IoT Connectivity and Security on the AWS Cloud

Quick Start Reference Deployment

QS

January 2022
David Johnsen and Prateek Prakash, AWS Professional Services team
Tony Bulding, AWS Integration & Automation team

Visit our GitHub repository for source files and to post feedback, report bugs, or submit feature ideas for this Quick Start.

This Quick Start was created by Amazon Web Services (AWS). Quick Starts are automated reference deployments that use AWS CloudFormation templates to deploy key technologies on AWS, following AWS best practices.

Overview

This Quick Start guide provides instructions for deploying AWS Internet of Things (AWS IoT) connectivity and security capabilities. The deployment uses preset configurations to help commercial and consumer-electronics companies set up and operate their fleet of IoT devices.

IoT Connectivity and Security on AWS

Getting started with AWS IoT, including implementing security features, is a complex process. This Quick Start reduces the complexity by automating the provisioning process and helping you secure your IoT devices for development, testing, and production. It sets up the following:

  • Just-in-time registration (JITR) of device certificates.

  • Device connectivity and messaging.

  • A web application used by consumers—the device purchasers—to activate and interact with their devices.

  • Device security auditing, monitoring, and anomaly mitigation.

AWS costs

You are responsible for the cost of the AWS services and any third-party licenses used while running this Quick Start. There is no additional cost for using the Quick Start.

The AWS CloudFormation templates for Quick Starts include configuration parameters that you can customize. Some of the settings, such as the instance type, affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you use. Prices are subject to change.

After you deploy the Quick Start, create AWS Cost and Usage Reports to deliver billing metrics to an Amazon Simple Storage Service (Amazon S3) bucket in your account. These reports provide cost estimates based on usage throughout each month and aggregate the data at the end of the month. For more information, see What are AWS Cost and Usage Reports?

Software licenses

No licenses are required to deploy this Quick Start.

Architecture

Deploying this Quick Start with default parameters builds the following IoT Connectivity and Security environment in the AWS Cloud.

Architecture
Figure 1. IoT IoT Connectivity and Security Quick Start architecture diagram

As shown in Figure 1, the Quick Start sets up the following:

  • AWS IoT Core, which enables registration, control, and data collection for IoT devices.

  • Lambda functions:

    • A JITR function that automatically registers and activates device certificates whenever you connect a device to AWS IoT for the first time. This function leaves the devices themselves inactive (not yet registered to an end user—the consumer or device purchaser).

    • A command-and-control function that updates device shadows.

    • A function that queries IoT devices and device telemetry.

  • Amazon DynamoDB, which stores device telemetry data and gives the web application access to this data.

  • AWS IoT Device Management, which organizes, monitors, and manages IoT things (devices registered in the AWS IoT registry). For example, you can use this service to assign devices to thing groups based on lifecycle stage—inactive, active, quarantine, and troubleshooting—and to attach IoT policies to each group.

  • AWS IoT Device Defender, which audits cloud-side device configurations against AWS security best practices. You can use this service to monitor device behaviors and respond to anomalies by using built-in mitigation actions. For example, you can move an IoT thing from the active group to the quarantine group. You can configure Device Defender to publish metrics, detect device-behavior anomalies, and send you alarms.

  • Amazon API Gateway, which provides endpoints that the web application connects to.

  • Amazon Cognito, which authenticates web-application users.

  • AWS CodeCommit, which holds the web-application repository.

  • AWS Amplify, which publishes the web-application webpages.

  • The web application, a Vue.js front end that consumers—the device purchasers—use to activate, control, and view telemetry data for their devices.

Planning the deployment

Specialized knowledge

This deployment requires a moderate level of familiarity with AWS services. If you’re new to AWS, see Getting Started Resource Center and AWS Training and Certification. These sites provide materials for learning how to design, deploy, and operate your infrastructure and applications on the AWS Cloud.

This deployment also assumes that you’re familiar with AWS IoT Core, Transport Layer Security (TLS), server- and client-authentication procedures, and installing device agents.

AWS account

If you don’t already have an AWS account, create one at https://aws.amazon.com by following the on-screen instructions. Part of the sign-up process involves receiving a phone call and entering a PIN using the phone keypad.

Your AWS account is automatically signed up for all AWS services. You are charged only for the services you use.

Technical requirements

Before you launch the Quick Start, review the following information and ensure that your account is properly configured. Otherwise, deployment might fail.

Resource quotas

If necessary, request service quota increases for the following resources. You might need to request increases if your existing deployment currently uses these resources and if this Quick Start deployment could result in exceeding the default quotas. The Service Quotas console displays your usage and quotas for some aspects of some services. For more information, see What is Service Quotas? and AWS service quotas.

