
I built a couple of test IoT hardware devices for home automation which I want to control with an Android app I also wrote. The app will be used by several people.

My plan is to use Amazon IoT Core to let the apps send MQTT commands to the IoT devices.

Since my hardware devices are not very powerful (ESP8266 architecture) I'm going to authenticate via the Signature Version 4 (SigV4) scheme. This auth scheme is useful when the hardware device is not powerful enough to authenticate via the standard private key/certificate method; it requires a pair of key/secret IAM credentials to be hardcoded into the device firmware (instead of the certificate and private key).

I then created a test "thing" in the IoT Core console and I can successfully send commands from the apps to the devices (and receive data from the devices and show them on the apps).

My question is, do I need to create as many "things" as the IoT devices? Since each device will have its own IAM credentials, can I just use one shared "thing" for all the IoT devices?

I can't find any best practice online, not even on the official documentation.

Gianluca Ghettini

1 Answer

The short answer is, don't go there. A thing is a logical entity in AWS. The reason to use many things is that you can:

  1. Group them
  2. Create a certificate for each one (with policies)
  3. Use the shadow to manage the thing state
  4. Search them

While you can do what you are saying, using IAM for things is not what AWS had in mind. IAM is supposed to be used by humans. You could use strong names and passwords, but you'll find it difficult to manage, and you hit the 5000 policies limit pretty quickly. You can give all your devices the same username and password, but then how would you revoke a single one when needed?

I'm not a hardware expert but if you really can't use certificates then you don't really need things but do have a look at AWS STS that will let you create temp credentials for your device. You'll have to manage the login process somehow (not using AWS) and then generate an access key and secret key for each device.

Itamar Kerbel
  • Using IAM for IoT devices is totally expected by Amazon when using MQTT over WebSocket (like my IoT devices are doing). Please see https://docs.aws.amazon.com/iot/latest/developerguide/protocols.html – Gianluca Ghettini Nov 15 '21 at 12:18
  • I'm not sure what you are referring to. If you mean the Signature V4 then this is just a process to sign HTTP requests to AWS. You still need an access key and secret key to sign them. You can get the key pair from IAM but you'll have a limit of 5000, so STS is there to solve your problem. If you're never going to have more than 5000 devices I guess you could use IAM. – Itamar Kerbel Nov 15 '21 at 13:33
  • Also, maybe I was not clear about STS. For STS, you'll need a single IAM user on the backend that will authenticate the devices and generate a temp access key and secret key and return them to the device. This way you have control of your devices and can revoke their access whenever you like. I hope this is clearer. – Itamar Kerbel Nov 15 '21 at 13:37
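The SigV4 step discussed in the comments, as an added Python example that is not from either poster: it presigns the IoT Core MQTT-over-WebSocket URL from an access key and secret (the secret never leaves the signer; only the HMAC signature goes on the wire) and, for STS temporary credentials, appends the session token unsigned as the AWS developer guide describes. The endpoint host, region, timestamp and credentials below are constructed placeholders.

```python
import datetime
import hashlib
import hmac
import urllib.parse

SERVICE = "iotdevicegateway"  # SigV4 service name for the IoT Core MQTT/WebSocket endpoint

# Constructed placeholders (the access key/secret are AWS's documented dummy values).
HOST = "example-ats.iot.eu-west-1.amazonaws.com"
REGION = "eu-west-1"
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
EXAMPLE_TIME = datetime.datetime(2021, 11, 15, 12, 18, 0, tzinfo=datetime.timezone.utc)


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def presign_iot_websocket(host, region, access_key, secret_key, when, session_token=None):
    """Build wss://<host>/mqtt?... signed with SigV4 (GET, only the host header signed)."""
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")   # 'when' must be a UTC datetime
    date_stamp = when.strftime("%Y%m%d")
    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    credential = urllib.parse.quote(f"{access_key}/{scope}", safe="")
    query = ("X-Amz-Algorithm=AWS4-HMAC-SHA256"
             f"&X-Amz-Credential={credential}&X-Amz-Date={amz_date}&X-Amz-SignedHeaders=host")
    # Canonical request: method, path, query, canonical headers, signed headers, payload hash.
    payload_hash = hashlib.sha256(b"").hexdigest()
    canonical_request = f"GET\n/mqtt\n{query}\nhost:{host}\n\nhost\n{payload_hash}"
    string_to_sign = ("AWS4-HMAC-SHA256\n" + amz_date + "\n" + scope + "\n"
                      + hashlib.sha256(canonical_request.encode("utf-8")).hexdigest())
    # Derive the signing key: HMAC chain over date, region, service, terminator.
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, SERVICE)
    k_signing = _hmac_sha256(k_service, "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    url = f"wss://{host}/mqtt?{query}&X-Amz-Signature={signature}"
    if session_token:  # STS temporary credentials: token is added after signing, unsigned
        url += "&X-Amz-Security-Token=" + urllib.parse.quote(session_token, safe="")
    return url


def example_url(session_token=None):
    """Presign with the constructed placeholders above (fixed time, so the result is deterministic)."""
    return presign_iot_websocket(HOST, REGION, ACCESS_KEY, SECRET_KEY, EXAMPLE_TIME, session_token)


if __name__ == "__main__":
    print(example_url())
```

With STS credentials the token's expiry is what bounds the device's access; a per-device role session also lets the connect/publish policy be scoped to that device's own client ID and topics.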