Page 1
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Adam Larter, Principal Solutions Architect, Amazon Web Services
Jarred Clayton, EVP Engineering, EROAD
Developing applications for the Internet of Things with AWS IoT
AWS IoT, AWS Lambda & AWS Cognito
Technical 301
Page 2
Business
101 Technical
201 Technical
301 Technical
401 Technical
Session Depth
Page 3
What to Expect from Today’s Session
• Dive Deep on AWS IoT
• Patterns for Building IoT Applications
• Creating Applications using AWS IoT, Amazon Cognito,
AWS Lambda and Amazon API Gateway
• Customer Story – EROAD
• A few Demonstrations and Audience Participation
Page 4
Example: Connected City
Page 7
Light Bulb Moment
[Diagram: Amazon CloudFront, Amazon S3 bucket, AWS IoT, IoT shadow, Amazon Cognito]
Page 8
Light Bulb Moment
[Diagram: AWS IoT, IoT shadow, Amazon Cognito]
Page 10
Light Bulb Moment
[Diagram: Amazon CloudFront, Amazon S3 bucket, AWS IoT, IoT shadow, Amazon Cognito, AWS Lambda]
Page 11
Light Bulb Moment
[Diagram: Amazon CloudFront, Amazon S3 bucket, Amazon Cognito, IoT shadow, AWS Lambda, AWS IoT]
Page 13
bit.ly/summitiotcolour
Page 14
AWS IoT
DEVICE SDK: Set of client libraries to connect, authenticate and exchange messages
DEVICE GATEWAY: Communicate with devices via MQTT and HTTP
AUTHENTICATION / AUTHORISATION: Secure with mutual authentication and encryption
RULES ENGINE: Transform messages based on rules and route to AWS Services and 3P (third-party) services
DEVICE SHADOW: Persistent thing state during intermittent connections
DEVICE REGISTRY: Identity and management of your things
APPLICATIONS: AWS IoT API
Page 15
Patterns for IoT on AWS
Page 16
Broadcast Pattern
Weather Service publishes a message (PUB: au/sydney/weather):
    {
      "forecast" : "storm",
      "prob" : "85%",
      "temp" : 14
    }
AWS IoT delivers it to every client subscribed to the topic (SUB: au/sydney/weather); each subscriber reacts in its own way: Reduce speed / Ignore / Turn on headlights.
Page 17
Point to Point
Mobile App publishes a message (PUB: kettle/100); the Kettle Appliance is subscribed to that one topic via AWS IoT (SUB: kettle/100):
    {
      "power" : "on",
      "turbo" : "true"
    }
Page 18
Fan Out Notification Pattern
Repair Service (repair inventory in Amazon DynamoDB) publishes to a per-device topic (PUB: SN/{serial}/repair); each piece of equipment subscribes only to its own serial-number topic via AWS IoT (SUB: SN/2389/repair, SUB: SN/2390/repair).
PUB: SN/2389/repair
    {
      "part" : "4921",
      "status" : "shipped"
    }
PUB: SN/2390/repair
    {
      "part" : "7822",
      "status" : "delayed"
    }
Subscriber reactions: Alert operator to schedule a maintenance window; Change gears / reduce load on equipment.
Page 19
Aggregator Pattern
Home appliances -> Smart Hub -> AWS IoT
Alert: Kettle boiling
Alert: Toast ready
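The three routing patterns above all come down to how the broker matches a published topic name against subscribers' topic filters. The following is an added example, not code from the deck or from AWS IoT: a toy in-memory broker implementing the MQTT 3.1.1 wildcard rules ('+' matches exactly one topic level, '#' matches all remaining levels and must be last) that replays the deck's topics and payloads. The client names and the 'operator' subscriber with its wildcard filter are constructed for the demonstration.

```python
"""In-memory model of the broadcast, point-to-point and fan-out patterns,
built on MQTT topic-filter matching. Added example, not AWS IoT code."""
import json
from collections import defaultdict


def topic_matches(topic_filter: str, topic: str) -> bool:
    """Return True if an MQTT topic filter matches a concrete topic name."""
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    # Wildcards never match '$'-prefixed (broker-reserved) topics at level 0.
    if topic.startswith("$") and f_levels[0] in ("+", "#"):
        return False
    for i, level in enumerate(f_levels):
        if level == "#":
            return i == len(f_levels) - 1   # '#' is only valid as the last level
        if i >= len(t_levels):
            return False                    # filter is longer than the topic
        if level != "+" and level != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)


class Broker:
    """Delivers each published message to every client whose filter matches."""

    def __init__(self):
        self._subs = defaultdict(list)   # topic filter -> [client ids]
        self.inbox = defaultdict(list)   # client id -> [(topic, payload json)]

    def subscribe(self, client: str, topic_filter: str) -> None:
        self._subs[topic_filter].append(client)

    def publish(self, topic: str, payload: dict) -> set:
        """Publish and return the set of clients that received the message."""
        delivered = set()
        for topic_filter, clients in self._subs.items():
            if topic_matches(topic_filter, topic):
                for client in clients:
                    self.inbox[client].append((topic, json.dumps(payload)))
                    delivered.add(client)
        return delivered


def run_patterns() -> dict:
    """Replay the three patterns; returns who received each publication."""
    broker = Broker()
    # Broadcast: every vehicle (constructed client ids) subscribes to one weather topic.
    for car in ("car-1", "car-2", "car-3"):
        broker.subscribe(car, "au/sydney/weather")
    # Point to point: the mobile app addresses one kettle by its own topic.
    broker.subscribe("kettle-100", "kettle/100")
    # Fan out: each machine listens only on its own serial-number topic ...
    broker.subscribe("machine-2389", "SN/2389/repair")
    broker.subscribe("machine-2390", "SN/2390/repair")
    # ... while a fleet operator (constructed) watches all of them with '+'.
    # A wildcard subscription like this is exactly what the IoT policy
    # attached to a principal has to permit or refuse.
    broker.subscribe("operator", "SN/+/repair")

    return {
        "weather": broker.publish("au/sydney/weather",
                                  {"forecast": "storm", "prob": "85%", "temp": 14}),
        "kettle": broker.publish("kettle/100", {"power": "on", "turbo": "true"}),
        "repair_2389": broker.publish("SN/2389/repair", {"part": "4921", "status": "shipped"}),
        "repair_2390": broker.publish("SN/2390/repair", {"part": "7822", "status": "delayed"}),
    }


if __name__ == "__main__":
    for name, receivers in run_patterns().items():
        print(f"{name}: delivered to {sorted(receivers)}")
```

The point to take from the replay is that fan-out isolation is a property of the subscriptions, not of the broker: machine-2389 never sees machine-2390's notice only because it subscribed narrowly, while the operator's 'SN/+/repair' filter sees everything. Whether a given principal may hold such a wide filter is a policy decision, which is what the IoT policy examples later in the deck control.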
Page 20
AWS IoT – How do we Secure Communications?
• Mutual authentication: X.509 certificate-based auth. Devices use certificate-based authentication; we assign policies to certificates.
• AWS SigV4: Browsers use WebSockets, with connections signed using SigV4; we assign policies to the user principal.
• Amazon Cognito simplifies signing SigV4 requests: the SDK simplifies interfacing with Cognito to obtain limited-privilege AWS credentials.
Page 21
AWS IoT – Securing Device Connections
[Diagram: IoT ‘Thing’ (LightBulb) with IoT certificate & private key, plus IoT policy -> AWS IoT -> MQTT topics]
Certificate provisioned by device manufacturer.
AWS IoT has the public key to confirm the authenticity of the certificate, and the connection between the Thing and the AWS IoT service is encrypted.
Based on the certificate presented by the Thing, the associated IoT Policy is applied to allow/deny actions on resources (such as publishing to certain MQTT topics).
Page 22
AWS IoT Policies are attached to Principals
A Principal can be either a certificate or a Cognito Identity.
Page 23
Amazon Cognito Security Architecture
[Diagram: End Users log in (OAuth/OpenID) and receive an Access Token; the Cognito Identity Broker exchanges the Access Token for a Cognito ID and temporary credentials (User ID, temp credentials); with these the user has access to AWS Services and to AWS IoT, where the IoT Policy governs the MQTT topics; the Developer configures the Pool ID and Role ARNs in the AWS Management Console. Your User Pools: released in Public Beta.]
Page 24
AWS IoT – Securing Browser Connections
[Diagram: Amazon Cognito Identity (‘Bob’) plus IoT policy -> AWS IoT -> MQTT topics]
Authentication is performed by a public or custom identity provider.
The web browser connects via HTTP with a SigV4-signed URL using Cognito-supplied credentials and then upgrades the connection to use WebSockets.
The administrator has previously called "attach-principal-policy" to associate the IoT policy with the Cognito Identity Id.
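The SigV4-signed URL the browser opens is built from the Cognito-supplied temporary credentials, so it is worth seeing exactly what is signed and what the gateway recomputes. The following is an added example, not code from the deck or from the AWS SDKs: it reproduces the query-string signing scheme the AWS IoT device gateway expects for WebSocket connections (service name 'iotdevicegateway', GET on '/mqtt', only the 'host' header signed, empty payload) using the standard library only, plus a verifier that does what the gateway does: rebuild the signed query from the URL and recompute the signature. The endpoint, access key id, secret key, session token and timestamp used by example_url() are constructed placeholders.

```python
"""SigV4 query-string signing of the AWS IoT WebSocket (MQTT over WSS) URL.
Added example; endpoint and credentials below are placeholders."""
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import parse_qsl, quote, urlsplit

ALGORITHM = "AWS4-HMAC-SHA256"
SERVICE = "iotdevicegateway"          # service name used by the IoT device gateway
EMPTY_PAYLOAD_HASH = hashlib.sha256(b"").hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, date: str, region: str) -> bytes:
    """kSecret -> kDate -> kRegion -> kService -> kSigning, as SigV4 defines it."""
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, SERVICE)
    return _hmac(k_service, "aws4_request")


def canonical_request(host: str, query: str) -> str:
    # Only the Host header is signed; a WebSocket upgrade carries no body.
    return "\n".join(["GET", "/mqtt", query, f"host:{host}\n", "host", EMPTY_PAYLOAD_HASH])


def _signed_query(host, region, access_key, secret_key, amz_date):
    """Return (query_without_signature, signature) for the given timestamp."""
    date = amz_date[:8]
    scope = f"{date}/{region}/{SERVICE}/aws4_request"
    query = "&".join([                      # parameters already in sorted order
        f"X-Amz-Algorithm={ALGORITHM}",
        "X-Amz-Credential=" + quote(f"{access_key}/{scope}", safe=""),
        f"X-Amz-Date={amz_date}",
        "X-Amz-SignedHeaders=host",
    ])
    string_to_sign = "\n".join([
        ALGORITHM, amz_date, scope,
        hashlib.sha256(canonical_request(host, query).encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(signing_key(secret_key, date, region),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return query, signature


def presigned_wss_url(host, region, access_key, secret_key, session_token=None, now=None):
    """Build the wss:// URL a browser opens to reach AWS IoT with SigV4 credentials."""
    now = now or datetime.now(timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    query, signature = _signed_query(host, region, access_key, secret_key, amz_date)
    url = f"wss://{host}/mqtt?{query}&X-Amz-Signature={signature}"
    if session_token:
        # Temporary (Cognito) credentials carry a session token; it is appended
        # after signing and is not part of the signed query string.
        url += "&X-Amz-Security-Token=" + quote(session_token, safe="")
    return url


def verify_presigned_url(url: str, secret_key: str) -> bool:
    """Gateway-side view: rebuild the signed query from the URL and recompute.
    (The real gateway looks the secret up from the access key id.)"""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    try:
        access_key, _date, region, service, terminal = params["X-Amz-Credential"].split("/")
        amz_date, presented = params["X-Amz-Date"], params["X-Amz-Signature"]
    except (KeyError, ValueError):
        return False
    if (parts.scheme, parts.path) != ("wss", "/mqtt") or service != SERVICE \
            or terminal != "aws4_request" or params.get("X-Amz-SignedHeaders") != "host":
        return False
    _query, expected = _signed_query(parts.netloc, region, access_key, secret_key, amz_date)
    return hmac.compare_digest(expected, presented)


EXAMPLE_TIME = datetime(2016, 4, 27, 12, 0, 0, tzinfo=timezone.utc)
EXAMPLE_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"   # constructed placeholder


def example_url() -> str:
    """Constructed endpoint and Cognito-style temporary credentials (placeholders)."""
    return presigned_wss_url("example-ats.iot.us-east-1.amazonaws.com", "us-east-1",
                             "ASIAEXAMPLEKEYID", EXAMPLE_SECRET,
                             session_token="FQoDYXdzEXAMPLE/token", now=EXAMPLE_TIME)


if __name__ == "__main__":
    url = example_url()
    print(url)
    print("verifies:", verify_presigned_url(url, EXAMPLE_SECRET))
```

Two things the verifier makes visible: the signature covers the host and the timestamp, so a URL lifted from one endpoint or replayed far outside its time window fails on recomputation, and the session token rides outside the signature, which is why the gateway must still validate it separately as part of the temporary-credential check.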
Page 25
IoT Policy Example
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Connect"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Subscribe"
      ],
      "Resource": [
        "arn:aws:iot:us-east-1:123456789012:topicfilter/foo/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Receive"
      ],
      "Resource": [
        "arn:aws:iot:us-east-1:123456789012:topic/foo/bar"
      ]
    }
  ]
}
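Reading this policy correctly means knowing that Subscribe is checked against a topicfilter ARN at subscription time, while Receive is checked per message against a topic ARN, and that anything not explicitly allowed is denied. The following is an added example, not the deck's code and not AWS's evaluation engine: a small evaluator that applies the IAM rules an IoT policy follows (implicit deny, explicit Deny overriding Allow, '*' and '?' wildcards in Action and Resource) to the policy above. The client id 'bobs-browser' and the topics tried are constructed; the account id and region are the slide's placeholders.

```python
"""Evaluate the slide's IoT policy for Connect, Subscribe, Receive and Publish.
Added example, not AWS's evaluation engine."""
import json
import re

# The policy from the slide, verbatim in content.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["iot:Connect"], "Resource": ["*"]},
    {"Effect": "Allow", "Action": ["iot:Subscribe"],
     "Resource": ["arn:aws:iot:us-east-1:123456789012:topicfilter/foo/*"]},
    {"Effect": "Allow", "Action": ["iot:Receive"],
     "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/foo/bar"]}
  ]
}
""")

ARN_PREFIX = "arn:aws:iot:us-east-1:123456789012:"


def _wildcard_re(pattern: str):
    """IAM-style matching: '*' is any run of characters, '?' one character."""
    return re.compile("^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$")


def _any_match(patterns, value: str) -> bool:
    if isinstance(patterns, str):          # Action/Resource may be a string or a list
        patterns = [patterns]
    return any(_wildcard_re(p).match(value) for p in patterns)


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Implicit deny; an explicit Deny overrides any Allow that also matches."""
    allowed = False
    for statement in policy["Statement"]:
        if not _any_match(statement["Action"], action):
            continue
        if not _any_match(statement["Resource"], resource):
            continue
        if statement["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def client_arn(client_id: str) -> str:
    return ARN_PREFIX + "client/" + client_id


def topicfilter_arn(topic_filter: str) -> str:
    return ARN_PREFIX + "topicfilter/" + topic_filter


def topic_arn(topic: str) -> str:
    return ARN_PREFIX + "topic/" + topic


def evaluate_examples(policy=POLICY) -> dict:
    """Requests a browser client might make (constructed), with the policy's verdict."""
    return {
        "connect": is_allowed(policy, "iot:Connect", client_arn("bobs-browser")),
        "subscribe foo/bar": is_allowed(policy, "iot:Subscribe", topicfilter_arn("foo/bar")),
        "subscribe foo/#": is_allowed(policy, "iot:Subscribe", topicfilter_arn("foo/#")),
        "subscribe bar/baz": is_allowed(policy, "iot:Subscribe", topicfilter_arn("bar/baz")),
        "receive foo/bar": is_allowed(policy, "iot:Receive", topic_arn("foo/bar")),
        # Subscribed via the foo/# filter, but Receive is checked per message and
        # only foo/bar is granted, so a message on foo/baz is never delivered.
        "receive foo/baz": is_allowed(policy, "iot:Receive", topic_arn("foo/baz")),
        # No Publish statement at all: a browser holding this policy is read-only.
        "publish foo/bar": is_allowed(policy, "iot:Publish", topic_arn("foo/bar")),
    }


def with_explicit_deny(policy=POLICY) -> dict:
    """Return a copy with a Deny on topic/foo/bar, to show Deny overriding Allow."""
    tightened = json.loads(json.dumps(policy))        # deep copy
    tightened["Statement"].append({"Effect": "Deny", "Action": "iot:Receive",
                                   "Resource": topic_arn("foo/bar")})
    return tightened


if __name__ == "__main__":
    for request, verdict in evaluate_examples().items():
        print(f"{request:20s} -> {'allow' if verdict else 'deny'}")
```

The asymmetry between the broad Subscribe grant (foo/*) and the single Receive grant (foo/bar) is deliberate in the slide: the client may ask for a wide filter, but only messages on the one topic actually reach it, which is a useful pattern when a shared prefix carries topics of differing sensitivity.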
Page 26
Smart Hub Appliance System
Page 27
Smart Hub Appliance System
• Smart Hubs will have certificate/private key pre-installed.
• Customers should be able to associate one or more Smart Hubs with their own login – all customers managed in one system.
• Smart Hubs should automatically detect the presence of Smart Appliances.
• Smart Hubs should aggregate telemetry data from Smart Appliances and make the telemetry available to the web portal.
• Manufacturer should be able to view information about the fleet of Smart Hubs in the field, for continual service improvement.
Page 29
This is how the vendor manages the fleet of Smart Hubs
[Diagram: Smart Hub -> Register on boot -> Central Smart Hub repository]
Vendor’s central management portal for all Smart Hubs in the field.
Page 30
Bob registers his own personal account in the Smart Hub management portal.
Every customer has their own login.
Page 31
System Overview: Association
Page 33
A unique ID for the Smart Hub, assigned by the manufacturer.
Page 34
The Smart Hub has its own tiny web server on board.
Page 35
This ID is generated on the Smart Hub and shared with the user via the web browser.
The pairing code is also stored in the device shadow (IoT shadow).
Page 37
Checking the Pairing Secret
[Diagram: API Gateway -> AWS Lambda -> Amazon DynamoDB, with the IoT Device Shadow]
Inputs: Bob’s provided secret (913387) + Bob’s Cognito identity Id + Smart Hub identifier
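The check behind this slide is a small Lambda function, but its details decide whether the pairing step can be abused. The following is an added example, not the deck's own Lambda: an API Gateway proxy-integration handler that compares the secret Bob typed in with the pairing code the Smart Hub wrote into its device shadow, and records the association only on a match. Assumptions made for this example: the shadow field names ('pairingCode', 'pairingCodeExpires'), the association store, and the in-memory FakeBackend standing in for the IoT Data (shadow) and DynamoDB calls. The Cognito identity id is read from the request context that API Gateway populates for AWS_IAM-authorised calls, not from the request body, so the caller cannot name someone else's identity.

```python
"""Pairing-secret check for the Smart Hub association step.
Added example; shadow field names and backend are assumptions."""
import hmac
import json
import time


class FakeBackend:
    """Stands in for the IoT Data (shadow) and DynamoDB calls. Constructed
    sample state: one hub whose shadow reports a fresh pairing code."""

    def __init__(self, now=None):
        self.now = now or time.time
        self.shadows = {
            "hub-0001": {"state": {"reported": {
                "pairingCode": "913387",                          # the slide's secret
                "pairingCodeExpires": int(self.now()) + 300,      # assumed 5-minute validity
            }}},
        }
        self._associations = {}   # hub id -> Cognito identity id

    def get_shadow(self, hub_id):
        return self.shadows.get(hub_id)

    def get_owner(self, hub_id):
        return self._associations.get(hub_id)

    def put_association(self, hub_id, identity_id):
        self._associations[hub_id] = identity_id

    def clear_pairing_code(self, hub_id):
        # A used code is removed so the same secret cannot pair a second account.
        reported = self.shadows[hub_id]["state"]["reported"]
        reported.pop("pairingCode", None)
        reported.pop("pairingCodeExpires", None)


def _response(status, body):
    return {"statusCode": status,
            "headers": {"Content-Type": "application/json"},
            "body": json.dumps(body)}


def handler(event, context=None, backend=None):
    """Lambda entry point (API Gateway proxy integration)."""
    backend = backend or FakeBackend()
    # Identity comes from the authoriser, never from the caller-controlled body.
    identity_id = (event.get("requestContext", {}).get("identity", {})
                   .get("cognitoIdentityId"))
    if not identity_id:
        return _response(401, {"error": "unauthenticated"})
    try:
        body = json.loads(event.get("body") or "{}")
        hub_id, provided = str(body["hubId"]), str(body["secret"])
    except (KeyError, TypeError, ValueError):
        return _response(400, {"error": "hubId and secret are required"})

    reported = (backend.get_shadow(hub_id) or {}).get("state", {}).get("reported", {})
    expected = reported.get("pairingCode")
    expires = reported.get("pairingCodeExpires", 0)
    # One generic answer for unknown hub, missing or expired code and wrong
    # secret, so the response does not reveal which hub ids exist; the
    # comparison itself is constant-time.
    if (expected is None or backend.now() > expires
            or not hmac.compare_digest(str(expected).encode(), provided.encode())):
        return _response(403, {"error": "pairing failed"})
    owner = backend.get_owner(hub_id)
    if owner is not None and owner != identity_id:
        return _response(409, {"error": "hub already paired to another account"})
    backend.put_association(hub_id, identity_id)
    backend.clear_pairing_code(hub_id)   # codes are single use
    return _response(200, {"hubId": hub_id, "paired": True})


def make_event(identity_id, hub_id, secret):
    """Shape of an API Gateway proxy event for this call (constructed)."""
    event = {"body": json.dumps({"hubId": hub_id, "secret": secret})}
    if identity_id:
        event["requestContext"] = {"identity": {"cognitoIdentityId": identity_id}}
    return event


if __name__ == "__main__":
    backend = FakeBackend()
    print(handler(make_event("us-east-1:bob-identity-id", "hub-0001", "913387"), None, backend))
    print("owner:", backend.get_owner("hub-0001"))
```

A six-digit code is easy to guess if it lives forever, so the expiry and single-use handling matter as much as the comparison; in a deployed version the API Gateway stage throttle (or a per-hub attempt counter in the table) would bound guessing further.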
Page 38
Bob’s Smart Hub is now registered against his account.
Page 39
System Overview: Discovery
Page 40
[Diagram: Bob; connected appliances]
Page 41
Bluetooth Low Energy (BLE) advertisements are used for discovery and proximity detection.
Page 42
System Overview: Publication
Page 43
List of nearby appliances published by the Smart Hub.
Page 44
[Diagram: IoT shadow, AWS IoT]
Device shadow keeps the last-known state of the Smart Hub and all the appliances.
Page 45
System Overview: Connection
Page 46
Bob clicks on his Smart Hub in the web portal to view more information.
Page 48
[Diagram: Bob; IoT shadow; AWS IoT; MQTT; Appliance "aabbccdd"; Amazon API Gateway; AWS Lambda]
Page 50
System Overview: Display
Page 52
[Diagram: AWS IoT; WebSockets connection between AWS IoT and the browser]
Bob sees the Kettle telemetry on the web portal via the Smart Hub and AWS IoT; he does not directly connect to the Kettle or Smart Hub!
Page 53
How we Would do this Before AWS IoT
[Diagram: Smart Hub -> BLE detections to Kinesis stream -> Amazon Kinesis -> Kinesis records to Lambda function -> AWS Lambda -> Amazon DynamoDB -> Companion Web Application; Companion Web Application -> Amazon SQS (appliances listing; connect & control commands) -> Smart Hub -> MQTT / BLE -> Kettle Appliance]
• Smart Hub would need credentials to connect to the Kinesis & SQS HTTP APIs
• Heavy-weight protocols
• Inbound control channel requires constant polling
Page 54
Architecture with AWS IoT
[Diagram: Kettle Appliance and Toaster Appliance -> BLE -> Smart Hub -> MQTT -> AWS IoT (IoT Device Shadow) -> MQTT -> Companion Web Application; Amazon Cognito; Amazon API Gateway -> AWS Lambda -> Amazon DynamoDB; AWS Lambda]
Page 55
Smart Hub Appliance System: Walkthrough
Page 56
EROAD: Road tolling IoT platform on AWS
Jarred Clayton, EVP Engineering
[email protected]
Page 57
About EROAD
• World first GPS-based road user charging system in New Zealand
• Operations in New Zealand, Australia, Oregon, Washington & Idaho
• Sole heavy vehicle technology supplier for California Road User Charge Pilot
• 37,000 units across three countries
Page 58
EROAD Services
Road User Charging
  ‐ Electronic distance recorder
  ‐ Electronic RUC purchase and management
  ‐ Off road claims
Compliance
  ‐ Vehicle compliance
  ‐ Driver compliance
  ‐ Fleet compliance
Commercial
  ‐ Tracking
  ‐ Fuel management
  ‐ Driver behaviour
  ‐ Fleet productivity
Page 59
Architecture Overview
Page 60
Ehubo2 (OBU “thing”) Architecture Overview
Page 61
Event Solution
Page 62
AWS IoT and EROAD
• EROAD investigated IoT after release in 2015
• Key motivator is the device shadow for:
  • simplified handling of outbound messages
  • simplified handling of ‘thing’ configuration changes
• Why haven’t we moved yet?
  • Not yet available in Sydney
  • Authentication options were too limited at time of initial review (resolved or being resolved)
  • Expense of migration from custom implementation
  • Data consumption vs custom protocol unclear, data expensive. Research effort time consuming.
Page 63
IoT Vehicle Hub using BLE
Page 64
Numbers
2,678 peak events per second
37,000 units
80 R&D staff
$1B RUC collected in NZ
~800M events per month
60kb/s event traffic
4.9M km tracked daily
600 steady events per second
Page 65
Page 66
AWS Training & Certification
Intro Videos & Labs: Free videos and labs to help you learn to work with 30+ AWS services – in minutes!
Training Classes: In-person and online courses to build technical skills – taught by accredited AWS instructors
Online Labs: Practice working with AWS services in a live environment – learn how related services work together
AWS Certification: Validate technical skills and expertise – identify qualified IT talent or show you are AWS cloud ready
Learn more: aws.amazon.com/training
Page 67
Your Training Next Steps:
• Visit the AWS Training & Certification pod to discuss your training plan & AWS Summit training offer
• Register & attend AWS instructor led training
• Get Certified
AWS Certified? Visit the AWS Summit Certification Lounge to pick up your swag
Learn more: aws.amazon.com/training