Presentation given during Start Up Day Hong Kong on September 15, 2017 within the Architecture track

1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Dickson Yue, AWS Solutions Architect
9/15/2017
Building Powerful IoT apps with
AWS IoT and Websockets
AWS Startup Day – Hong Kong

2. Outline
• MQTT recap
• WebSockets: what and why?
• Authentication and Authorization
• Demo + Code

3. AWS IoT

4. Publish / Subscribe
Standard Protocol Support
MQTT, HTTP, WebSockets
Long Lived Connections
Receive signals from the cloud
Secure by Default
Connect securely via X509 Certs
and TLS 1.2 Client Mutual Auth

5. MQTT PubSub Topic Subscriptions
PUBLISH
weather-station/echo-base/temperature
SUBSCRIBE
weather-station/echo-base/temperature
weather-station/echo-base/#
weather-station/+/temperature

6. Comparing protocols
MQTT
• Lightweight
• Bidirectional
HTTP
• Broad support (browsers)
• Request-reply
Client Server Client Server

7. AWS IoT protocol comparison
Capability MQTT HTTP
Publish Yes Yes
Subscribe Yes No

8. WebSockets to the rescue
GET wss://…/mqtt?X-Amz-Signature=…
Connection: Upgrade
Sec-WebSocket-Protocol: mqtt
…
Upgrade?
OK
HTTP/1.1 101 Switching Protocols
Connection: Upgrade
HTTP

9. WebSockets to the rescue
HTTP
MQTT
SUBSCRIBE
PUBLISH
…

10. AWS IoT protocol comparison
*Using WebSockets to upgrade HTTP connections to MQTT connections
Capability MQTT HTTP
Publish Yes Yes
Subscribe Yes Yes*

11. Outline
• MQTT recap
• WebSockets: what and why?
• Authentication and Authorization
• Demo + Code

12. Securing AWS Resource Access

13. Authentication vs authorization
Authentication:
Prove your identity
Authorization:
Restrict access

14. Authentication for devices
Device credentials
• Private key (authenticate the device)
• Certificate (register the device with IoT)
• Root CA cert (authenticate IoT)

15. Authentication for devices
Administrator
CreateCertificate
Generate CSR
Generate
Private Key
Certificate

16. Connect through MQTT libary
import paho.mqtt.client as mqtt
def init():
global client
try:
client = mqtt.Client()
client.on_connect = on_connect
client.on_message = on_message
client.clientid = clientid
client.tls_set( "../../certs/root.pem",
certfile="../../certs/grove-cert.pem",
keyfile="../../certs/grove-privateKey.pem",
tls_version=ssl.PROTOCOL_TLSv1_2, ciphers=None )
client.connect("data.iot.us-east-1.amazonaws.com", 8883, 10)
client.loop_forever()
except:
print "Mqtt Unexpected error:", sys.exc_info()[0]

17. HTTP
curl --tlsv1.2
--cacert root.pem --cert pi01-cert.pem --key pi01-privateKey.pem
-X POST -d "{ "serialNumber": "G030JF053216F1BS", "clickType":
"SINGLE", "batteryVoltage": "2000mV" }"
"https://a1omffl4uase1e.iot.us-east-
1.amazonaws.com:8443/topics/iotbutton/virtualButton?qos=1"

18. AWS IoT protocol comparison
Capability MQTT HTTP
Publish Yes Yes
Subscribe Yes No
Certificate Auth Yes Yes
Sig V4 Auth No Yes

19. AWS IoT protocol comparison
Capability MQTT HTTP
Publish Yes Yes
Subscribe Yes No
Certificate Auth Yes Yes
Sig V4 Auth No Yes

20. AWS IoT protocol comparison
Capability MQTT HTTP
Publish Yes Yes
Subscribe Yes Yes*
Certificate Auth Yes Yes
Sig V4 Auth Yes* Yes
*Using WebSockets to upgrade HTTP connections to MQTT connections

