4. Publish / Subscribe
• Standard Protocol Support: MQTT, HTTP, WebSockets
• Long Lived Connections: receive signals from the cloud
• Secure by Default: connect securely via X.509 certs and TLS 1.2 client mutual auth
14. Authentication for devices
Device credentials
• Private key (authenticates the device in the TLS handshake; it stays on the device)
• Certificate (registers the device with AWS IoT and is presented at connect time)
• Root CA cert (lets the device authenticate the AWS IoT endpoint it connects to)
21. Cognito Identities in AWS IoT
Authenticated
• End-users sign in
• Customize user-specific policy in AWS IoT
• Users cannot access AWS IoT until an IoT policy is attached to their identity
Unauthenticated
• No sign-in (anonymous)
• Use IAM role policy and policy variables to restrict access
• No user-specific policy in AWS IoT
28. Fine-grained access control
Alice, Bob and Chuck each hold their own IoT policy. The slide shows these MQTT operations against two homes (home/456_iot_ln and home/123_aws_ave); which of them succeed is decided per user by the topic and topic-filter resources granted in that user's policy:
SUB home/456_iot_ln
SUB home/123_aws_ave/#
PUB home/123_aws_ave/light_1/on
SUB home/123_aws_ave/#
PUB home/123_aws_ave/door_1/open
29. Fine-grained access control
Same scenario for Alice, Bob and Chuck, with the first operation changed from a subscribe on home/456_iot_ln to a publish on home/123_aws_ave/door_1/open, which only a policy scoped to home/123_aws_ave may allow:
PUB home/123_aws_ave/door_1/open
SUB home/123_aws_ave/#
PUB home/123_aws_ave/light_1/on
SUB home/123_aws_ave/#
PUB home/123_aws_ave/door_1/open
36. Authenticated access for end-users
(Diagram) The end-user's app calls Amazon Cognito to get credentials; Cognito uses AWS STS to assume the IAM role that carries the permissions, and returns temporary security credentials to the app.
37. Connect through JavaScript
// Authenticated flow: runs after FB.login() has returned fbresponse.
var region = c.AWS.region;              // e.g. 'ap-northeast-1'
var iotEndpoint = c.AWS.iotEndpoint;    // account-specific AWS IoT endpoint (the WebSocket host)
var identityPoolId = c.AWS.identityPoolId;

AWS.config.region = region;
// Exchange the Facebook access token for temporary AWS credentials via Cognito and STS.
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
  IdentityPoolId: identityPoolId,
  Logins: { 'graph.facebook.com': fbresponse.authResponse.accessToken }
});

AWS.config.credentials.get(function (err) {
  if (err) { console.error('could not obtain Cognito credentials', err); return; }
  var signedUrl = getSignedUrl();   // SigV4-presigned wss:// URL (function body not shown on the slide)
  initClient(signedUrl);
});

// Inside getSignedUrl(), the presigned WebSocket URL is assembled as:
var requestUrl = 'wss://' + host + canonicalUri + '?' + canonicalQuerystring;
38. Connect through JavaScript
function initClient(requestUrl) {
  // Random client id: AWS IoT drops the older session when two clients connect with the same id.
  var clientId = String(Math.random()).replace('.', '');
  var client = new Paho.MQTT.Client(requestUrl, clientId);
  mqttClient = client;
  var connectOptions = {
    onSuccess: function () {
      // Subscribe topics: these succeed only if the IoT policy attached to the identity allows the filters.
      client.subscribe(topiclightbulb);
      client.subscribe(topicgrove);
    },
    useSSL: true,
    timeout: 3,
    mqttVersion: 4,   // MQTT 3.1.1, the version AWS IoT speaks
    onFailure: function (err) { console.error('connect failed', err.errorMessage); }
  };
  // Register the handlers before connecting so no early event is missed.
  client.onConnectionLost = onConnectionLost;
  client.onMessageArrived = onMessageArrived;
  client.connect(connectOptions);
}
39. Authenticated access for end-users
(Diagram) With the temporary security credentials from Cognito and STS, the app opens a WebSocket connection to AWS IoT. Whether the connection and the access to IoT topics and the IoT shadow are allowed ("Allowed? Yes!") is decided by the IoT policy attached to the Cognito identity, in addition to the IAM role's permissions.
40. Authenticated access for end-users
(Diagram, same flow) The step that makes the "Yes!" possible is shown explicitly: create an IoT policy and attach it for Alice, Bob, and Chuck.
42. Chicken and egg: when to attach the policy?
• Users cannot connect until they have a policy in IoT
• Policy cannot be attached without knowing the user's CognitoId
Solution: attach a policy when the user first connects! Do it from a Lambda function invoked with the user's own Cognito credentials, so the CognitoId is taken from the invocation context rather than from anything the client sends.
45. Lambda Code – Attach Principal Policy
'use strict';
var AWS = require('aws-sdk');
AWS.config.region = 'us-east-1';
var iot = new AWS.Iot();

exports.handler = (event, context, callback) => {
  // context.identity is populated only when the function is invoked with Cognito
  // credentials; without it there is no identity to attach a policy to.
  if (typeof context.identity === 'undefined' || !context.identity.cognitoIdentityId) {
    return callback(new Error('no Cognito identity in invocation context'));
  }
  var cognitoid = context.identity.cognitoIdentityId;
  var params = {
    policyName: 'cognito-user-access', /* required */
    principal: cognitoid /* required: the Cognito identity id is the principal */
  };
  // Later SDK versions expose the same operation as attachPolicy({ policyName, target }).
  iot.attachPrincipalPolicy(params, function (err, data) {
    if (err) { console.log(err, err.stack); return callback(err); } // an error occurred
    console.log(data); // successful response
    callback(null, data);
  });
};
46. What permissions to attach?
• Start with minimal permissions
• Dynamically generate or attach your policy based on the user
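The fine-grained access control of slides 28 and 29 (per-user policies deciding which PUB/SUB operations on the home/... topics succeed) and the first-connect attachment of slides 42 to 46 are worked through in the single added example below. It is not the deck's code. Assumptions: the region and account in the ARNs, an application-side lookup from Cognito identity to home id (lookupHome), that Alice lives at 456_iot_ln while Bob and Chuck live at 123_aws_ave, and a constructed fake IoT client so the handler runs offline; in Lambda you would pass new AWS.Iot() instead. The matcher is a local model of wildcard policy evaluation for reasoning about the slides, not the AWS evaluator.

```javascript
'use strict';
// Assumed region/account for building ARNs (not from the deck).
const REGION = 'ap-northeast-1';
const ACCOUNT = '123456789012';

function arn(type, path) {
  return `arn:aws:iot:${REGION}:${ACCOUNT}:${type}/${path}`;
}

// Least-privilege IoT policy for one end-user: connect with any client id, then
// publish/subscribe/receive only on that user's own home prefix.
function buildHomePolicy(homeId) {
  const prefix = `home/${homeId}`;
  return {
    Version: '2012-10-17',
    Statement: [
      { Effect: 'Allow', Action: 'iot:Connect', Resource: arn('client', '*') },
      { Effect: 'Allow', Action: 'iot:Subscribe',
        Resource: [arn('topicfilter', prefix), arn('topicfilter', `${prefix}/*`)] },
      { Effect: 'Allow', Action: ['iot:Publish', 'iot:Receive'],
        Resource: [arn('topic', prefix), arn('topic', `${prefix}/*`)] }
    ]
  };
}

// Local approximation of policy matching: '*' and '?' wildcards, default deny,
// explicit Deny wins. A model for reasoning about the slides, not the AWS evaluator.
function patternToRegex(pattern) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*').replace(/\?/g, '.');
  return new RegExp('^' + escaped + '$');
}

function isAllowed(policy, action, resource) {
  let allowed = false;
  for (const st of policy.Statement) {
    const actionHit = [].concat(st.Action).some(a => patternToRegex(a).test(action));
    const resourceHit = [].concat(st.Resource).some(r => patternToRegex(r).test(resource));
    if (!actionHit || !resourceHit) continue;
    if (st.Effect === 'Deny') return false;
    allowed = true;
  }
  return allowed;
}

// A PUB is authorized as iot:Publish on a topic ARN, a SUB as iot:Subscribe on a
// topicfilter ARN; this is what the PUB/SUB lines on the slides turn into.
function check(policy, op, topic) {
  const [action, type] = op === 'PUB' ? ['iot:Publish', 'topic'] : ['iot:Subscribe', 'topicfilter'];
  return isAllowed(policy, action, arn(type, topic));
}

// Cognito identity ids contain ':' which IoT policy names reject, so derive a safe name.
function policyNameFor(cognitoId) {
  return 'user-' + cognitoId.replace(/[^A-Za-z0-9+=,.@-]/g, '_');
}

// First-connect handler: the identity comes from the invocation context (the caller's
// own Cognito credentials), never from the request, so one user cannot attach a policy
// to another identity. Re-running it for the same user is idempotent.
async function onFirstConnect(context, iot, lookupHome) {
  const cognitoId = context.identity && context.identity.cognitoIdentityId;
  if (!cognitoId) throw new Error('no Cognito identity in invocation context');
  const policyName = policyNameFor(cognitoId);
  const policyDocument = JSON.stringify(buildHomePolicy(lookupHome(cognitoId)));
  try {
    await iot.createPolicy({ policyName, policyDocument }).promise();
  } catch (err) {
    if (err.code !== 'ResourceAlreadyExistsException') throw err;
  }
  await iot.attachPolicy({ policyName, target: cognitoId }).promise();
  return policyName;
}

// Constructed stand-in for AWS.Iot: records calls and rejects duplicate creates.
function fakeIotClient() {
  const policies = new Map();
  const attachments = [];
  const reply = (p) => ({ promise: () => p });
  return {
    policies,
    attachments,
    createPolicy(p) {
      if (policies.has(p.policyName)) {
        const err = new Error('policy exists');
        err.code = 'ResourceAlreadyExistsException';
        return reply(Promise.reject(err));
      }
      policies.set(p.policyName, JSON.parse(p.policyDocument));
      return reply(Promise.resolve({ policyName: p.policyName }));
    },
    attachPolicy(p) {
      attachments.push(p);
      return reply(Promise.resolve({}));
    }
  };
}
```

With these policies Alice's subscribe to home/456_iot_ln is allowed and her publish to home/123_aws_ave/door_1/open is denied, while Bob and Chuck may subscribe to home/123_aws_ave/# and publish to the light and door under it; none of them may subscribe to home/#. Note that the topicfilter/home/.../* resource also permits MQTT wildcard filters such as home/123_aws_ave/#, which is intended here but worth stating in a review.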
47. Wrapping up
• WebSockets make IoT interactive
• Authentication for humans is different from authentication for devices
• Use Lambda to drive user registration and pairing
• Getting started with the AWS IoT Device SDK is easy
• AWS IoT WebSockets, Rules Engine, Shadow and Lambda make serverless applications easy