AWS IoT - Coggle Diagram
AWS IoT
IoT Overview
Device Management
Device Management - A device registry for bulk registration, organizing devices into groups, securely sending over-the-air (OTA) firmware updates
Device Defender - Managed security service that continually audits IoT configurations. Uses ML anomaly detection to publish alerts in response to device behavior
Device Connection
AWS IoT Core - routes IoT messages at scale (trillions of messages)
- Ingest messages from IoT devices
- Publish messages to your devices
- Enable connections to/from AWS services
- Supports devices & clients that use:
- MQTT and MQTT over WebSocket Secure to publish and subscribe to messages
- HTTPS to publish messages
AWS IoT Events - triggers alerts when events occur
- Monitor sensor data from your IoT devices
- Define condition logic to determine when alarms should be triggered
- Detect and trigger events
AWS IoT 1-Click - simple integration for compatible devices (e.g. the Dash 1-Click button)
- Directly trigger Lambda from 1-Click compatible devices
- Compatible devices are pre-provisioned with certificates for secure access
- Manage and group 1-Click devices
AWS IoT Things Graph - develop models (workflows) that integrate devices and web services
- Similar to Step Functions: lets you design workflows graphically (low code)
- Save device types and groups of services as reusable models
IoT Greengrass - build IoT device software
- Install Greengrass client on your devices
- Deploy Lambda functions, Docker images or ML models for local inference
- Exchange data with IoT Core or other AWS services
AWS IoT Core
AWS IoT Core Security
Authentication
Server Authentication
When your device or other client attempts to connect to AWS IoT Core, the AWS IoT Core server sends an X.509 certificate that your device uses to authenticate the server, just as your browser authenticates a website
When your devices or other clients establish a TLS connection to an AWS IoT Core endpoint, AWS IoT Core presents a certificate chain that the devices use to verify that they're communicating with AWS IoT Core and not another server impersonating AWS IoT Core
Use the iot:Data-ATS (Amazon Trust Services) endpoint; the AWS IoT Core server authentication certificates it presents are signed by the Starfield Root CA
Client Authentication
X.509 certificates provide AWS IoT with the ability to authenticate client and device connections. Client certificates must be registered with AWS IoT before a client can communicate with AWS IoT
AWS recommends that each device or client be given a unique certificate, which enables fine-grained client management actions (e.g. revoking one device without affecting the rest)
AWS IoT supports these types of X.509 client certificates:
- X.509 certificates generated by AWS IoT (the default option: AWS IoT provides client certificates signed by the Amazon Root certificate authority (CA))
- X.509 certificates signed by a CA registered with AWS IoT
- X.509 certificates signed by a CA that is not registered with AWS IoT
Devices or other clients authenticate themselves with AWS IoT. Some options are available:
- X.509 Certificates (best for devices)
- IAM users, groups, and roles (dev/test phase, or if you need to make API calls or use WebSockets)
- Amazon Cognito identities (best for mobile devices)
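The two halves of the TLS handshake described above (server authentication against a trusted root and client authentication with the device's X.509 certificate) map directly onto a client-side TLS configuration. The following is an added example, not code from the diagram or from the AWS SDKs; the endpoint name pattern, the certificate file paths and the sample hostnames are assumptions, and port 8883 is the standard MQTT-over-TLS port AWS IoT Core uses.

```python
import re
import socket
import ssl

# MQTT over TLS with X.509 client authentication uses port 8883 on AWS IoT Core.
IOT_MQTT_TLS_PORT = 8883

# Assumed shape of an iot:Data-ATS endpoint: <prefix>-ats.iot.<region>.amazonaws.com
_ATS_ENDPOINT = re.compile(r"[a-z0-9]+-ats\.iot\.[a-z0-9-]+\.amazonaws\.com")


def is_ats_endpoint(hostname):
    """True when the hostname is an -ats data endpoint (Amazon Trust Services chain)."""
    return _ATS_ENDPOINT.fullmatch(hostname) is not None


def build_iot_tls_context(ca_path=None, cert_path=None, key_path=None):
    """Client TLS context for an AWS IoT Core data endpoint.

    Server authentication: the server's chain is verified against the roots in
    ca_path (e.g. a downloaded root CA file; the system trust store when None)
    and the certificate's name must match the endpoint we dialled.
    Client authentication: when a device certificate and private key are given
    they are loaded, so the handshake presents them (mutual TLS).
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=ca_path)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse legacy protocol versions
    ctx.check_hostname = True                       # name in cert must match endpoint
    ctx.verify_mode = ssl.CERT_REQUIRED             # unverifiable server chain = abort
    if cert_path and key_path:
        ctx.load_cert_chain(certfile=cert_path, keyfile=key_path)
    return ctx


def context_settings(ctx):
    """Report the settings that decide whether server authentication is enforced."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


def connect_and_inspect(endpoint, ctx, port=IOT_MQTT_TLS_PORT, timeout=10):
    """Open the TLS connection and return the negotiated protocol version and
    the issuer of the server certificate (needs network access; not run offline)."""
    with socket.create_connection((endpoint, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=endpoint) as tls:
            cert = tls.getpeercert()
            issuer = dict(rdn[0] for rdn in cert["issuer"])
            return {"tls_version": tls.version(), "issuer": issuer}


if __name__ == "__main__":
    # Assumed paths: the device certificate and key issued for this device
    # and the root CA file used to verify the AWS IoT Core server chain.
    ctx = build_iot_tls_context("AmazonRootCA1.pem", "device.pem.crt", "device.private.key")
    print(context_settings(ctx))
```

A context built without `cert_path`/`key_path` still authenticates the server but cannot authenticate the client, which is the situation the diagram's "client authentication" branch exists to prevent; for a real device both halves are needed before the broker will accept the MQTT CONNECT.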
Authorization
Authorization is the process of granting permissions to an authenticated identity. You grant permissions in AWS IoT Core using AWS IoT Core policies and IAM policies
Both AWS IoT Core policies and IAM policies are used with AWS IoT Core to control the operations an identity (also called a principal) can perform. The policy type you use depends on the type of identity you are using to authenticate with AWS IoT Core.
AWS IoT Core operations are divided into two groups:
- Control plane API allows you to perform administrative tasks like creating or updating certificates, things, rules, and so on
- Data plane API allows you to send data to and receive data from AWS IoT Core
With MQTT over TLS you can only work with:
- AWS IoT Device SDK
- IoT Core policy
- data plane API
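An AWS IoT Core policy is the document that decides which data plane operations (connect, publish, subscribe, receive) a certificate-authenticated device may perform. The following added example, not code from the diagram or from AWS, contrasts a permissive policy with a least-privilege one and runs both through a simplified evaluator (explicit Deny wins, otherwise default deny, `*` wildcard only) so the difference is visible on constructed requests. The account id, region, thing names and topic layout are constructed sample values; the `${iot:Connection.Thing.ThingName}` policy variable is a real IoT Core variable, and the evaluator assumes it stays unresolved (so matches nothing) when the certificate is not attached to a thing.

```python
import json
import re

# Constructed sample values used in the resource ARNs below (not real identifiers).
REGION = "us-east-1"
ACCOUNT = "123456789012"


def arn(kind, name):
    """Build a data-plane ARN such as arn:aws:iot:REGION:ACCOUNT:topic/devices/x."""
    return f"arn:aws:iot:{REGION}:{ACCOUNT}:{kind}/{name}"


# Weak policy: any authenticated certificate may do anything on the data plane.
PERMISSIVE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "iot:*", "Resource": "*"}
  ]
}""")

# Least-privilege policy: the client id must equal the thing name attached to
# the certificate, and publish/subscribe are limited to the thing's own topics.
LEAST_PRIVILEGE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "iot:Connect",
     "Resource": "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"},
    {"Effect": "Allow", "Action": "iot:Publish",
     "Resource": "arn:aws:iot:us-east-1:123456789012:topic/devices/${iot:Connection.Thing.ThingName}/telemetry"},
    {"Effect": "Allow", "Action": "iot:Subscribe",
     "Resource": "arn:aws:iot:us-east-1:123456789012:topicfilter/devices/${iot:Connection.Thing.ThingName}/commands"},
    {"Effect": "Allow", "Action": "iot:Receive",
     "Resource": "arn:aws:iot:us-east-1:123456789012:topic/devices/${iot:Connection.Thing.ThingName}/commands"}
  ]
}""")

_VAR = re.compile(r"\$\{([^}]+)\}")


def expand_variables(template, ctx):
    """Substitute ${iot:...} policy variables from the connection context.
    Unknown variables are left literal, so they can never match a real ARN."""
    return _VAR.sub(lambda m: ctx.get(m.group(1), m.group(0)), template)


def glob_match(pattern, value):
    """Wildcard match where '*' matches any run of characters (this toy
    matcher implements only '*', not the single-character '?' wildcard)."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_allowed(policy, action, resource, ctx):
    """Simplified policy evaluation: an explicit Deny wins, otherwise at least
    one matching Allow statement is required (default deny)."""
    allowed = False
    for st in policy["Statement"]:
        action_hit = any(glob_match(a.lower(), action.lower()) for a in _as_list(st["Action"]))
        resource_hit = any(glob_match(expand_variables(r, ctx), resource)
                           for r in _as_list(st["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def device_context(thing_name, client_id=None):
    """Connection context for a device whose certificate is attached to thing_name."""
    return {"iot:Connection.Thing.ThingName": thing_name,
            "iot:ClientId": client_id or thing_name}


if __name__ == "__main__":
    ctx = device_context("sensor-01")
    other = arn("topic", "devices/sensor-02/telemetry")
    for name, policy in [("permissive", PERMISSIVE_POLICY), ("least-privilege", LEAST_PRIVILEGE_POLICY)]:
        print(name, "publish to another device's topic:", is_allowed(policy, "iot:Publish", other, ctx))
```

With the permissive policy one compromised device certificate can publish to every device's topics and subscribe to `#`; the least-privilege policy confines it to its own `devices/<thing>/...` branch, and because the thing name comes from the certificate-to-thing attachment rather than from the client, a device cannot widen its own scope by choosing a different client id.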