As a company deeply involved in developing various solutions for the IoT environment, we presumably should promote both the IoT sector itself and our own development skills and capabilities. Arrogant self-promotion, in which any mention of trade-offs is reduced almost to zero, seems to be a widely accepted practice, since potential customers prefer dealing only with well-meaning professionals who face no significant difficulties in their work.
However, the fact that our blog is read by our colleagues, other IoT developers, in addition to potential customers, makes us address the IoT topic from a slightly different angle. To tell the truth, it is not so simple to keep a proper balance between being honest and being always positive. And the very nature of such an immature sector as the Internet of Things makes us admit that there is actually trouble in paradise. On the one hand, the IoT offers new opportunities whose scope can hardly be grasped today. On the other hand, the IoT introduces unique risks capable of compromising any IoT project in terms of both security and operational reliability.
We believe that revealing the risks, along with sharing best practices for meeting the IoT challenges, can raise the interest of potential customers in the IoT much better than just telling lucky “no-problem” stories.
This time we would like to examine the AWS IoT solution, which is gaining popularity among many IoT developers. Advertising and promotion are redundant in this case. Let’s instead try to work out whether AWS IoT is really as good for both developers and end users as its creators claim. Besides, some healthy criticism never hurts, right?
What is AWS IoT
Amazon Internet of Things, or the AWS IoT platform, is a complex solution capable of collecting data from various IoT devices and connecting them to cloud apps. Amazon realized long ago that the contemporary IoT market could hardly be happy with a one-size-fits-all service. Since the diversity of IoT devices keeps growing, a multi-service platform is more relevant to the needs of various business sectors. Hence, AWS IoT comprises several specific services dedicated to different operational tasks. Such an approach presents Amazon as a true digital giant with rich development capabilities (the $1 trillion capitalization reflects that status, he-he :)
By the way, Amazon as a business behemoth clearly understands that in the contemporary globalized business environment there is only one way to succeed in competition: improving operational efficiency. How to achieve this? The more intelligent business processes are, the better the efficiency that can be achieved and, therefore, the bigger the profits. It is precisely the IoT services that allow enterprises of various sizes from numerous sectors to analyze the huge masses of data collected from industrial equipment. These days, machinery is becoming teachable with the help of machine learning. The machine learning models created with AWS IoT can work both in the cloud and directly on site. Thus, the IoT enables any equipment to react to local events with intelligent responses.
We cannot fail to mention the impressive infrastructure coverage of AWS, which provides customers with a truly flexible choice in terms of both the variety of AWS cloud services and their pricing.
Last but not least, the IoT security and operational stability provided by AWS IoT present Amazon as a quite pragmatic IoT platform provider (more on that later, however).
Among the others, the following AWS IoT services are available:
Amazon FreeRTOS and AWS Greengrass (edge);
AWS IoT Core, AWS IoT Device Management, and AWS IoT Device Defender (cloud);
AWS IoT Analytics (analytics).
But we would like to begin with just a button :)
AWS IoT Button
A simple, easily configurable Wi-Fi/LTE-M device in the form of a button, designed for IoT developers who would like to start working with services such as AWS IoT Core, AWS Lambda, Amazon DynamoDB and Amazon SNS, along with other AWS services, without having to write proprietary code for the device. The logic of the button’s activation can be configured according to a particular task. For example, it can remotely start a car, open or close a garage door, and control various home appliances. The device can be integrated with third-party APIs such as Twitter, Facebook and Slack, as well as with custom software.
The button is produced by AWS hardware partners specifically for the AWS IoT services. In fact, there are two versions of the button:
1) The AWS IoT Enterprise Button, which communicates via Wi-Fi. It has a 2000-click lifetime, encrypts outbound data using TLS, and can be configured using BLE and a mobile app. It retails for $19.99 (shipping and handling not included) and can be used in the United States, Europe, and Japan.
2) The AT&T LTE-M Button, which communicates via the LTE-M cellular network. It has a 1500-click lifetime, and it also encrypts outbound data using TLS. The device and the bundled data plan are available at an introductory price of $29.99 (shipping and handling not included) and can be used in the United States.
Both versions are ready to use, being pre-provisioned with X.509 certificates to connect to the cloud over a secured connection.
You may ask why Amazon involved third-party hardware manufacturers to produce a special button. Here is why:
AWS IoT 1-Click
AWS IoT 1-Click is a special cloud service which works only with specially designed hardware devices, the above-mentioned buttons. What a solution! It is a solution well tested by many famous digital giants who would like to tie their customers to particular devices and gadgets: a typical monopolistic intention to put all eggs in one basket. Of course, Amazon presents it as part of its customer care: customers no longer need to rack their brains about where to find pre-configured devices fully compatible with the offered cloud service. Amazon has already made the choice on their behalf. The best choice ever. Especially since the cloud service seems really customer-friendly in terms of running out of the box.
AWS IoT 1-Click is a service which enables special IoT devices to call functions from AWS Lambda (an event-driven service allowing developers to run functions on a pay-per-use basis) to perform certain actions. For example, by pushing a button it is possible to send a message to a technical support team, track an inventory process, or feed your dog remotely.
The types of applications enabled by AWS IoT 1-Click can vary significantly: department stores, schools, office buildings, health facilities, and various vehicles can all be equipped with IoT devices fully integrated with the cloud service.
The main advantage of AWS IoT 1-Click is that developers do not need to write code on the hardware side. All they have to do is use the already available operations. In addition, they can easily create new ones with the help of AWS Lambda functions. They need neither to install certificates nor to configure edge devices. Caring about firmware updates is also unnecessary. Admins, at the same time, can track both the state and functionality of each device and are notified when its service life is expiring.
Are the above-mentioned advantages worth sacrificing a wider choice of third-party IoT devices in favor of AWS buttons? It remains questionable given the new devices that keep appearing on the market. But for today the approach still seems reasonable.
However, Amazon also has a free solution compatible with various devices from third-party manufacturers. See below.
Amazon FreeRTOS
This operating system for microcontrollers is created for low-energy devices. Amazon FreeRTOS facilitates the deployment of and control over a bunch of such devices through simplified programming. The system is open source and distributed free of charge. It supports various architectures such as ARM and MIPS. This means that developers have a free hand to select a chipset from many reliable manufacturers such as Espressif, Microchip, NXP Semiconductors, STMicroelectronics, Texas Instruments, etc.
Amazon FreeRTOS offers libraries that provide data encryption along with key management. Besides, the system uses the TLS protocol (TLS v1.2) for connecting devices to the cloud. In addition, Amazon FreeRTOS allows code signing during both deployment and OTA updates.
Here we can see how Amazon can respond to any allegations of a lack of choice among third-party hardware suppliers. Developers are free to choose whatever they need to create a highly customized solution, while Amazon FreeRTOS helps them develop the relevant software with appropriate functionality.
Hence, Amazon is no stranger to open source either.
Simplified programming for IoT development is not the only type of support that developers can count on from Amazon. The next service in our review can help meet the challenges related to an unreliable Internet connection.
AWS Greengrass
Real-world circumstances such as a faulty internet connection can prevent many enterprises from implementing the IoT. To mitigate such a risk, Amazon offers AWS Greengrass. The solution enables groups of devices to sync with the cloud in a secure manner. Besides, the connected devices can communicate with each other even when the internet connection is interrupted. AWS Greengrass allows devices to run AWS Lambda functions, which means serverless functions are executed locally. Various Linux-based devices running on either ARM or x86 architectures can use Greengrass Core to execute AWS Lambda code.
In fact, this is about optimizing data flows. If you have several devices based on Raspberry Pi, for example, your code can run locally on them. In doing so, you can collect data, filter it, and send only what you consider important to the cloud for subsequent analytics. Such a practice can obviously save you time and money. Hence, in some cases, solutions based on AWS Greengrass can be more cost-effective than ones based on AWS IoT Core.
Besides, AWS Greengrass is one of the few Amazon services able to run on very lightweight devices on-premises. It is a good opportunity for admins to use AWS programming locally. AWS Greengrass seems to be another of Amazon’s incentives that helps IoT developers convince hesitant customers, right?
AWS IoT Device Management
The name of the service speaks for itself, and it is about the scale of your IoT environment. Your fleet of devices may comprise hundreds, thousands, or even millions of endpoints. All of them require well-organized control and monitoring, and this is just what the AWS IoT Device Management service offers. It lets IoT developers stop worrying about scale. A combination of group operations with deployment flexibility enables developers to create groups of IoT devices with individual access policies regardless of the scale of the entire system. In brief, AWS IoT Device Management helps you manage your IoT fleet remotely. Both individually and in groups, you can send firmware updates over the air (OTA), troubleshoot functionality, and monitor the state of your devices. In addition to quantitative scalability, there is qualitative scalability, since the particular OS of your device is irrelevant to the service. This implies a great variety of devices, from a cheap thermometer up to a luxury autonomous vehicle. Hence, secure IoT management at scale is realized. Kudos. However, another service is in charge of security.
AWS IoT Device Defender
If an IoT service provider has security practices, they should somehow be implemented in its services. Both authentication of IoT devices and their secure authorization, through continuous audit of the entire fleet, belong to the fully managed service AWS IoT Device Defender. There is no doubt that Amazon has acquired rich experience in IoT security issues. And Amazon’s recommendations are offered in the form of practices that constitute the capabilities of AWS IoT Device Defender.
Integration of AWS IoT Device Defender with the other Amazon services is implied: both AWS Greengrass and Amazon FreeRTOS can be integrated with the service automatically. AWS IoT Device Defender can notify users about problems through the AWS IoT console, Amazon CloudWatch, and Amazon SNS. What can such alerts be about?
For example, it can identify abnormally intensive data traffic between IoT devices and the cloud, which may indicate a data leak. Also, the service can warn about an unauthorized IP address appearing in the network. It can track various states of your devices, such as the number of open ports on a device, what the device is connected to, the amount of data the device sends, and so on. Regular checking of the devices’ certificates for validity and expiry dates is also a useful security practice which Amazon shares with IoT developers via AWS IoT Device Defender.
It is hardly possible to anticipate all security problems within the IoT sector, since many customized solutions can engender absolutely unique risks. Nevertheless, Amazon shares a set of its best security practices, and a deviation from them can be identified as an alert through AWS IoT Device Defender. Does such an approach meet our expectations? It does, indeed. Does AWS IoT Device Defender guarantee the total security of our IoT system? No, certainly it doesn’t. We will have to come back to this issue later.
AWS IoT Analytics
Data is money, as many proponents of contemporary big-data strategies claim. Indeed it is, but only if you can effectively analyze the data to retrieve valuable information from your data feed. Every IoT solution is totally dependent on the data streams generated by IoT devices. Amazon offers a special service able to properly format the gigabytes of data continuously arriving from your IoT devices: AWS IoT Analytics. This is a fully managed service which allows performing complex analytics on a large amount of data collected from your IoT devices without having to spend extra time and money establishing your own proprietary IoT analytics infrastructure.
In fact, AWS IoT Analytics automates all the sophisticated steps you need to go through to analyze data from your IoT devices. The service helps to filter, select, process, and enrich your data streams before sending them to cloud storage for deeper subsequent analytics. Thus, it is possible to collect and save only valuable data through special mathematical manipulations for data processing. For example, you can enrich your data with metadata such as the type of device along with its location, while “bad data” caused by inaccurate measurements can be cleansed. Later on, you can run both scheduled and ad hoc queries through an embedded SQL query engine to perform your data analysis. Moreover, true deep analytics can be achieved with the help of the available machine learning tools. Hence, AWS IoT Analytics can be a relevant default service for the majority of IoT developers and their customers.
Now it’s time to get down to the very essence of Amazon’s IoT solution. Let’s practice a little with AWS IoT.
AWS IoT Core
AWS IoT Core is probably the most significant of Amazon’s basic services dedicated to the IoT. It connects physical IoT endpoints to the cloud with reliable scaling. AWS IoT Core is in charge of establishing full interaction between IoT devices, with their peripheral software, and the AWS IoT services mentioned above.
To start working with AWS IoT, let’s arrange a trial connection to AWS IoT Core of a test device containing a microcontroller and the following sensors: HDC1080 (temperature, humidity), BME280 (pressure), MH-Z19 (CO2), and CCS811 (eCO2, tVOC), for a trial data transmission.
A secure connection for the device is essential in our case. One of the most popular methods of providing secure data transfer is end-to-end encryption via the TLS 1.2 protocol. Only a few microcontroller-based solutions can handle TLS 1.2 due to a lack of computing power. This time we use the ESP32, since this microcontroller is one of the most accessible solutions.
First, we should create our AWS user, and our ESP32 microcontroller should be connected to the Internet.
After logging in, open the AWS IoT console at https://aws.amazon.com/iot. On the Welcome page, choose Get started.
If this is your first time using the AWS IoT console, you will see the Welcome to the AWS IoT Console page. In the left navigation pane, choose Manage to expand the choices, and then choose Things.
On the page that says You don't have any things yet, choose Register a thing. (If you have created a thing before, choose Create.)
A thing represents a device whose status or data is stored in the AWS Cloud. This stored status or data is called the device's shadow. The Device Shadow service maintains a shadow for each device connected to AWS IoT.
Type a name for the thing, and then choose Next.
After that, we should create certificates for a secure connection.
Then we should download the certificates, click “Done”, and get the authorized thing.
Then we should go to Secure and choose Policies to create a policy.
On the Create a policy page, in the Name field, type a name for the policy. In the Action field, type iot:*. In the Resource ARN field, type *. Select the Allow check box. This allows your Raspberry Pi to publish messages to AWS IoT.
iot:* - the policy allows subscribing and publishing using this certificate;
* - all clients can publish/subscribe to this thing using this certificate.
In the left navigation pane, under Security, choose Certificates.
In the box for the certificate you created, choose ... to open a drop-down menu, and then choose Attach policy.
In the box for the certificate you created, choose ... to open a drop-down menu, and then choose Attach thing.
The final step is activating the certificate:
In the box for the certificate you created, choose ... to open a drop-down menu, and then choose Activate.
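To make the effect of the iot:* on * policy from the steps above visible, here is an added Python example (not from the original post and not AWS code) that evaluates that wildcard policy beside a hypothetical least-privilege policy scoped to the thing test-ESP32. The REGION and ACCOUNT_ID in the ARNs are placeholders, and the evaluator is a simplified model of AWS IoT policy matching that ignores Deny statements, policy variables and condition keys.

```python
import fnmatch

# The policy created in the console steps above: every IoT action on every resource.
WILDCARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iot:*", "Resource": "*"}],
}

# Hypothetical least-privilege alternative for the thing test-ESP32: connect only
# under its own client id, publish only to its own shadow update topic, and only
# receive the accepted/rejected replies. REGION and ACCOUNT_ID are placeholders.
THING = "test-ESP32"
ARN = "arn:aws:iot:REGION:ACCOUNT_ID"
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect",
         "Resource": f"{ARN}:client/{THING}"},
        {"Effect": "Allow", "Action": "iot:Publish",
         "Resource": f"{ARN}:topic/$aws/things/{THING}/shadow/update"},
        {"Effect": "Allow", "Action": "iot:Subscribe",
         "Resource": [f"{ARN}:topicfilter/$aws/things/{THING}/shadow/update/accepted",
                      f"{ARN}:topicfilter/$aws/things/{THING}/shadow/update/rejected"]},
        {"Effect": "Allow", "Action": "iot:Receive",
         "Resource": f"{ARN}:topic/$aws/things/{THING}/shadow/update/*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Simplified evaluation: the request is allowed if any Allow statement matches
    both the action and the resource ARN ('*' matches any run of characters)."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        resource_ok = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if action_ok and resource_ok:
            return True
    return False


def overly_permissive_statements(policy):
    """Allow statements granting every action on every resource: the pattern that
    Device Defender's policy audit reports as overly permissive."""
    return [s for s in policy["Statement"]
            if s.get("Effect") == "Allow"
            and "iot:*" in _as_list(s["Action"])
            and "*" in _as_list(s["Resource"])]


if __name__ == "__main__":
    foreign = f"{ARN}:topic/$aws/things/other-thing/shadow/update"
    for name, policy in (("wildcard", WILDCARD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, "publish to another thing's shadow:", is_allowed(policy, "iot:Publish", foreign))
        print(name, "subscribe to every topic:", is_allowed(policy, "iot:Subscribe", f"{ARN}:topicfilter/#"))
        print(name, "overly permissive statements:", len(overly_permissive_statements(policy)))
```

With the wildcard policy, the certificate of one device can publish to any other thing's shadow and subscribe to every topic; the scoped policy confines a stolen certificate to its own thing.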
Let’s assume our ESP32 microcontroller is already pre-configured for interaction with AWS IoT: the REST API endpoint, port, and protocol are known, and all necessary certificates are available.
Now we need to check that data can be transferred between the ESP32 and the AWS IoT cloud. Go to Manage, click our thing test-ESP32, in the left menu choose Interact, and copy the topic address below the line “Update to this thing shadow”.
After that, subscribe to the selected topic and wait for the data.
In a few seconds, we will see the data successfully received by the MQTT broker.
Finally, we can collect, analyze, and visualize our data with the help of either the AWS IoT services or our own solutions.
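As an added illustration of the shadow topic used in this test (example code, not from the original post and not AWS code), here is a Python helper that builds the payload the ESP32 would publish to $aws/things/test-ESP32/shadow/update with constructed readings from the sensors listed above, and that computes the delta the Device Shadow service reports between a desired and a reported state. The sensor field names and the readings are my own assumptions.

```python
import json

THING_NAME = "test-ESP32"
SHADOW_UPDATE_TOPIC = f"$aws/things/{THING_NAME}/shadow/update"
SHADOW_MAX_BYTES = 8 * 1024  # documented size limit of a classic shadow document

# Constructed sample readings (not real measurements) from the sensors on the test device.
SAMPLE_READINGS = {
    "hdc1080": {"temperature_c": 22.4, "humidity_pct": 41.0},
    "bme280": {"pressure_hpa": 1009.8},
    "mhz19": {"co2_ppm": 742},
    "ccs811": {"eco2_ppm": 690, "tvoc_ppb": 58},
}


def build_shadow_update(readings, client_token=None):
    """Build the JSON the device publishes to .../shadow/update: readings go under
    state.reported; clientToken, if given, lets the device match the accepted or
    rejected reply to this request. Non-numeric values and payloads over the
    shadow size limit are rejected before anything leaves the device."""
    for sensor, values in readings.items():
        for field, value in values.items():
            if isinstance(value, bool) or not isinstance(value, (int, float)):
                raise ValueError(f"{sensor}.{field}: non-numeric reading {value!r}")
    doc = {"state": {"reported": readings}}
    if client_token is not None:
        doc["clientToken"] = client_token
    payload = json.dumps(doc, separators=(",", ":"))
    if len(payload.encode("utf-8")) > SHADOW_MAX_BYTES:
        raise ValueError("shadow document exceeds the 8 KB limit")
    return payload


def shadow_delta(desired, reported):
    """Fields of `desired` that differ from, or are absent in, `reported`: this is
    what the shadow service publishes on .../shadow/update/delta so the device
    knows which settings it still has to apply. Nested objects are compared
    recursively; an empty dict means the device is in sync."""
    delta = {}
    for key, wanted in desired.items():
        current = reported.get(key)
        if isinstance(wanted, dict) and isinstance(current, dict):
            nested = shadow_delta(wanted, current)
            if nested:
                delta[key] = nested
        elif wanted != current:
            delta[key] = wanted
    return delta


if __name__ == "__main__":
    print("publish to", SHADOW_UPDATE_TOPIC)
    print(build_shadow_update(SAMPLE_READINGS, client_token="esp32-001"))
    desired = {"sampling": {"interval_s": 60, "led": "on"}}
    reported = {"sampling": {"interval_s": 30, "led": "on"}}
    print("delta:", shadow_delta(desired, reported))
```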
A fly in the ointment
All of the above looks too positive, right? It’s quite explicable, since the very capitalization of Amazon implies that its IoT developers are far from being a backyard team. Nevertheless, there is one issue which can be accepted as a specific drawback of Amazon’s entire approach to IoT services. We should come back to security practices again. A telling example won’t hurt.
Just take a look at what is advised by a professional who promotes AWS IoT services from the security perspective. In contrast to the whole content praising AWS IoT for the rock-solid security it provides, the final advice comes down to trivial suggestions such as changing default passwords, using encryption, assigning dedicated IoT staff, etc. If we replaced AWS IoT with a much poorer solution in that content, the suggestions would sound no less relevant. Better safe than sorry? A redundant overreaction?
Not, in fact. This is the sad truth, which implies that quite a significant share of the human factor still has to be involved in security practices, no matter whether they belong to Amazon or to some other IoT service provider. And the human factor always implies errors and misuse.
So, which technology have Amazon’s IoT developers missed in terms of security? We dare to assume that it is time for a digital giant like Amazon to start developing solutions based on DLT (Distributed Ledger Technology). Since the very nature of DLTs implies the elimination of the human factor from digital interactions to some extent, nothing prevents Amazon from using IOTA Tangle, Hashgraph, or even a proprietary custom distributed ledger in its AWS IoT solutions. Even a simple trial DLT-based solution with quite limited functionality would be better than nothing, since following promising IT trends (undoubtedly, DLT is one of the hottest trends nowadays!) would present Amazon as the most progressive IoT service provider. And, who knows, maybe the trivial security suggestions about default passwords and registered devices would not even be necessary anymore.
We’ve done our best to present the basic features of the AWS IoT services in this post. We hope you appreciate our efforts. In addition to the already described AWS and Predix platforms, we are going to examine other IoT solutions such as IBM Watson, MS Azure, and Google IoT. Please follow our posts and suggest what else in the IoT environment you want us to study.