The Internet of Things (IoT) has been a disruptive technology in recent years, and it has driven the expansion of the connected-device ecosystem. As attention to IoT keeps growing, it is natural to look to established platforms such as Amazon Web Services for developing and deploying dependable IoT solutions. AWS IoT is one of the notable platforms that supports communication among IoT devices.
Consequently, attention to AWS IoT device provisioning has increased alongside the large-scale use of the AWS cloud to operate IoT devices. Although AWS IoT is a fully managed service for securing communication among IoT devices, it is important to know the best practices for provisioning devices on AWS IoT.
The following discussion covers the significance of provisioning in IoT device management, followed by the basics of AWS IoT, such as its definition and components. The main focus, however, is the different use cases and the suitable options for provisioning devices in AWS IoT. Finally, readers will find a guide to device provisioning in AWS IoT with a bootstrap certificate.
What is Device Provisioning in IoT Device Management?
It is easy to get excited about diving right into provisioning in an AWS IoT tutorial. However, you should first understand what provisioning is and why it matters for managing IoT devices. Installing an IoT device is not the end of the job, as many would think. You have to monitor it regularly, update it, troubleshoot errors, and add new functionality to improve the productivity of your IoT devices.
Device provisioning is one of the fundamental aspects of IoT device management. Basically, device provisioning is the process of registering a device on the network of IoT devices. When you install a sensor and configure it to upload its data securely, with real-time updates of the readings it monitors, that configuration is device provisioning. In short, configuring a sensor so that the data it collects can be used is device provisioning in IoT.
What is AWS IoT?
Let us review the basics of AWS IoT before starting with AWS IoT device provisioning. AWS IoT is a collection of cloud services that connect IoT devices to AWS cloud services and to other devices. AWS IoT also provides device software that simplifies integrating IoT devices into AWS IoT-based solutions.
AWS IoT builds on suitable, current technologies for cloud-based solutions and reliably supports a range of compatible devices, so that IoT devices can be developed and integrated with AWS IoT. The notable components of AWS IoT include the message broker, thing registry, security and identity service, rules engine, and thing shadows.
As discussed already, AWS IoT device provisioning is essential to make an IoT device function according to its specified configuration. However, you must create the necessary resources before you start the provisioning process. These resources are essential for secure communication between AWS IoT and your devices. Here are the important resources that you create in the provisioning process.
An IoT thing is an entry in the AWS IoT device registry; each thing has a name and a unique set of attributes. An IoT thing should be associated with a physical device, and defining one requires a thing type. Users can also group things into thing groups. Although an IoT thing is not mandatory for AWS IoT device provisioning, it supports efficient management of the device fleet: users can search for devices by thing attributes, thing type, and thing group.
An IoT policy defines the operations that a device may perform in AWS IoT. IoT policies are generally attached to the device certificate, and when a device presents its certificate to AWS IoT, it receives the permissions granted by the policy.
The most important requirement for device provisioning with AWS IoT is a certificate for device communication. IoT devices generally use X.509 certificates for mutual authentication with AWS IoT. Users can register an existing certificate or generate and register a new certificate with AWS IoT.
A certificate is associated with a device by attaching it to the IoT thing that represents the device. In addition, a copy of the certificate and its private key must be placed on the device itself. Every IoT device needs a certificate to connect to AWS IoT.
Use Cases for Device Provisioning in AWS IoT
Now, let us look at the different approaches to AWS IoT device provisioning and the installation of unique client certificates. Here are the different methods of device provisioning and the use cases that suit each of them.
Installation of Device Certificates before Delivery
You can choose Just-in-Time Registration (JITR) or Just-in-Time Provisioning (JITP) when you can securely install distinct client certificates on IoT devices before delivering them to the end user. JITP and JITR rely on registering the certificate authority (CA) with AWS IoT, so the CA is recognized as soon as a device connects. The device is provisioned in AWS IoT on its first connection, using the details in the provisioning template.
No App Can Be Used to Install Device Certificates
The next use case of AWS IoT device provisioning covers end users who cannot use an app to install certificates on IoT devices. Provisioning by claim is the suitable process here: every IoT device is given a claim certificate. The claim certificate is shared among devices, and AWS IoT registers a device on its first connection with the claim certificate.
The provisioning template registers the device in AWS IoT and issues a unique client certificate that the device uses to access AWS IoT. As a result, the device is provisioned automatically when it connects to AWS IoT.
Use of Apps for Installing Device Certificates
Another significant use case of AWS IoT device provisioning covers end users who can use an app to install certificates on IoT devices. This use case applies when you cannot securely install distinct client certificates on IoT devices before delivery to the end user. The best alternative in this case is provisioning by trusted user.
The trusted user, an end user with a known account, simplifies the device manufacturing process. Instead of a unique client certificate, the devices carry temporary certificates that let them connect to AWS IoT for only five minutes. Within this 5-minute window, the trusted user obtains a unique client certificate to install on the device. The limited life of the claim certificate reduces the risk from compromised certificates.
Workflow for Device Provisioning with AWS IoT
So, now you know the important tenets of provisioning devices for AWS IoT. The next step in the discussion is the device provisioning process on AWS IoT itself. An overview of the workflow is essential for a basic understanding of AWS IoT device provisioning. The workflow follows three distinct steps: device assembly, device registration, and device activation. Let us take an in-depth look at each of these steps.
The device assembly stage is an integral part of the manufacturing process of IoT devices. Device assembly is the process in which the supplier burns a certificate into the device, so that devices are manufactured with distinct bootstrap certificates. Device assembly must also satisfy two conditions. First, a CA certificate is registered with AWS IoT Core and auto-registration is enabled. Second, each device is manufactured with a device certificate issued from that registered CA certificate.
The second step in AWS IoT device provisioning is device registration, the process of registering a device as a thing in AWS IoT Core. The important steps in the device registration process are as follows:
- Registration of the IoT Thing and bootstrap certificate
- Creation of IoT policies and attaching them to the bootstrap certificate
- Establishing a relationship between the IoT thing and bootstrap certificate
- Creation of the final certificate in AWS IoT Core
- Addition of the IoT thing to an AWS IoT thing type or thing group
Most importantly, users must satisfy an important prerequisite before starting device registration. The device supplier should provide a list of permitted devices, known as an allow list (whitelist). The allow list may contain device IDs or other attributes. The user then checks the allow list file to confirm that the device was fully vetted by the supplier.
It is also important to check that a customer-specific CA has signed the bootstrap certificate. Users can start the device registration process in AWS IoT device provisioning in different ways. The most commonly used method for provisioning devices on AWS IoT with a bootstrap certificate is Just-in-Time Registration (JITR). You can use the JITR feature in AWS IoT once certain conditions are met.
The first condition is that a specific device ID is embedded as the Common Name of the device certificate. The second is that the device allow list file is stored in an AWS service such as Amazon S3. The JITR process for device registration on AWS IoT works through the following steps.
- Connection of the device (IoT thing) to AWS IoT Core over MQTT with the bootstrap certificate
- Detection by AWS IoT Core, via JITR, of an unregistered certificate signed by a registered CA, followed by automatic registration of the certificate and disconnection of the device
- Invocation of the Certificate Activator AWS Lambda function to verify the allow list after the device is disconnected
- Activation of the certificate by the Lambda function upon successful verification. The Lambda function also starts the device provisioning workflow, which associates the certificate with policies, creates the final certificate, and creates the thing type or group.
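The allow-list check and the activation steps in the list above are the heart of the Certificate Activator function. Here is how they fit together, as an added example written for this article rather than code from AWS or from the original post. It assumes the thing is named after the device ID (the certificate's Common Name), a bootstrap policy name of `BootstrapPolicy`, and a Lambda that receives the registration event AWS IoT publishes to `$aws/events/certificates/registered/<caCertificateId>`. Because the example must run offline, the boto3 client is replaced by a stand-in that records calls, and the certificate it serves is a constructed X.509 skeleton with a real subject structure but no key or signature; the region, account ID and certificate ID are placeholders.

```python
import base64

CN_OID = bytes.fromhex("550403")          # id-at-commonName (2.5.4.3)


# --- Minimal DER reader: just enough to walk an X.509 certificate to its subject CN ---
def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits give the byte count of the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split a constructed element's payload into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = _read_tlv(value, pos)
        out.append((tag, v))
    return out


def extract_common_name(pem):
    """Return the subject Common Name of a PEM certificate (the device ID here), or None."""
    b64 = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    _, cert, _ = _read_tlv(base64.b64decode(b64), 0)        # Certificate ::= SEQUENCE
    fields = _children(_children(cert)[0][1])               # tbsCertificate fields
    if fields[0][0] == 0xA0:                                # optional explicit [0] version
        fields = fields[1:]
    subject = fields[4][1]                                  # serial, sigAlg, issuer, validity, subject
    for _, rdn in _children(subject):                       # RelativeDistinguishedName SETs
        for _, atv in _children(rdn):                       # AttributeTypeAndValue SEQUENCEs
            oid, val = _children(atv)
            if oid[1] == CN_OID:
                return val[1].decode("utf-8")
    return None


def activate_registered_certificate(event, allow_list, iot, policy_name):
    """Certificate Activator logic for the JITR registration event.

    event      -- payload AWS IoT publishes to $aws/events/certificates/registered/<caCertificateId>
    allow_list -- set of supplier-vetted device IDs (in production, loaded from the allow-list file in S3)
    iot        -- boto3 'iot' client, or a stand-in exposing the same method names
    Returns the device ID when the certificate was activated, or None if it was left inactive.
    """
    cert_id = event["certificateId"]
    desc = iot.describe_certificate(certificateId=cert_id)["certificateDescription"]
    device_id = extract_common_name(desc["certificatePem"])
    if device_id not in allow_list:
        return None                      # not vetted by the supplier: leave it INACTIVE, attach nothing
    cert_arn = desc["certificateArn"]
    iot.create_thing(thingName=device_id)                                   # thing named after the device ID
    iot.attach_policy(policyName=policy_name, target=cert_arn)              # bootstrap (least-privilege) policy
    iot.attach_thing_principal(thingName=device_id, principal=cert_arn)     # thing <-> certificate
    iot.update_certificate(certificateId=cert_id, newStatus="ACTIVE")       # last: only now can the device connect
    return device_id


# --- Offline stand-ins, constructed for this example ---
def _der(tag, payload):
    n = len(payload)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x82, n >> 8, n & 0xFF])) + payload


def _name(cn):   # Name ::= SEQUENCE OF SET OF SEQUENCE { OID, UTF8String }
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, CN_OID) + _der(0x0C, cn.encode()))))


def constructed_certificate_pem(device_id):
    """CONSTRUCTED sample: an X.509 skeleton with a real subject layout but no key or signature,
    so the parser can be exercised offline. It would never validate against any CA."""
    ecdsa_sha256 = _der(0x30, _der(0x06, bytes.fromhex("2a8648ce3d040302")))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02"))                      # version v3
                     + _der(0x02, b"\x01")                                # serialNumber
                     + ecdsa_sha256                                       # signature algorithm
                     + _name("Example Device CA")                         # issuer
                     + _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"340101000000Z"))  # validity
                     + _name(device_id)                                   # subject: CN = device ID
                     + _der(0x30, b""))                                   # subjectPublicKeyInfo placeholder
    b64 = base64.b64encode(_der(0x30, tbs + ecdsa_sha256 + _der(0x03, b"\x00"))).decode()
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n-----END CERTIFICATE-----\n")


class RecordingIoTClient:
    """Stand-in for boto3's iot client: serves one certificate and records every mutating call."""
    def __init__(self, pem):
        self._pem, self.calls = pem, []

    def describe_certificate(self, certificateId):
        return {"certificateDescription": {
            "certificateId": certificateId, "status": "INACTIVE", "certificatePem": self._pem,
            "certificateArn": f"arn:aws:iot:us-east-1:123456789012:cert/{certificateId}"}}

    def __getattr__(self, name):          # create_thing, attach_policy, ... are recorded, not executed
        def record(**kwargs):
            self.calls.append((name, kwargs))
        return record


# Constructed registration event: field names match the JITR event, values are placeholders.
SAMPLE_EVENT = {"certificateId": "CERT_ID_PLACEHOLDER", "caCertificateId": "CA_ID_PLACEHOLDER",
                "certificateStatus": "PENDING_ACTIVATION", "awsAccountId": "123456789012",
                "timestamp": 0, "certificateRegistrationTimestamp": 0}

if __name__ == "__main__":
    client = RecordingIoTClient(constructed_certificate_pem("device-0001"))
    print(activate_registered_certificate(SAMPLE_EVENT, {"device-0001"}, client, "BootstrapPolicy"), client.calls)
```

Two details are worth noticing. The certificate is activated last, after the thing, policy and principal attachment exist, so a device can never connect with a certificate that has no policy behind it. And a certificate whose Common Name is not on the allow list is simply left in the inactive state JITR created it in, which is exactly the disconnection behaviour the list above describes.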
The final stage of AWS IoT device provisioning is device activation. Device activation occurs when a device is powered on for the first time and connects to the AWS IoT endpoints with its bootstrap certificate. Through this connection the device downloads its final certificate, which carries its full privileges. The general architecture and workflow of device activation comprise the following steps.
- Connection of the device to AWS IoT Core with a bootstrap certificate followed by the device receiving a certificate rotation job
- Receipt of the ‘get certificate’ message on the device
- Response of the CertificateRotation Lambda function to the device with a pre-signed URL for the operational certificate
- Fetching of the operational certificate from the S3 bucket by the device
- Rotation of the certificate by the device and reconnection to the AWS IoT endpoints
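From the device's side, the activation steps above arrive as an AWS IoT Jobs document. The following is an added example of how a device can process that job defensively; it is not code from AWS or from the original post. The job wrapper (`execution`, `jobId`, `jobDocument`) and the `$aws/things/<name>/jobs/<jobId>/update` status topic are the real AWS IoT Jobs shapes, but the document keys `operation` and `certificateUrl` are assumed for this example because the article does not specify the document layout. The HTTPS fetch and MQTT publish are injected functions so the flow runs offline, and the certificate text returned by the fake fetch is a constructed placeholder.

```python
from urllib.parse import urlparse


def handle_certificate_rotation_job(job, device_id, expected_bucket, fetch, publish):
    """Device-side handling of one Jobs notification that delivers the operational certificate.

    job             -- dict received on $aws/things/<device_id>/jobs/notify-next, i.e.
                       {"execution": {"jobId": ..., "jobDocument": {...}}}, or {} when nothing is pending
    expected_bucket -- the S3 bucket the CertificateRotation Lambda is known to pre-sign URLs for
    fetch(url)      -- returns the object body as str (injected so this runs offline)
    publish(topic, payload) -- MQTT publish (injected)
    Returns the new PEM to install in place of the bootstrap certificate, or None if the job was rejected.
    """
    execution = job.get("execution")
    if not execution:
        return None                                      # empty notify-next: no pending job
    job_id, doc = execution["jobId"], execution["jobDocument"]
    update_topic = f"$aws/things/{device_id}/jobs/{job_id}/update"

    def fail(reason):
        publish(update_topic, {"status": "FAILED", "statusDetails": {"reason": reason}})
        return None

    if doc.get("operation") != "get certificate":        # ASSUMED document key (see lead-in)
        return fail("unexpected operation")
    url = urlparse(doc.get("certificateUrl", ""))        # ASSUMED document key
    host = url.hostname or ""
    # Accept only an HTTPS pre-signed URL whose host is the expected bucket under S3's amazonaws.com domain.
    if url.scheme != "https" or not (host.startswith(f"{expected_bucket}.s3.") and host.endswith(".amazonaws.com")):
        return fail("certificate URL is not an HTTPS URL for the expected bucket")
    pem = fetch(doc["certificateUrl"])
    if "-----BEGIN CERTIFICATE-----" not in pem:
        return fail("downloaded object is not a PEM certificate")
    publish(update_topic, {"status": "SUCCEEDED"})
    return pem


# Constructed placeholder standing in for the operational certificate served from S3.
CONSTRUCTED_PEM = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQgU0FNUExF\n-----END CERTIFICATE-----\n"


def run_demo(certificate_url):
    """Drive the handler with a constructed job and offline fetch/publish; returns (new_pem, published)."""
    published = []
    job = {"execution": {"jobId": "rotate-001",
                         "jobDocument": {"operation": "get certificate", "certificateUrl": certificate_url}}}
    pem = handle_certificate_rotation_job(job, "device-0001", "example-operational-certs",
                                          fetch=lambda url: CONSTRUCTED_PEM,
                                          publish=lambda topic, payload: published.append((topic, payload)))
    return pem, published


if __name__ == "__main__":
    print(run_demo("https://example-operational-certs.s3.us-east-1.amazonaws.com/device-0001.pem?X-Amz-Signature=PLACEHOLDER"))
    print(run_demo("http://example-operational-certs.s3.amazonaws.com/device-0001.pem"))
```

The design point is that the device treats the job document as untrusted input even though it came over an authenticated MQTT session: it only fetches over HTTPS, only from the bucket it expects, and only reports `SUCCEEDED` once it holds something that looks like a certificate. Reconnecting with the new certificate before discarding the bootstrap one, as the last step in the list describes, is what makes the rotation recoverable if the download was bad.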
The final aspect of the device provisioning workflow is the best practice of granting the least possible privileges. The bootstrap certificate should therefore be configured with only the privileges needed to complete the AWS IoT device provisioning workflow: connecting to AWS IoT Core with the device ID as the MQTT client ID, publishing and subscribing to the MQTT topics needed for certificate rotation, and subscribing to the device's own AWS IoT Jobs topics.
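The three permissions just listed translate directly into an AWS IoT policy document. The following is an added example, not a policy from AWS or from the original post, that builds such a bootstrap policy with the `${iot:Connection.Thing.ThingName}` policy variable, places it beside the all-access policy it should replace, and includes a small check that flags any grant not pinned to the connecting thing. It assumes the thing name equals the device ID used as the MQTT client ID; the region and account ID are placeholders, and the `cert-rotation/...` topic namespace is assumed because the article does not name the rotation topics.

```python
import json

THING = "${iot:Connection.Thing.ThingName}"   # AWS IoT policy variable: the thing attached to the connecting certificate
ARN = "arn:aws:iot:REGION:ACCOUNT_ID"          # placeholders for the deployment's region and account ID


def bootstrap_policy(rotation_prefix="cert-rotation"):
    """Least-privilege bootstrap policy for the provisioning workflow.

    The device may connect only as its own thing name (the device ID), talk only on the
    certificate-rotation topics for that thing, and use only that thing's own Jobs topics.
    rotation_prefix is an ASSUMED topic namespace; the article does not name the rotation topics.
    """
    def own(kind, suffix):
        return f"{ARN}:{kind}/{suffix}"

    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "iot:Connect",
             "Resource": own("client", THING)},
            {"Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"],
             "Resource": [own("topic", f"{rotation_prefix}/{THING}/*"),
                          own("topic", f"$aws/things/{THING}/jobs/*")]},
            {"Effect": "Allow", "Action": "iot:Subscribe",
             "Resource": [own("topicfilter", f"{rotation_prefix}/{THING}/*"),
                          own("topicfilter", f"$aws/things/{THING}/jobs/*")]},
        ],
    }


# The weak setting, for contrast: the all-access policy that is easy to attach "just to get it working".
OVERLY_PERMISSIVE_POLICY = {"Version": "2012-10-17",
                            "Statement": [{"Effect": "Allow", "Action": "iot:*", "Resource": "*"}]}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def overbroad_grants(policy):
    """Return (action, resource) pairs for Allow grants that are not pinned to the connecting thing:
    wildcard actions, a bare "*" resource, or a resource ARN that never mentions the thing-name variable."""
    findings = []
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Allow":
            continue
        for action in _as_list(statement["Action"]):
            for resource in _as_list(statement["Resource"]):
                if action.endswith("*") or resource == "*" or THING not in resource:
                    findings.append((action, resource))
    return findings


def render(policy):
    """JSON as you would pass it to `aws iot create-policy --policy-document`."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print(render(bootstrap_policy()))
    print("overbroad grants in bootstrap policy:", overbroad_grants(bootstrap_policy()))
    print("overbroad grants in permissive policy:", overbroad_grants(OVERLY_PERMISSIVE_POLICY))
```

The thing-name variable only resolves when the certificate is attached to a thing and the device connects with that thing's name as its MQTT client ID, which is exactly what the registration step above sets up. A device that presents a valid bootstrap certificate but tries a different client ID, or a topic belonging to another device, is denied by the broker rather than by application code.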
In conclusion, you can clearly see the various stages of the AWS IoT device provisioning workflow. The adoption of IoT devices keeps growing, and AWS IoT integrates the IoT ecosystem with AWS. These are credible reasons to start learning about AWS IoT.
Apart from the best practices outlined here, you can explore the extensive official AWS documentation. For example, you can read more about the security best practices relevant to device provisioning in AWS IoT. A deeper understanding of the AWS IoT architecture and how it works will improve your expertise in provisioning AWS IoT devices. Start learning more now.
To learn and become a pro in AWS IoT, enroll in the AWS IoT Core Device Provisioning Training Course. AWS Certified Machine Learning Specialty is the certification that validates your skills in IoT, AI, and Machine Learning. If you are aspiring to get AWS Machine Learning Specialty certification, our online course and practice tests for the AWS Certified Machine Learning Specialty Exam will help you achieve your goal. Start your preparation now to become certified!