A Look at the AWS IoT Ecosystem

The Internet of Things (IoT) enables smart objects to link with various information services that are based on the internet. The IoT cloud platform provides a framework to host applications that link smart objects to internet based services. The IoT cloud platform also provides a way to control smart objects with other smart objects.

AWS IoT is a cloud platform that not only provides an easy way to connect IoT-enabled devices to the cloud but also can store, analyze and visualize their data, making sense out of it.


AWS IoT provides a platform where sensor grids, aircraft engines, connected cars, factory floors, and similar things can be connected easily and securely to the cloud and to other devices. The cloud connection to IoT devices is fast and lightweight (MQTT or REST), which makes AWS IoT a great fit for devices that have limited processing power, battery life or memory.

AWS IoT Architecture

Let’s take a look at the AWS IoT components:


Things are devices of all types, shapes, and sizes including applications, connected devices, and physical objects. Things measure and control something of interest in their local environment.

Ex: Consider you have a LinkIt One Board to which you have to connect a temperature sensor. The LinkIt One device keeps uploading sensor data to AWS IoT. In AWS IoT, “LinkIt One board + Temperature sensor” represents a virtual device called a “Thing.” Things have names, attributes, and shadows.

1. Thing Name: Unique name given by the user to identify a thing.

2. Thing attributes: The attributes represent the unique features of the thing, such as its serial number.

3. Thing Shadows: The shadow represents the current state of the IoT device. The AWS Thing shadow can also be updated by other end devices; this will help us control the IoT-enabled

Example: Consider an IoT-enabled air conditioner which is constantly sending its current state to its AWS IoT Thing shadow, and assume that the currently reported state of the device is “OFF.” Now, a user can update the AWS IoT Thing shadow from a mobile phone or laptop and change the desired state (a request to change the state) to “ON.” The shadow compares the “reported state” (the reading from the device) with the desired state, and if there is a difference between the reported and the desired state, it sends an appropriate response to the device.
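The shadow behaviour described above, modelled in Python as an added example (this is not code from the article or from the AWS shadow service): updates merge into the desired and reported sections, the delta is the part of desired that reported does not yet match, and an update carrying a stale version is rejected as the service does. The shadow document contents are constructed for the air-conditioner scenario.

```python
import copy

_MISSING = object()

# Constructed shadow document for the article's air-conditioner scenario: the
# device has reported that it is OFF and nothing has been requested yet.
SHADOW = {"state": {"reported": {"power": "OFF", "setpoint_c": 24}}, "version": 1}


class VersionConflict(Exception):
    """An update built on a stale version; the shadow service rejects it with 409."""


def merge_update(base, update):
    """Merge an update into one shadow section the way the service does: nested
    objects merge key by key, scalars are replaced and a null deletes the key."""
    for key, value in update.items():
        if value is None:
            base.pop(key, None)
        elif isinstance(value, dict) and isinstance(base.get(key), dict):
            merge_update(base[key], value)
        else:
            base[key] = copy.deepcopy(value)
    return base


def compute_delta(desired, reported):
    """Return the part of desired that reported does not yet match (the delta)."""
    delta = {}
    for key, wanted in desired.items():
        actual = reported.get(key, _MISSING)
        if isinstance(wanted, dict) and isinstance(actual, dict):
            sub = compute_delta(wanted, actual)
            if sub:
                delta[key] = sub
        elif wanted != actual:
            delta[key] = wanted
    return delta


def update_shadow(shadow, update):
    """Apply an update document and return the delta the service would publish on
    $aws/things/<name>/shadow/update/delta, or None when reported already matches."""
    if "version" in update and update["version"] != shadow["version"]:
        raise VersionConflict(f"update is based on version {update['version']}, "
                              f"shadow is at version {shadow['version']}")
    state = shadow["state"]
    for section in ("desired", "reported"):
        if section in update.get("state", {}):
            merge_update(state.setdefault(section, {}), update["state"][section])
    shadow["version"] += 1
    return compute_delta(state.get("desired", {}), state.get("reported", {})) or None


def run_scenario():
    """The article's scenario: the phone requests ON, the device acts on the delta
    and reports ON, after which no further delta is published."""
    shadow = copy.deepcopy(SHADOW)
    # 1. the user's phone updates the desired state, stating the version it saw
    first = update_shadow(shadow, {"state": {"desired": {"power": "ON"}}, "version": 1})
    # 2. the device receives the delta, switches on and reports its new state
    second = update_shadow(shadow, {"state": {"reported": first}})
    return first, second, shadow["version"]
```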

Rules Engine

The Rules Engine collects the data sent to the IoT cloud, performs actions based on factors present in the collected data and routes the data to AWS endpoints like Amazon DynamoDB, AWS Lambda, Amazon Simple Storage Service (S3), Amazon Simple Notification Service (SNS), and Amazon Kinesis. The actions are expressed using an SQL-like syntax. Routing is driven by the context and contents of individual messages. For example, routine readings from a temperature sensor could be tracked in a DynamoDB table, whereas an aberrant reading that exceeds a value stored in the thing shadow can trigger a Lambda function.

Message Broker

The Message Broker implements the MQTT protocol. The Message Broker can scale to contain billions of responsive long-lived connections between things and your cloud applications. Things use a topic-based publish/subscribe model to communicate with the broker. They can publish their state and can subscribe to incoming messages. The publish/subscribe model allows a single device to share its status efficiently with any number of other devices.

Authentication and Authorization

AWS IoT supports mutual authentication and encryption at all points of connection, so that data is never exchanged between AWS IoT and devices without a proven identity. It supports the AWS method of authentication (called ‘SigV4’) and X.509 certificate-based authentication. HTTP connections can use either method, MQTT connections use certificate-based authentication, and WebSocket connections use SigV4. With AWS IoT, you can use AWS IoT-generated certificates or certificates signed by your preferred Certificate Authority (CA).

You can create and deploy certificates and policies for your devices from the AWS IoT console or through an API. These device certificates can be activated and associated with the relevant policies that are configured using AWS IAM. This allows you to revoke access to an individual device instantly if you choose to do so.

Thing Registry

The Thing Registry assigns a unique identity to each thing. It also tracks descriptive metadata such as the attributes and capabilities of each thing.


With AWS IoT, we can build an end-to-end IoT application that collects data from sensors, stores the collected data, and analyzes and visualizes it. The insights we get from the analytics and visualization will help businesses gain efficiencies, improve operations, harness intelligence from an extensive range of equipment, and increase customer satisfaction.

Exploring IoT Through a Use Case

The Internet of Things (IoT) is much more than attaching sensors to things and controlling them through the internet. The concept of IoT holds long-term application potential as our day-to-day lives are increasingly influenced by smart technologies, and people are investing their brains in making them a reality, which can only be accomplished through IoT.

Here is an example that explains an IoT use case for a logistics company.

IoT Use Case

A logistics company is transporting fish long distances in refrigerated containers. They transport the fish with the utmost care because the fish may spoil if not handled properly during transit. Also, the company has an agreement with the merchant that if the fish spoils during transit, the company must compensate the merchant. Therefore, the following parameters are imperative to avoid greater losses.

Temperature: The fish needs to be frozen to maintain its highest quality.

Humidity: Important to avoid thawing of frozen fish.

GPS Location: To track the container.

Door Sensor: To alert the company if the truck door is opened.

Human Presence Sensor: To check any human presence in the container.

The company solved the problem efficiently using IoT technology. They embedded different sensors in the container, which collected data and sent it to the cloud for analysis. The sensors help track whether the temperature and humidity are within the specified conditions, whether the container is travelling the specified route, whether the door is opened during transit, and whether there is a human presence in the container. If a merchant makes any claims about the quality of the fish, the company can analyze the collected data and find out the exact reason behind the spoiled fish. Also, the company receives the tracking data at a given interval (five minutes, two minutes, etc.) so that it can take immediate action if required.

Let’s consider that the company has not adopted an IoT system. The company might suffer huge losses if a merchant makes false claims, saying that the fish spoiled during transit. Also, the company would not know whether there were any changes in the container conditions or location. Therefore, the IoT system helps to address all of the discussed problems promptly, before they cause any major damage. The IoT process flow for this use case is as follows:

Data Collection: Collects data from sensors placed in the container and sends this data to the cloud.

Rule Engine: When the cloud receives data, it checks whether any alerts need to be raised. For example, if the container door is opened, it sends an alert to the company.

Data Storage and Cleansing: Using Big Data tools, the data is cleansed and stored.

Data Analysis: If a merchant raises any claims, the data can be analyzed to verify the claim.

Visualization: Generation of reports from the data.


An IoT-enabled end-to-end application will collect data from sensors, store it, analyze it, and visualize it. The insights we get from the collected data will help to improve the entire system and process, thereby improving the system’s operations, transparency, profitability, efficiency, and customer satisfaction.

How to Build a Complete IoT Solution with AWS – A Use Case Approach

In the future, there will be millions of connected devices, from smart vehicles to smart wearables, generating an ever-increasing amount of data. The IoT cloud platform makes it possible to collect data, store and process it, and get actionable insights.

Using AWS IoT along with other services provided by AWS, a complete IoT solution can be built. In this article we discuss an IoT use case and see how to implement the solution.

IoT Use Case

A logistics company provides transportation services and needs to ship items (e.g. fish, meat, etc.) in refrigerated containers. The merchant receiving this service found that sometimes the goods he received were spoiled. He took out insurance with an insurance company for the goods during transit. Over a period of time, the insurance company came to feel that the merchant was raising false claims, and wanted to implement a system to avoid these false claims.

The insurance company decided to implement an IoT solution to avoid false claims. Therefore, monitoring the following parameters during transit is imperative.

Temperature: The goods need to be frozen to maintain quality

Humidity: To avoid thawing of frozen goods

GPS Location: To track the route of the container

Door Sensor: To alert the company when the truck door is opened

Human Presence Sensor: To check any human presence in the container

Note: All the sensors are connected to the node (the hardware platform; in this case, LinkIt One / Edison / Raspberry Pi), and the measurements are passed on to the cloud using GPRS connectivity.

By measuring the mentioned parameters, the insurance company can identify if any anomaly has happened during transit. If anomalies are found, they will reject the claim.

For example:

  1. A change in temperature and humidity may affect the quality of the goods – can be identified using the temperature and humidity sensors
  2. Deviation from the predefined route can affect the delivery time – can be identified using the GPS sensor
  3. Opening the door of the truck will affect the temperature and humidity maintained inside the truck – can be identified using the door sensor
  4. Theft of goods can be identified by the human presence sensor placed inside the truck

Use Case Architecture

IoT Architecture

AWS Components in the Architecture

Node: The hardware along with the sensors connected to it (the IoT device) is termed a node.

Thing: In AWS IoT terminology a ‘Thing’ represents a connected device (a.k.a. node).

Device Gateway: The AWS IoT Device Gateway enables secure and efficient communication between devices and AWS IoT. It exchanges messages using a publish/subscribe model, which allows one-to-one and one-to-many communication. The data collected by the node is securely published to the AWS IoT Device Gateway using the MQTT protocol.

AWS components

Device Shadow: The device shadow holds the current state of the device, or its last known state if the node is offline. The data published to AWS IoT is reflected in the AWS IoT Device Shadow. The Thing shadow is a JSON document that stores the current state of the ‘Thing’.

AWS IoT Rules: AWS IoT Rules gives IoT-enabled devices the ability to interact with AWS services. Rules are analyzed, and actions are performed based on the MQTT topic stream. Rules support tasks like these:

  1. Write data received from a device to an Amazon Dynamo DB database
  2. Process messages from a large number of devices using Amazon Kinesis
  3. Send a push notification using Amazon SNS to all users
  4. Save a file to Amazon S3
  5. Send the data from an MQTT message to Amazon Machine Learning to make predictions based on an Amazon ML model.

Amazon IAM: AWS Identity and Access Management helps users securely control access to AWS resources. Permission has to be granted by the account holder to AWS IoT before it can access these AWS resources. Users can use IAM to control who can use their AWS resources, and also which AWS resource is permitted to access or manipulate other AWS resources.

Amazon Kinesis Streams: Amazon Kinesis Streams can continuously capture and store terabytes of data per hour from hundreds of thousands of sources. Amazon Kinesis can perform low-level processing on streams of data. Data records are accessible for a default of 24 hours from the time they are added to a stream. This time frame is called the retention period and is configurable in hourly increments from 24 to 168 hours (1 to 7 days).

EC2 Instance: An EC2 instance is a virtual server in Amazon’s EC2 (Elastic Compute Cloud).

Kinesis Client Library: The Amazon Kinesis Client Library (KCL) helps applications consume and process data from an Amazon Kinesis stream. The KCL takes care of several complex tasks associated with distributed computing, such as load balancing across multiple instances, responding to instance failures, and checkpointing processed records. The KCL acts as an intermediary between the record-processing logic and Streams.

Simple Storage Service (S3): Amazon S3 provides developers and IT teams with secure, durable, highly scalable cloud storage. Amazon S3 is easy-to-use object storage with a simple web service interface to store and retrieve any amount of data from anywhere on the web. Amazon S3 is carefully engineered to meet the requirements for scalability, reliability, speed, low cost, and simplicity. Each object in S3 can be managed through an object lifecycle by using lifecycle configuration. Lifecycle configuration simplifies the lifecycle management of your objects, such as automatically moving less frequently accessed objects to low-cost storage alternatives like Amazon Glacier and scheduling deletion of objects.

Amazon Glacier: Amazon Glacier is a low-cost storage service that provides secure, flexible and durable storage for data backup and archival. Customers can reliably store their data for only about $0.007 per gigabyte per month with Amazon Glacier. It enables any business to easily and cost-effectively retain data for months, years, or decades.

Amazon DynamoDB: Amazon DynamoDB is a fast and flexible NoSQL database service for applications that need consistent single-digit millisecond latency at any scale. DynamoDB allows a user to create database tables that can store and retrieve any amount of data and serve any level of request traffic. DynamoDB automatically spreads the data and traffic for the tables over a sufficient number of servers to handle the throughput and storage requirements, while maintaining consistent and fast performance.

Amazon QuickSight: Amazon QuickSight is a very fast, cloud-powered business intelligence (BI) service that makes it easy for all employees to build visualizations, perform ad-hoc analysis, and quickly get business insights from their data. Amazon QuickSight uses a new, Super-fast, Parallel, In-memory Calculation Engine (“SPICE”) to perform advanced calculations and render visualizations rapidly. Amazon QuickSight easily connects to other AWS data services like Amazon Redshift, Amazon RDS, Amazon Dynamo DB, Amazon S3, and Amazon Kinesis. It can upload CSV, TSV, and spreadsheet files or connect to third-party data sources such as Salesforce.

Amazon Cognito: A smart mobile device can securely connect to AWS IoT using Amazon Cognito, which provides a secure way to access AWS services from Android and iOS mobile applications. Amazon Cognito also allows mobile applications to authenticate users through social identity providers such as Facebook, Twitter, and Amazon, as well as SAML identity solutions.

AWS Simple Notification Service (SNS): SNS is a fully managed push notification service that allows you to send individual messages to large numbers of recipients. Amazon SNS makes it simple and cost-effective to send push notifications to mobile device users and email recipients, or even to send messages to other distributed services.

Solution for the Use Case

The architecture diagram above is the proposed solution for the logistics company, using services provided by AWS. The sensors are attached to a LinkIt One hardware board (the node), which collects data from the sensors. In the IoT scenario, a node represents a ‘Thing’; in our case the ‘Thing’ is the ‘Truck.’

In AWS IoT terminology a ‘Shadow’ is a virtual representation of a ‘Thing’. All sensor data passed on from the truck (via the node) to AWS IoT is available in the ‘Shadow’.

To update the data available at the node into the ‘Shadow’, and to access the data available in the ‘Shadow’, AWS provides a ‘Device SDK’.

In the above use case, the state of the logistics truck (node) (i.e., the temperature, humidity, location of the truck, human presence in the truck and truck door status) is published to the AWS Device Gateway using the MQTT protocol. The status of the truck published to the Device Gateway is reflected in the AWS IoT Device Shadow. Any mobile device authenticated by Amazon Cognito can retrieve the latest state stored in the device shadow, so the current status of the truck, such as its location or the temperature of the container, can be monitored remotely from any mobile device.

In the above use case, the AWS IoT Rules Engine serves two purposes:

  1. The rules engine continuously monitors the current device status (i.e. the current state published to the Device Gateway from the node). If the temperature or humidity rises above its threshold value, if someone opens the refrigerated container’s door in the middle of transport, or if the driver of the truck deviates from the specified route, the AWS IoT rules engine triggers an emergency alert by sending a push notification, email or SMS to the mobile phone of an admin of the logistics company using Amazon SNS (Simple Notification Service).
  2. The rules engine sends the data that is published to the Device Gateway to Amazon Kinesis Streams for further processing and analysis.
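Both purposes of the rule, as an added example that is not the article’s or AWS’s own code: the threshold checks from the list above written as an illustrative AWS IoT rule statement (the SQL-like syntax mentioned in the Rules Engine section) and as Python evaluated over three constructed telemetry messages, plus the route-deviation check done in code (in AWS this part would typically run in a Lambda action fed by the rule). Thresholds, waypoints, topic and stream names are assumptions.

```python
import json
import math

EARTH_RADIUS_KM = 6371.0

# Constructed thresholds and route for the refrigerated-container use case.
MAX_TEMPERATURE_C = -18.0   # goods must stay frozen
MAX_HUMIDITY_PCT = 70.0
ROUTE_TOLERANCE_KM = 2.0
ROUTE = [(12.0, 77.0), (12.5, 77.5), (13.0, 77.5)]  # agreed waypoints (lat, lon)

# The same threshold checks as an illustrative AWS IoT rule statement; the '+'
# wildcard matches one truck id. The route check below is not part of it.
RULE_SQL = ("SELECT truck_id, temperature_c, humidity_pct, door_open, human_present "
            "FROM 'trucks/+/telemetry' "
            "WHERE temperature_c > -18 OR humidity_pct > 70 "
            "OR door_open = true OR human_present = true")

# Constructed telemetry messages as a node would publish them over MQTT.
SAMPLE_TELEMETRY = [
    '{"truck_id": "TRK-001", "temperature_c": -20.5, "humidity_pct": 55, '
    '"door_open": false, "human_present": false, "lat": 12.25, "lon": 77.25}',
    '{"truck_id": "TRK-002", "temperature_c": -10.0, "humidity_pct": 60, '
    '"door_open": true, "human_present": false, "lat": 12.5, "lon": 77.5}',
    '{"truck_id": "TRK-003", "temperature_c": -19.0, "humidity_pct": 50, '
    '"door_open": false, "human_present": false, "lat": 12.25, "lon": 78.0}',
]

def _to_xy(lat, lon, ref_lat):
    """Local flat projection to kilometres; accurate enough over a regional route."""
    return (math.radians(lon) * EARTH_RADIUS_KM * math.cos(math.radians(ref_lat)),
            math.radians(lat) * EARTH_RADIUS_KM)

def distance_from_route_km(lat, lon):
    """Shortest distance from the truck to any segment of the agreed route."""
    px, py = _to_xy(lat, lon, lat)
    best = float("inf")
    for (lat1, lon1), (lat2, lon2) in zip(ROUTE, ROUTE[1:]):
        ax, ay = _to_xy(lat1, lon1, lat)
        bx, by = _to_xy(lat2, lon2, lat)
        abx, aby = bx - ax, by - ay
        length2 = abx * abx + aby * aby
        # position of the closest point along the segment, clamped to its ends
        proj = ((px - ax) * abx + (py - ay) * aby) / length2 if length2 else 0.0
        t = max(0.0, min(1.0, proj))
        best = min(best, math.hypot(px - (ax + t * abx), py - (ay + t * aby)))
    return best

def evaluate(message):
    """Return the alert names the rules engine would raise for one telemetry message."""
    m = json.loads(message)
    checks = [
        ("temperature", m["temperature_c"] > MAX_TEMPERATURE_C),
        ("humidity", m["humidity_pct"] > MAX_HUMIDITY_PCT),
        ("door", m["door_open"]),
        ("human", m["human_present"]),
        ("route", distance_from_route_km(m["lat"], m["lon"]) > ROUTE_TOLERANCE_KM),
    ]
    return [name for name, fired in checks if fired]

def route_message(message):
    """Both purposes of the rule: every message goes to the Kinesis stream, and an
    SNS notification is added only when an anomaly was found."""
    actions = [("kinesis", "truck-telemetry")]
    alerts = evaluate(message)
    if alerts:
        actions.append(("sns", f"{json.loads(message)['truck_id']}: {', '.join(alerts)}"))
    return actions
```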

The logistics company can have hundreds of trucks, and monitoring and keeping track of all of them simultaneously can be tedious. So all the data from the hundreds of trucks is sent to Amazon Kinesis Streams, where simple processing is done and the results are sent to DynamoDB and S3, from which the data is extracted by Amazon QuickSight for business intelligence and visual analytics.

Using this solution, the insurance company can keep track of each and every truck it covers. If a truck deviates from the conditions agreed upon in the insurance policy, the claim will not be honored. Now the insurance company has the data to show its client when a claim is raised, thus avoiding false claims.

Reference: https://aws.amazon.com/documentation/

Authentication of Edge-Device in AWS IoT

Security is a major concern for any IoT system, even if it handles only inconsequential data, because the future of technology is IoT, and an IoT system can be built to control anything from something as insignificant as a thermostat to something as significant as autopiloting a car. AWS has not treated IoT security as an afterthought but took a security-first approach when designing the AWS IoT platform. AWS IoT uses MQTT to receive messages from edge devices. Since MQTT does not have strong security of its own (it has only minimal password-based security), AWS uses ‘mutual authentication TLS’, i.e. the device authenticates the AWS IoT server, and the AWS IoT server authenticates the device.


Certificates used for mutual authentication:

  1. Server Certificate (AWS IoT server)
  2. Device Certificate (IoT Device)
  3. Root CA Certificate (VeriSign)

Keys used with mutual authentication:

  1. Public Key (AWS IoT server)
  2. Private Key (AWS IoT server)
  3. Public Key (IoT Device)
  4. Private Key (IoT Device)

Server Certificate: A digital certificate issued to AWS IoT by the VeriSign CA, used to authenticate the AWS IoT server.

Device Certificate: Can be either generated by AWS IoT or signed by a trusted CA. This certificate is copied into the IoT Device and used for device authentication.

Root CA Certificate: A root certificate is a self-signed certificate, created by the CA authority. All certificates below the root certificate inherit the trustworthiness of the root certificate. In mutual authentication TLS, the device as well as the AWS IoT server, possess X.509 certificates and a private key.

Working of Mutual TLS:

  1. The Edge Device sends a ClientHello message to the AWS IoT server.
  2. The server responds with a ServerHello message to the Edge Device.
  3. The AWS IoT server sends a Certificate message, which contains the server’s certificate.
  4. The server requests the client’s certificate in a CertificateRequest message so that the connection can be mutually authenticated.
  5. The server concludes its part of the negotiation with a ServerHelloDone message.
  6. The Edge Device verifies that the server certificate is signed by a trusted certification authority. The Edge Device holds a list of root certificates of trusted certification authorities; in our case, the VeriSign root certificate.
  7. After verifying the server certificate, the Edge Device responds with a Certificate message, which contains the Edge Device certificate.
  8. The Edge Device sends session key information (encrypted with the AWS IoT server’s public key) in a ClientKeyExchange message.
  9. The Edge Device sends a CertificateVerify message to let the AWS server know it owns the certificate it sent.
  10. The Edge Device sends a ChangeCipherSpec message to activate the negotiated options for all future messages it will send.
  11. The Edge Device sends a Finished message to let the server check the newly activated options.
  12. The server sends a ChangeCipherSpec message to activate the negotiated options for all future messages it will send.
  13. The server sends a Finished message to let the Edge Device check the newly activated options.

The procedure of authentication of edge device by AWS IoT:

The Edge Device certificate and its public and private keys are generated when a ‘Thing’ is created in AWS IoT. The device certificate and both keys are copied into the device memory along with the VeriSign root certificate.

When the device wants to connect and send a message to AWS IoT, it follows the Mutual TLS process to authenticate both the Edge Device and the AWS IoT server.

Once Mutual TLS authentication is done, the data points (status of a device or temperature of a room) exchanged between the Edge Device and the AWS IoT server are encrypted using the session key created by the Edge Device during the Mutual TLS process, thereby securing all communications between the Edge Device and the AWS IoT server.
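The device side of the handshake and provisioning procedure above, as an added example in Python’s standard ssl module (this is not code from the article or from the AWS Device SDK): the context trusts only the root certificate copied onto the device, presents the device certificate and private key when the server asks for them, and completes the handshake on port 8883. The endpoint and file names are placeholders, and describe_context is a helper added here for checking the settings.

```python
import socket
import ssl

AWS_IOT_MQTT_PORT = 8883  # MQTT over TLS; the broker requires an X.509 client certificate


def device_client_context():
    """Settings a Thing must enforce, matched to the handshake steps above: the server
    chain is verified against the pinned root (step 6), the certificate must match
    the endpoint name, and nothing older than TLS 1.2 is negotiated."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe_context(ctx):
    """Plain-value view of the security settings, handy for a provisioning check."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


def build_device_tls_context(root_ca_path, device_cert_path, device_key_path):
    """Trust only the root CA copied to the device (no OS trust store is loaded), and
    load the certificate and private key that answer the server's CertificateRequest
    (steps 7 and 9). The private key never leaves the device."""
    ctx = device_client_context()
    ctx.load_verify_locations(cafile=root_ca_path)
    ctx.load_cert_chain(certfile=device_cert_path, keyfile=device_key_path)
    return ctx


def mutual_tls_handshake(endpoint, ctx, port=AWS_IOT_MQTT_PORT, timeout=10.0):
    """Run the handshake and return what the device learned about the server.
    An ssl.SSLError here means one side rejected the other's certificate, which is
    the failure a misprovisioned or revoked device should expect."""
    with socket.create_connection((endpoint, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=endpoint) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "server_subject": dict(rdn[0] for rdn in cert["subject"]),
                "server_issuer": dict(rdn[0] for rdn in cert["issuer"]),
            }


if __name__ == "__main__":
    # Placeholders: use your account's AWS IoT endpoint and the files obtained
    # when the Thing and its certificate were created.
    context = build_device_tls_context("root-CA.pem", "device.pem.crt", "device.private.key")
    print(mutual_tls_handshake("<your-endpoint>.iot.<region>.amazonaws.com", context))
```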

Reference: https://aws.amazon.com/iot/how-it-works/