IoT Basics

  • 📒 [Homepage]( ∙ [User guide]( ∙ [FAQ]( ∙ [Pricing](
  • **IoT** is a platform for allowing clients such as IoT devices or software applications ([examples]( to communicate with the AWS cloud.
  • Clients are also called **devices** (or **things**) and include a wide variety of device types.  Roughly there are three categories of device types that interact with IoT services by sending messages over an IoT protocol to the IoT Pub/Sub-style message broker, which is called the IoT **Device Gateway**:
    • Send messages only: For example, the [AWS IoT Button]( or an [eddystone beacon](
    • Send, receive, and process messages: For example, a simple processing board, such as a **Raspberry Pi** ([quick start guide](, or an Alexa device, such as the [Echo or Echo Dot]( These are designed to work with the [Alexa skills kit](, a programmable voice-enabled service.
  • AWS has a useful [quick-start]( (using the Console) and a [slide presentation]( on core topics.
  • IoT terms:
    • AWS [**IoT Things**]( are the metadata records for devices in a [registry](, and a Thing can also store device state in a JSON document called a [**device shadow**](  Device metadata can also be stored in [**IoT Thing Types**](, which aid device metadata management by allowing a device description and configuration to be reused for more than one device.  Note that IoT Thing Types can be deprecated, but not changed — they are immutable.
    • AWS [**IoT Certificates**]( (device authentication) are the association of a unique certificate with the logical representation of a device. This association can be made in the Console.  In addition, the certificate (which carries the device's public key) must be installed on the physical device. This covers the authentication of devices to a particular AWS Device Gateway (message broker). You can use an AWS-issued IoT certificate, or you can [register your own CA (Certificate Authority) with AWS](, generate your own certificate(s), and associate them with your devices via the AWS Console or CLI.
    • AWS [**IoT Policies**]( (device/topic authorization) are JSON documents attached to one or more AWS IoT certificates. They authorize the associated devices to connect and to publish and/or subscribe to one or more MQTT topics.
    • AWS [**IoT Rules**]( are SQL-like queries that select some or all of each device message's data for reuse, as described in [this presentation, which summarizes design patterns for IoT Rules](
    • Shown below is a [diagram]( which summarizes the flow of messages between the AWS IoT services:

How AWS IoT Works

IoT Greengrass

  • 📒 Homepage
  • 🐥 Greengrass is a software platform that extends AWS IoT by allowing Lambda functions to run directly on local devices. It also lets IoT devices communicate securely on a local network without having to connect to the cloud.
    • Greengrass includes a local pub/sub message manager that can buffer messages if connectivity is lost so that inbound and outbound messages to the cloud are preserved. Locally deployed Lambda functions can be triggered by local events, messages from the cloud, or other sources.
    • Greengrass includes secure authentication and authorization of devices within the local network and also between the local network and the AWS cloud. It also provides secure, over-the-air software updates of Lambda functions.
  • Greengrass core software includes a message manager object, Lambda runtime, local copy service for IoT Thing (or device) shadows, and a deployment agent to manage Greengrass group configuration.
  • Greengrass groups are containers for the settings, subscriptions, and associated Lambda functions of a selected set of IoT devices. Within a Greengrass group a device is either the Greengrass core or an IoT device that connects to that particular Greengrass core.
  • The Greengrass core SDK enables Lambda functions to interact with the AWS Greengrass core on which they run in order to publish messages, interact with the local Thing Shadows service, or invoke other deployed Lambda functions.
  • The AWS Greengrass Core SDK only supports sending MQTT messages with QoS = 0.
  • Shown below is a diagram of the architecture of AWS IoT Greengrass services:

IoT Greengrass

IoT Alternatives and Lock-in

  • AWS, Microsoft and Google have all introduced IoT-specific sets of cloud services since late 2015. AWS was first, moving its IoT services to [general availability]( in Dec 2015. Microsoft released its set of IoT services for Azure in [Feb 2016](  Google has previewed, but not yet released, its IoT services [Android Things]( and [Weave](
  • Issues of lock-in center around your devices — [protocols]( (for example MQTT, AMQP), message formats (such as JSON vs. hex), and security (certificates).

IoT Tips

  • **Getting started with Buttons:** One way to start is to use an [**AWS IoT Button**](  AWS provides a number of code samples for use with its IoT Button. In the AWS IoT console, click the “connect AWS IoT button” link and you'll be taken to the AWS Lambda console, where you fill in your button’s serial number to associate it with a Lambda function. (As of this writing, AWS IoT buttons are only available for sale in the US.)
  • **Connections and protocols:** It is important to understand the details of the devices you wish to connect to the AWS IoT service, including how you will secure the device connections, which protocols the devices speak, and more. Cloud vendors differ significantly in their support for common IoT protocols, such as MQTT, AMQP, and XMPP. AWS IoT supports **secure MQTT**, **WebSockets** and **HTTPS**.
  • Support for **device security** via certificate processing is a key differentiator in this space.  In August 2016, AWS added [just-in-time registrations]( for IoT devices to their services.
  • **Combining with other services:** It’s common to use other AWS services, such as AWS Lambda, Kinesis and DynamoDB, although this is by no means required.  Sample IoT application reference architectures are in this [screencast](
  • **Testing tools:**
    • To get started, AWS includes a lightweight MQTT client in the AWS IoT console. Here you can create and test sending and receiving messages to and from various MQTT topics.
    • When testing locally with MQTT, it may be helpful to download and use the open source [Mosquitto broker]( for local testing with devices and/or device simulators.
    • Use this [MQTT load simulator]( to test device message load throughout your IoT solution.

IoT Gotchas and Limitations

  • 🔸**IoT protocols:** It is important to verify the exact type of support for your particular IoT device message protocol. For example, one commonly used IoT protocol is [MQTT](, which defines [three possible levels of QoS](  AWS IoT supports MQTT [QoS 0]( (at most once, or fire and forget) and QoS 1 (at least once, with acknowledgement), but *not* QoS 2 (exactly once, which requires a four-step handshake).  This matters for how much application code you’ll need to write to get the delivery guarantees your application needs.  Here is a [presentation about the nuances of connecting](
  • 🔸The ecosystems for matching **IAM users or roles** to **IoT policies** and their associated authorized AWS IoT devices are immature. Custom coding to enforce your security requirements is common.
  • ❗ A common mistake is to underestimate the importance of IoT **device security**.  It is imperative to associate *each* device with a unique certificate (public key). You can generate your own certificates and upload them to AWS, or you can use AWS-generated IoT device certificates. It’s best to read and understand AWS’s own guidance on this [topic](
  • 🔸There is only one **AWS IoT Gateway** (endpoint) per AWS account. For production scenarios, you’ll probably need to set up multiple AWS accounts in order to separate device traffic for development, test and production. It’s interesting to note that the [Azure IoT Gateway]( supports configuration of multiple endpoints, so that a single Azure account can be used with separate pub/sub endpoints for development, testing and production.
  • 🔸**Limits:** Be aware of [limits](, including device message size, type, frequency, and number of AWS IoT rules.
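Per-device certificates (the ❗ item above) only pay off if the IoT policy attached to each certificate (see **IoT Policies** under IoT Basics) is scoped to that device. The following is an added example, not code from the guide or from AWS: a simplified Python model of how an IoT policy decides whether a connecting Thing may publish to a topic, comparing the over-broad `iot:*` policy many quick-starts use with one scoped by the real policy variable `${iot:Connection.Thing.ThingName}`. It assumes Allow-only statements with `*` wildcards, placeholder region and account id, and that each certificate is attached to exactly one Thing in the registry, which is what makes that variable resolve.

```python
import fnmatch

# Placeholders for region and account id (constructed, not a real account).
ARN = "arn:aws:iot:REGION:ACCOUNT_ID:"

# Weak: any device holding any registered certificate may do anything.
BROAD_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "iot:*", "Resource": "*"}]}

# Hardened: a certificate may only connect as, and publish under, the Thing
# it is attached to. The variable resolves from the registry at connect time.
SCOPED_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "iot:Connect",
     "Resource": ARN + "client/${iot:Connection.Thing.ThingName}"},
    {"Effect": "Allow", "Action": "iot:Publish",
     "Resource": ARN + "topic/devices/${iot:Connection.Thing.ThingName}/telemetry"},
]}

THING_VAR = "${iot:Connection.Thing.ThingName}"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policy, thing_name, action, resource):
    """Teaching model of policy evaluation: True if any Allow statement's
    action and resource patterns match after the Thing name is substituted.
    Deny statements and other policy variables are deliberately not modelled."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        for pattern in _as_list(stmt["Resource"]):
            pattern = pattern.replace(THING_VAR, thing_name)
            if fnmatch.fnmatchcase(resource, pattern):
                return True
    return False

def can_publish(policy, thing_name, topic):
    """Would a device connected as `thing_name` be allowed to publish to `topic`?"""
    return is_allowed(policy, thing_name, "iot:Publish", ARN + "topic/" + topic)

if __name__ == "__main__":
    # sensor-01 publishing to its own stream vs. to sensor-02's stream
    for label, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        own = can_publish(policy, "sensor-01", "devices/sensor-01/telemetry")
        other = can_publish(policy, "sensor-01", "devices/sensor-02/telemetry")
        print(f"{label}: own topic={own}, another device's topic={other}")
```

With the broad policy a compromised certificate from one device can write telemetry under any other device's name; with the scoped policy the same certificate is confined to its own topic, so the per-device certificate actually bounds the blast radius.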

IoT Code Samples

  • [Simple Beer Service]( is a surprisingly useful code example using AWS IoT, Lambda, etc.
  • [IoT-elf]( offers a clean Python sample using the AWS IoT SDK.
  • [IoT Button projects]( on Hackster include many different code samples for projects.
  • [5 IoT code examples]( a device simulator, MQTT sample, just in time registration, truck simulator, prediction data simulator.
  • [AWS Alexa trivia voice example]( is a quick-start using Alexa voice capability and Lambda.
  • Some Raspberry Pi examples include the [Beacon project](, [Danbo](, and [GoPiGo](