AWS IoT
At the edges of the IoT world, you’ll find actuators and sensors. There are plenty of commands to send, and way too much data to deal with. But job #1 is secure management – how do you design a device that you can identify and connect with 100% certainty that it hasn’t been hacked (and never will be)?
ARTIK and AWS IoT together provide an incredibly secure way of doing this.
- The CA certificate chain is pre-registered to AWS IoT, but individual device certificates do not need to be pre-registered
- ARTIK sets up an SSL/TLS-secured channel without ever exposing the private key to applications
- Without ever having seen the device or its certificate, AWS IoT receives the certificate on the initial connection attempt and safely verifies it before proceeding
- AWS IoT assigns the device a Certificate ID with its just-in-time registration (JITR) feature; the device is now online.
What it means: A “self-managing” secure ecosystem, where “ownership” of the device can be transferred from OEM/ODM to service provider, and from end user to end user, with ease.
Once connected, you have the whole AWS world at your command.
– Send photos from your ARTIK surveillance system to the AWS S3 file bucket.
– Scan the files for unknown objects with AWS Rekognition.
– Upgrade your ARTIK capabilities on-the-fly by sending an AWS Lambda function.
All of this happens with no fear of interception, thanks to ARM® TrustZone® technology and the ARTIK Secure Execution Environment (SEE) – the private key stays private.
AWS IoT Articles
You're ready to begin! We recommend following the articles below in the order shown.
| Service | Tutorial Description |
|---|---|
| AWS IoT - Overview | Publishing IoT data and receiving commands, using MQTT |
| AWS IoT - JIT Register | Provisioning ARTIK boards with keys and certificates |
| AWS Lambda - JIT Register | Servicing the connection event in the cloud |
| AWS Greengrass | Deployment of encapsulated compute modules (AWS Lambda functions) |
Setting Up AWS Tools
Amazon AWS cloud-based tools can significantly increase the capabilities of ARTIK modules. The article here describes how to get started, by:
- Setting up your account
- Installing the AWS CLI
- Configuring your credentials.
Get AWS Account
Follow the AWS sign-up instructions to be able to access the various AWS services we'll need. All are free for introductory use.
Note that you may need to choose the same geographic area in all your AWS services to guarantee interoperability among them.
Install Amazon AWS CLI
While Greengrass does not require installation of the AWS CLI, you'll find the CLI makes configuration and debug a lot easier.
The AWS CLI wants to operate from a Python 3.5 environment, which will interfere with the normal Python 2.7 environment used by other ARTIK utilities. You could follow the instructions to set up the AWS CLI in a virtual environment, but it may not work the way shown in the AWS article. Here's what worked for us.
1 2 3 4 5 6 | apt install python-pip apt install python3-pip apt install python3-venv pyvenv ~/cli-ve source ~/cli-ve/bin/activate pip install --upgrade awscli |
Type
aws --version
to verify that the AWS CLI installed correctly.
Going forward, you'll use just
source ~/cli-ve/bin/activate
to enter the Python 3.5 environment, and
deactivate
to exit. You can type python in each environment to see whether you're in Python 2.7 or 3.5.
Handling Credentials
Get credentials
Under your account information, find your security credentials. Then create a new access key and keep it and the secret key on the screen for the next step.
Configure credentials
On your ARTIK board, enter:
aws configure
You can now copy and paste your key and secret key. AWS creates a hidden directory and file ~/.aws/credentials with the information, which will be accessed by the CLI, S3, Greengrass, and any other AWS services you have.
For region, you can choose us-west-2 which will be appropriate for the AWS Greengrass article and should work for other articles as well.