AWS IoT.
- AWS SDKs—Build your IoT applications using language-specific APIs. These SDKs wrap the HTTP/HTTPS API and allow you to program in any of the supported languages.
- AWS IoT Device SDKs—Build applications that run on devices that send messages to and receive messages from AWS IoT.
Getting started with AWS IoT Core
This tutorial shows you how to create resources required to send, receive, and process MQTT messages from devices using AWS IoT Core. You use an MQTT client to emulate an IoT device.
- Setting up
- Sign in to the AWS IoT console
- Create a thing
- Register a device
- Configure your device
- View MQTT messages with the AWS IoT MQTT client
- Configure and test rules
- Create and track an AWS IoT Core job
Sign up for AWS
When you sign up for AWS, your account is automatically signed up for all services in AWS, including AWS IoT Device Defender. If you already have an AWS account, skip to the next task. If you do not have an AWS account, complete the following steps to create one.
To sign up for an AWS account
- Open https://portal.aws.amazon.com/billing/signup.
- Follow the online instructions.
Part of the sign-up procedure involves receiving a phone call and entering a verification code on the phone keypad.
Note your AWS account number, because you need it for the next task.
Create an IAM user
This procedure describes how to create an IAM user for yourself and add that user to a group that has administrative permissions from an attached managed policy.
To create an administrator user for yourself and add the user to an administrators group (console)
- Sign in to the IAM console as the account owner by choosing Root user and entering your AWS account email address. On the next page, enter your password.
- In the navigation pane, choose Users and then choose Add user.
- For User name, enter Administrator.
- Select the check box next to AWS Management Console access. Then select Custom password, and then enter your new password in the text box.
- (Optional) By default, AWS requires the new user to create a new password when first signing in. You can clear the check box next to User must create a new password at next sign-in to allow the new user to reset their password after they sign in.
- Choose Next: Permissions.
- Under Set permissions, choose Add user to group.
- Choose Create group.
- In the Create group dialog box, for Group name enter Administrators.
- Choose Filter policies, and then select AWS managed - job function to filter the table contents.
- In the policy list, select the check box for AdministratorAccess. Then choose Create group.
- Back in the list of groups, select the check box for your new group. Choose Refresh if necessary to see the group in the list.
- Choose Next: Tags.
- (Optional) Add metadata to the user by attaching tags as key-value pairs. For more information about using tags in IAM, see Tagging IAM Entities in the IAM User Guide.
- Choose Next: Review to see the list of group memberships to be added to the new user. When you are ready to proceed, choose Create user.
You can use this same process to create more groups and users and to give your users access to your AWS account resources. To learn about using policies that restrict user permissions to specific AWS resources, see Access Management and Example Policies.
Create a thing
Devices connected to AWS IoT are represented by things in the AWS IoT registry. A thing represents a specific device or logical entity. It can be a physical device or sensor (for example, a light bulb or a switch on the wall). It can also be a logical entity, like an instance of an application or physical entity that does not connect to AWS IoT, but is related to other devices that do (for example, a car that has engine sensors or a control panel).
To create a thing
- On the Welcome to the AWS IoT Console page, in the navigation pane, choose Manage.
- On the You don’t have any things yet page, choose Register a thing.
- On the Creating AWS IoT things page, choose Create a single thing.
- On the Create a thing page, in the Name field, enter a name for your thing, such as MyIotThing. Choose Next. To change a thing’s name, you must create a new thing, give it the new name, and then delete the old thing.
When naming your thing objects:
- You should not use personally identifiable information in your thing name. The thing name can appear in unencrypted communications and reports.
- You should not use a colon character ( : ) in a thing name. The colon character is used as a delimiter by other AWS IoT services and this can cause them to parse strings with thing names incorrectly.
Register a device
The registry allows you to keep a record of all of the devices that are registered to your AWS IoT Core account.
Configure your device
To communicate with AWS IoT Core, all devices must have a device certificate, private key, and root CA certificate installed. Consult your device’s documentation to connect to it and copy your device certificate, private key, and root CA certificate onto your device.
If you don’t have an IoT-ready device, you can use the MQTT client, the AWS IoT Device SDKs, or the AWS CLI. For more information, see the Using the AWS IoT device SDKs on a Raspberry Pi section. The tutorials use a Raspberry Pi, but can easily be adapted for use with other types of computers.
Rules for AWS IoT
Rules give your devices the ability to interact with AWS services. Rules are analyzed and actions are performed based on the MQTT topic stream. You can use rules to support tasks like these:
- Augment or filter data received from a device.
- Write data received from a device to an Amazon DynamoDB database.
- Save a file to Amazon S3.
- Send a push notification to all users using Amazon SNS.
- Publish data to an Amazon SQS queue.
- Invoke a Lambda function to extract data.
- Process messages from a large number of devices using Amazon Kinesis.
- Send data to the Amazon Elasticsearch Service.
- Capture a CloudWatch metric.
- Change a CloudWatch alarm.
- Send the data from an MQTT message to Amazon Machine Learning to make predictions based on an Amazon ML model.
- Send a message to a Salesforce IoT Input Stream.
- Send message data to an AWS IoT Analytics channel.
- Start execution of a Step Functions state machine.
- Send message data to an AWS IoT Events input.
- Send message data to an asset property in AWS IoT SiteWise.
- Send message data to a web application or service.
Your rules can use MQTT messages that pass through the publish/subscribe Message broker for AWS IoT or, using the Basic Ingest feature, you can securely send device data to the AWS services listed above without incurring messaging costs. (The Basic Ingest feature optimizes data flow by removing the publish/subscribe message broker from the ingestion path, so it is more cost effective while keeping the security and data processing features of AWS IoT.)
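An added example, not the page's or AWS's code: a Python stand-in that shows how a rule selects messages first by MQTT topic filter (the '+' and '#' wildcards as defined by MQTT) and then by payload content, before handing the selected fields to an action. A plain predicate replaces the rules engine's SQL WHERE clause, and the sample topics and payloads are constructed.

```python
import json
from typing import Callable, List, Optional

def topic_matches(topic_filter: str, topic: str) -> bool:
    """MQTT topic-filter match: '+' matches exactly one level; '#' is allowed only as the
    last level and matches the remainder of the topic (zero or more levels)."""
    f_parts, t_parts = topic_filter.split("/"), topic.split("/")
    for i, part in enumerate(f_parts):
        if part == "#":
            return i == len(f_parts) - 1
        if i >= len(t_parts) or (part != "+" and part != t_parts[i]):
            return False
    return len(f_parts) == len(t_parts)

class Rule:
    """Stand-in for a topic rule: FROM a topic filter, WHERE a predicate holds, SELECT fields."""

    def __init__(self, topic_filter: str, select: List[str],
                 where: Callable[[dict], bool], action: Callable[[dict], None]):
        self.topic_filter, self.select, self.where, self.action = topic_filter, select, where, action

    def evaluate(self, topic: str, payload: bytes) -> Optional[dict]:
        """Return the record handed to the action, or None if the rule did not fire."""
        if not topic_matches(self.topic_filter, topic):
            return None
        try:
            msg = json.loads(payload)
        except ValueError:
            return None                     # field selection needs a JSON object payload
        if not isinstance(msg, dict) or not self.where(msg):
            return None
        record = {field: msg.get(field) for field in self.select}
        record["topic"] = topic             # the topic the message arrived on, like topic()
        self.action(record)
        return record

def run_sample() -> List[dict]:
    """Feed constructed MQTT messages through an over-temperature rule; returns the records
    the action (here: appending to a list) received, one per matching message."""
    forwarded: List[dict] = []
    rule = Rule("sensors/+/telemetry", ["device", "temperature"],
                lambda m: isinstance(m.get("temperature"), (int, float)) and m["temperature"] > 30,
                forwarded.append)
    samples = [  # constructed sample traffic
        ("sensors/room1/telemetry", b'{"device": "room1", "temperature": 34.5}'),
        ("sensors/room2/telemetry", b'{"device": "room2", "temperature": 21.0}'),
        ("sensors/room3/status", b'{"device": "room3", "temperature": 99}'),  # wrong topic
        ("sensors/room4/telemetry", b'not json'),
    ]
    for topic, payload in samples:
        rule.evaluate(topic, payload)
    return forwarded
```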