Connecting devices to the cloud is one of the basic ideas behind the Internet of Things, so support for IoT devices is an important feature for any cloud service provider. In AWS, this is the job of the AWS IoT family of services, with AWS IoT Core as the entry point for devices.
What services does AWS IoT provide?
Connectivity
Cloud connectivity is the core function of any IoT device. Several lightweight messaging protocols are popular in IoT solutions, including CoAP, ZeroMQ, and MQTT, and it is MQTT that AWS IoT Core uses. Amazon provides the cloud endpoint, and our role is to implement the device side as an MQTT client over TLS (port 8883, or port 443 with the x-amzn-mqtt-ca ALPN protocol where 8883 is blocked). There is also an HTTPS API, but it only lets a device publish messages; subscribing requires MQTT.
Device-side SDK coverage for AWS IoT is thinner than for most other services: the official AWS IoT Device SDKs exist for a handful of languages (C, Embedded C, Python, JavaScript, Java), so there may not be one for the language or platform we use. That is not a problem, though, because the functions offered over MQTT are simple (connect, publish, subscribe on well-known topics) and any MQTT 3.1.1 client that supports TLS with client certificates can handle them.
For the backend side, however, there is a regular AWS API, with SDK and console support.
Authentication
Unlike web applications or mobile apps, IoT devices have no way for a user to type in access credentials; a small device cannot prompt for a username and password. So there must be another way to authenticate.
First of all, in IoT solutions it is the device, not the user, that authenticates to the system, so the device needs a way to prove its identity. The solution is public-key cryptography, specifically mutual TLS (mTLS). The device holds a private key and an X.509 certificate; the certificate is registered and activated in AWS IoT and attached to a policy. During the TLS handshake the device presents the certificate, and AWS IoT verifies it and identifies the device by it. (AWS IoT Core also supports SigV4 with IAM credentials and custom authorizers, but for devices the certificate is the usual choice.)
But how exactly is the device registered? Usually, when you buy an IoT device, you need to do a first-time setup. It typically means that you connect to it using Bluetooth or USB, select the WiFi network, log in using your credentials, and in the end, the device is registered to the cloud. In the case of AWS, this means creating a key pair and certificate for the device: either AWS IoT generates both for you, or the device generates the key itself and you submit a certificate signing request, so the private key never leaves the device. There are many ways to store the private key, and the best practice is hardware-based: a secure element or TPM that performs the TLS handshake signature internally, so the key cannot be copied off the device even if the firmware is compromised.
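The connectivity and authentication parts above come together in a surprisingly small amount of device-side code. The following is an added example, not code from the original post or from AWS: it builds an MQTT 3.1.1 CONNECT packet by hand and sends it over an mTLS session using only the Python standard library, so you can see exactly what a device needs. The endpoint name, file names and thing name are placeholders; the network call needs real credentials, while the packet builder and CONNACK parser work offline.

```python
"""Device-side connect to AWS IoT Core: mTLS plus a hand-rolled MQTT 3.1.1 CONNECT.
Standard library only, so it runs on anything with Python and OpenSSL."""
import socket
import ssl
import struct

MQTT_CONNECT = 0x10   # packet type CONNECT, flags 0
MQTT_CONNACK = 0x20   # packet type CONNACK
PROTOCOL_LEVEL = 4    # MQTT 3.1.1
CLEAN_SESSION = 0x02  # connect flag; username/password bits stay clear


def encode_string(value: str) -> bytes:
    """MQTT UTF-8 string: 2-byte big-endian length followed by the bytes."""
    data = value.encode("utf-8")
    return struct.pack("!H", len(data)) + data


def encode_remaining_length(length: int) -> bytes:
    """MQTT variable-length integer: 7 bits per byte, high bit means 'more'."""
    out = bytearray()
    while True:
        byte, length = length % 128, length // 128
        if length:
            byte |= 0x80
        out.append(byte)
        if not length:
            return bytes(out)


def build_connect_packet(client_id: str, keep_alive: int = 60) -> bytes:
    """CONNECT with clean session and no credentials in the payload: with mTLS
    the device's identity is its client certificate, so nothing secret travels
    inside the MQTT stream. AWS IoT expects client_id to equal the thing name
    when policies use ${iot:Connection.Thing.ThingName}."""
    variable_header = (
        encode_string("MQTT")
        + bytes([PROTOCOL_LEVEL, CLEAN_SESSION])
        + struct.pack("!H", keep_alive)
    )
    body = variable_header + encode_string(client_id)
    return bytes([MQTT_CONNECT]) + encode_remaining_length(len(body)) + body


def parse_connack(packet: bytes) -> int:
    """Return the CONNACK return code; 0 means the broker accepted us."""
    if len(packet) < 4 or packet[0] != MQTT_CONNACK or packet[1] != 2:
        raise ValueError("not a CONNACK packet")
    return packet[3]


def aws_iot_tls_context(ca_path: str, cert_path: str, key_path: str) -> ssl.SSLContext:
    """Verify the endpoint against the Amazon root CA and present the device
    certificate and key (mTLS). AWS IoT requires TLS 1.2 or newer."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_path)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=cert_path, keyfile=key_path)
    return ctx


def connect(endpoint: str, client_id: str, ca_path: str, cert_path: str,
            key_path: str, port: int = 8883) -> int:
    """Open the mTLS session, send CONNECT and return the CONNACK return code.
    Needs network access and real credentials; not exercised offline."""
    ctx = aws_iot_tls_context(ca_path, cert_path, key_path)
    with socket.create_connection((endpoint, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=endpoint) as tls:
            tls.sendall(build_connect_packet(client_id))
            return parse_connack(tls.recv(4))


if __name__ == "__main__":
    # Hypothetical endpoint and file names; replace them with your own.
    code = connect("abc123-ats.iot.eu-west-1.amazonaws.com", "thing-01",
                   "AmazonRootCA1.pem", "thing-01.crt", "thing-01.key")
    print("CONNACK return code:", code)
```

Two details matter for security here: `create_default_context` keeps hostname checking and certificate verification on, so a network attacker cannot impersonate the endpoint, and the CONNECT packet carries no password, so a captured MQTT stream (say, from a debugging proxy with the CA replaced) contains nothing reusable. When the private key lives in a secure element, only `load_cert_chain` changes: the key is supplied through an OpenSSL engine or PKCS#11 provider instead of a file.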
Authorization
As elsewhere in AWS, authorization is policy-based, but devices are not IAM principals: AWS IoT Core has its own policies, written in the same JSON format as IAM policies and attached to the device certificate. Technically, devices operate by exchanging messages on MQTT topics, so a device policy focuses on which client id the device may connect with (iot:Connect) and which topics it may publish to (iot:Publish), subscribe to (iot:Subscribe) and receive messages on (iot:Receive). Policy variables such as ${iot:Connection.Thing.ThingName} let one policy document scope every device to its own topics.
A message from the device can lead to a chain of events in the backend, and each step of that chain has its own policy: a rule that forwards the message to another AWS service, for example, runs under an IAM role that you grant it. The same pattern applies when sending messages to devices.
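To make the device-policy model concrete, here is an added example (not from the original post, and not AWS's policy engine) that puts a least-privilege AWS IoT policy next to the wildcard policy found in many tutorials, and evaluates both offline with a small IAM-style matcher. The region, account id and thing names are constructed. Note that AWS only fills in ${iot:Connection.Thing.ThingName} when the certificate is attached to the thing and the device connects with the thing name as its client id; this evaluator simply assumes that precondition holds.

```python
"""Offline check of an AWS IoT Core policy: which MQTT actions a given thing
may perform. Constructed policies; the matcher approximates AWS semantics."""
import re

REGION, ACCOUNT = "eu-west-1", "123456789012"   # constructed values
THING_VAR = "${iot:Connection.Thing.ThingName}"


def arn(kind: str, name: str) -> str:
    """Build an AWS IoT resource ARN: kind is client, topic or topicfilter."""
    return f"arn:aws:iot:{REGION}:{ACCOUNT}:{kind}/{name}"


# Least privilege: each thing may only connect as itself and use its own topics.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect",
         "Resource": arn("client", THING_VAR)},
        {"Effect": "Allow", "Action": "iot:Publish",
         "Resource": arn("topic", f"devices/{THING_VAR}/telemetry")},
        {"Effect": "Allow", "Action": "iot:Subscribe",
         "Resource": arn("topicfilter", f"devices/{THING_VAR}/commands")},
        {"Effect": "Allow", "Action": "iot:Receive",
         "Resource": arn("topic", f"devices/{THING_VAR}/commands")},
    ],
}

# The weak setting: any action on any resource, so one compromised device can
# read and spoof every other device's topics.
WILDCARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iot:*", "Resource": "*"}],
}


def as_list(value):
    """Policy fields may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def wildcard_match(pattern: str, value: str) -> bool:
    """IAM-style matching: '*' is any run of characters, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def is_allowed(policy: dict, thing_name: str, action: str, resource: str) -> bool:
    """Default deny; an explicit Deny wins over any Allow, as in IAM."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(wildcard_match(a, action) for a in as_list(stmt["Action"])):
            continue
        resources = [r.replace(THING_VAR, thing_name) for r in as_list(stmt["Resource"])]
        if not any(wildcard_match(r, resource) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def has_star_resource(policy: dict) -> bool:
    """Audit check: flag Allow statements that grant an action on every resource."""
    return any(stmt["Effect"] == "Allow" and "*" in as_list(stmt["Resource"])
               for stmt in policy["Statement"])


if __name__ == "__main__":
    own = arn("topic", "devices/thing-01/telemetry")
    other = arn("topic", "devices/thing-02/telemetry")
    for name, policy in (("least-privilege", LEAST_PRIVILEGE_POLICY),
                         ("wildcard", WILDCARD_POLICY)):
        print(name, "| own topic:", is_allowed(policy, "thing-01", "iot:Publish", own),
              "| other thing's topic:", is_allowed(policy, "thing-01", "iot:Publish", other),
              "| star resource:", has_star_resource(policy))
```

The same matcher shows why `iot:Subscribe` and `iot:Receive` are separate actions: a subscription to `devices/+/commands` (MQTT wildcard) is refused under the least-privilege policy because the topic filter ARN does not match the thing's own filter, while the wildcard policy accepts it and would hand one device every other device's command stream.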
Backend Solutions
As I mentioned before, many things can happen in the backend once a message arrives. Most of them are handled by specialized AWS IoT services: managing device configuration, monitoring device state, triggering actions in other AWS services, and managing the software installed on devices. I will explore these functions in future posts in this blog series.
Bonus: using TLS certificates to authenticate to other services
Typically, when we develop applications using AWS, we need to provide access credentials (an access key and a secret access key). We just saw that IoT devices authenticate with TLS certificates instead, and AWS IoT Core's credential provider lets a device use that same certificate to obtain temporary credentials for an IAM role: the device calls an HTTPS endpoint over mTLS, names a role alias (an AWS IoT object that points to an IAM role), and receives a short-lived access key, secret key and session token. The device's AWS IoT policy must allow iot:AssumeRoleWithCertificate on that role alias. The result is that a device can call other AWS services directly without ever storing long-lived IAM keys.
You can learn more about it in this article: Authorizing direct calls to AWS services using AWS IoT Core credential provider.
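As an added example (mine, not from the linked article or from AWS), here is the credential exchange in stdlib-only Python: the device presents its certificate to the credential provider endpoint and maps the response onto the key names boto3 expects. The endpoint host (obtained with `aws iot describe-endpoint --endpoint-type iot:CredentialProvider`), role alias name, thing name and file paths are placeholders; the HTTPS call needs network access, while the response parser runs offline on a constructed body.

```python
"""Exchange the device certificate for temporary AWS credentials using the
AWS IoT Core credential provider. Standard library only."""
import http.client
import json
import ssl


def mtls_context(ca_path: str, cert_path: str, key_path: str) -> ssl.SSLContext:
    """Same mTLS setup as the MQTT connection: verify AWS, present our cert."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_path)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=cert_path, keyfile=key_path)
    return ctx


def parse_credentials(body: bytes) -> dict:
    """Map the provider's JSON to the names boto3.Session() accepts as keyword
    arguments. 'expiration' is an ISO 8601 timestamp: refresh before it."""
    creds = json.loads(body)["credentials"]
    return {
        "aws_access_key_id": creds["accessKeyId"],
        "aws_secret_access_key": creds["secretAccessKey"],
        "aws_session_token": creds["sessionToken"],
        "expiration": creds["expiration"],
    }


def fetch_credentials(creds_endpoint: str, role_alias: str, thing_name: str,
                      ca_path: str, cert_path: str, key_path: str) -> dict:
    """GET /role-aliases/<alias>/credentials over mTLS. The optional
    x-amzn-iot-thingname header names the thing this certificate belongs to,
    which the IAM role's policy can use via the credentials-iot:ThingName
    variable to scope the device to its own resources."""
    ctx = mtls_context(ca_path, cert_path, key_path)
    conn = http.client.HTTPSConnection(creds_endpoint, 443, context=ctx, timeout=10)
    try:
        conn.request("GET", f"/role-aliases/{role_alias}/credentials",
                     headers={"x-amzn-iot-thingname": thing_name})
        resp = conn.getresponse()
        body = resp.read()
    finally:
        conn.close()
    if resp.status != 200:
        raise RuntimeError(f"credential provider returned {resp.status}: {body[:200]!r}")
    return parse_credentials(body)


if __name__ == "__main__":
    # Hypothetical names; replace with your own endpoint, alias, thing and files.
    creds = fetch_credentials("abc123.credentials.iot.eu-west-1.amazonaws.com",
                              "device-role-alias", "thing-01",
                              "AmazonRootCA1.pem", "thing-01.crt", "thing-01.key")
    print("access key:", creds["aws_access_key_id"], "expires:", creds["expiration"])
```

Because the credentials are short-lived and tied to the certificate, revoking the device is as simple as deactivating its certificate in AWS IoT; there is no long-lived key to rotate. The "expiration" field should drive a refresh loop on the device rather than being ignored.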