21. Authenticated
• End-users sign in
• Customize user-specific policy
in AWS IoT
• Users cannot access AWS IoT
until IoT policy is attached
Cognito Identities in AWS IoT
Unauthenticated
• No sign-in (anonymous)
• Use IAM role policy and policy
variables to restrict access
• No user-specific policy
in AWS IoT

22. Unauthenticated end-users

23. Unauthenticated access for end-users
Amazon
Cognito
Get Credentials
AssumeRole

24. Connect through JavaScript
var region = c.AWS.region; //'ap-northeast-1'
var iotEndpoint = c.AWS.iotEndpoint;
var identityPoolId = c.AWS.identityPoolId;
AWS.config.region = region;
AWS.config.credentials =
new AWS.CognitoIdentityCredentials({ IdentityPoolId: identityPoolId });
AWS.config.credentials.get(function(){
var signedUrl = getSignedUrl();
initClient(signedUrl);
});
var requestUrl = 'wss://' + host + canonicalUri + '?' + canonicalQuerystring;
//Unauthenticated

25. Unauthenticated access for end-users
Amazon
Cognito
Get Credentials
AssumeRole
AWS STS
AWS IAM
permissions
role
temporary
security
credentials

26. Unauthenticated access for end-users
Amazon
Cognito
AWS STS
AWS IAM
permissions
role
WebSocket Connect
temporary
security
credentials
Allowed?
Yes!

27. User-specific policies
{
"Effect": "Allow",
"Action": ["iot:Publish", "iot:Subscribe"]
"Resource": [
"arn:*:topic/home/123_aws_ave",
"arn:*:topicfilter/home/123_aws_ave"
]
}
{
"Effect": "Allow",
"Action": ["iot:Publish", "iot:Subscribe"]
"Resource": [
"arn:*:topic/home/456_iot_ln",
"arn:*:topicfilter/home/456_iot_ln"
]
}
Policy for Alice, Bob: Policy for Chuck:

28. Fine-grained access control
SUB home/456_iot_ln
SUB home/123_aws_ave/#
PUB home/123_aws_ave/light_1/on
SUB home/123_aws_ave/#
PUB home/123_aws_ave/door_1/open
Alice
Bob
Chuck

29. Fine-grained access control
PUB home/123_aws_ave/door_1/open
SUB home/123_aws_ave/#
PUB home/123_aws_ave/light_1/on
SUB home/123_aws_ave/#
PUB home/123_aws_ave/door_1/open
Alice
Bob
Chuck

30. Policy variables for Cognito users
AWS IAM
PUBLISH foo/us-east-1:abcdef-my-cognito-id
temporary
security
credentials
{
"Effect": "Allow",
"Action": "iot:Publish",
"Resource": [
"arn:*:topic/foo/${cognito-identity.amazonaws.com:sub}"
]
}

31. Policy variables for Cognito users
{
"Effect": "Allow",
"Action": "iot:Publish",
"Resource": [
"arn:*:topic/foo/${cognito-identity.amazonaws.com:sub}"
]
}
AWS.config.region = 'us-east-1';
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
IdentityPoolId: 'us-east-1:YOUR_IDENTITY_POOL_ID'
});
AWS.config.credentials.get(function(err)) {
if (err) { return; }
var cognitoId = AWS.config.credentials.identityId;
mqttClient.connect(...);
mqttClient.publish('foo/' + cognitoId);
});
permissions
role

32. Outline
• MQTT recap
• WebSockets: what and why?
• Authentication and Authorization
• Demo + Code

33. http://bit.ly/awsiotws

34. Authentication for end-users

35. Configuring Cognito with AWS IoT
UnauthenticatedAuthenticated

36. Authenticated access for end-users
Amazon
Cognito
Get Credentials
temporary
security
credentials
AWS STSAWS IAM
permissions
role
temporary
security
credentials

