This document explains the process of provisioning a device using claim certificates and a Lambda function. This solution addresses the challenge of dealing with certificate sizes that surpass the memory limitations of the device within the AWS IoT ecosystem. It also provides a step-by-step guide on how to set up the demo environment and run the simulation.
AWS IoT allows devices to securely connect to the cloud and exchange data through various protocols such as MQTT, HTTP, and WebSocket. When a device connects to AWS IoT, it needs to be registered and assigned a unique certificate for secure communication. One way to accomplish this is by using claim certificates, which are shared among multiple devices.
One challenge with using claim certificates is that the size of the issued certificate might exceed the memory limit of the device. In such cases, we need to find an alternative solution to register the device without exceeding the memory limit.
Our proposed solution is to use a Lambda function to register the device on the device's behalf. The Lambda function breaks the issued certificate into smaller chunks and publishes them to the device one at a time, so the device can receive the whole certificate without ever holding a single payload larger than its memory limit.
Here is a high-level flow diagram of the proposed solution:
Here are the steps involved in setting up the demo environment and running the simulation:
- Create an AWS IoT message rule for a desired device provisioning topic to trigger the Lambda function.
- Assign the process of registering the device to the Lambda function.
- The device connects with a claim certificate to the AWS IoT endpoint.
- The device publishes to the device provisioning topic with its ID and the extra information used to create the certificate.
- The Lambda function registers the device based on the published information.
- The Lambda function breaks down the received certificate into smaller chunks.
- The Lambda function publishes the chunked certificate to the device.
- The device stores the new certificate.
- The device reconnects using the new certificate.
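The chunking and reassembly in the steps above, as an added example written for this document (it is not the project's own Lambda or device code). The chunk message shape, the `<topic>/<clientId>/certificate` topic, the chunk size and the SHA-256 trailer are assumptions chosen for the illustration. The device side accepts chunks that arrive out of order or twice, refuses to grow past its buffer, and only stores the certificate once every piece is present and the digest the Lambda announced matches. That digest rides on the same MQTT channel, so it catches truncation, corruption and misordering rather than a dishonest publisher; the policy in the next section is what limits who may publish on the device's topic.

```typescript
import { createHash } from "node:crypto";

// One MQTT payload carrying a slice of the certificate. This message shape is an
// assumption for the example, not the project's actual wire format.
export interface CertChunk {
  transferId: string; // ties all chunks of one certificate together
  index: number;      // 0-based position of this slice
  total: number;      // number of slices in the transfer
  sha256: string;     // hex digest of the whole PEM, announced with every chunk
  data: string;       // this slice of the PEM text
}

// Topic the Lambda publishes chunks to (assumed layout). It sits under
// <topic>/<clientId>/ so a policy granting Receive/Subscribe on
// <topic>/${iot:ClientId}/* admits it for exactly that device.
export function certificateTopic(baseTopic: string, clientId: string): string {
  return `${baseTopic}/${clientId}/certificate`;
}

// Lambda side: split the PEM (ASCII, so string length equals byte length) into
// slices of at most chunkSize bytes so each MQTT payload fits the device buffer.
export function chunkCertificate(pem: string, transferId: string, chunkSize: number): CertChunk[] {
  if (chunkSize <= 0) throw new Error("chunkSize must be positive");
  const sha256 = createHash("sha256").update(pem, "utf8").digest("hex");
  const total = Math.ceil(pem.length / chunkSize);
  const chunks: CertChunk[] = [];
  for (let i = 0; i < total; i++) {
    chunks.push({ transferId, index: i, total, sha256, data: pem.slice(i * chunkSize, (i + 1) * chunkSize) });
  }
  return chunks;
}

// Device side: gather slices that may arrive out of order or twice, refuse to grow
// past maxBytes, and release the PEM only when complete and the digest matches.
export class CertificateAssembler {
  private readonly maxBytes: number;
  private readonly parts = new Map<number, string>();
  private transferId: string | null = null;
  private total = 0;
  private expectedSha256 = "";
  private bytesHeld = 0;

  constructor(maxBytes: number) {
    this.maxBytes = maxBytes;
  }

  // Returns the complete PEM once every slice is present, null while still waiting.
  // Throws if the transfer would overrun the buffer or fails the integrity check.
  accept(chunk: CertChunk): string | null {
    if (this.transferId === null) {
      this.transferId = chunk.transferId;
      this.total = chunk.total;
      this.expectedSha256 = chunk.sha256;
    } else if (chunk.transferId !== this.transferId || chunk.total !== this.total || chunk.sha256 !== this.expectedSha256) {
      return null; // belongs to another transfer, or its header disagrees: ignore it
    }
    if (!Number.isInteger(chunk.index) || chunk.index < 0 || chunk.index >= this.total) return null;
    if (this.parts.has(chunk.index)) return null; // duplicate delivery (e.g. QoS 1 redelivery)
    if (this.bytesHeld + chunk.data.length > this.maxBytes) {
      throw new Error("certificate transfer exceeds the device buffer");
    }
    this.parts.set(chunk.index, chunk.data);
    this.bytesHeld += chunk.data.length;
    if (this.parts.size < this.total) return null;

    const pem = Array.from({ length: this.total }, (_, i) => this.parts.get(i) ?? "").join("");
    const actual = createHash("sha256").update(pem, "utf8").digest("hex");
    if (actual !== this.expectedSha256) throw new Error("reassembled certificate failed the digest check");
    return pem;
  }
}

// Constructed placeholder PEM for the demo; not a real certificate.
export const SAMPLE_PEM =
  "-----BEGIN CERTIFICATE-----\n" + "CONSTRUCTEDSAMPLEBODY".repeat(8) + "\n-----END CERTIFICATE-----\n";

// End-to-end run: chunk at 64 bytes, deliver out of order with one duplicate, and
// report whether the device ends up with the exact PEM the Lambda started from.
export function roundTrip(): boolean {
  const chunks = chunkCertificate(SAMPLE_PEM, "transfer-1", 64);
  const device = new CertificateAssembler(1024);
  let result: string | null = null;
  for (const i of [2, 0, 0, 3, 1]) result = device.accept(chunks[i]);
  return result === SAMPLE_PEM;
}
```

A real device would write each accepted slice to flash instead of a `Map` so the transfer never has to fit in RAM; the buffer bound and the final digest check are the parts worth keeping in either design.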
Securing the process of publishing a certificate back to the device via Lambda involves careful considerations. To ensure controlled communication exclusively between the Lambda function and the device, certain restrictions should be implemented.
One of the primary steps involves crafting policies to manage the certificate claiming process. These policies should grant the device specific permissions, specifically enabling it to both publish and subscribe to a designated topic. These permissions should be tied to the unique device ID. Formulating a policy in line with these requirements would resemble the following:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Publish", "iot:Receive"],
      "Resource": [
        "arn:aws:iot:<region>:<account>:topic/<topic>/${iot:ClientId}/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": [
        "arn:aws:iot:<region>:<account>:topicfilter/<topic>/${iot:ClientId}/*"
      ]
    }
  ]
}
- <region> is the AWS region
- <account> is the AWS account number
- <topic> is the topic in which a device will request a certificate
Note
- Ensure that the AWS credentials you provide possess adequate permissions for CDK execution. For the sake of the demonstration, it's advisable to grant administrative privileges.
Install the dependencies using npm:
npm ci
Use the following command to generate a claim certificate and its permissions used by the Lambda function:
./cli.sh generate-lambda-provision-certificate <topic> <templateName>
Replace <topic> with the designated topic's name, where the device will initiate a certificate request. Similarly, replace <templateName> with the name of the provision template. This template, responsible for configuring cloud and device settings within AWS IoT, will be automatically generated during the CDK deployment process in this demonstration; see Fleet.ts.
Set up the demo environment by running the following commands:
npx cdk bootstrap # if this is the first time you use CDK in this account
npx cdk deploy
To demonstrate how the device connects using the claim certificate and requests a new certificate, run the following command:
./cli.sh generate-claim-certificate # if this is the first time you run the device simulator
./cli.sh simulate-device
Upon execution, you will receive two messages containing the newly acquired certificate and private key.
Execute the following command to destroy the stack:
npx cdk destroy --force
To revoke the Lambda claim certificate, run the following command:
./cli.sh generate-lambda-provision-certificate -X <topic> <templateName>
To revoke the device claim certificate, run the following command:
./cli.sh generate-claim-certificate -X