MQTT connection between the user's IoT devices and the user's phone


I want the communication to be done with publish and subscribe methods over MQTT. I don't want to use Shadow services.

With the JITR method, devices can easily authenticate with AWS IoT by using a device certificate that was signed by my unique CA. Each device has a unique certificate and a unique policy associated with that certificate. The following policy has only been added to a device's certificate.

The device's client ID is edb656635694fb25f2e6d50f361c37d64aa31e72118224df19f151ee70cc2923
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:<REGION>:<USER-ID>:client/edb656635694fb25f2e6d50f361c37d64aa31e72118224df19f151ee70cc2923"
    },
..........
.........
  ]
}

The user who buys the IoT device performs the following steps during registration with the IoT device:

  1. Sign up with the AWS Cognito service.
  2. The policy name and client ID are sent from the IoT device to the phone via Bluetooth.
  3. It registers the Cognito identity with the policy using AttachPolicy.

https://imgur.com/a/hfWqjkD

I found out that it only accepts a single connection with the client ID. That's why the above didn't work.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": [
        "arn:aws:iot:<REGION>:<USER-ID>:client/edb656635694fb25f2e6d50f361c37d64aa31e72118224df19f151ee70cc2923",
        "arn:aws:iot:<REGION>:<USER-ID>:client/mobileUser1"
      ]
    },
..........
  ]
}

When I changed the identity as above, the system worked. With this method, I was able to restrict the resources of both IoT devices and phone users. But I did the above process manually (adding a new line to the policy). What should I do for mass production?

At the same time, another IoT device will have its own policy. How can the user communicate with IoT devices? At the same time, more than one client can be paired to an IoT device. I think I'm on the wrong track; please guide me.

1 Answer

Hi,

I would suggest you look into this solution https://docs.aws.amazon.com/solutions/latest/smart-product-solution/architecture.html for a more scalable approach in a scenario where you have devices and users, typical of a smart product application.

For your specific question, if the certificate or the Cognito identity is associated with an IoT Thing, you can use the policy variable in the Resource definition as follows:

{
  "Effect": "Allow",
  "Action": [
    "iot:Connect"
  ],
  "Resource": [
    "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"
  ]
}

Note that the IoT Thing associated with the device certificate should be different from the IoT Thing associated with the Cognito identity.

AWS
EXPERT
answered 2 years ago
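An offline check of the policy-variable approach from the answer above, as an added example that is not the asker's or AWS's code: it renders ${iot:Connection.Thing.ThingName} for a given Thing name and evaluates iot:Connect for a client ID the way the broker matches Resource ARNs, so one fleet-wide policy can be tested before it is attached. The region, account ID and Thing names are constructed placeholders.

```python
"""Offline sanity check for an AWS IoT policy that relies on the
${iot:Connection.Thing.ThingName} policy variable (added example, not
code from the question or from AWS). Region, account id and Thing names
are constructed placeholders."""
import fnmatch
import json

REGION = "us-east-1"
ACCOUNT = "123456789012"  # constructed placeholder, same as in the answer
THING_VAR = "${iot:Connection.Thing.ThingName}"

# One policy for the whole fleet: the MQTT client id must equal the Thing
# name attached to the connecting certificate or Cognito identity.
FLEET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["iot:Connect"],
        "Resource": [f"arn:aws:iot:{REGION}:{ACCOUNT}:client/{THING_VAR}"],
    }],
})


def render_policy(policy_json, thing_name):
    """Substitute the connecting Thing's name into every policy variable."""
    return json.loads(policy_json.replace(THING_VAR, thing_name))


def connect_allowed(policy_json, thing_name, client_id):
    """Decide iot:Connect for client_id under the rendered policy.

    An explicit Deny wins over any Allow and an unmatched request is
    implicitly denied; Resource strings use IAM-style '*' and '?' wildcards.
    """
    target = f"arn:aws:iot:{REGION}:{ACCOUNT}:client/{client_id}"
    allowed = False
    for stmt in render_policy(policy_json, thing_name)["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(fnmatch.fnmatchcase("iot:Connect", a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(target, r) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

Attaching one such policy to every device certificate, with a separate Thing per Cognito identity as the answer notes, replaces the per-device client ID line the question adds by hand.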
