How to authenticate AWS IOT devices through API Gateway? - amazon-web-services

I’ve got a use-case where my devices should make GET requests against my API gateway.
What would be the simplest way to have API gateway perform client authentication of the device? Is it possible to use the certificates already generated by IoT Core and used in MQTT?

Authorizing direct calls to AWS services using AWS IoT Core credential provider:
Devices can use X.509 certificates to connect to AWS IoT Core using TLS mutual authentication protocols. Other AWS services do not support certificate-based authentication, but they can be called using AWS credentials in AWS Signature Version 4 format. The Signature Version 4 algorithm normally requires the caller to have an access key ID and a secret access key. AWS IoT Core has a credentials provider that allows you to use the built-in X.509 certificate as the unique device identity to authenticate AWS requests. This eliminates the need to store an access key ID and a secret access key on your device.
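To make the two-step flow in that answer concrete, here is an added example (not code from the original post or from AWS): the device presents its IoT X.509 certificate over mutual TLS to the IoT Core credentials provider, receives temporary credentials, and then signs a plain API Gateway GET with Signature Version 4 so the request carries no long-lived access key. The credentials-provider endpoint, role alias, API host and stage path are placeholder assumptions; the `/role-aliases/{alias}/credentials` path and the `x-amzn-iot-thingname` header are the documented credentials-provider interface.

```python
"""Device side: IoT certificate -> temporary credentials -> SigV4-signed GET.
Added example; endpoint, role alias, API host and stage path are assumptions."""
import datetime
import hashlib
import hmac
import json
import ssl
import urllib.parse
import urllib.request

# Placeholders: the real credentials-provider endpoint comes from
# `aws iot describe-endpoint --endpoint-type iot:CredentialProvider`.
CREDENTIALS_ENDPOINT = "EXAMPLE.credentials.iot.us-east-1.amazonaws.com"
ROLE_ALIAS = "device-api-access"          # assumed role alias name
API_HOST = "EXAMPLE.execute-api.us-east-1.amazonaws.com"
REGION = "us-east-1"


def fetch_device_credentials(thing_name, cert_path, key_path, ca_path=None):
    """Mutual-TLS GET to the credentials provider using the device certificate.
    Returns the dict with accessKeyId, secretAccessKey, sessionToken, expiration.
    This is a network call and is not exercised by the offline test."""
    ctx = ssl.create_default_context(cafile=ca_path)
    ctx.load_cert_chain(certfile=cert_path, keyfile=key_path)
    url = f"https://{CREDENTIALS_ENDPOINT}/role-aliases/{ROLE_ALIAS}/credentials"
    req = urllib.request.Request(url, headers={"x-amzn-iot-thingname": thing_name})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)["credentials"]


def _hmac(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def sigv4_headers(method, host, path, query, headers, payload, access_key,
                  secret_key, region, service, amz_date, session_token=None):
    """Build the SigV4 headers (X-Amz-Date, optional security token,
    Authorization) for one request. amz_date is ISO8601 basic, e.g.
    20150830T123600Z; the temporary session token, when present, is signed too."""
    date_stamp = amz_date[:8]
    all_headers = {"host": host, "x-amz-date": amz_date}
    for k, v in headers.items():
        all_headers[k.lower()] = " ".join(v.split())   # canonical: trimmed values
    if session_token:
        all_headers["x-amz-security-token"] = session_token
    canonical_query = "&".join(
        f"{urllib.parse.quote(k, safe='-_.~')}={urllib.parse.quote(v, safe='-_.~')}"
        for k, v in sorted(query.items()))
    signed = ";".join(sorted(all_headers))
    canonical_headers = "".join(f"{k}:{all_headers[k]}\n" for k in sorted(all_headers))
    payload_hash = hashlib.sha256(payload).hexdigest()
    canonical_request = "\n".join([method, path, canonical_query,
                                   canonical_headers, signed, payload_hash])
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    # Derive the signing key: HMAC chain over date, region, service, terminator.
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    k_signing = _hmac(k_service, "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    out = {k: v for k, v in all_headers.items() if k != "host"}  # urllib sets Host
    out["Authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                            f"SignedHeaders={signed}, Signature={signature}")
    return out


def signed_api_get(creds, path="/prod/telemetry", query=None):
    """Return (url, headers) for a GET against the API Gateway stage using the
    temporary credentials from fetch_device_credentials(). Service name for
    API Gateway SigV4 is 'execute-api'."""
    query = query or {}
    amz_date = datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    headers = sigv4_headers("GET", API_HOST, path, query, {}, b"",
                            creds["accessKeyId"], creds["secretAccessKey"],
                            REGION, "execute-api", amz_date, creds["sessionToken"])
    qs = ("?" + urllib.parse.urlencode(sorted(query.items()))) if query else ""
    return f"https://{API_HOST}{path}{qs}", headers


if __name__ == "__main__":  # real run: needs the device cert/key and a role alias
    creds = fetch_device_credentials("my-thing", "device.pem.crt", "private.pem.key")
    url, headers = signed_api_get(creds)
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as r:
        print(r.status, r.read()[:200])
```

On the AWS side this needs a role alias pointing at an IAM role whose policy allows `execute-api:Invoke` on the API, the device certificate's IoT policy must allow `iot:AssumeRoleWithCertificate` on that alias, and the API Gateway method must use AWS_IAM authorization. The credentials expire (the provider returns an `expiration` field), so a device should re-fetch them rather than cache indefinitely; nothing secret beyond the existing device private key is stored on the device.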

Related

Automate create credentials for devices to connect AWS IOT Core

I got some problems when trying to use AWS IoT Core.
Suppose that I have thousands of IoT devices, 1 mobile app and 1 backend server.
My thought is that I'll provide a common key for devices which has a connect policy only; then, on their first connection with AWS IoT, it will automatically register new credentials with more roles like publish/subscribe.
Is that right?
I've followed some guides in the AWS documents like JITR but it still does not work.
My thought is that I'll provide a common key for devices which has a connect policy only; then, on their first connection with AWS IoT, it will automatically register new credentials with more roles like publish/subscribe.
It must register with AWS IoT via a certificate signed by your own certificate authority (CA).
AWS IoT allows the use of a single certificate for an unlimited number of devices to simplify testing, but this pattern is strongly discouraged for production use.

Google IOT Core device authentication without jwt

I have an IoT device that is not able to generate a JWT token. For authenticating with Google IoT Core, we need to create a JWT token with an expiry time. Is there any way to use static authentication, like a fixed username and password, as with a local MQTT broker (mosquitto)?
I think your only solution is to add a proxy IoT client that is able to generate JWTs.
Your devices will message the proxy using whatever mechanism and security you want and the proxy would manage JWTs when communicating with IoT core.
See gateways

How to store a certificate as a secret in AWS Secrets Manager? How to pass that secret in an HTTPS call using an AWS AppSync resolver?

I need to get elements from AWS DynamoDB and a third-party HTTPS service and merge those results in AWS AppSync and send back the result as a GraphQL response.
The third-party service which I am using expects a client-side certificate. I am not finding proper AWS documents on how to pass the agent using an AWS AppSync resolver.
I am also not finding documents on how to store a certificate as a secret in AWS Secrets Manager.
Has anyone faced a similar problem? Or do you guys have any solution to it?
It depends on the size of your certificate - Secrets for AWS Secrets Manager have various limits such as length in bytes (7168 bytes) or characters (4096) see more here:
https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_limits.html
But otherwise you should be able to store your certificate using AWS Secrets Manager.
See item 3 in the following link: https://aws.amazon.com/blogs/compute/maintaining-transport-layer-security-all-the-way-to-your-container-part-2-using-aws-certificate-manager-private-certificate-authority/
Using HTTP Resolvers (or even Lambda Resolvers) you will be able to make http calls to AWS Secrets Manager to obtain the secret.
See links:
https://docs.aws.amazon.com/appsync/latest/devguide/tutorial-lambda-resolvers.html
https://docs.aws.amazon.com/appsync/latest/devguide/tutorial-http-resolvers.html
Adding to Ashwin's answer: according to the documentation, the HTTP resolver supports only public endpoints at this point and does not seem to have the ability to pass a certificate for app-to-app calls.

AWS IoT certificate file

I'm struggling with the client cert and private key embedding or uploading, in order to authenticate with the AWS IoT endpoint assigned to my account. We are currently working on a solution in order to embed that ideal solution of the two certs and the private key at the gateway hardware, which will forward the information sent by the sensor in a secure way.
I would like to know if there is any way to connect in the same way as Google IoT (JWT in the password field) or Azure (SAS token in the password field) and not have to use the files: private key, CA certificate, X.509 certificate.
The devices I'm using are MQTT, so I cannot use HTTP or similar.
There are different possibilities using different protocols, see the Message Broker Protocols topic in the AWS IoT Developer guide: https://docs.aws.amazon.com/iot/latest/developerguide/protocols.html
Using the MQTT protocol directly, you have to use certificates, but if you use the MQTT + WebSocket option, you can either use a standard AWS Signature V4 header on the connect request, or you can use a custom authorizer (and your own header on the connect request).
Good starters for understanding those options are
https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
https://docs.aws.amazon.com/iot/latest/developerguide/iot-custom-authentication.html

Setting up an IoT backend using AWS

I am trying to set up the backend services for a consumer IoT device, which includes the following activities (4 main high-level services). These services are ultimately consumed by a web application or from a mobile application through REST APIs.
Instead of reinventing the wheel, I am evaluating AWS offerings which should partially or fully match these services. With my limited knowledge and research, I was able to find a few AWS offerings that match; however, they may not be complete or the most appropriate ones, and hence I need advice. Below are the services and my findings.
Self user registration - Cognito with User Pools
Device provisioning (adding/attaching one or more devices to a user) - No idea on how to handle this with AWS. Can we add the devices as user attributes? Or should we handle them in the AWS IoT offering?
Authentication & authorization of users and devices - Again Cognito
Secure MQTT broker service for communication between device and users - AWS IoT seems to be matching; however, I am not very much aware of configuring it and setting up user-level access controls through APIs. Can we use AWS IoT here?
Device provisioning can generally be done in three ways:
Manually, by defining an IoT thing in IoT services. Certificates should be placed on the IoT devices.
By using the AWS IoT SDKs. AWS credentials (or temporary security credentials) are needed.
Using the AWS CLI.
In IoT services, you can put devices together by adding them to the same group. Users can access the IoT device's data in two ways:
IoT devices save data in databases, and users can access the databases and retrieve the data.
Defining the application (mobile app, ...) as an IoT device and putting it in the same group, so the application can subscribe/publish to the topics of different devices. Consider that all IoT devices have credentials (CA, private and public key) which should be placed on the IoT devices and will be needed during communication with the AWS broker. Also, the policies for each device should be attached correctly.