© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Philipp Sacha

Specialist Solutions Architect IoT, Amazon Web Services

Device Provisioning Options with AWS IoT

MQTT

AWS IoT 1-click

Endpoints Gateway/PLCCloud Enterprise

Applications

Device shadow

RulesEngine

AWS IoTCore

Certificate Authority

DeviceShadow

AWSGreengrass

LambdaFunctions

MessageRouter

Local Comms Long-range Comms

Amazon FreeRTOS

Certificate Authority

Local Resourc

es

OPC-UAAdapter

IoT SDK

AWS IoT Device Management

AWS IoTAnalytic

s

AWS

Enterprise Users

Corp AppsThe picture can't be displayed.

The picture can't be displayed.

AmazonQuickSigh

t

AmazonEMR

Amazon Redshift

AmazonS3

Machine Learning

OPC-UA

MQTT

MQTT

IoTUsers

EdgeUsers

IoT Partners

Cert

AWS Lambda

WiFi

All AWS

Over-the-air (OTA)

Updates

Analytics Data Store

Data Pipelines

Templated Reports

Local Resources

IoT with AWS

Batch Fleet Provisioning

Real-time Fleet Index &

Search

AWS IoTDevice

Defender

Ad-hoc & In-depth Analysis

Risk Mitigation

Edge

ARM, Broadcom, Digi, Expressif, Intel, MediaTek, Microchip, NXP, ST, TI, Qualcomm, …

Gateway

Adlink Technology,

Advantech, MachineShop, Technicolor, …

Detection Profiles

Alerts

Scheduled or Ad-hoc

Audit

MQTT

Platform

Ayala, Bright Wolf, BSquare, C3IoT, Mnubo, PTC ThingLogix,Splunk, …

Connectivity

Amdocs, Asavie, AT&T, Eseye, Soracom, TATA CommunicationsVerizon, …

Consulting / ISVs

Accenture, Aricent, ClearScale, CTP, Luxoft,Mobiquity, solstice, Storm Reply, Sturdy Networks, TCS, TrekIO, …

Things

OTA

OTA

Amazon FreeRTOS

Message Broker

IntegratedClient

Amazon

Kinesis

AWS IoT – Start ing To Explore…

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

At Scale - How To Provis ion Devices?

Secure device connectivity

and messaging Devices

AWS IoT Core

Fleet onboarding, management and

SW updates

Architecture is developed…

How Do I onboard my devices???

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

When a Device i s Prov is ioned

• (Created in the device registry)•Device certificate registered with AWS IoT Core• (Certificate attached to the device)• IoT Policy attached to the device through:

• Certificate• Thing group

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

• API Calls

• Single Device Provisioning

• Bulk Device Provisioning

• Just-in-Time Provisioning

• Just-in-Time RegistrationIoT topic rule Lambda

function

AWS IoT Provis ioning Opt ions

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Device Onboarding – API

Using scripts with SDKs and call the API•create-thing•create-keys-and-certificate or register-certificate for BYOCA•create-policy•attach-principal-policy•attach-thing-principal

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Provis ioning Template"Parameters" : {

"ThingName" : { "Type" : "String" },

"SerialNumber" : { "Type" : "String" },

"Location" : { "Type" : "String","Default" : "WA“ },

"CSR" : { "Type" : "String“ }}

"Resources" : {"thing" : {

"Type" : "AWS::IoT::Thing","Properties" : {

"ThingName" : {"Ref" : "ThingName"},"AttributePayload" : {

"version" : "v1","serialNumber" : {"Ref" : "SerialNumber"}

},"ThingTypeName" : "lightBulb-versionA","ThingGroups" : ["v1-lightbulbs", {"Ref" : "Location"}]

}},

"certificate" : { "Type" : "AWS::IoT::Certificate", "Properties" : { "CertificateSigningRequest": {"Ref" : "CSR"}, "Status" : "ACTIVE" } }

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Single/Bulk Device Prov is ioning

{"ThingName": "foo", "SerialNumber": "123", "CSR": "csr1"} {"ThingName": "bar", "SerialNumber": "456", "CSR": "csr2"}

• Parameters with device information are used in the provisioning template

• Single: on ”line” as parameter to register a thing• Bulk: multiple parameter lines in an S3 bucket

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Device Onboarding – J ITP

AWS IoT

Own CA

• Own CA required• Provisioning Template attached to own CA1. Device connects to AWS IoT, device certificate gets

registered2. JITP provisions device according to the provisioning

template

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Device Onboarding – J ITR

AWS IoT

1.Device connects to AWS IoT, device certificate gets registered

2.AWS IoT publishes message to $aws/events/certificates/registered/<caCertificateID>

3.Topic Rule is invoked4.Topic Rule calls Lambda Function as action5.Lambda provisions device

Topic Topic-rule

• Create thing• Activate Certificate• Create/Attach IoT Policy• Attach policy to certificate• Do more stuff…

1 2 3 4 5Own CA

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

J ITR vs . J ITPJITR JITPTopic rule and Lambda function. Code must be written and maintained

No code, only body template attached to CA

Provisioning more complex: Device connects, certificate registers with status PENDING_ACTIVATION, service sends MQTT message, rule triggers Lambda, Lambda does provisioning and optionally more stuff

Easy provisioning: Device connects, provisioning workflow run automatically

Flexible, different policies for different devices can be created/attached. Information from/to the provisioning process can be put/read from other systems, etc.

Static, same provisioning process for every device

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Demo Time!

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Please complete the session survey in the summit mobile app.

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.