Getting Started with IoT - AWS July 2016 Webinar Series
Transcript of Getting Started with IoT - AWS July 2016 Webinar Series
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Olawale Oladehin, Solutions Architect
July 27, 2016
Getting Started with AWS IoT
What to Expect from the Session
• Overview of AWS IoT
• Securing IoT devices
• Routing and processing IoT data
AWS IoT
AWS IoT Region Availability
• US-EAST (N. Virginia)
• US-WEST (Oregon)
• EU (Ireland)
• EU (Frankfurt)
• Asia Pacific (Tokyo)
• Asia Pacific (Singapore)
• Asia Pacific (Sydney)
Security
Securing devices
TLS mutual authentication
1. Create a CSR
2. Create an X.509 certificate from the CSR
3. Activate the certificate
4. Create a policy
5. Attach the policy to the certificate
Securely Connect Device
• AWS IoT generated certificates
• Use your own certificate
Use Your Own Certificate
• Use certificates issued by your own CA
• Existing certificate issuance infrastructure
• Use certificates already on board
• Limited Internet connectivity from assembly/manufacturing locations
• Seamless provisioning of devices
8 new API calls to support management of certificates
Elliptic Curve Cryptography (ECC) Support
• Create/register ECC certificates: NIST P-256 and NIST P-384
• ECC keys are much smaller compared to RSA
Benefits:
• Shorter key length
• Lower CPU/power
• Lower memory
• Lower bandwidth required
• Faster processing
Elliptic Curve Cryptography (ECC) Support
Symmetric Key Size (bits)   RSA and Diffie-Hellman Key Size (bits)   Elliptic Curve Key Size (bits)
80                          1024                                     160
112                         2048                                     224
128                         3072                                     256
192                         7680                                     384
256                         15360                                    512
Table 1: National Institute of Standards and Technology (NIST) Recommended Key Sizes
Creating EC based certificate using AWS IoT
# Create an ECC key pair on the NIST P-256 curve (prime256v1):
$ openssl ecparam -out ecckey.key -name prime256v1 -genkey
# Create a Certificate Signing Request (CSR) signed with the ECC key:
$ openssl req -new -key ecckey.key -out eccCsr.csr
# Request an EC-based certificate from AWS IoT and activate it:
$ aws iot create-certificate-from-csr --certificate-signing-request file://eccCsr.csr \
    --certificate-pem-outfile eccCert.crt --set-as-active
AWS IoT Cipher Suites
AWS IoT supports 18 cipher suites, including:
• ECDHE-ECDSA-AES128-GCM-SHA256
• ECDHE-RSA-AES128-GCM-SHA256
• ECDHE-ECDSA-AES128-SHA256
• ECDHE-RSA-AES128-SHA256
• ECDHE-ECDSA-AES256-GCM-SHA384
• ECDHE-RSA-AES256-GCM-SHA384
• …
ECDHE and ECDSA cipher support
EC Diffie-Hellman Ephemeral (ECDHE) and EC Digital Signature Algorithm (ECDSA) cipher suites support:
• Forward secrecy
• Shared session secret
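To make the cipher-suite and mutual-authentication points concrete, here is an added Python example (not from the slides and not part of any AWS SDK) that builds the client side of a device connection: it offers only the ECDHE suites listed above, refuses anything below TLS 1.2, and presents the device's X.509 certificate when a path is given. The certificate, key and CA file paths are placeholders the caller supplies; with none given the context is still built so the cipher configuration can be inspected.

```python
import ssl

# Cipher suites named on the slide (AWS IoT supports more; these are the ones shown).
AWS_IOT_ECDHE_SUITES = [
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES128-SHA256",
    "ECDHE-RSA-AES128-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
]


def build_iot_client_context(cert_file=None, key_file=None, ca_file=None):
    """Client context for an MQTT-over-TLS connection with mutual authentication.

    cert_file/key_file: the device certificate and private key (placeholder
    paths chosen by the caller); ca_file: the root CA used to verify the server.
    With all three left as None the context is still usable for inspection.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies server cert and hostname by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # never negotiate below TLS 1.2
    # Only ECDHE key exchange: every suite offered gives forward secrecy, so a
    # recorded session cannot be decrypted later even if a long-term key leaks.
    ctx.set_ciphers(":".join(AWS_IOT_ECDHE_SUITES))
    if ca_file:
        ctx.load_verify_locations(ca_file)
    else:
        ctx.load_default_certs()
    if cert_file and key_file:
        # Presenting the device certificate is what makes the handshake mutual.
        ctx.load_cert_chain(cert_file, key_file)
    return ctx


def forward_secret(cipher_name):
    """True for ECDHE suites and for TLS 1.3 suites (which always use ephemeral key exchange)."""
    return cipher_name.startswith("ECDHE-") or cipher_name.startswith("TLS_")


def negotiable_ciphers(ctx):
    """Names of the suites the context will actually offer, as OpenSSL resolves them."""
    return [cipher["name"] for cipher in ctx.get_ciphers()]


def only_forward_secret(ctx):
    """Check that no configured suite lacks forward secrecy."""
    return all(forward_secret(name) for name in negotiable_ciphers(ctx))


if __name__ == "__main__":
    context = build_iot_client_context()
    for name in negotiable_ciphers(context):
        print(name)
    print("forward secrecy for every suite:", only_forward_secret(context))
```

The `only_forward_secret` check is the useful part for a fleet: run it against the context a device SDK actually uses, since an SDK that silently widens the cipher list to include static RSA key exchange gives up the forward-secrecy property the slide relies on.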
AWS IoT policies
• Effect: Allow or Deny
• Action:
  "iot:Publish" – MQTT publish
  "iot:Subscribe" – MQTT subscribe
  "iot:UpdateThingShadow" – Update a thing shadow
  "iot:GetThingShadow" – Retrieve a thing shadow
  "iot:DeleteThingShadow" – Delete a thing shadow
• Resource: Client, topic ARN or topic filter ARN
Example publish/subscribe policy
{
  "Effect": "Allow",
  "Action": [ "iot:Publish" ],
  "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/foo" ]
},
{
  "Effect": "Deny",
  "Action": [ "iot:Subscribe" ],
  "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/bar" ]
}
Allow access to topic/foo
Deny access to topic/bar
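The following added Python example (mine, not from the slides or AWS) shows how the two statements above are evaluated for a request and adds a least-privilege lint. It wraps the slide's statements in the standard policy envelope, applies the IAM evaluation order (default deny, explicit Deny beats Allow) with IAM-style `*` wildcards, and flags Allow statements whose action or resource is a bare wildcard. The account id and ARNs are the slide's example values.

```python
import re

# Constructed policy document: the two statements from the slide in the usual envelope.
EXAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["iot:Publish"],
            "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/foo"],
        },
        {
            "Effect": "Deny",
            "Action": ["iot:Subscribe"],
            "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/bar"],
        },
    ],
}


def _as_list(value):
    """Action and Resource may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _glob_match(pattern, value):
    """IAM-style matching: '*' matches any run of characters, everything else is literal."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value) is not None


def evaluate(policy, action, resource_arn):
    """Return 'Allow' or 'Deny' for one (action, resource) request.

    Mirrors the IAM evaluation order: everything is denied unless some
    statement allows it, and an explicit Deny always wins over an Allow.
    """
    allowed = False
    for statement in policy["Statement"]:
        if not any(_glob_match(a, action) for a in _as_list(statement["Action"])):
            continue
        if not any(_glob_match(r, resource_arn) for r in _as_list(statement["Resource"])):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"


def overly_broad_statements(policy):
    """Least-privilege lint (a heuristic I chose): indexes of Allow statements that
    grant every action or every resource, e.g. "iot:*" or a resource ending in "/*"."""
    findings = []
    for index, statement in enumerate(policy["Statement"]):
        if statement["Effect"] != "Allow":
            continue
        actions = _as_list(statement["Action"])
        resources = _as_list(statement["Resource"])
        broad_action = any(a in ("*", "iot:*") for a in actions)
        broad_resource = any(r == "*" or r.endswith("/*") for r in resources)
        if broad_action or broad_resource:
            findings.append(index)
    return findings


if __name__ == "__main__":
    base = "arn:aws:iot:us-east-1:123456789012:"
    for action, resource in [("iot:Publish", "topic/foo"), ("iot:Subscribe", "topic/bar"),
                             ("iot:Publish", "topic/bar")]:
        print(action, resource, "->", evaluate(EXAMPLE_POLICY, action, resource))
    print("broad statements:", overly_broad_statements(EXAMPLE_POLICY))
```

Note that a publish to topic/bar is denied even though no Deny names it: the policy simply contains no Allow for it. The lint is worth running over every policy attached to a device certificate, because a single `"Resource": "*"` on a shared policy lets any device in the fleet publish to any topic.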
Securing AWS resource access
Creating the trust relationship with AWS IoT
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": { "Service": "iot.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
Securing AWS resource access
AWS Services
Securing user access
• WebSockets support
• Signature Version 4 authentication
• IAM roles and policies
• Amazon Cognito identity pools
• Anonymous access to iot:Subscribe
• Use your own application-level authentication patterns
Routing noise
Device Gateway
Publish / Subscribe
• Standard protocol support: MQTT, HTTP, WebSockets
• Long-lived connections: receive signals from the cloud
• Secure by default: connect securely via X.509 certs and TLS 1.2 client mutual auth
Sensor messages
• Standard protocol support: MQTT, HTTP, WebSockets
• Topic/channel: message routing hierarchy, control over the full tree
• Payload (JSON): customer-defined JSON payload
Finding the signals
Extracting the value from messages
• Filter messages with certain criteria
• Move messages to other topics
• Move messages to other systems
• Transform the payload of messages
• Predict messages based on trends
• React based on messages
Rules Engine
AWS IoT SQL reference
SELECT DATA FROM TOPIC WHERE FILTER
• Like scanning a database table
• Default source is an MQTT topic
EXAMPLES:
• FROM mqtt('my/topic')
• FROM mqtt('my/wildcard/+/topic')
• FROM ('my/topic')
Rules engine
• Familiar SQL syntax
• SELECT * FROM topic WHERE filter
• Functions
  • String manipulation (regex support)
  • Mathematical operations
  • Context-based helper functions
  • Crypto support
  • UUID, timestamp, rand, etc.
• Execute simultaneous actions
Rules engine versions
• Versioning
  • 2016-10-08 – Original version
  • 2016-03-23-beta – Beta version released on a specific date
  • beta – Latest beta version (breaking changes!)
{
  "sql": "expression",
  "ruleDisabled": false,
  "awsIotSqlVersion": "2015-03-23-beta",
  "actions": [
    {
      "republish": {
        "topic": "my-mqtt-topic",
        "roleArn": "arn:aws:iam::123456789012:role/my-iot-role"
      }
    }
  ]
}
Rules engine features
JSON collections
• get(array, int) – get the item at the index of the array
• get(string, int) – get the character at the position of the string
• get(object, key) – get the value of the key
SUB SELECT from collections
• SELECT (SELECT v FROM e WHERE n = 'temperature') as temperature FROM 'topic'
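As an added illustration of these two features (my code, not part of the slides or the AWS rules engine), the Python below implements the slide's `get()` semantics and evaluates the sub-select over a constructed message, then applies a threshold filter the way a rule's WHERE clause would. The sample payload, the `sensor-7` id, the threshold and the output shape of the sub-select (a list of objects holding the selected field, which is how I recall the AWS IoT SQL reference documenting nested queries) are all assumptions of this example.

```python
import json

# Constructed message in the shape the sub-select assumes: an "e" array of {name, value} entries.
SAMPLE_PAYLOAD = json.loads(
    '{"e": [{"n": "temperature", "v": 31.5}, {"n": "humidity", "v": 40}], "id": "sensor-7"}'
)


def get(collection, key):
    """Mirror the slide's get(): array index, string position, or object key.

    Out-of-range indexes and missing keys yield None (the SQL undefined value)
    rather than raising, which is how a rule must behave on malformed payloads.
    """
    if isinstance(collection, (list, str)):
        if isinstance(key, bool) or not isinstance(key, int):
            return None
        return collection[key] if 0 <= key < len(collection) else None
    if isinstance(collection, dict):
        return collection.get(key) if isinstance(key, str) else None
    return None


def sub_select(rows, field, where_field, where_value):
    """Evaluate (SELECT <field> FROM <rows> WHERE <where_field> = <where_value>).

    Returns a list of {field: value} objects, one per matching row (assumed
    output shape, see the lead-in); None when the source is not an array.
    """
    if not isinstance(rows, list):
        return None
    return [
        {field: row[field]}
        for row in rows
        if isinstance(row, dict) and row.get(where_field) == where_value and field in row
    ]


def apply_rule(payload, threshold):
    """One rule: project the temperature sub-select plus the id, but only pass the
    message on when the reading exceeds the threshold (a WHERE filter I added).

    Returns the projected message for the rule's action, or None when filtered out.
    """
    temperature = sub_select(get(payload, "e"), "v", "n", "temperature")
    if not temperature:  # no temperature entry, or "e" was not an array: nothing to act on
        return None
    reading = temperature[0]["v"]
    if not isinstance(reading, (int, float)) or isinstance(reading, bool) or reading <= threshold:
        return None
    return {"temperature": temperature, "id": get(payload, "id")}


if __name__ == "__main__":
    print(json.dumps(apply_rule(SAMPLE_PAYLOAD, threshold=30)))
    print(apply_rule(SAMPLE_PAYLOAD, threshold=40))
```

The point of the defensive branches in `get()` and `apply_rule()` is that a rule runs on whatever a device publishes; a payload where `e` is a string or the value is not numeric must drop out of the pipeline rather than fire an action with garbage.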
AWS IoT device shadow
AWS IoT Device Shadow
1. Device publishes current state
2. Persist JSON data store
3. App requests device's current state
4. App requests change to the state
5. Device shadow syncs updated state
6. Device publishes current state
7. Device shadow confirms state change
AWS IoT device shadow flow
AWS IoT device shadow: Simple yet powerful
{
  "state": {
    "desired": {
      "lights": { "color": "RED" },
      "engine": "ON"
    },
    "reported": {
      "lights": { "color": "GREEN" },
      "engine": "ON"
    },
    "delta": {
      "lights": { "color": "RED" }
    }
  },
  "version": 10
}
Device
• Report its current state to one or multiple shadows
• Retrieve its desired state from the shadow
Mobile App
• Set the desired state of a device
• Get the last reported state of the device
• Delete the shadow
Shadow
• Shadow reports delta, desired, and reported states along with metadata and version
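To show how the document above comes about, here is an added Python model of one thing shadow (my code, not the AWS service or its SDK). It merges update documents into the desired and reported sections, derives the delta as the desired attributes that differ from what was reported, bumps the version on every update, and replays the seven-step flow of the slide with the slide's RED/GREEN lights example. The merge rule (null deletes an attribute) and the optimistic version check are my assumptions about how the service behaves, written in so that a stale writer is rejected instead of silently overwriting.

```python
import copy


def merge(target, patch):
    """Apply a shadow update patch to a section: nested objects merge key by key,
    a None value deletes the key, any other value replaces (assumed semantics)."""
    for key, value in patch.items():
        if value is None:
            target.pop(key, None)
        elif isinstance(value, dict) and isinstance(target.get(key), dict):
            merge(target[key], value)
        else:
            target[key] = copy.deepcopy(value)
    return target


def compute_delta(desired, reported):
    """Attributes of desired whose value differs from reported, recursing into objects."""
    delta = {}
    for key, want in desired.items():
        have = reported.get(key)
        if isinstance(want, dict) and isinstance(have, dict):
            sub = compute_delta(want, have)
            if sub:
                delta[key] = sub
        elif want != have:
            delta[key] = copy.deepcopy(want)
    return delta


class Shadow:
    """Minimal in-memory model of one thing shadow (constructed for this example)."""

    def __init__(self):
        self.desired = {}
        self.reported = {}
        self.version = 0

    def update(self, state, expected_version=None):
        """Apply an update document {"desired": ..., "reported": ...} and return the new document.

        expected_version is optimistic locking: a writer that last read an older
        version is rejected rather than allowed to clobber a newer desired state.
        """
        if expected_version is not None and expected_version != self.version:
            raise ValueError("version conflict: shadow is at %d" % self.version)
        merge(self.desired, state.get("desired") or {})
        merge(self.reported, state.get("reported") or {})
        self.version += 1
        return self.document()

    def document(self):
        state = {
            "desired": copy.deepcopy(self.desired),
            "reported": copy.deepcopy(self.reported),
        }
        delta = compute_delta(self.desired, self.reported)
        if delta:  # the delta section only exists while desired and reported differ
            state["delta"] = delta
        return {"state": state, "version": self.version}


def walk_through_slide_flow():
    """Replay steps 1-7 of the slide and return the documents after steps 4 and 7."""
    shadow = Shadow()
    shadow.update({"reported": {"lights": {"color": "GREEN"}, "engine": "ON"}})          # step 1
    after_desire = shadow.update({"desired": {"lights": {"color": "RED"}, "engine": "ON"}})  # step 4
    delta = after_desire["state"]["delta"]                                                # step 5: device receives delta
    shadow.update({"reported": delta})                                                    # step 6: device applies and reports
    return after_desire, shadow.document()                                                # step 7: delta gone


if __name__ == "__main__":
    import json
    before, after = walk_through_slide_flow()
    print(json.dumps(before, indent=2))
    print(json.dumps(after, indent=2))
```

Two details matter for security more than for correctness: only the device should be allowed to write `reported` and only the app should write `desired` (enforce that with the iot:UpdateThingShadow policies from the security section), and the version check means a delayed or replayed update from an app cannot roll a device's desired state backwards unnoticed.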
Device SDKs
Device SDK support
Based on open standards like Eclipse Paho:
• C
• Arduino (Yun)
• iOS (Swift)
• Android
• NodeJS (WebSocket support)
• JS SDK for statically hosted sites (WebSockets)
• Python
• Java
Summary
• AWS IoT overview
• AWS IoT security
• AWS IoT device gateway and rules engine
• AWS IoT device shadow
Thank you!