June 01, 2020     3min read    |    Difficulty: 1/5  

AWS IoT - Device Creation


Welcome to the AWS IoT - Device Creation brick. In this overview we'll go through creating a brand new AWS IoT Device along with some best practices you might want to follow including

  • Create an AWS IoT Thing
  • Create an AWS IoT Policy
  • Attach an AWS IoT Policy to an AWS IoT Thing

The outcome of this short guide is to help you generate a simple set of certificates with appropriate permissions for use on your small IoT project.

Prerequisites

The following are prerequisites to using this guide

  • AWS Account (Free Tier is acceptable)
  • Note your Account ID, this can be retrieved from the Account section of your AWS account and it will look something like this: 012345678912
  • A device, or system that will use your IoT configuration to send/receive data.
  • Two topics in mind for Sending (Pub) and Receiving (Sub) data. In this demo we'll use the following
    • iot-demo-pub - Publish topic (data being sent to AWS IoT)
    • iot-demo-sub - Subscribe topic (data received from AWS IoT)

AWS IoT - Pub/Sub overview
AWS IoT - Pub/Sub overview

Create an AWS IoT Thing

Navigate to the AWS IoT portal and select Manage > Things, then Register a thing. This will begin the semi-guided device creation process.

AWS IoT Register a thing menu
AWS IoT Register a thing menu

Next click Register a single AWS IoT thing. Later on in your AWS IoT adventures there might be a reason why you'd want to deploy many devices as once, however for today we'll stick to one device.

AWS IoT Create a single thing
AWS IoT Create a single thing

Now for the most difficult part of any project, naming things! Give your device a unique name to your account (region).

Note: You can have devices with the same name in different accounts, or in different AWS regions, however in the same region/account they must be unique.

AWS IoT Device naming
AWS IoT Device naming

Don't worry about any of the other settings on this device naming page, scroll to the bottom (past device types, groups and searchable attributes) and click Next.

Next we need to generate some new certificates. Click the One-click certificate creation button.

AWS IoT Create certificates
AWS IoT Create certificates

The next screen is very important, you will only get one opportunity to download the certificates required for your device to communicate.

Think of device certificates as keys to your car, only one set exist and you need to look after them if you want to be able to get in

You need to:

  • Download a copy of all the 3 certificate (these are the three links with the Download buttons)
  • Download the root CA for AWS IoT (this also has a Download button, but it links off to another page. You can find a link to the actual certificate here)
  • Click Activate to activate the certificate

AWS IoT Download certificates
AWS IoT Download certificates

Here's an example of a folder full of time that you should have when you are done (the names with vary for you).

AWS IoT Certificate folder
AWS IoT Certificate folder

Once the certificates are saved and activated, click the Done button, as we need to create a policy before we can attach it

AWS IoT Done button
AWS IoT Done button

Create an AWS IoT Policy

Head back to the AWS IoT main portal and navigate to Secure > Polices then click Create a policy

AWS IoT Create a policy
AWS IoT Create a policy

You will now be asked to name your policy and in our case we're just going with demo-policy.

The policy name, like the device name must be unique to your account + region.

Now comes the slightly more complicated part, we want to lock down our policy so that it can only perform very specific accounts in our account. To do this, click the Advanced mode button under the Add statements box

AWS IoT Policy naming
AWS IoT Policy naming

Do you remember how we needed your AWS Account ID in the prerequisites? You need to substitute it in the policy document below (replacing the 012345678912). Here's a list of what each statement does

  • iot:Connect - Allows any client ID to connect to AWS IoT using the certificate / device we created
  • iot:Subscribe - Allows your device to subscribe to the iot-demo-sub topic
  • iot:Receive - Allows your device to receive data from the iot-demo-sub topic
  • iot:Publish - Allows your device to publish data to the iot-demo-pub topic

Note that if you are not in the us-east-1 region you will also need to change the region as well.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:us-east-1:012345678912:client/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:us-east-1:012345678912:topicfilter/iot-demo-sub"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Receive",
      "Resource": "arn:aws:iot:us-east-1:012345678912:topic/iot-demo-sub"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": "arn:aws:iot:us-east-1:012345678912:topic/iot-demo-pub"
    }
  ]
}

Once the policy statements are in, click the Create button to proceed.

AWS IoT Policy Statements
AWS IoT Policy Statements

Attach an AWS IoT Policy to an AWS IoT Thing

The final step is to attach the policy we just created to the device certificate we made in step one. To accomplish this, navigate to Secure > Certificates and click on the new certificate that was created for you in the first step.

AWS IoT Select certificate
AWS IoT Select certificate

You will be presented with some details about your certificate, but for now click Policies then Actions in the top right corner. From the dropdown click Attach policy.

AWS IoT Attach policy
AWS IoT Attach policy

Select the policy we created in step two and then click Attach

AWS IoT select demo-policy
AWS IoT select demo-policy

Summary

Congratulations! You created a new AWS IoT Device that is ready for use on your next IoT project. You can use the certificates that we downloaded in step one to connect and interact with the topics we gave permission too in step two.

If you had any issues setting things up, or you have other questions, please let me know by reaching out on Twitter @nathangloverAUS or dropping a comment below.

devopstar

DevOpStar by Nathan Glover | 2020