Jan Metzner. Solutions Architect Mobile/IoT EMEA, Amazon Web Services. 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Size: px

Start display at page:

Cameron Skinner
6 years ago
Views:

Jan Metzner Solutions Architect Mobile/IoT EMEA, Amazon Web Services

2 Welche Themen werden wir in diesem Webinar behandeln? Authentifizierung und Authorisierung Kommunikation über das Device/Thing Shadow

3 AWS IoT AUTHENTICATION AUTHORIZATION Secure with mutual authentication and encryption RULES ENGINE Transform messages based on rules and route to AWS Services AWS Services P Services DEVICE SDK Set of client libraries to connect, authenticate and exchange messages MESSAGE BROKER Communicate with devices via MQTT and HTTP REGISTRY Identity and Management of your things AWS IoT API SHADOW Persistent thing state during intermittent connections APPLICATIONS

4 Talking to Things DynamoDB Amazon Kinesis Lambda

5 Mutual Auth TLS

6 Talking to Non-Things DynamoDB Amazon Kinesis Lambda

7 AWS Auth + TLS

8 One Service, Two Protocols MQTT + Mutual Auth TLS AWS Auth + HTTPS Server Auth TLS + Cert TLS + Cert Client Auth TLS + Cert AWS API Keys Confidentiality TLS TLS Protocol MQTT HTTP

9 Back To Certs and Keys

10 AWS-Generated Keypair CreateKeysAndCertificate()!

11 Actual Commands $ aws iot create-keys-and-certificate --set-as-active { "certificatearn": "arn:aws:iot:us-east-1: :cert/d7677b0 SNIP 026d9", } "certificatepem": "-----BEGIN CERTIFICATE----- SNIP -----END CERTIFICATE-----", "keypair": { "PublicKey": "-----BEGIN PUBLIC KEY----- SNIP -----END PUBLIC KEY-----", "PrivateKey": "-----BEGIN RSA PRIVATE KEY----- SNIP -----END RSA PRIVATE KEY-----" }, "certificateid": "d7677b0 SNIP 026d9"

12 AWS-Generated Keypair CreateKeysAndCertificate()!

13 Client Generated Keypair CSR

14 Client Generated Keypair CreateCertificateFromCSR(CSR)! CSR

15 Actual Commands $ openssl genrsa out ThingKeypair.pem 2048 Generating RSA private key, 2048 bit long modulus e is (0x10001) $ openssl req -new key ThingKeypair.pem out Thing.csr Country Name (2 letter code) [XX]:US State or Province Name (full name) []:NY Locality Name (eg, city) [Default City]:New York Organization Name (eg, company) [Default Company Ltd]:ACME Organizational Unit Name (eg, section) []:Makers Common Name (eg, your name or your server's hostname) []:John Smith Address []:jsmith@acme.com

16 Actual Commands $ aws iot create-certificate-from-csr \ --certificate-signing-request file://thing.csr \ --set-as-active { } "certificatearn": "arn:aws:iot:us-east-1: :cert/b5a396e SNIP b", "certificatepem": "-----BEGIN CERTIFICATE----- SNIP -----END CERTIFICATE-----", "certificateid": "b5a396e SNIP b"

17 Private Key Protection Test & Dev $ openssl genrsa -out ThingKeypair.pem 2048 Generating RSA private key, 2048 bit long modulus e is (0x10001) $ ls -l ThingKeypair.pem -rw-rw-r-- 1 ec2-user ec2-user 1679 Sep 25 14:10 ThingKeypair.pem $ chmod 400 ThingKeypair.pem ; ls -l ThingKeypair.pem -r ec2-user ec2-user 1679 Sep 25 14:10 ThingKeypair.pem

18 Private Key Protection Software Threats chroot SELinux OTP Fuses

19 Private Key Protection Hardware Threats TPMs Smartcards Locks and Boxes FIPS-style hardware

20 Identity Federation DynamoDB Amazon Kinesis Lambda

Data Access Control AWS APIs { } "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "iot:connect" ], "Resource":"*" }, { "Effect":"Allow", "Action":[ "iot:getthingshadow" ],

21 Data Access Control AWS APIs { } "Version":" ", "Statement":[ { "Effect":"Allow", "Action":[ "iot:connect" ], "Resource":"*" }, { "Effect":"Allow", "Action":[ "iot:getthingshadow" ], "Resource":[ "arn:aws:iot:us-east-1: :thing/mything"] }, { "Effect":"Allow", "Action":[ "iot:publish" ], "Resource":[ "arn:aws:iot:us-east-1: : topic/$aws/things/mything/shadow/update"] } ] DynamoDB Amazon Kinesis Lambda

