AWS IoT Device Provisioning

AWS IoT Device Provisioning

With the advancement in the field of IoT, Customers are building globally distributed IoT solutions with AWS. To implement global IoT solution, devices are built with required sensors and features and shipped across the globe. Devices then connect to AWS IoT and sends performance data to cloud. A device that connects to AWS IoT must be provisioned in an AWS Region. However, when devices are shipped globally, you don’t know in which AWS IoT Region the device will connect when it starts operation. To solve this issue AWS has described a process known as AWS IoT Device Provisioning.

Key Challenges for Provisioning an IoT Device

  • A device must be designed to work with AWS IoT Core.
  • The device should be created as a thing in the registry.
  • Its X.509 certificate must be registered and associated with the thing.
  • An IoT policy must be attached to the certificate.
  • The device must know the AWS IoT endpoint.

Global Device Provisioning

To automate global device provisioning, we use an architecture as shown below.

aws iot devices provisioning

The device sends a provisioning request to an Amazon API Gateway endpoint with the device id as the things name. Amazon API Gateway calls an AWS Lambda function, which implements a method to find the best region for the device and then provisions the device in that region. The best region is the one geographically closest to the device. A lambda function is written which uses the device IP address (https://ipstack.com API’s are used to get geolocation of IP address) to get the geolocation of device and closest AWS Region.

Upon successful provisioning, the following are returned to the device:

  • A private key.
  • A X.509 certificate.
  • The AWS IoT endpoint.

Provisioning Process

Here is the workflow for provisioning a device:

  • The device sends a provisioning request to Amazon API Gateway with things name as parameter. Sample provisioning request: {‘thing-name’: ‘wm101’}
  • Amazon API Gateway calls the AWS Lambda function
  • The AWS Lambda function performs the following steps:
    • Determines if the device is a provisioning candidate by performing a lookup for the thing name in a DynamoDB table. The Lambda function checks if the statusattribute for the device (thing-name) is set to  If so, the device will be provisioned. If not, an error message will be returned. Sample entry in DynamoDB: {“thing-name”: “wm101”, “status”: “unprovisioned”}
    • Calculates the best AWS Region for IoT. The calculation finds the shortest distance between the location of the device’s IP address and an AWS Region.
    • Provisions the device. That means the device will be created in the device registry. A certificate and a key will be created. If one does not already exist, an IoT policy will be created, too.
    • Updates the DynamoDB table with the time and the region in which the device has been provisioned.
    • Returns the answer, in JSON format. The answer contains the IoT endpoint, certificate, and private key.
  • After receiving the response, the device stores the key, certificate and endpoint. The device is now ready to immediately interact with the AWS IoT Core.
Disclaimer: articles and thoughts published on PLMES do not necessarily represent the company's views but solely the views or interpretations of the author(s); reviews, insights, and mentions of publications, products, or services do neither constitute endorsement nor recommendations for purchase or adoption.