I would like to leverage AWS IoT to offer a service to my customers. Customers can be either "thing" owners or data consumers. The added value is given by computational stuff on the platform. Is such a scenario possible? I would like to implement a REST API to let users register their own things and maintain the association between customers and things, but I don't want the thing to require my Amazon credentials in order to push data. Is such a scenario possible?
You could issue individual certificates for each of your customers. AWS IoT already supports this.
AWS can generate the certificates for you, or you could generate and sign your own certificates. You'll probably prefer to issue your own certificates, since that allows you fine-grained control over your customers' access; this feature is also supported by AWS IoT. To generate and sign your certificates you could use tools such as OpenSSL.
AWS IoT already supports a REST API out of the box.
The last step is how you'll charge your customers. You can create a rule that will copy all messages to a Lambda function that will work as an aggregator and count how many messages each of your customers sent. This last step is a little bit tricky, since you'll have to know the device names of your customers.
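One way to put the answer's two pieces together, as an added example that is not code from the original post: a per-customer AWS IoT policy that scopes each certificate to its own thing name and topic subtree (so no customer needs the account owner's credentials), and the aggregation a rule-triggered Lambda would do to count messages per customer. The region, account id, topic layout and customer names are assumptions.

```python
import json
from collections import Counter

# Assumed account details and topic layout: customers/<customer>/<thing>/data
REGION, ACCOUNT = "us-east-1", "123456789012"

def customer_policy(customer_id):
    """AWS IoT policy for one customer's certificates: connect only under the
    attached thing's own name and publish only below customers/<customer>/.
    ${iot:Connection.Thing.ThingName} is an IoT policy variable resolved per
    connection, so one document serves every thing of that customer."""
    arn = f"arn:aws:iot:{REGION}:{ACCOUNT}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "iot:Connect",
             "Resource": f"{arn}:client/${{iot:Connection.Thing.ThingName}}"},
            {"Effect": "Allow", "Action": "iot:Publish",
             "Resource": f"{arn}:topic/customers/{customer_id}/"
                         "${iot:Connection.Thing.ThingName}/data"},
        ],
    }

# Assumed rule SQL: forward every customer message to the aggregator Lambda,
# adding the topic so the customer can be derived from it server-side.
RULE_SQL = "SELECT *, topic() AS topic FROM 'customers/+/+/data'"

def count_by_customer(events):
    """Lambda-side tally of messages per customer, taken from the topic the
    broker recorded (not from a field the device could forge). Anything
    outside the customers/ tree is counted as 'unattributed' for review."""
    counts = Counter()
    for ev in events:
        parts = ev.get("topic", "").split("/")
        if len(parts) == 4 and parts[0] == "customers" and parts[3] == "data":
            counts[parts[1]] += 1
        else:
            counts["unattributed"] += 1
    return dict(counts)

# Constructed sample events, shaped as the rule above would deliver them
SAMPLE_EVENTS = [
    {"topic": "customers/acme/sensor-1/data", "temp": 21.5},
    {"topic": "customers/acme/sensor-2/data", "temp": 22.0},
    {"topic": "customers/globex/pump-7/data", "rpm": 900},
    {"topic": "debug/whatever", "x": 1},
]

if __name__ == "__main__":
    print(json.dumps(customer_policy("acme"), indent=2))
    print(count_by_customer(SAMPLE_EVENTS))
```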
I've built an application which is connected with Amazon Cognito to handle the sign-in and sign-up of users. Currently, the application supports three different subscriptions (Free, Basic, Premium). If a user signs up for the Basic subscription, I want to give them the least access to DynamoDB needed to download the parts of the application which are required to run the application service.
How can I connect DynamoDB with Cognito directly?
I am not sure what the best approach is for this scenario.
(Please note: this is not a mobile-based application, so please do not suggest AWS Amplify or related services.)
When I was first learning about Cognito, I had made the same set of assumptions you are currently making. I knew that User Pools could act as my application's user directory, and Identity Pools would magically unlock all my authorization needs. I was mistaken :)
At the risk of oversimplifying, AWS Cognito exists to answer two questions:
Who are you? (authentication)
What can you do? (authorization)
Cognito addresses these concerns with two distinct offerings: User Pools (authentication) and Identity Pools (authorization).
At a high level, User Pools let you handle user registration, authentication, and account recovery, and support authentication with third-party identity providers like Facebook, Google, etc. Sounds like you might have this part figured out.
Cognito Identity Pools, on the other hand, provide a way to authorize users to use various AWS services. You can think of it as a vending machine for handing out AWS credentials. For example, if you needed to give your users access to upload a file to an S3 bucket or to invoke an endpoint in API Gateway, you could do so with an Identity Pool. You can even allow item-level access to DynamoDB based on an Amazon Cognito ID. However, this might not work the way you expect, since your application users are probably not directly connecting to DynamoDB.
In most web/mobile applications, users are not connecting directly to DynamoDB. Instead, they are interacting with a web/mobile app that communicates to the back-end of your application via an API. That API would then communicate with DynamoDB. If your stack is in AWS, the path may look something like this:
Client (web/mobile app) <-> API Gateway <-> Lambda <-> DynamoDB
In this architecture, your users would authenticate via Cognito. Cognito would then authorize the user to make calls to API Gateway. API Gateway would execute your Lambda, which would then interact with DynamoDB. The "user" of DynamoDB in this example is your Lambda, not the user of your application.
That last bit is important, so I'll repeat it: unless your users are directly connecting to DynamoDB (not recommended), they are not the "user" operating on DynamoDB. Therefore, restricting DynamoDB access based on a user's Cognito ID is not going to be an option for you.
So, what can you do? Your application needs to provide the business logic around what effect your users can have on DynamoDB. Perhaps free users have read-only access to a specific partition, while premium users can modify the same partition. That logic has to be handled directly by you.
I know you said you weren't looking for Amplify suggestions since your application is not mobile-based. However, Amplify offers SDKs that aren't specific to mobile development. The folks at Serverless have made a fantastic tutorial on building a full-stack serverless web app, which includes a very readable chapter on serverless auth with Cognito. They use Amplify in a web app to integrate with Cognito, S3, and API Gateway. If that's something you are trying to do, I'd recommend checking it out.
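The tier logic the answer describes, carried into the Lambda sitting behind API Gateway, as an added example that is not code from the original answer. It assumes a Cognito User Pool authorizer on API Gateway (which places the verified ID-token claims under requestContext.authorizer.claims) and an assumed custom attribute "custom:tier" holding free, basic or premium; the DynamoDB call is injected so the logic runs offline.

```python
import json

# Assumed mapping of subscription tier to the HTTP methods it may use; free
# and basic read only, premium may modify (the answer's "same partition" case)
TIER_PERMISSIONS = {"free": {"GET"}, "basic": {"GET"},
                    "premium": {"GET", "PUT", "DELETE"}}

def decide(event):
    """Return (status, reason). Identity and tier come only from the claims the
    authorizer verified, never from the body or a caller-controlled header."""
    claims = event.get("requestContext", {}).get("authorizer", {}).get("claims")
    if not claims or "sub" not in claims:
        return 401, "no verified identity"
    tier = claims.get("custom:tier", "free")
    method = event.get("httpMethod", "")
    if method not in TIER_PERMISSIONS.get(tier, set()):
        return 403, f"tier {tier} may not {method}"
    return 200, "ok"

def handler(event, context=None, table_op=lambda method, key, body: {"ok": True}):
    """Lambda entry point. table_op stands in for the DynamoDB call made with
    the Lambda's own role; application users never hold DynamoDB credentials."""
    status, reason = decide(event)
    if status != 200:
        return {"statusCode": status, "body": json.dumps({"error": reason})}
    claims = event["requestContext"]["authorizer"]["claims"]
    # The partition key is the caller's Cognito sub, so whatever the tier
    # allows, it only ever applies to that tenant's own items.
    key = {"pk": claims["sub"],
           "sk": (event.get("pathParameters") or {}).get("id", "")}
    result = table_op(event["httpMethod"], key, event.get("body"))
    return {"statusCode": 200, "body": json.dumps(result)}

def make_event(method, tier, sub="user-1"):
    """Constructed API Gateway proxy event for local testing."""
    return {"httpMethod": method, "pathParameters": {"id": "part-42"},
            "requestContext": {"authorizer": {"claims": {"sub": sub, "custom:tier": tier}}}}

if __name__ == "__main__":
    for method, tier in [("GET", "free"), ("PUT", "free"), ("PUT", "premium")]:
        print(method, tier, handler(make_event(method, tier)))
```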
Say you have a bunch of on-premises applications (that are your potential publishers). Can we have them (sitting in some private network) publish messages onto an AWS event bus/EventBridge, so that the target subscribers can take it forward from there? Does hybrid AWS help here?
If so, can you share some links on achieving the same?
That should be very straightforward: you can use the PutEvents endpoint of any AWS SDK for EventBridge.
You'll need an IAM user with which to call the API via access key/secret key.
From a networking perspective, you'll need to be able to reach the AWS API endpoints.
Here's the method to use in Python.
https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/events.html#EventBridge.Client.put_events
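The PutEvents call from an on-premises publisher, as an added example that is not code from the original answer. It assumes a custom event bus name and a source naming scheme, and it uses a constructed fake client so the batching and partial-failure handling can be exercised offline; the real call is boto3.client("events").put_events, only imported when run directly.

```python
import json
from datetime import datetime, timezone

BUS_NAME = "onprem-bus"       # assumed custom event bus
MAX_ENTRIES_PER_CALL = 10     # PutEvents accepts at most 10 entries per request

def to_entry(app_event):
    """Map an on-premises application event to a PutEvents entry."""
    return {"Time": datetime.now(timezone.utc),
            "Source": "onprem." + app_event["app"],
            "DetailType": app_event["type"],
            "Detail": json.dumps(app_event["payload"]),
            "EventBusName": BUS_NAME}

def publish(client, app_events):
    """Send events in batches of 10 and return the entries EventBridge rejected.
    PutEvents returns HTTP 200 even when some entries fail, so FailedEntryCount
    and each entry's ErrorCode must be inspected rather than assumed."""
    entries = [to_entry(e) for e in app_events]
    failed = []
    for i in range(0, len(entries), MAX_ENTRIES_PER_CALL):
        batch = entries[i:i + MAX_ENTRIES_PER_CALL]
        resp = client.put_events(Entries=batch)
        if resp.get("FailedEntryCount", 0):
            for entry, result in zip(batch, resp["Entries"]):
                if "ErrorCode" in result:
                    failed.append((entry, result["ErrorCode"]))
    return failed

class FakeClient:
    """Constructed stand-in for boto3's client: rejects oversized Detail."""
    def __init__(self, max_detail=100):
        self.max_detail, self.calls = max_detail, 0
    def put_events(self, Entries):
        self.calls += 1
        results = [{"ErrorCode": "InternalFailure"} if len(e["Detail"]) > self.max_detail
                   else {"EventId": f"evt-{i}"} for i, e in enumerate(Entries)]
        return {"FailedEntryCount": sum("ErrorCode" in r for r in results),
                "Entries": results}

# Constructed sample: 12 small events plus one whose payload the fake rejects
SAMPLE = [{"app": "erp", "type": "OrderCreated", "payload": {"id": n}} for n in range(12)]
SAMPLE.append({"app": "erp", "type": "Big", "payload": {"blob": "x" * 200}})

if __name__ == "__main__":
    import boto3  # real credentials come from the IAM user's access key/secret key
    print(publish(boto3.client("events"), SAMPLE))
```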
I understand AWS IoT from a device perspective: it should connect with a certificate, sync with its shadow and push messages to topics. But I struggle to understand it from the perspective of a web app or a mobile app. My basic questions are:
How to register an Application with AWS IoT?
What is the Authentication and Authorization mechanism for Applications?
How to grant an App access to a set of devices?
How can the App listen to messages from devices of interest?
How can the App send a command to a device? I understand this is by updating the device's shadow?
Generally, if you want to connect any application (mobile, web, ...) to any AWS service, you should consider two things. First, use the AWS SDKs, which you can find here. Second, the application should have correct authentication and authorization attached to a user/group defined in IAM or Cognito.
In regards to your questions:
1. To register an application in AWS IoT, it should first be defined as an IoT thing; with the correct policies, it can then publish/subscribe to topics. Note that you should put certificates on the device. For connecting to AWS IoT services you can use the AWS IoT SDKs; more information can be found here.
2 & 3. It depends on your project. You can define your application to have access to a specific thing in AWS IoT, or you can define it to access all things in the AWS IoT service (using IAM, Cognito or Temporary Security Credentials). You should consider correct policies for your application. You can find more information about authentication and authorization for AWS IoT here.
4. AWS IoT has an MQTT broker which handles the communication between entities that publish or subscribe to topics. So if the application wants to get data from a specific device, it should subscribe to the topic that the thing publishes to.
5. It can be done by publishing data to a topic which the thing has subscribed to.
The thing shadow is actually the digital twin of the actual thing, so it should contain information which is related to the thing, such as available resources, etc.
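The command path in points 4 and 5 via the thing shadow, as an added example that is not code from the original answer: the app publishes a desired state, the device publishes what it reports, and the shadow service notifies the device on the delta topic with only the desired attributes that still differ. The thing name is assumed, the topics follow the classic shadow layout, and compute_delta reproduces the documented delta rule (desired attributes whose value differs from reported, compared recursively for nested objects).

```python
import json

THING = "pump-7"  # assumed thing name
UPDATE_TOPIC = f"$aws/things/{THING}/shadow/update"
DELTA_TOPIC = f"$aws/things/{THING}/shadow/update/delta"

def compute_delta(desired, reported):
    """Desired attributes whose value differs from reported, recursing into
    nested objects; returns None when the device already matches."""
    delta = {}
    for key, want in desired.items():
        have = reported.get(key) if isinstance(reported, dict) else None
        if isinstance(want, dict) and isinstance(have, dict):
            sub = compute_delta(want, have)
            if sub:
                delta[key] = sub
        elif want != have:
            delta[key] = want
    return delta or None

def app_command(desired):
    """Message the app publishes to command the device: only 'desired'."""
    return UPDATE_TOPIC, json.dumps({"state": {"desired": desired}})

def device_report(reported):
    """Message the device publishes after applying a change: only 'reported'."""
    return UPDATE_TOPIC, json.dumps({"state": {"reported": reported}})

def exchange(desired, reported):
    """What the device would receive on the delta topic for this shadow state,
    or None when there is nothing left to apply."""
    delta = compute_delta(desired, reported)
    return DELTA_TOPIC, (json.dumps({"state": delta}) if delta else None)

if __name__ == "__main__":
    # Constructed states: the app wants the pump on at 900 rpm, the device
    # currently reports it off at 0 rpm in the same mode.
    want = {"power": "on", "motor": {"rpm": 900, "mode": "auto"}}
    have = {"power": "off", "motor": {"rpm": 0, "mode": "auto"}}
    print(app_command(want))
    print(exchange(want, have))
    print(device_report(want))
    print(exchange(want, want))
```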
I would like to send a verification code to a specific user (only one) via email or text message. I have successfully done so through Amazon SES but I have not attempted through Amazon SMS yet. I have found myself going down the rabbit hole of investigating AWS Pinpoint.
It seems to me Pinpoint is meant for mass user messaging (text/email) rather than one-off individual messaging. I'm hoping I gathered that correctly.
My question is: is there an advantage/disadvantage to using Pinpoint over Amazon SES and SMS for my use case?
This may be addressed by the Pinpoint FAQ:
Q: I already use Amazon SNS or Amazon SES. What do I gain by switching to Amazon Pinpoint?
In typical Amazon SNS and Amazon SES use cases, you have to set up your application to manage each message's audience, content, and delivery schedule. These same features are built in to Amazon Pinpoint. With Amazon Pinpoint, you can create message templates, delivery schedules, highly-targeted segments, and full campaigns.
Pinpoint also appears to be able to push notifications to users through the users' preferred contact mechanism. This means that you are not limited to SMS and you can reach your users with activation codes through the means they want to be reached. It also allows two-way communication.
The Pinpoint homepage also says:
You can send direct messages, such as order confirmations, welcome messages, and one-time passwords, using the console or the Amazon Pinpoint REST API. You can also use the API to build custom applications that deliver campaign and transactional messages across multiple channels.
This suggests it is suitable for your uses, though it has additional mass-communication features you do not currently need.
In addition to the points mentioned above by #Freiheit, you can send and receive SMS messages through Amazon Pinpoint. This will help you to track user responses and create surveys, reviews and quiz-like scenarios.
Check this AWS documentation link.
I'd like to run some stateless Java services on the Bitnami stack on AWS that will be consumed by apps, and of course to access these I'd need some type of authentication and authorization.
Previously with this type of architecture I've chucked an API gateway in front of them, to which the developer would subscribe. And AWS provides an API gateway, nice.
HOWEVER, while reading up on how to set this up on AWS I came across 'AWS Cognito' which is supposedly designed specifically for this same purpose.
So my question is: are these two solutions comparable, are they doing the same thing?
And if so, then what are the pros and cons of each, and when would you choose one over the other?
Basically, because you are targeting the user level you should use Cognito, as it provides you with authentication, resetting passwords for the user, and of course a sign-up workflow. Moreover, it provides user information to the admin, as well as two-factor authentication using the user's mobile phone.
If you want to authorize the application to use an API, then you use API Gateway.
Cognito is designed for user interaction; it has an API for Java, JavaScript, iOS, and Android, so you can implement the interaction with it at any level, as you wish. You also don't get charged if your user base is less than 50k.