Mobile Users as Things { } "Version":"2012-10-17", "Statement":[ {

com:aud}"] }, { "Effect":"Allow", "Action":[ "iot:publish" ], "Resource":[

22 Mobile Users as Things { } "Version":" ", "Statement":[ { "Effect":"Allow", "Action":[ "iot:connect" ], "Resource":"*" }, { "Effect":"Allow", "Action":[ "iot:getthingshadow" ], "Resource":[ "arn:aws:iot:us-east-1: : thing/${cognito-identity.amazonaws.com:aud}"] }, { "Effect":"Allow", "Action":[ "iot:publish" ], "Resource":[ "arn:aws:iot:us-east-1: :topic/$aws/things/ ${cognito-identity.amazonaws.com:aud}/shadow/update"] } ] DynamoDB Amazon Kinesis Lambda

Data Access Control - MQTT { "Resource":"*" "Version":"2012-10-17", }, { "Statement":[ "Effect": { "Allow", "Effect":"Allow", "Action": ["iot:connect", "iot:publish"], "Action":[

23 Data Access Control - MQTT { "Resource":"*" "Version":" ", }, { "Statement":[ "Effect": { "Allow", "Effect":"Allow", "Action": ["iot:connect", "iot:publish"], "Action":[ "Resource":"iot:Connect" [ ], "Resource":"*" "arn:aws:iot:us-east-1: :topic/foo/bar", }, { "arn:aws:iot:us-east-1: :topic/foo/baz" "Effect":"Allow", ] }] "Action":[ "iot:publish" ], } "Resource":[ "arn:aws:iot:us-east-1: : topic/$aws/things/mything/shadow/update"] DynamoDB ] } { "Version": " ", "Statement": [{ "Effect":"Allow", "Action":[ "iot:connect" ], }, { "Effect":"Allow", "Action":[ "iot:subscribe", "iot:receive" ], "Resource":[ "arn:aws:iot:us-east-1: : topicfilter/$aws/things/mything/shadow/*" ] } Amazon Kinesis Lambda

AWS IoT Thing Shadow Thing Report its current state

state from shadow Shadow Shadow Shadow reports

metadata and version Mobile App Set the desired

24 AWS IoT Thing Shadow Thing Report its current state to one or multiple shadows Retrieve its desired state from shadow Shadow Shadow Shadow reports delta, desired and reported states along with metadata and version Mobile App Set the desired state of a device Get the last reported state of the device Delete the shadow

25 AWS IoT Shadow Flow 1. Device Publishes Current State 5. Device Shadow sync s updated state Shadow 3. App requests device s current state 4. App requests change the state 6. Device Publishes Current State AWS IoT 7. Device Shadow confirms state change 2. Persist JSON Data Store Device SDK

26 Demo Thing Shadow look at:

AWS IoT AUTHENTICATION AUTHORIZATION Secure with mutual authentication and encryption RULES ENGINE Transform messages based on rules and route to AWS Services AWS Services - - - - - 3P Services

27 AWS IoT AUTHENTICATION AUTHORIZATION Secure with mutual authentication and encryption RULES ENGINE Transform messages based on rules and route to AWS Services AWS Services P Services DEVICE SDK Set of client libraries to connect, authenticate and exchange messages MESSAGE BROKER Communicate with devices via MQTT and HTTP REGISTRY Identity and Management of your things AWS IoT API SHADOW Persistent thing state during intermittent connections APPLICATIONS

28 Simple Pay as you go and Predictable Pricing Pay as you go. No minimum fees $5 per million messages published to, or delivered in US East (N. Virginia), US West (Oregon), EU (Ireland) $8 in Asia Pacific (Tokyo) AWS IoT Free Tier 250,000 Messages Per Month Free for first 12 Months

Thank You Jan Metzner @janmetzner 2015, Amazon Web

AWS IoT Overview. July 2016 Thomas Jones, Partner Solutions Architect

AWS IoT Overview. July 2016 Thomas Jones, Partner Solutions Architect AWS IoT Overview July 2016 Thomas Jones, Partner Solutions Architect AWS customers are connecting physical things to the cloud in every industry imaginable. Healthcare and Life Sciences Municipal Infrastructure