How to populate the DynamoDB table before the pre-provisioning hook Lambda runs?

0

Hi there!

We are using fleet provisioning by claim to provision our devices. We plan to have the pre-provisioning hook using a Lambda function. It is recommended to perform additional verification logic, such as checking a hardware secret against a DynamoDB table for verified devices.

How do we implement the verification logic if we do not have a table for the list of verified devices? We cannot manually add the serial numbers or MAC addresses to the table. Is there a method to automate this step?

Can we introduce a step before the fleet provisioning process to dynamically insert an entry into the DynamoDB table for a verified device? Is there any other way to implement the pre-provisioning hook using a Lambda function?

1 Answer
1

Hi. There are lots of ways this could be done, but one way is to bake it into your manufacturing process. As each device or batch of devices is produced, the MAC addresses or serial numbers, etc., are appended to the database. This might be a script that runs at the factory, perhaps part of the automated flashing and testing of each device on the manufacturing line. So your script would use the AWS SDK or CLI to add the new entries to the database.

Greg_B (AWS, EXPERT)
answered 3 months ago
  • Hi Greg, thanks for the response. I believe this would be the most recommended approach. Thanks for sharing all the ideas. Can there be another approach in case we cannot build a database in advance?

  • These optional checks are to try to make sure that it's a valid device that's trying to use fleet provisioning. Making sure in some way other than it just having a valid claim certificate. So you kind of need to know something about the valid devices, ahead of time. Maybe you know the MAC address range, and it just has to be in range. Or it sends a serial number and you regex it to make sure it's the right format and length, and not a repeat of something already provisioned. These approaches are weaker than an allow list.
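
The allow-list check discussed in the answer and comments above, sketched as a pre-provisioning hook Lambda; this is an added example, not code from the thread or from AWS. The template parameter `SerialNumber`, the serial format, the `ALLOW_LIST_TABLE` environment variable and the `serialNumber`/`claimedBy` attribute names are assumptions, and `FakeTable` is a constructed stand-in so the logic runs offline.

```python
import os
import re

SERIAL_RE = re.compile(r"[A-Z0-9]{12}")  # assumed serial format

def claim_serial(table, serial, cert_id):
    """Atomically claim a serial that the factory wrote and nobody has used yet."""
    try:
        table.update_item(
            Key={"serialNumber": serial},
            UpdateExpression="SET claimedBy = :c",
            # One conditional write covers both "unknown device" and "repeat".
            ConditionExpression="attribute_exists(serialNumber) "
                                "AND attribute_not_exists(claimedBy)",
            ExpressionAttributeValues={":c": cert_id},
        )
        return True
    except Exception as exc:
        # boto3 raises ClientError, which carries the error code in .response
        error = getattr(exc, "response", {}).get("Error", {})
        if error.get("Code") == "ConditionalCheckFailedException":
            return False
        raise  # other errors propagate instead of being read as "allowed"

def handler(event, context, table=None):
    serial = str(event.get("parameters", {}).get("SerialNumber", ""))
    if not SERIAL_RE.fullmatch(serial):
        return {"allowProvisioning": False}  # format check before any DB call
    if table is None:  # real Lambda path
        import boto3
        table = boto3.resource("dynamodb").Table(os.environ["ALLOW_LIST_TABLE"])
    allowed = claim_serial(table, serial, event.get("certificateId", ""))
    return {"allowProvisioning": allowed}

class FakeTable:
    """Constructed in-memory stand-in for the DynamoDB table (offline runs only)."""
    def __init__(self, serials):
        self.items = {s: {} for s in serials}
    def update_item(self, Key, ExpressionAttributeValues, **_):
        item = self.items.get(Key["serialNumber"])
        if item is None or "claimedBy" in item:
            exc = Exception("conditional check failed")
            exc.response = {"Error": {"Code": "ConditionalCheckFailedException"}}
            raise exc
        item["claimedBy"] = ExpressionAttributeValues[":c"]

def demo():
    table = FakeTable(["ABC123DEF456"])  # constructed factory entry
    serials = ["ABC123DEF456", "ABC123DEF456", "ZZZ999ZZZ999", "bad serial"]
    events = [{"parameters": {"SerialNumber": s}, "certificateId": "c1"}
              for s in serials]
    return [handler(e, None, table)["allowProvisioning"] for e in events]
```

Because the existence check and the claim happen in a single conditional write, two devices presenting the same serial at the same time cannot both be allowed.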
