AWS Summit Auckland- Developing Applications for IoT
Transcript of AWS Summit Auckland- Developing Applications for IoT
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Adam Larter, Principal Solutions Architect, Amazon Web Services
Jarred Clayton, EVP Engineering, EROAD
Developing applications for the Internet of Things with AWS IoT
AWS IoT, AWS Lambda & AWS Cognito
Session depth: Technical 301 (scale: Business 101, Technical 201, Technical 301, Technical 401)
What to Expect from Today’s Session
• Dive Deep on AWS IoT
• Patterns for Building IoT Applications
• Creating Applications using AWS IoT, Amazon Cognito, AWS Lambda and Amazon API Gateway
• Customer Story – EROAD
• A few Demonstrations and Audience Participation
Example: Connected City (demo: bit.ly/summitiot)
Light Bulb Moment (architecture diagram, built up over four slides)
Diagram 1 components: Amazon CloudFront, Amazon S3 bucket, AWS IoT, IoT shadow, Amazon Cognito
Diagram 2 components: AWS IoT, IoT shadow, Amazon Cognito
Diagram 3 components: Amazon CloudFront, Amazon S3 bucket, AWS IoT, Amazon Cognito, IoT shadow, AWS Lambda
Diagram 4 components: Amazon CloudFront, Amazon S3 bucket, Amazon Cognito, IoT shadow, AWS Lambda, AWS IoT
Demo: bit.ly/summitiotcolour
AWS IoT
DEVICE SDK: set of client libraries to connect, authenticate and exchange messages
DEVICE GATEWAY: communicate with devices via MQTT and HTTP
AUTHENTICATION / AUTHORISATION: secure with mutual authentication and encryption
RULES ENGINE: transform messages based on rules and route to AWS services and third-party (3P) services
DEVICE SHADOW: persistent thing state during intermittent connections
DEVICE REGISTRY: identity and management of your things
APPLICATIONS: AWS IoT API
Patterns for IoT on AWS

Broadcast Pattern
The Weather Service publishes one message (PUB: au/sydney/weather); every device subscribed to that topic (SUB: au/sydney/weather) receives the same message and reacts in its own way: reduce speed, ignore, turn on headlights.
{
"forecast" : "storm",
"prob" : "85%",
"temp" : 14
}

Point to Point
The Mobile App publishes a command (PUB: kettle/100); the Kettle Appliance subscribed to that topic (SUB: kettle/100) receives it.
{
"power" : "on",
"turbo" : "true"
}

Fan Out Notification Pattern
The Repair Service looks up the repair inventory in Amazon DynamoDB and publishes to a per-device topic (PUB: SN/{serial}/repair). Each machine subscribes only to its own serial number (SUB: SN/2389/repair, SUB: SN/2390/repair), so each receives only its own notification; the reactions differ too: alert the operator to schedule a maintenance window, or change gears / reduce load on equipment.
PUB: SN/2389/repair
{
"part" : "4921",
"status" : "shipped"
}
PUB: SN/2390/repair
{
"part" : "7822",
"status" : "delayed"
}

Aggregator Pattern
Home appliances report to a Smart Hub, which publishes aggregated alerts to AWS IoT (Alert: Kettle boiling; Alert: Toast ready).
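The three messaging patterns above can be replayed offline. The following is an added example, not code from the slides or the AWS SDK: a tiny in-process stand-in for the AWS IoT message broker using the slide's topic names and payloads. The broker class, the MQTT wildcard matching (`+` for one level, `#` for the rest, which AWS IoT supports) and the fleet "dashboard" subscriber on `SN/+/repair` are this example's assumptions; the dashboard shows why a per-serial topic is a least-privilege choice for machines while still letting an operator view the whole fleet.

```python
"""Added example (not from the AWS Summit slides): an in-process stand-in for the
AWS IoT broker that replays the Broadcast, Point to Point and Fan Out patterns."""
import json
from collections import defaultdict


def topic_matches(topic_filter: str, topic: str) -> bool:
    """MQTT topic-filter matching: '+' matches exactly one level, '#' matches
    the remainder of the topic (including zero levels)."""
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    for i, level in enumerate(f_levels):
        if level == "#":
            return True
        if i >= len(t_levels):
            return False
        if level != "+" and level != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)


class ToyBroker:
    """Holds subscriptions (filter -> subscriber names) and delivers publishes."""

    def __init__(self):
        self.subscriptions = defaultdict(list)   # topic filter -> [subscriber]
        self.inbox = defaultdict(list)           # subscriber -> [(topic, body)]

    def subscribe(self, subscriber: str, topic_filter: str) -> None:
        self.subscriptions[topic_filter].append(subscriber)

    def publish(self, topic: str, payload: dict) -> list:
        """Deliver one message; returns the subscribers that received it."""
        delivered = []
        body = json.dumps(payload)
        for topic_filter, subscribers in self.subscriptions.items():
            if topic_matches(topic_filter, topic):
                for name in subscribers:
                    self.inbox[name].append((topic, body))
                    delivered.append(name)
        return delivered


def run_patterns() -> dict:
    """Replays the slide's three patterns; returns who received each message."""
    broker = ToyBroker()

    # Broadcast: many vehicles (constructed names) subscribe to one weather topic.
    for vehicle in ("truck-1", "truck-2", "car-9"):
        broker.subscribe(vehicle, "au/sydney/weather")
    broadcast = broker.publish(
        "au/sydney/weather", {"forecast": "storm", "prob": "85%", "temp": 14})

    # Point to point: the mobile app commands exactly one kettle.
    broker.subscribe("kettle-100", "kettle/100")
    p2p = broker.publish("kettle/100", {"power": "on", "turbo": "true"})

    # Fan out: each machine subscribes only to its own serial number, so it can
    # never see another machine's repair notice.  The dashboard (assumed here,
    # not on the slide) uses the '+' wildcard to watch every serial at once.
    broker.subscribe("machine-2389", "SN/2389/repair")
    broker.subscribe("machine-2390", "SN/2390/repair")
    broker.subscribe("dashboard", "SN/+/repair")
    fan_2389 = broker.publish("SN/2389/repair", {"part": "4921", "status": "shipped"})
    fan_2390 = broker.publish("SN/2390/repair", {"part": "7822", "status": "delayed"})

    return {
        "broadcast": broadcast,
        "point_to_point": p2p,
        "fan_out_2389": fan_2389,
        "fan_out_2390": fan_2390,
        "machine_2390_inbox": broker.inbox["machine-2390"],
    }


if __name__ == "__main__":
    for name, who in run_patterns().items():
        print(f"{name}: {who}")
```

In the real service the policy attached to each machine's certificate would restrict `iot:Subscribe` to its own `topicfilter/SN/<serial>/repair`, so the topic layout and the policy reinforce each other.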
AWS IoT – How do we Secure Communications?
• Mutual authentication: X.509 certificate-based auth. Devices use certificate-based authentication; we assign policies to certificates.
• AWS SigV4: browsers use WebSockets, with connections signed using SigV4; we assign policies to the user principal.
• Amazon Cognito simplifies signing SigV4 requests: the SDK simplifies interfacing with Cognito to obtain limited-privilege AWS credentials.
AWS IoT – Securing Device Connections
IoT 'Thing' (LightBulb) = IoT certificate & private key + IoT policy (granting access to MQTT topics), registered with AWS IoT.
The certificate is provisioned by the device manufacturer.
AWS IoT has the public key to confirm the authenticity of the certificate, and the connection between the Thing and the AWS IoT service is encrypted.
Based on the certificate presented by the Thing, the associated IoT Policy is applied to allow/deny actions to resources (such as publishing to certain MQTT topics).
AWS IoT Policies are attached to Principals. A Principal can be either a certificate or a Cognito Identity.

Amazon Cognito Security Architecture (diagram)
End Users log in with a public identity provider (OAuth/OpenID) and receive an Access Token. The Cognito Identity Broker exchanges the Access Token for a Cognito ID and temporary credentials (User ID + Temp Credentials), which give access to AWS services including AWS IoT. The Developer configures the Pool ID and Role ARNs in the AWS Management Console. Your User Pools: released in Public Beta.
On the AWS IoT side, the IoT policy (granting access to MQTT topics) is attached to the Cognito Identity: 'Bob' = Amazon Cognito Identity + IoT policy.
AWS IoT – Securing Browser Connections
Authentication is performed by a public or custom identity provider.
The web browser connects via HTTP with a SigV4-signed URL using Cognito-supplied credentials and then upgrades the connection to use WebSockets.
The administrator has previously called "attach-principal-policy" to associate the IoT policy with the Cognito Identity Id.
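What the browser actually sends in that first HTTP request is a URL signed with AWS Signature Version 4 in query-string form. The block below is an added example, not code from the slides, the AWS SDK or Amazon: it builds such a URL for the `iotdevicegateway` service following the documented SigV4 query-string steps (canonical request, string to sign, derived signing key). The endpoint, access key, secret key, session token and timestamp are constructed placeholders; `parse_presigned_url` is a helper of this example so the result can be inspected.

```python
"""Added example, not from the slides: SigV4 presigned URL for the AWS IoT
WebSocket endpoint, which the browser presents before upgrading to WebSockets."""
import datetime
import hashlib
import hmac
import urllib.parse

SERVICE = "iotdevicegateway"
# Constructed fixed timestamp so the example is reproducible.
EXAMPLE_TIME = datetime.datetime(2016, 6, 1, 12, 0, 0, tzinfo=datetime.timezone.utc)


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signing_key(secret_key: str, date_stamp: str, region: str) -> bytes:
    """kSecret -> kDate -> kRegion -> kService -> kSigning, as SigV4 specifies."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, SERVICE)
    return _hmac_sha256(k_service, "aws4_request")


def presigned_iot_wss_url(endpoint: str, region: str, access_key: str,
                          secret_key: str, session_token: str = None,
                          now: datetime.datetime = None) -> str:
    """Return wss://<endpoint>/mqtt?... signed for GET with an empty payload."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"

    # Query parameters go into the canonical request sorted by name, URL-encoded.
    query = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-SignedHeaders": "host",
    }
    canonical_query = "&".join(
        f"{urllib.parse.quote(k, safe='')}={urllib.parse.quote(v, safe='')}"
        for k, v in sorted(query.items()))

    payload_hash = hashlib.sha256(b"").hexdigest()   # GET has no body
    canonical_request = "\n".join([
        "GET", "/mqtt", canonical_query,
        f"host:{endpoint}\n",          # canonical headers, then a blank line
        "host",                        # signed headers
        payload_hash,
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(_signing_key(secret_key, date_stamp, region),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()

    url = f"wss://{endpoint}/mqtt?{canonical_query}&X-Amz-Signature={signature}"
    if session_token:
        # Cognito credentials are temporary; the token is appended after signing
        # and is not itself part of the signed query string.
        url += "&X-Amz-Security-Token=" + urllib.parse.quote(session_token, safe="")
    return url


def parse_presigned_url(url: str) -> dict:
    """Helper for inspection: split the URL into scheme, host, path and query."""
    parts = urllib.parse.urlsplit(url)
    query = {k: v[0] for k, v in urllib.parse.parse_qs(parts.query).items()}
    return {"scheme": parts.scheme, "host": parts.netloc,
            "path": parts.path, "query": query}


if __name__ == "__main__":
    print(presigned_iot_wss_url("example-ats.iot.us-east-1.amazonaws.com",
                                "us-east-1", "AKIAEXAMPLE", "secretexample",
                                session_token="example-token", now=EXAMPLE_TIME))
```

Because the signature covers the date and the credential scope, a captured URL is only useful for the signing window and only for the IoT endpoint it was built for; what the identity may then do is decided entirely by the IoT policy attached to the Cognito Identity.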
IoT Policy Example
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Connect"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Subscribe"
      ],
      "Resource": [
        "arn:aws:iot:us-east-1:123456789012:topicfilter/foo/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Receive"
      ],
      "Resource": [
        "arn:aws:iot:us-east-1:123456789012:topic/foo/bar"
      ]
    }
  ]
}
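To see what that policy lets a principal do, the following added example (not from the slides and not the AWS IoT authoriser itself) evaluates requests against the slide's policy document offline. The evaluation rules are IAM's documented ones: no matching statement means Deny, an explicit Deny wins over any Allow, and `*` in an action or resource matches any run of characters. The sample requests and the client id are constructed for the example.

```python
"""Added example (not from the slides or AWS): offline evaluation of the
slide's IoT policy to show exactly which actions one Cognito identity gets."""
import fnmatch
import json

# The policy document from the slide, unchanged.
POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["iot:Connect"], "Resource": ["*"]},
    {"Effect": "Allow", "Action": ["iot:Subscribe"],
     "Resource": ["arn:aws:iot:us-east-1:123456789012:topicfilter/foo/*"]},
    {"Effect": "Allow", "Action": ["iot:Receive"],
     "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/foo/bar"]}
  ]
}
"""
ACCOUNT_PREFIX = "arn:aws:iot:us-east-1:123456789012:"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard(pattern: str, value: str) -> bool:
    """IAM-style matching: '*' matches any characters (including '/'), '?' one."""
    return fnmatch.fnmatchcase(value, pattern)


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Return 'Allow' or 'Deny' for one (action, resource); default is Deny."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not any(_wildcard(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_wildcard(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"            # an explicit Deny always wins
        decision = "Allow"
    return decision


def check_requests() -> dict:
    """Evaluate a constructed set of requests a browser session might make."""
    policy = json.loads(POLICY_JSON)
    requests = {
        "connect":           ("iot:Connect",   ACCOUNT_PREFIX + "client/bob-browser"),
        "subscribe_foo_bar": ("iot:Subscribe", ACCOUNT_PREFIX + "topicfilter/foo/bar"),
        "subscribe_foo_all": ("iot:Subscribe", ACCOUNT_PREFIX + "topicfilter/foo/#"),
        "subscribe_kettle":  ("iot:Subscribe", ACCOUNT_PREFIX + "topicfilter/kettle/100"),
        "receive_foo_bar":   ("iot:Receive",   ACCOUNT_PREFIX + "topic/foo/bar"),
        "receive_foo_baz":   ("iot:Receive",   ACCOUNT_PREFIX + "topic/foo/baz"),
        "publish_foo_bar":   ("iot:Publish",   ACCOUNT_PREFIX + "topic/foo/bar"),
    }
    return {name: evaluate(policy, act, res) for name, (act, res) in requests.items()}


if __name__ == "__main__":
    for name, decision in check_requests().items():
        print(f"{name:18} {decision}")
```

Two things the evaluation makes visible: `iot:Publish` is never granted, so this identity is read-only, and the `*` in `topicfilter/foo/*` also matches a subscription to `foo/#`, so the `iot:Receive` statement, which names only `topic/foo/bar`, is what actually limits which messages are delivered.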
Smart Hub Appliance System
• Smart Hubs will have certificate/private key pre-installed.
• Customers should be able to associate one or more Smart Hubs
with their own login – all customers managed in one system.
• Smart Hubs should automatically detect the presence
of Smart Appliances.
• Smart Hubs should aggregate telemetry data from Smart
Appliances and make the telemetry available to the web portal.
• Manufacturer should be able to view information about the fleet
of Smart Hubs in the field, for continual service improvement.
Smart Hub Appliance System (walkthrough diagrams)

Fleet management: each Smart Hub registers on boot with a central Smart Hub repository. This is how the vendor manages the fleet of Smart Hubs, through the vendor's central management portal for all Smart Hubs in the field.

Bob registers his own personal account in the Smart Hub management portal; every customer has their own login.

System Overview: Association
The Smart Hub has a unique ID assigned by the manufacturer. The Smart Hub has its own tiny web server on board; a pairing code is generated on the Smart Hub and shared with the user via the web browser. The pairing code is also stored in the IoT device shadow.

Checking the Pairing Secret
Bob submits his provided secret (913387) through Amazon API Gateway to an AWS Lambda function. The function checks the secret against the pairing code held in the IoT Device Shadow and records the association of Bob's Cognito identity Id with the Smart Hub identifier in Amazon DynamoDB. Bob's Smart Hub is now registered against his account.
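The association step is where a wrong design would let one customer claim another's hub, so it is worth writing out. The following is an added example, not EROAD's, Amazon's or the talk's code: the core of that Lambda handler with the device shadow and the DynamoDB table replaced by in-memory dictionaries so it runs offline. Bob's secret (913387), his Cognito identity Id and the Smart Hub identifier are the inputs the slide names; the hub ids, table layout, field names, the pairing-code expiry (`PAIRING_TTL_SECONDS`) and the one-time-use rule are assumptions of this example.

```python
"""Added example (not from the slides): association check for a Smart Hub,
with the device shadow and DynamoDB replaced by dictionaries."""
import hmac
import time

# Constructed stand-in for the device shadows: hub id -> reported state.
SHADOWS = {
    "hub-0001": {"pairing_code": "913387", "pairing_issued_at": 1000},
    "hub-0002": {"pairing_code": "445566", "pairing_issued_at": 1000},
}
# Constructed stand-in for the DynamoDB association table: hub id -> owner identity.
ASSOCIATIONS = {"hub-0002": "us-east-1:owner-of-hub-2"}
PAIRING_TTL_SECONDS = 600          # assumed lifetime of a displayed pairing code


def associate_hub(event: dict, shadows=SHADOWS, associations=ASSOCIATIONS,
                  now: float = None) -> dict:
    """Lambda-style handler.  event: {'hub_id', 'pairing_code', 'identity_id'}.

    Unknown hub, wrong code and expired code all return the same generic 403,
    so the response does not tell a caller which part of the check failed."""
    now = time.time() if now is None else now
    hub_id = event.get("hub_id", "")
    code = str(event.get("pairing_code", ""))
    identity = event.get("identity_id", "")

    if not identity:
        # API Gateway with a Cognito authoriser should never forward such a call.
        return {"statusCode": 401, "body": "unauthenticated"}

    shadow = shadows.get(hub_id)
    expected = shadow["pairing_code"] if shadow else ""
    fresh = bool(shadow) and now - shadow["pairing_issued_at"] <= PAIRING_TTL_SECONDS
    # compare_digest takes time independent of where the two strings differ.
    code_ok = hmac.compare_digest(expected.encode(), code.encode()) and expected != ""
    if not (code_ok and fresh):
        return {"statusCode": 403, "body": "pairing failed"}

    if hub_id in associations and associations[hub_id] != identity:
        return {"statusCode": 409, "body": "hub already associated with another account"}

    associations[hub_id] = identity
    shadow["pairing_code"] = ""      # one-time use: clear the code after success
    return {"statusCode": 200, "body": f"{hub_id} registered to {identity}"}


if __name__ == "__main__":
    print(associate_hub({"hub_id": "hub-0001", "pairing_code": "913387",
                         "identity_id": "us-east-1:bob-identity"}, now=1100))
```

The identity comes from the Cognito-authenticated request, never from the request body, so the caller cannot register a hub to someone else; the pairing code proves physical access to the hub's local web server.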
System Overview: Discovery
The Smart Hub finds connected appliances using Bluetooth Low Energy (BLE) advertisements, which are used for discovery and proximity detection.

System Overview: Publication
The Smart Hub publishes the list of nearby appliances to AWS IoT. The device shadow keeps the last-known state of the Smart Hub and all the appliances.

System Overview: Connection
Bob clicks on his Smart Hub in the web portal to view more information. The request passes through Amazon API Gateway and AWS Lambda to AWS IoT (IoT shadow), which reaches the Smart Hub over MQTT; the Smart Hub talks to the appliance ("aabbccdd").

System Overview: Display
A WebSockets connection between AWS IoT and the browser carries the result. Bob sees the Kettle telemetry on the web portal via the Smart Hub and AWS IoT; he does not directly connect to the Kettle or Smart Hub!
How we Would do this Before AWS IoT
The Smart Hub sends BLE detections to an Amazon Kinesis stream; Kinesis records go to an AWS Lambda function, which writes to Amazon DynamoDB. The Companion Web Application reads the appliances listing from DynamoDB and sends connect & control commands via Amazon SQS to the Smart Hub, which talks BLE/MQTT to the Kettle Appliance.
Drawbacks: the Smart Hub would need credentials to connect to the Kinesis & SQS HTTP APIs; these are heavy-weight protocols; and the inbound control channel requires constant polling.

Architecture with AWS IoT
The Smart Hub talks BLE to the Toaster Appliance and Kettle Appliance, and MQTT to AWS IoT (IoT Device Shadow). The Companion Web Application obtains credentials from Amazon Cognito, calls Amazon API Gateway and AWS Lambda (backed by Amazon DynamoDB), and uses MQTT to AWS IoT.

Smart Hub Appliance System Walkthrough
EROAD: Road tolling IoT platform on AWS
Jarred Clayton, EVP Engineering
About EROAD
• World first GPS-based road user charging system in New Zealand
• Operations in New Zealand, Australia, Oregon, Washington & Idaho
• Sole heavy vehicle technology supplier for California Road User Charge Pilot
• 37,000 units across three countries
EROAD Services
Road User Charging
- Electronic distance recorder
- Electronic RUC purchase and management
- Off road claims
Compliance
- Vehicle compliance
- Driver compliance
- Fleet compliance
Commercial
- Tracking
- Fuel management
- Driver behaviour
- Fleet productivity
Architecture Overview (diagram slide; no text captured)
Ehubo2 (OBU "thing") Architecture Overview (diagram slide; no text captured)
Event Solution (diagram slide; no text captured)
AWS IoT and EROAD
• EROAD investigated AWS IoT after its release in 2015
• Key motivator is the device shadow, for:
  • simplified handling of outbound messages
  • simplified handling of 'thing' configuration changes
• Why haven't we moved yet?
  • Not yet available in Sydney
  • Authentication options were too limited at the time of the initial review (resolved or being resolved)
  • Expense of migration from the custom implementation
  • Data consumption compared with the custom protocol is unclear, and data is expensive; the research effort is time consuming
IoT Vehicle Hub using BLE
Numbers
2,678 peak events per second
600 steady events per second
~800M events per month
60kb/s event traffic
37,000 units
4.9M km tracked daily
$1B RUC collected in NZ
80 R&D staff
AWS Training & Certification
Intro Videos & Labs: free videos and labs to help you learn to work with 30+ AWS services – in minutes!
Training Classes: in-person and online courses to build technical skills – taught by accredited AWS instructors
Online Labs: practice working with AWS services in a live environment – learn how related services work together
AWS Certification: validate technical skills and expertise – identify qualified IT talent or show you are AWS cloud ready
Learn more: aws.amazon.com/training

Your Training Next Steps:
Visit the AWS Training & Certification pod to discuss your training plan & AWS Summit training offer
Register & attend AWS instructor led training
Get Certified
AWS Certified? Visit the AWS Summit Certification Lounge to pick up your swag
Learn more: aws.amazon.com/training

Thank you!