37. Connect through JavaScript
var region = c.AWS.region; //'ap-northeast-1'
var iotEndpoint = c.AWS.iotEndpoint;
var identityPoolId = c.AWS.identityPoolId;
AWS.config.region = region;
AWS.config.credentials =
new AWS.CognitoIdentityCredentials(
{ IdentityPoolId: c.AWS.identityPoolId,
Logins: {'graph.facebook.com': fbresponse.authResponse.accessToken }
});
AWS.config.credentials.get(function(){
var signedUrl = getSignedUrl();
initClient(signedUrl);
});
var requestUrl = 'wss://' + host + canonicalUri + '?' + canonicalQuerystring;
//Authenticated
//After fb.login

38. Connect through JavaScript
function initClient(requestUrl) {
var clientId = String(Math.random()).replace('.', '');
var client = new Paho.MQTT.Client(requestUrl, clientId);
mqttClient = client;
var connectOptions = {
onSuccess: function() {
client.subscribe(topiclightbulb);
client.subscribe(topicgrove);
},
useSSL: true, timeout: 3, mqttVersion: 4,
onFailure: function() { console.error('connect failed'); }
};
client.connect(connectOptions);
client.onConnectionLost = onConnectionLost;
client.onMessageArrived = onMessageArrived;
}
//Subscribe topics
//Subscribe topics

39. Authenticated access for end-users
Amazon
Cognito
AWS STS
AWS IAM
permissions
role
WebSocket Connect
temporary
security
credentials
Allowed?
Yes!
IoT
topic
IoT
shadow
IoT
policy

40. Authenticated access for end-users
Amazon
Cognito
AWS STS
AWS IAM
permissions
role
WebSocket Connect
temporary
security
credentials
Allowed?
Yes!
IoT
topic
IoT
shadow
IoT
policy
Create, Attach
Policy for Alice,
Bob, and Chuck

41. Authenticated
• End-users sign in
• Customize user-specific policy
in AWS IoT
• Users cannot access AWS IoT
until IoT policy is attached
Cognito Identities in AWS IoT
Unauthenticated
• No sign-in (anonymous)
• Use IAM role policy and policy
variables to restrict access
• No user-specific policy
in AWS IoT

42. Chicken and egg: when to attach the policy?
• Users cannot connect until they have a policy in IoT
• Policy cannot be attached without knowing the user’s
CognitoId
Solution: attach a policy when the user first connects!

43. On-demand registration
Amazon
Cognito
AWS
Lambda
CONNECT
Access denied
New User
(already
signed in)
Get Credentials
temporary
security
credentials
(no policy for user)

44. On-demand registration (continued)
Amazon
Cognito
AWS
Lambda
Register()Create, Attach
Policy
New User
IoT
policy
CONNECT
OK!
context.identity.cognitoIdentityId

45. Lambda Code – Attach Principal Policy
'use strict';
var AWS = require('aws-sdk');
AWS.config.region = 'us-east-1';
var iot = new AWS.Iot();
exports.handler = (event, context, callback) => {
var cognitoid = ‘';
if (typeof context.identity !== 'undefined') {
cognitoid = context.identity.cognitoIdentityId;
var params = {
policyName: 'cognito-user-access', /* required */
principal: cognitoid /* required */
};
iot.attachPrincipalPolicy(params, function(err, data) {
if (err) console.log(err, err.stack); // an error occurred
else console.log(data); // successful response
});
}
};

46. What permissions to attach?
• Start with minimal permissions
• Dynamically generate or attach your policy base on user

47. Wrapping up
• WebSockets makes IoT interactive
• Authentication for humans is different than devices
• Use Lambda to drive user registration, pairing
• Getting started with the AWS IoT Device SDK is easy
• AWS IoT WebSockets, Rules Engine, Shadow and
Lambda makes server-less applications easy

48. Thank you!
Dickson Yue