Resource This deployment uses

AWS Amplify web applications

1

AWS Amplify branches

1

Amazon API Gateway gateway

1

REST APIs (application programming interfaces)

1

AWS CloudFormation stacks

15

AWS CodeCommit repositories

1

Amazon Cognito identity pools

1

Amazon Cognito identity pool roles

1

Amazon Cognito user pools

1

Amazon Cognito user-pool clients

1

Amazon DynamoDB tables

2

AWS Identity and Access Management (IAM) policies

27

IAM roles

19

AWS IoT audit configurations

1

AWS IoT policies

4

AWS IoT scheduled audits

1

AWS IoT Security Profiles

1

AWS IoT topic rules

2

AWS Lambda functions

11

AWS Lambda permissions

6

Amazon S3 buckets

3

Amazon Simple Notification Service (Amazon SNS) topics

1

Supported AWS Regions

For any Quick Start to work in a Region other than its default Region, all the services it deploys must be supported in that Region. You can launch a Quick Start in any Region and see if it works. If you get an error such as “Unrecognized resource type,” the Quick Start is not supported in that Region.

For an up-to-date list of AWS Regions and the AWS services they support, see AWS Regional Services.

Certain Regions are available on an opt-in basis. For more information, see Managing AWS Regions.

IAM permissions

Before launching the Quick Start, you must sign in to the AWS Management Console with IAM permissions for the resources that the templates deploy. The AdministratorAccess managed policy within IAM provides sufficient permissions, although your organization may choose to use a custom policy with more restrictions. For more information, see AWS managed policies for job functions.

Deployment options

This Quick Start has one deployment option. It uses a CloudFormation template to deploy the components of the IoT environment, including the web application.

Prepare your AWS account

Confirm that your AWS account has the permissions required to create the resources listed in the Resource quotas section of this guide.

Create JITR-ready device certificates

Any device certificate (client certificate) issued by your certificate authority (CA) can be registered with AWS IoT. For this Quick Start, you need to create JITR-ready device certificates, that is, certificates that will be automatically registered and activated whenever you connect the devices to AWS IoT for the first time. These are the main steps:

  1. Register your CA certificate with AWS IoT.

  2. Configure your CA certificate to support automatic registration of client certificates.

  3. For each IoT device, create a client certificate using your CA certificate. Use each device’s serial number for its common name.

  4. Install the client certificates on the devices.

For an example walkthrough, see Just-in-Time Registration of Device Certificates on AWS IoT. (This blog post includes creating a sample CA, which you don’t need to do when you already have a CA.)

For more details, see the related documentation:

Check your AWS Region

Within your chosen AWS Region, confirm the following:

  • This deployment does not already exist.

  • An audit configuration for AWS IoT Device Defender does not already exist.

Deployment steps

Confirm your AWS account configuration

  1. Sign in to your AWS account at https://aws.amazon.com with an IAM user role that has the necessary permissions. For more information, see Planning the deployment, earlier in this guide.

  2. Ensure that your AWS account is configured correctly, as discussed in the Technical requirements section.

Launch the Quick Start

Each deployment takes about 20 minutes to complete. This automated process includes creating the CloudFormation stack (10 minutes) and then deploying the web application (10 minutes).

Consider launching the Quick Start into a development or test environment before deploying a production workload.

  1. Sign in to your AWS account, and deploy the IoT Connectivity and Security Quick Start. (View the template.)

  2. Check the AWS Region displayed in the upper-right corner of the navigation bar, and change it if necessary. The template launches in the us-east-1 Region by default. For more information, see Supported AWS Regions earlier in this guide.

  3. On the Create stack page, keep the default setting for the template URL, and then choose Next.

  4. On the Specify stack details page, change the stack name if needed. Review the parameters for the template, and provide values for any parameters that require input. For all other parameters, review the default settings and customize them as necessary. When you finish reviewing and customizing the parameters, choose Next.

  5. On the Configure stack options page, you can specify tags (key-value pairs) for resources in your stack and set advanced options. When you finish, choose Next.

  6. On the Review page, review and confirm the template settings. Under Capabilities, select the two check boxes to acknowledge that the template creates IAM resources and might require the ability to automatically expand macros.

  7. Choose Create stack to deploy the stack.

  8. Monitor the status of the stack. When the status is CREATE_COMPLETE, the IoT Connectivity and Security deployment is ready.

  9. To view the created resources, see the values displayed in the Outputs tab for the stack.

Set up an account in the web application

As soon as the CloudFormation stack deployment is complete and the web application has been deployed in AWS Amplify, set up an account in the web application as follows:

  1. While you’re still in the CloudFormation console, under the Outputs tab, note the DefaultDomain value.

  2. Open the AWS Amplify console.

  3. Choose All apps, and then choose the web application (iotquickstart).

  4. Under the Frontend environments tab, choose the web application’s thumbnail. A browser tab opens with a sign-up page.

  5. Create an account using the DefaultDomain value you noted in Step 1.

  6. (Optional) Customize the web application so that it meets your business needs. For example, you might change the application name, create a banner, or set up a custom domain.

Test the deployment

Review the initial AWS IoT setup

  1. Open the AWS IoT console.

  2. Confirm that the thing groups were deployed in AWS IoT Device Management. To do this, at the left choose Manage, Thing groups. Under prebuilt thing, verify that groups appear with names containing Active, inactive, and Quarantine (for example, iotquickstart-Active, iotquickstart-inactive, and iotquickstart-Quarantine).

