By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Multiple IoT devices to multiple things

0

Hello there AWS team!

I'm currently working with the ESP32 platform to create a device that connects to AWS and sends/receives data.

The idea is that I will have multiple ESP32 devices. At this moment what I'm doing is that I create a Thing per each device. So, if I have 3 devices, I need to create 3 Things, with their respective certificate and key.

JITP helped me but I noticed each firmware will be different for each device. For example, device 1 will have firmware 1 with certificate 1 and key 1. The same thing will happen for devices 2, 3, and so on.

I'm doing OTA with these devices and since every firmware needs to be different due to the certificates, keys, and thingname... I'm facing an unscalable wall.

Is there any option that helps with this?

The only option I can think of right now is to use 1 Thing in AWS IoT Core, and all my devices in the field will have the same certificate and key. I feel that is not a good practice, but the other option seems way worse.

Thanks a lot in advance

Topics
Internet of Things (IoT)Security, Identity, & Compliance
Tags
AWS IoT CoreSecurity, Identity, & ComplianceInternet of Things (IoT)AWS IoT Device ManagementIAM Policies
Language
English
juanGomez
asked a year ago730 views
2 Answers
1

If I understand it, your current firmware has both code and credentials built in? If that's the case and the firmware (code) is common for the three things, look to use multiple partitions and store your credentials and configuration in one partition (such as nvs), and the firmware in another. Then when an OTA update is applied, you can download just the new code, restart the device, and have the code use the unchanged credentials in the other, untouched, partition.

It's a good idea to figure out a partition scheme ahead of time. For instance, two firmware partitions (A/B) allow for rollback to known working firmware in the case an OTA job fails.

Also, if possible, consider using a secure element to store the private key associated with the thing's X.509 certificate. This can reduce someone extracting the key from the device.

That leads into the best practice of unique credentials per devices. While AWS IoT does support a single certificate/key used across multiple connections (things), it's an anti-pattern. If the key is compromised on one thing, the entire fleet has been compromised. With unique credentials per thing, the blast radius is just that thing.

Hope this helps, please follow up if needed.

AWS
Gavin_A
answered a year ago
0

storing the credentials can solve part of my problems. That's an option I can use.

On the other hand, when I do JITP I need to create a "Thing name", this Thing name must match the "Thing name" variable I'm using in my firmware to connect my device to AWS.

So, if I have 3 devices, I will have 3 Thing names, all 3 being different in the firmware.

I can see that starts to become a little messy.

Reading about provision by claim it seems this option uses the same certificate for all the Things, is that possible to implement in ESP32 without using AWS IoT SDK for embedded C?

juanGomez
answered a year ago
  • Greg_B EXPERT
    a year ago

    Similar to how the certificates should be separate from the firmware image, so should the thing name. Customers often use metadata, like a serial number, as the thing named. In regards to the certificate, as Gavin explained, you should not use the same certificate on every device. The claim certificate is only intended as a temporary birthing certificate; your devices would implement the fleet provisioning workflow to each obtain a unique certificate.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content