getting started with aws iot
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
John Chang 張書源
Ecosystem Solutions Architect
May 2016
Getting started with AWS IoT services
Things are NOT static assets
AWS IoT
new: EU (Frankfurt) Region Available
US-EAST (N. Virginia)
US-WEST (Oregon)
EU (Dublin)
* EU (Frankfurt)
Asia Pacific (Tokyo)
Routing noise
Device Gateway
Publish / Subscribe
Standard Protocol Support
MQTT, HTTP, WebSockets
Long Lived Connections
Receive signals from the cloud
Secure by Default
Connect securely via X509 Certs
and TLS 1.2 Client Mutual Auth
Sensor messages
Standard protocol support
MQTT, HTTP, WebSockets
Topic/channel
Message routing hierarchy
Control over full tree
Payload (JSON)
Customer-defined JSON payload
Finding the signals
Extracting the value from messages
• Filter messages with certain criteria
• Move messages to other topics
• Move messages to other systems
• Transform the payload of messages
• Predict messages based on trends
• React based on messages
Rules Engine
AWS IoT SQL reference
SELECT DATA FROM TOPIC WHERE FILTER
• Like scanning a database table
• Default source is an MQTT topic
EXAMPLES:
• FROM mqtt('my/topic')
• FROM mqtt('my/wildcard/+/topic')
• FROM ('my/topic')
Rules engine
• Familiar SQL syntax
• SELECT * FROM topic WHERE filter
• Functions
• String manipulation (regex support)
• Mathematical operations
• Context based helper functions
• Crypto support
• UUID, timestamp, rand, etc.
• Execute simultaneous actions
new: Rules engine features
• Versioning
• 2016-10-08 – Original version
• 2016-03-23-beta – Beta version released on specific date
• beta – Latest beta version (breaking changes!)
• lts – Latest long-term support version, automatically updated
{
  "sql": "expression",
  "ruleDisabled": false,
  "awsIotSqlVersion": "2015-03-23-beta",
  "actions": [{
    "republish": {
      "topic": "my-mqtt-topic",
      "roleArn": "arn:aws:iam::123456789012:role/my-iot-role"
    }
  }]
}
new: Rules engine features
• JSON collections
• get(array, int) – get item at index of array
• get(string, int) – get character at position of string
• get(object, key) – get value of key
• SUB SELECT from collections
• SELECT (SELECT v FROM e WHERE n = 'temperature') AS temperature FROM 'topic'
new: Elasticsearch Integration
new: Predict Function
Basic flow for using prediction
• Generate data
• Use AWS IoT rule to forward to S3
• Build your Amazon Machine Learning model using the S3 data source
• Enable real-time predictions in Amazon ML
• Use an AWS IoT rule to validate the predicted value from the real-time prediction endpoint in Amazon ML
• Add other actions
Predictive Maintenance blog:
http://bit.ly/aws-iot-aml-blog
AWS IoT device shadow
AWS IoT Device Shadow
1. Device publishes current state
2. Persist JSON data store
3. App requests device’s current state
4. App requests a change to the state
5. Device shadow syncs the updated state
6. Device publishes current state
7. Device shadow confirms the state change
AWS IoT device shadow flow
AWS IoT device shadow: Simple yet powerful
{
  "state": {
    "desired": {
      "lights": { "color": "RED" },
      "engine": "ON"
    },
    "reported": {
      "lights": { "color": "GREEN" },
      "engine": "ON"
    },
    "delta": {
      "lights": { "color": "RED" }
    }
  },
  "version": 10
}
Device
Report its current state to one or multiple shadows
Retrieve its desired state from shadow
Mobile App
Set the desired state of a device
Get the last reported state of the device
Delete the shadow
Shadow
Shadow reports delta, desired, and reported states along with metadata and version
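The delta and version behaviour described on the shadow slides, as an added Python model (not the AWS IoT service code and not from the slides): the shadow document is constructed to match the slide's example, `compute_delta` derives the delta section from desired and reported, and `apply_update` shows the version check that rejects a stale writer.

```python
import copy

# Constructed shadow document in the shape of the slide's example.
SHADOW = {
    "state": {
        "desired": {"lights": {"color": "RED"}, "engine": "ON"},
        "reported": {"lights": {"color": "GREEN"}, "engine": "ON"},
    },
    "version": 10,
}

def compute_delta(desired, reported):
    """Part of `desired` that `reported` does not yet satisfy; nested objects
    are compared recursively and an empty result means the device is in sync."""
    delta = {}
    for key, want in desired.items():
        have = reported.get(key)
        if isinstance(want, dict) and isinstance(have, dict):
            sub = compute_delta(want, have)
            if sub:
                delta[key] = sub
        elif want != have:
            delta[key] = want
    return delta

def _merge(dst, src):
    # Shadow updates merge JSON: nested objects merge, null removes a key.
    for key, value in src.items():
        if value is None:
            dst.pop(key, None)
        elif isinstance(value, dict) and isinstance(dst.get(key), dict):
            _merge(dst[key], value)
        else:
            dst[key] = value

def apply_update(shadow, update, expected_version=None):
    """Apply an update message (desired from the app, reported from the device)
    and recompute delta. A writer whose expected_version is not the shadow's
    current version is rejected, so a stale app or device cannot clobber newer state."""
    if expected_version is not None and expected_version != shadow["version"]:
        raise ValueError("version conflict: shadow is at %d" % shadow["version"])
    new = copy.deepcopy(shadow)
    for section in ("desired", "reported"):
        if section in update.get("state", {}):
            _merge(new["state"].setdefault(section, {}), update["state"][section])
    new["state"]["delta"] = compute_delta(new["state"].get("desired", {}), new["state"].get("reported", {}))
    new["version"] += 1
    return new
```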
Security
AWS security operating principles
Separation of duties
Different personnel across service lines
Least privilege
Securing devices
TLS mutual authentication
• Create CSR
• Create X.509 certificate from CSR
• Activate the certificate
• Create policy
• Attach policy to certificate
* Certificate must be issued by AWS IoT
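The five provisioning steps above as an added Python/boto3 example (not from the slides or from the AWS SDK samples). The device generates its key pair and CSR locally so the private key never leaves it; the topic layout, thing name and policy naming are assumptions, and the `iot` argument may be any object with the same three methods so the flow can be checked without the service.

```python
import json

def device_policy(region, account, thing_name):
    """Least-privilege policy for one device, in the slide's topic-ARN form:
    it may publish only to its own telemetry topic (assumed layout) and nothing else."""
    arn = "arn:aws:iot:%s:%s:topic/devices/%s/telemetry" % (region, account, thing_name)
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": ["iot:Publish"], "Resource": [arn]}]}

def provision(iot, csr_pem, region, account, thing_name):
    """The slide's sequence: certificate issued from the device's CSR and activated
    at creation (setAsActive), then a policy created and attached to that certificate.
    `iot` is a boto3 IoT client or a test double exposing the same three methods."""
    cert = iot.create_certificate_from_csr(certificateSigningRequest=csr_pem, setAsActive=True)
    policy_name = "%s-publish" % thing_name  # hypothetical naming convention
    iot.create_policy(policyName=policy_name,
                      policyDocument=json.dumps(device_policy(region, account, thing_name)))
    iot.attach_policy(policyName=policy_name, target=cert["certificateArn"])
    return cert["certificateArn"], policy_name

if __name__ == "__main__":
    import boto3  # only needed for a real run against the service
    with open("device.csr") as f:  # CSR generated on the device (e.g. openssl req -new)
        csr = f.read()
    client = boto3.client("iot", region_name="us-east-1")
    print(provision(client, csr, "us-east-1", "123456789012", "thing-01"))
```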
new: Bring your own certificate
• Use certificates issued by your own CA
• Existing certificate issuance infrastructure
• Use certificates already on board
• Limited Internet connectivity from assembly/manufacturing locations
• Seamless provisioning of devices
• 8 new API calls to support management of certificates
Example publish/subscribe policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish"
      ],
      "Resource": [
        "arn:aws:iot:us-east-1:123456789012:topic/foo"
      ]
    },
    {
      "Effect": "Deny",
      "Action": [
        "iot:Subscribe"
      ],
      "Resource": [
        "arn:aws:iot:us-east-1:123456789012:topic/bar"
      ]
    }
  ]
}
Allow access to topic/foo
Deny access to topic/bar
AWS IoT policies
• Effect
• Allow or Deny
• Action
• "iot:Publish" - MQTT publish
• "iot:Subscribe" - MQTT subscribe
• "iot:UpdateThingShadow" - Update a thing shadow
• "iot:GetThingShadow" - Retrieve a thing shadow
• "iot:DeleteThingShadow - Delete a thing shadow
• Resource
• Client
• Topic ARN or topic filter ARN
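To make the Effect/Action/Resource semantics of the policy slides concrete, here is an added Python model (not AWS's implementation and not from the slides) of how the statements of one or more policies attached to a certificate combine: any matching explicit Deny wins, otherwise a matching Allow grants, otherwise the request is denied by default. The policy document is constructed in the shape of the slide's example and keeps its topic ARNs; `*` and `?` act as IAM-style wildcards.

```python
import fnmatch
import json

# Constructed policy in the shape of the slide's example: publish to topic/foo
# is allowed, subscribe to topic/bar is explicitly denied, nothing else is granted.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["iot:Publish"],
     "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/foo"]},
    {"Effect": "Deny", "Action": ["iot:Subscribe"],
     "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/bar"]}
  ]
}""")

def topic_arn(topic, region="us-east-1", account="123456789012"):
    # ARN form used on the slide: arn:aws:iot:<region>:<account>:topic/<topic>
    return "arn:aws:iot:%s:%s:topic/%s" % (region, account, topic)

def _matches(value, patterns):
    # Action/Resource may be a string or a list; '*' and '?' are IAM-style wildcards.
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def evaluate(policies, action, resource_arn):
    """Decide one request against every statement of every attached policy.

    Simplified model of the IAM/IoT rule set: any matching Deny wins,
    otherwise any matching Allow grants, otherwise the default is deny.
    Returns True when the request is permitted."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(action, stmt["Action"]) and _matches(resource_arn, stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return False  # explicit deny short-circuits everything else
            allowed = True
    return allowed
```

The Deny on topic/bar looks redundant while the slide's policy stands alone (nothing grants subscribe anyway), but it is what keeps a second, broader policy attached to the same certificate from opening that topic.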
Securing AWS resource access
Creating the trust relationship with AWS IoT
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "iot.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Securing user access
• WebSockets support Signature Version 4
authentication
• IAM roles and policies
• Amazon Cognito identity pools
• Anonymous access to iot:Subscribe
• Use your own application-level authentication patterns
Device SDKs
Device SDK support
• Based on open standards like Eclipse Paho
• C
• Arduino (Yun)
• iOS (Swift)
• Android
• WebSocket support
• NodeJS
• JS SDK for statically hosted site (WebSockets)
Summary
• AWS IoT
• New Region launch (EU – Frankfurt)
• New Rules engine features
• Elasticsearch
• Amazon ML prediction function
• New Bring your own certificates
Same room after this:
Building end-to-end AWS IoT Solutions next!
Thank you