  3. Confirm that a daily audit was scheduled in AWS IoT Device Defender. To do this, choose Defend, Audit, Schedules. Verify that a file appears with a name containing dailyaudit (for example, dailyaudit-main). This audit checks the cloud-side device configurations against AWS security best practices.

  4. Confirm that a machine learning Detect (ML Detect) Security Profile was deployed. To do this, choose Defend, Detect, Security profiles. Verify that a file appears with a name containing SecurityProfile (for example, SecurityProfile-152920-main). The presence of this file tells you that device behavior is being monitored continuously.

Test the device-registration process

To test the device-registration process, you do two things: connect a device to AWS IoT and then activate the device, as described in the following sections.

Connect a device to AWS IoT

  1. Connect any device with a JITR-ready certificate to your account’s AWS IoT device data endpoint through AWS IoT Core. For details, see Connecting devices to AWS IoT.

    The Quick Start’s JITR Lambda function registers the device certificate with AWS IoT by doing the following on the backend:

    • Generates an IoT thing in the device registry using the common name (serial number) from the device certificate.

    • Attaches the certificate to the generated IoT thing.

    • Creates an AWS DynamoDB entry using the common name.

    • Adds the IoT thing to the <iotquickstart>-inactive group with limited permissions (where the bracketed text represents the web application’s name).

    • Activates the device certificate.

  2. Open the AWS IoT console.

  3. At the left, choose Manage, Things. Verify that the newly registered certificate’s serial number (common name) and group affiliation appear.

For more information on the JITR process, see Just-in-Time Registration of Device Certificates on AWS IoT.

Activate the device

Now that you’ve connected a device to AWS IoT, its certificate is registered and activated. However, the device itself (the IoT thing) is still inactive. To activate the device—which typically means to register it to the end user—use the web application as follows:

  1. Open the AWS Amplify console.

  2. At the left, choose All apps, and then choose the web application.

  3. Under the Frontend environments tab, choose the web application’s thumbnail.

  4. Log in with your account credentials. The Register Device page appears.

  5. Enter the serial number (common name) of the IoT device, and choose REGISTER DEVICE.

  6. At the left, choose Devices. On the My Devices page, verify that the device appears.

Postdeployment steps

(Optional) Migrate to a production environment

If you launched the Quick Start into a development or test environment and want to migrate to a production environment, follow these steps:

  1. Customize the web application so that it meets your business needs. For example, you might change the application name, create a banner, or set up a custom domain.

  2. Create and register device certificates at the expected rates so that you can validate the deployment’s processing rate and scale. For more information, see AWS IoT Core service quotas.

  3. Change quotas or update your resource configuration as needed for your production use case.

(Optional) Clean up your development or test environment

When you no longer need the resources deployed by this Quick Start, clean up your development or test environment as follows:

  1. Open the AWS Amplify console, and delete the web application.

  2. Open the AWS CloudFormation console, and delete the stacks associated with this Quick Start.

FAQ

Q. How do I anticipate incurred AWS service charges when using this Quick Start, if I am going to be registering a large quantity of devices?

A. This deployment incurs costs for multiple AWS services. For cost estimates, see the following pricing pages for each AWS service you use. Prices are subject to change.

For more information, see AWS costs, earlier in this guide.


Q. I encountered a CREATE_FAILED error when I launched the Quick Start.

A. If AWS CloudFormation fails to create the stack, do the following:

  • Confirm that the stack is not already deployed in your selected Region.

  • Verify that the audit configuration for AWS IoT Device Defender is not already set up in your selected Region.

  • Confirm that you registered your CA certificate and that the correct identifier is listed for the parameter CACertificateID in the AWS CloudFormation template. For more information, see Register your CA certificate.


Q. I encountered a size-limitation error when I deployed the AWS CloudFormation templates.

A. Launch the Quick Start templates from the links in this guide or from another Amazon S3 bucket. If you deploy the templates from a local copy on your computer, or from a location other than an S3 bucket, you might encounter template-size limitations. For more information, see AWS CloudFormation quotas.

Customer responsibility

After you successfully deploy this Quick Start, confirm that your resources and services are updated and configured — including any required patches — to meet your security and other needs. For more information, see the AWS Shared Responsibility Model.

Send us feedback

To post feedback, submit feature ideas, or report bugs, use the Issues section of the GitHub repository for this Quick Start. To submit code, see the Quick Start Contributor’s Guide.

Quick Start reference deployments

GitHub repository

Visit our GitHub repository to download the templates and scripts for this Quick Start, to post your comments, and to share your customizations with others.


Notices

This document is provided for informational purposes only. It represents AWS’s current product offerings and practices as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of AWS’s products or services, each of which is provided “as is” without warranty of any kind, whether expressed or implied. This document does not create any warranties, representations, contractual commitments, conditions, or assurances from AWS, its affiliates, suppliers, or licensors. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.

The software included with this paper is licensed under the Apache License, version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at http://aws.amazon.com/apache2.0/ or in the accompanying "license" file. This code is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either expressed or implied. See the License for specific language governing permissions and limitations.