2. Services: AWS IoT vs Azure IoT

Identity of Devices (Registry of Devices)

AWS IoT - Device Registry
• Contains the device (thing) ID, metadata, credentials (authentication) and authorization (IoT policy).
• Things can be categorized into Thing Types and Thing Groups.
• Can store metadata (thing attributes) and query it.
• Also supports indexing of the device registry for querying registry data.

Azure IoT - Identity Registry
• Contains the device ID and credentials (authentication).
• Metadata is stored in the device twin.
• Additional metadata can be stored outside the registry.
• Does not support expressive querying.
• Recommended only for device management/provisioning, not for high-throughput operations.

Security

Authentication mechanism (for devices)

AWS IoT
• X.509 certificates: generated by AWS IoT, signed by your own CA, or self-signed.
• X.509 certificates are the recommended option.
• Supports rotation of certificates.

Azure IoT
• X.509 certificates: self-signed or CA-signed.
• Security tokens: IoT Hub uses security (SAS) tokens to authenticate devices and services so that keys are never sent on the wire. Tokens are signed with either a shared access policy key or a device identity's symmetric key.
• Azure IoT Hub grants access to an endpoint by verifying the token against the shared access policies and the security credentials in the identity registry.
• Supports rotation of keys (through the Device Provisioning Service).

Authorization mechanism (for devices)

AWS IoT
• Policy: permissions are expressed in an AWS IoT policy, which is attached to the certificate.
• The certificate is in turn attached to the device (thing).

Azure IoT
• Permissions and shared access policies.
• A token signed with a shared access policy key grants all the permissions of that shared access policy.
• A token signed with a device identity's symmetric key grants only the DeviceConnect permission for that device identity.
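The token rule in the two bullets above is concrete enough to run. The following is an added example, not code from the original deck: it builds Azure IoT Hub SAS tokens in the documented format with the Python standard library and models the hub-side check, so the difference between a token signed with a shared access policy key (carries skn=, gets the policy's permissions) and one signed with a device's symmetric key (no skn=, DeviceConnect only) can be observed offline. The hub name, device ID and keys are constructed sample values; verify_sas_token() is a model of the hub's decision, not Azure code.

```python
"""Azure IoT Hub SAS tokens: how a device or service token is built and how the
hub-side check described on the slide works.

Added example, not code from the original deck. It implements the documented
IoT Hub SAS token format with the Python standard library only:

  SharedAccessSignature sr=<URL-encoded resource URI>&sig=<URL-encoded signature>&se=<expiry>[&skn=<policy name>]
  signature = Base64( HMAC-SHA256( Base64Decode(key), URL-encode(resource URI) + newline + expiry ) )

The hub name, device ID and keys are constructed sample values, not real
credentials. verify_sas_token() is a model of the hub's decision, not Azure code.
"""
import base64
import hashlib
import hmac
import urllib.parse

HUB = "contoso-hub.azure-devices.net"  # constructed
# Constructed keys, Base64 encoded as Azure presents them in the portal/CLI.
POLICY_KEYS = {"iothubowner": base64.b64encode(b"shared-access-policy-key-sample").decode()}
DEVICE_KEYS = {"dev-001": base64.b64encode(b"device-identity-symmetric-key-sample").decode()}


def sas_signature(resource_uri, key_b64, expiry):
    """Base64 HMAC-SHA256 over '<url-encoded uri>\\n<expiry>' keyed with the raw key."""
    string_to_sign = f"{urllib.parse.quote(resource_uri, safe='')}\n{int(expiry)}".encode()
    digest = hmac.new(base64.b64decode(key_b64), string_to_sign, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def build_sas_token(resource_uri, key_b64, expiry, policy_name=None):
    """Token for resource_uri valid until `expiry` (Unix seconds).

    policy_name is given when signing with a shared access policy key (service
    side) and omitted when signing with a device identity's symmetric key.
    """
    token = ("SharedAccessSignature "
             f"sr={urllib.parse.quote(resource_uri, safe='')}"
             f"&sig={urllib.parse.quote(sas_signature(resource_uri, key_b64, expiry), safe='')}"
             f"&se={int(expiry)}")
    if policy_name:
        token += f"&skn={policy_name}"
    return token


def parse_sas_token(token):
    """Return the token's fields with URL-decoded values."""
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        raise ValueError("not a SAS token")
    return dict(urllib.parse.parse_qsl(token[len(prefix):], keep_blank_values=True))


def verify_sas_token(token, now, policy_keys=POLICY_KEYS, device_keys=DEVICE_KEYS):
    """Model of the hub-side check. Returns (accepted, reason_or_grant).

    A token carrying skn= is checked against that shared access policy's key and,
    if valid, carries all of the policy's permissions. A token without skn= is
    checked against the symmetric key of the device named in the resource URI
    and grants only DeviceConnect for that device.
    """
    try:
        fields = parse_sas_token(token)
        resource, sig, expiry = fields["sr"], fields["sig"], int(fields["se"])
    except (KeyError, ValueError):
        return False, "malformed"
    if "skn" in fields:
        key_b64, grant = policy_keys.get(fields["skn"]), "policy:" + fields["skn"]
    else:
        hub, sep, rest = resource.partition("/devices/")
        if hub != HUB or not sep:
            return False, "bad resource"
        device_id = rest.split("/")[0]
        key_b64, grant = device_keys.get(device_id), "DeviceConnect:" + device_id
    if key_b64 is None:
        return False, "unknown key"
    # Constant-time comparison so signature checking does not leak timing.
    if not hmac.compare_digest(sas_signature(resource, key_b64, expiry).encode(), sig.encode()):
        return False, "bad signature"
    if expiry <= now:
        return False, "expired"
    return True, grant
```

Because the expiry is part of the signed string, a client cannot extend a captured token's lifetime without the key; and because the device-key path derives the key from the resource URI, a device token cannot be replayed against another device's resource.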
3. Services: AWS IoT vs Azure IoT (continued)

Device Provisioning
• Bulk provisioning: preconfigure the IoT solution with the credential information of each device.
• Just-in-time provisioning: provision the device when it first connects to the IoT service; no per-device preconfiguration is required in the cloud.

AWS IoT
• Bulk provisioning: supported, using provisioning templates.
• Just-in-time provisioning: supported. A CA certificate and a provisioning template must be registered ahead of time, before the device connects.

Azure IoT
• Bulk provisioning: supported through jobs / bulk import.
• Just-in-time provisioning: supported through the Device Provisioning Service (X.509 certificates, TPM (Trusted Platform Module) / HSM attestation).

Device Content Management
• Ability to modify the content of a connected device, including application code and firmware updates.

AWS IoT
• Supported through the AWS IoT Jobs API.
• Define a job that instructs a set of devices to download and install application or firmware updates, reboot, rotate certificates, or perform remote troubleshooting operations. This is a pull mechanism: the device picks up the pending job when it connects to AWS IoT.

Azure IoT
• Supported (Jobs), with two options:
• Scenarios that require an immediate response (e.g. reboot or factory reset): use a direct method.
• Scenarios that do not require an immediate response (configuration, firmware updates): use device twins.

Device Life Cycle Management
• Monitoring
• Retire devices (and revoke devices)

AWS IoT
• Monitoring: CloudWatch alarms, logs and events, CloudTrail, AWS IoT metrics.
• Retire/revoke: revoke the device certificate, deactivate the device certificate, or deactivate the CA certificate.

Azure IoT
• Monitoring: Azure Monitor, Azure Resource Health.
• Retire/revoke: use the IoT Hub identity registry to revoke the device identity or credentials. The device identity can also be deleted.
4. Azure IoT Scenarios
• Scenario 1 – Device Provisioning: provisioning a device using Just-In-Time Registration (Azure IoT)
• Scenario 2 – Device Provisioning: provision the device with the desired S/W configuration (Azure IoT)
• Scenario 3 – Device Provisioning: block the provisioning of a device during Just-In-Time provisioning (Azure IoT)
• Scenario 4 – Device Content Management: configure the devices with the desired software configuration (Azure IoT)
• Scenario 5 – Customer did not pay: disable the service (Azure IoT)
• Scenario 6 – Device compromised: revoke the device (Azure IoT)
• Scenario 7 – Retire a device (Azure IoT)

AWS IoT Scenarios
• Scenario 1 – Device Provisioning: provisioning a device using Just-In-Time Registration (AWS IoT)
• Scenario 2 – Device Provisioning: provision the device with the desired S/W configuration (AWS IoT)
• Scenario 3 – Device Provisioning: block the provisioning of a device during Just-In-Time provisioning (AWS IoT)
• Scenario 4 – Device Content Management: configure the devices with the desired software configuration (AWS IoT)
• Scenario 5 – Customer did not pay: disable the service (AWS IoT)
• Scenario 6 – Device compromised: revoke the device (AWS IoT)
• Scenario 7 – Retire a device (AWS IoT)
5. Assumptions
• Authentication
• X.509-based authentication is recommended and is considerably stronger than shared-key authentication: it is based on asymmetric keys, so the private key never leaves the device and the cloud only stores public material that cannot be replayed as a credential.
• This presentation assumes that the device uses X.509-based authentication.
• Individual device (leaf) certificates are signed by an intermediate certificate, which is itself either CA-signed or self-signed.
• This is required for Just-In-Time provisioning, since any certificate signed by a registered intermediate certificate will be authenticated.
• This eliminates the need for per-device mappings/entries before provisioning.
• Authorization
• Authorization is achieved through AWS IoT policies (AWS IoT) and shared access policies (Azure IoT).
• This presentation assumes that each device will NOT have an individual authorization policy for accessing the IoT service.
• A group of devices will share the same policy.
• This eliminates the need for per-device mappings/entries before provisioning.
• Provisioning
• This presentation assumes that devices use Just-In-Time provisioning instead of bulk provisioning.
• Just-In-Time provisioning scales better because it eliminates the need for per-device mappings/entries before provisioning.
• Just-In-Time provisioning provisions the device when it first connects to the IoT solution.
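The authorization assumption above (one policy shared by a group of devices, no per-device entries) raises the obvious question of how each device is still confined to its own topics. On AWS IoT the answer is policy variables. The following is an added example, not code from the original deck: a fleet policy in the real AWS IoT policy JSON format using the documented thing policy variable ${iot:Connection.Thing.ThingName}, plus a small evaluator that models the AWS decision rules (explicit Deny wins, otherwise any matching Allow grants, otherwise denied) so the policy can be exercised offline. The evaluator is not AWS's engine; region, account ID, thing names and topic layout are constructed.

```python
"""One AWS IoT policy for a whole fleet, scoped to each device with a policy variable.

Added example, not code from the original deck. The policy document is in the
real AWS IoT policy JSON format and uses the documented thing policy variable
${iot:Connection.Thing.ThingName}, which AWS IoT Core resolves to the name of
the thing attached to the connecting certificate (the device must connect with
its thing name as the MQTT client ID). is_allowed() is a small model of the AWS
decision rules (an explicit Deny wins, otherwise any matching Allow grants,
otherwise denied); it is not AWS's policy engine. Region, account ID, thing
names and topic layout are constructed.
"""
import fnmatch
import json

REGION, ACCOUNT = "us-east-1", "123456789012"   # constructed
THING_VAR = "${iot:Connection.Thing.ThingName}"

# Attached once to every CA-issued device certificate by the provisioning template.
FLEET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "iot:Connect",
     "Resource": "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"},
    {"Effect": "Allow", "Action": "iot:Publish",
     "Resource": "arn:aws:iot:us-east-1:123456789012:topic/dt/${iot:Connection.Thing.ThingName}/*"},
    {"Effect": "Allow", "Action": "iot:Subscribe",
     "Resource": "arn:aws:iot:us-east-1:123456789012:topicfilter/cmd/${iot:Connection.Thing.ThingName}/*"},
    {"Effect": "Allow", "Action": "iot:Receive",
     "Resource": "arn:aws:iot:us-east-1:123456789012:topic/cmd/${iot:Connection.Thing.ThingName}/*"}
  ]
}
""")


def arn(kind, name):
    """ARN of an AWS IoT resource, e.g. arn("topic", "dt/dev-001/telemetry")."""
    return f"arn:aws:iot:{REGION}:{ACCOUNT}:{kind}/{name}"


def as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, thing_name, action, resource):
    """Decide whether `thing_name` may perform `action` on `resource`.

    The thing policy variable is substituted first; * and ? in Action/Resource
    are matched with fnmatch (as in AWS IoT, * also matches across '/').
    """
    allowed = False
    for statement in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in as_list(statement["Action"])):
            continue
        resources = [r.replace(THING_VAR, thing_name) for r in as_list(statement["Resource"])]
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if statement["Effect"] == "Deny":
            return False          # an explicit Deny overrides every Allow
        allowed = True
    return allowed
```

With this shape the group shares one policy document, yet dev-001 can only connect as dev-001, publish under dt/dev-001/ and subscribe under cmd/dev-001/; a compromised device cannot read its neighbours' command topics or impersonate their client IDs.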
6. Roles - Assumptions

Device Manufacturer
Role responsible for manufacturing the hardware device itself. This presentation assumes that the device certificate (private key) is embedded in the HSM of the device by the device manufacturer.

Device Solution Provider
Role responsible for configuring/flashing the IoT SDK and the initial version of the IoT application client onto the device itself.

IoT Cloud Solution Provider/Operator
Role responsible for configuring the provisioning rules, the IoT configuration, and anything else required on the cloud side.

Note: the roles are used to make the responsibilities easier to follow; in practice these responsibilities are usually automated using the CLI, APIs or other automation tools.
7. Azure IoT Service and Building Blocks

Registry - IoT Identity Registry
Device identity, credentials and access policy are stored in the IoT identity registry.

Provisioning - Device Provisioning Service (DPS)
Service responsible for Just-In-Time provisioning of an IoT device (HTTPS service). Global service; supports geo-sharding.
Supports three allocation policies for assigning devices to IoT Hubs:
• Evenly weighted: distribute the devices across the linked IoT Hubs.
• Lowest latency: assign each device to the IoT Hub with the lowest latency.
• Static configuration: assign to a fixed IoT Hub.
Enrollments can be group enrollments or individual enrollments.
Note: this presentation assumes assignment based on group enrollment.

Authorization - Shared Access Policy
Permissions/authorization are achieved through shared access policies. A client that authenticates with a device identity is granted only the DeviceConnect permission.

Software Configurations - Device Twins
Device twins are JSON documents that store device state information including metadata, configurations and conditions. Azure IoT Hub maintains a device twin for each device connected to IoT Hub. The back office sets the "desired" state in the device twin; the device reads the "desired" state, performs the necessary configuration and reports the outcome through the "reported" state.

Bulk executions - Jobs
The Jobs API is used for bulk execution/configuration changes on devices, using either the device twin or direct methods. This presentation uses only the device twin for S/W configuration of the device.

Grouping Devices / Device metadata - Device Twins
Any device metadata, including grouping information, can be specified in the device twin as tags. Tags are used to query the list of devices and identify the target devices for bulk executions/configurations.
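The device-twin flow described above (back office writes "desired", device applies it and writes "reported") has a few rules a device must respect to converge correctly. The following is an added example, not code from the original deck or the Azure SDK: it applies the documented twin patch rules (the patch is merged into the current desired section, a property set to null is removed, nested objects merge recursively, and the hub stamps every desired change with an increasing $version) and returns the reported-properties patch the device should write back so that operators can later query which devices have converged. Configuration keys and values are constructed.

```python
"""Device-side handling of a desired-properties patch from an Azure IoT device twin.

Added example, not code from the original deck or the Azure SDK. It applies the
documented twin patch rules: the patch is merged into the current desired
section, a property set to null is removed, nested objects merge recursively,
and the hub stamps every desired change with an increasing $version. It returns
the reported properties the device should write back. Keys/values are constructed.
"""
import copy


def merge_patch(current, patch):
    """Return current with patch merged in: null deletes, dicts merge, scalars replace."""
    merged = copy.deepcopy(current)
    for key, value in patch.items():
        if key.startswith("$"):            # $version / $metadata are maintained by the hub
            continue
        if value is None:
            merged.pop(key, None)
        elif isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = merge_patch(merged[key], value)
        else:
            merged[key] = copy.deepcopy(value)
    return merged


class Device:
    """Holds the running configuration and reconciles it with the desired twin."""

    def __init__(self, running_config):
        self.config = running_config      # what the device is actually doing
        self.desired = {}                 # last desired section as seen by the device
        self.applied_version = 0          # $version of the last desired state acted on

    def on_desired_patch(self, patch):
        """Handle a desired-properties PATCH; return the reported-properties patch to send."""
        version = patch.get("$version", 0)
        if version <= self.applied_version:
            return {}                     # replayed or out-of-order patch: already applied
        self.desired = merge_patch(self.desired, patch)
        # Apply only what differs; keys removed from desired keep their current value.
        for key, value in self.desired.items():
            if self.config.get(key) != value:
                self.config[key] = copy.deepcopy(value)
        self.applied_version = version
        reported = copy.deepcopy(self.config)
        reported["lastDesiredVersion"] = version   # makes "who has converged" a twin query
        return reported
```

Reporting the $version that was acted on is what lets the operator's job status query (slide 12) distinguish devices that have applied the new desired state from those still running the old one.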
8. Device Life Cycle (Azure IoT): Plan > Provision > Configure > Monitor > Retire

Plan
• Plan the device metadata scheme for bulk management operations on devices.
• Device twin and device metadata.
• Type of device credentials to be used.

Provision
• Securely provision new devices to IoT Hub.
• Use the IoT Hub identity registry to create flexible device identities.
• Use the Device Provisioning Service to perform Just-In-Time provisioning, or bulk-provision devices using a job.

Configure
• Facilitate bulk configuration changes or firmware updates on devices.
• Use either a direct method or the device twin (in bulk, using jobs).

Monitor
• Monitor overall device collection health and the status of ongoing operations, and alert operators to issues that might require their attention.
• Use the device twin to let devices report real-time operating conditions and the status of update operations.
• Build dashboard reports that surface the most immediate issues by using device twin queries.
• Azure Monitor, Azure Resource Health.

Retire
• Replace or decommission devices after a failure, an upgrade cycle, or at the end of the service lifetime.
• Use the device twin to maintain device info if the physical device is being replaced, or archive it if the device is being retired.
• Use the IoT Hub identity registry to securely revoke device identities and credentials.
9. Scenario 1 (Azure IoT) - Device Provisioning using Just-In-Time Registration

Precondition
• Device is not registered in the Azure IoT identity registry; an individual leaf device certificate signed by the intermediate certificate is available.
PostCondition
• Device is registered in the Azure IoT identity registry.
• The credentials are associated with the device in the identity registry.
• Device twin created.
• Device provisioning is complete.
• Device is connected to the appropriate Azure IoT Hub.

Actors: IoT Device, Azure Device Provisioning Service, Azure IoT Identity Registry, Azure IoT Hub. Roles: Device Manufacturer, Device Solution Provider, IoT Cloud Solution Provider/Operator.
1. Device Manufacturer: manufactures the device and installs the certificate (private key in the HSM). Once per device.
2. Device Solution Provider: installs the initial version of the Azure IoT client/SDK and the initial version of the application. Once per device.
3. IoT Cloud Solution Provider/Operator: creates the IoT Hub, subscription and shared access policy. Done once for all devices.
4. Operator: creates the Device Provisioning Service and links it to the IoT Hub. Done once.
5. Operator: configures the group enrollment rules by associating the root and intermediate certificates. One per group.
6. IoT Device: calls DPS the first time it connects to the internet. Once per device.
7. DPS: verifies the credentials, registers the device in the identity registry and returns the IoT Hub information to the device.
10. Scenario 2 (Azure IoT) - Device Provisioning with the desired S/W configuration

Precondition
• Device is not registered in the Azure IoT identity registry; an individual leaf device certificate signed by the intermediate certificate is available.
PostCondition
• Device is registered in the Azure IoT identity registry.
• Device twin created and device connected to the appropriate Azure IoT Hub.
• Device configured with the desired S/W configuration; device provisioning is complete.

Actors: IoT Device, Azure Device Provisioning Service, Azure IoT Identity Registry, Azure IoT Hub, Device Twin. Roles: Device Manufacturer, Device Solution Provider, IoT Cloud Solution Provider/Operator.
1. Device Manufacturer: manufactures the device and installs the certificate (private key in the HSM). Once per device.
2. Device Solution Provider: installs the Azure IoT client/SDK and the initial version of the application. Once per device.
3. IoT Cloud Solution Provider/Operator: creates the IoT Hub, subscription and shared access policy. Done once for all devices.
4. Operator: creates the Device Provisioning Service and links it to the IoT Hub. Done once.
5. Operator: configures the group enrollment rules by associating the root and intermediate certificates and the desired configuration (initial device twin state). One per group.
6. IoT Device: calls DPS the first time it connects to the internet. Once per device.
7. DPS: verifies the credentials and registers the device.
8. IoT Device: connects to the IoT Hub, reads the desired state from the device twin, performs the necessary configuration and periodically updates the reported status.
11. Scenario 3 (Azure IoT) - Block the provisioning of a device during Just-In-Time provisioning

Precondition
• Device is not registered in the Azure IoT identity registry; an individual leaf device certificate signed by the intermediate certificate is available.
PostCondition
• Device is NOT registered in the Azure IoT identity registry.
• Device is blocked from device provisioning.

Actors: IoT Device, Azure Device Provisioning Service, Azure IoT Identity Registry, Azure IoT Hub. Roles: Device Manufacturer, Device Solution Provider, IoT Cloud Solution Provider/Operator.
1. Device Manufacturer: manufactures the device and installs the certificate (private key in the HSM). Once per device.
2. Device Solution Provider: installs the Azure IoT client/SDK and the initial version of the application. Once per device.
3. IoT Cloud Solution Provider/Operator: creates the IoT Hub, subscription and shared access policy. Done once for all devices.
4. Operator: creates the Device Provisioning Service and links it to the IoT Hub. Done once.
5. Operator: configures the group enrollment rules by associating the root and intermediate certificates. One per group.
6. Operator: creates a disabled individual enrollment record for the device to be blocked. DPS gives an individual enrollment precedence over the group enrollment, so the disabled entry denies this one device even though its certificate chains to the group's intermediate.
7. IoT Device: calls DPS the first time it connects to the internet. Once per device.
8. DPS: rejects the registration because the device's individual enrollment is disabled.
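Scenarios 1 and 3 together depend on one DPS rule: an individual enrollment for a registration ID is consulted before any enrollment group, so a disabled individual enrollment blocks a device whose certificate would otherwise be admitted by the group. The following is an added example, not code from the original deck or from Azure: a plain-Python model of that decision (individual enrollment first, then group match by the CA/intermediate in the chain, disabled blocks, allocation policy selects the hub), so the three DPS allocation policies from slide 7 and the blocking step above can be exercised offline. Certificates are reduced to their subject chain with no real X.509 signature checks; hub names, IDs and latencies are constructed.

```python
"""Model of the Azure Device Provisioning Service decision the Azure scenarios rely on.

Added example, not code from the original deck or from Azure. It models the DPS
rules used by scenarios 1 and 3: an individual enrollment (keyed by the
device's registration ID) takes precedence over any enrollment group; a group
applies when the device certificate chains to the CA or intermediate
certificate uploaded for that group; a disabled enrollment blocks the device
even if a group would otherwise admit it; the enrollment's allocation policy
then selects the IoT Hub. Certificates are reduced to their subject chain
(no real X.509 signature checks); hubs, IDs and latencies are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Enrollment:
    enabled: bool = True
    hubs: tuple = ()              # linked IoT Hubs this enrollment may assign to
    allocation: str = "static"    # "static" | "evenly_weighted" | "lowest_latency"
    signer: str = ""              # group enrollments: CA/intermediate subject; "" for individual


@dataclass
class DeviceCert:
    registration_id: str          # for X.509 attestation this is the leaf certificate's CN
    chain: tuple                  # (leaf subject, intermediate subject, ..., root subject)


@dataclass
class ProvisioningService:
    individual: dict = field(default_factory=dict)   # registration_id -> Enrollment
    groups: list = field(default_factory=list)       # Enrollments with signer set
    registry: dict = field(default_factory=dict)     # hub -> {registration ids registered there}
    latency_ms: dict = field(default_factory=dict)   # hub -> measured latency (constructed)

    def register(self, cert):
        """Return (True, hub) when the device is provisioned, else (False, reason)."""
        enrollment = self.individual.get(cert.registration_id)     # rule 1: individual wins
        if enrollment is None:                                      # rule 2: group by issuer
            # chain[1:] skips the leaf, so a leaf whose CN imitates the CA does not match
            enrollment = next((g for g in self.groups if g.signer in cert.chain[1:]), None)
        if enrollment is None:
            return False, "no matching enrollment"
        if not enrollment.enabled:
            return False, "enrollment disabled"
        hub = self.allocate(enrollment)
        self.registry.setdefault(hub, set()).add(cert.registration_id)
        return True, hub

    def allocate(self, enrollment):
        """Pick the IoT Hub according to the enrollment's allocation policy."""
        if enrollment.allocation == "lowest_latency":
            return min(enrollment.hubs, key=lambda h: self.latency_ms.get(h, float("inf")))
        if enrollment.allocation == "evenly_weighted":
            return min(enrollment.hubs, key=lambda h: len(self.registry.get(h, ())))
        return enrollment.hubs[0]                                   # static configuration

    def block(self, registration_id):
        """Scenario 3: a disabled individual enrollment denies one device of a group."""
        self.individual[registration_id] = Enrollment(enabled=False)
```

The practical consequence for scenario 6 (compromised device) is the same: revoking the identity in the hub is not enough on its own, because a device holding a still-valid group-signed certificate could re-provision through DPS; the disabled individual enrollment is what closes that path.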
12. Scenario 4 (Azure IoT) - Device Content Management: configure the devices with the desired software configuration

Precondition
• Device is registered and active in the Azure IoT identity registry.
PostCondition
• Device is configured with the desired configuration.

Actors: IoT Cloud Solution Provider/Operator, Device Twins, Azure IoT Job, IoT Device.
1. Operator: queries the device twin metadata (tags) to identify the target group of devices.
2. Operator: creates a job that updates the device twin of the target devices with the desired configuration.
3. IoT Device: reads the desired state from its device twin and performs the configuration.
4. IoT Device: updates the reported status periodically.
13. Scenario 5 (Azure IoT) - Customer did not pay: disable the service

Precondition
• Device is registered and active in the Azure IoT identity registry.
PostCondition
• The device will not be able to connect to Azure IoT. Enable the device in the registry again if the service needs to be restored.

Actors: IoT Cloud Solution Provider/Operator, Azure IoT Identity Registry.
1. Operator: disables the device in the identity registry.
14. Scenario 6 (Azure IoT) - Device compromised: revoke the device

Precondition
• Device is registered and active in the Azure IoT identity registry.
PostCondition
• The device will not be authenticated and will not be able to connect to Azure IoT, and it cannot re-provision itself through DPS.

Actors: IoT Cloud Solution Provider/Operator, Azure IoT Identity Registry, Azure IoT Device Provisioning Service.
1. Operator: revokes the credential associated with the device in the identity registry.
2. Operator: blocks the device/credential in DPS with a disabled individual enrollment, so a compromised device that still holds a group-signed certificate cannot obtain a new identity.
15. Scenario 7 (Azure IoT) - Retire a device

Precondition
• Device is registered and active in the Azure IoT identity registry.
PostCondition
• Device is not registered. (The device has to go through provisioning again if it needs to be reused.)
Note: the same scenario applies if a customer cancels the service.

Actors: IoT Cloud Solution Provider/Operator, Azure IoT Identity Registry.
1. Operator: deletes the device from the identity registry.
16. AWS IoT Service and Building Blocks

Registry - Device Registry
Device identity, credentials and access policy are stored in the IoT device registry. Detailed device metadata can also be stored in the device registry, which provides indexing and query capabilities.

Provisioning - AWS IoT
AWS IoT itself provides the device provisioning capability (CA registration with auto-registration and provisioning templates); there is no separately named provisioning service comparable to Azure IoT DPS.

Authorization - IoT Policy
Permissions/authorization are achieved through IoT policies. An IoT policy is defined and attached to the certificate, and the certificate is attached to the device (thing) in the device registry during provisioning.

Software Configurations & Bulk executions - Jobs
Bulk S/W configuration or remote operations on a number of devices are driven by AWS IoT Jobs. Jobs are of two types:
• SNAPSHOT: runs on a fixed set of devices and completes once those devices have completed it.
• CONTINUOUS: keeps running and is executed whenever a change is detected in the target. A continuous job can be used to onboard or upgrade devices as they are added to a group.
The rollout configuration specifies how quickly devices are notified of the job.
The job document contains the details of the work the device needs to perform.

Grouping Devices - Thing Groups, Thing Types
Devices can be grouped into Thing Groups and/or Thing Types. This helps identify the group when a S/W configuration needs to be applied to a specific set of devices.
17. Device Life Cycle (AWS IoT): Plan > Provision > Configure > Monitor > Retire

Plan
• Plan the device metadata scheme for bulk management operations on devices.
• Plan Thing Groups and Thing Types for bulk operations.
• Type of device credentials to be used.

Provision
• Securely provision new devices to AWS IoT.
• Use the device registry to create flexible device identities.
• Use Just-In-Time provisioning, or bulk-provision devices using a job.

Configure
• Facilitate bulk configuration changes using AWS IoT Jobs.

Monitor
• Monitor overall device collection health and the status of ongoing operations, and alert operators to issues that might require their attention.
• AWS CloudWatch (metrics, events, logs), CloudTrail.

Retire
• Replace or decommission devices after a failure, an upgrade cycle, or at the end of the service lifetime.
• Use the device registry to securely revoke device identities and credentials.
18. Scenario 1 (AWS IoT) - Device Provisioning using Just-In-Time Registration

Precondition
• Device is not registered in the AWS IoT device registry; an individual leaf device certificate signed by the intermediate certificate is available.
PostCondition
• Device is registered in the AWS IoT device registry.
• The credentials (certificate) are associated with the device (thing) in the device registry.
• Device provisioning is complete.
• Device is connected to AWS IoT.

Actors: IoT Device, AWS IoT, AWS IoT Device Registry. Roles: Device Manufacturer, Device Solution Provider, IoT Cloud Solution Provider/Operator.
1. Device Manufacturer: manufactures the device and installs the certificate (private key in the HSM). Once per device.
2. Device Solution Provider: installs the AWS IoT device client/SDK and the initial version of the application. Once per device.
3. IoT Cloud Solution Provider/Operator: sets up the AWS IoT account/endpoint and the IoT policy. Done once for all devices.
4. Operator: registers the root and intermediate CA certificates with AWS IoT, enables auto-registration on them, and associates the provisioning template that creates the thing and attaches the policy to the device certificate.
5. IoT Device: connects to AWS IoT the first time it has internet connectivity. Once per device.
6. AWS IoT: verifies the device certificate against the registered CA, registers the certificate and the thing in the device registry according to the template.
19. Scenario 2 (AWS IoT) - Device Provisioning with the desired S/W configuration

Precondition
• Device is not registered in the AWS IoT device registry; an individual leaf device certificate signed by the intermediate certificate is available.
PostCondition
• Device is registered in the AWS IoT device registry; device provisioning is complete.
• Device is connected to AWS IoT and configured with the desired configuration specified in the job.

Actors: IoT Device, AWS IoT, AWS IoT Device Registry, AWS IoT Job. Roles: Device Manufacturer, Device Solution Provider, IoT Cloud Solution Provider/Operator.
1. Device Manufacturer: manufactures the device and installs the certificate (private key in the HSM). Once per device.
2. Device Solution Provider: installs the AWS IoT device client/SDK and the initial version of the application. Once per device.
3. IoT Cloud Solution Provider/Operator: sets up the AWS IoT account/endpoint and the IoT policy. Done once for all devices.
4. Operator: registers the root and intermediate CA certificates with AWS IoT, enables auto-registration on them, and associates the provisioning template that creates the thing, attaches the policy and places the thing in the target Thing Group.
5. Operator: configures a CONTINUOUS job targeted at that Thing Group, with a rollout configuration such that newly added devices are notified of the job immediately.
6. IoT Device: connects to AWS IoT the first time it has internet connectivity. Once per device.
7. AWS IoT: authenticates the credentials and registers the device; adding the new thing to the group triggers the continuous job for it.
8. IoT Device: connects, is notified of the pending job, executes the necessary S/W configuration and periodically updates the job execution status.
20. Scenario 3 (AWS IoT) - Block the provisioning of a device during Just-In-Time provisioning

Precondition
• Device is not registered in the AWS IoT device registry; an individual leaf device certificate signed by the intermediate certificate is available.
PostCondition
• Device is NOT registered in the AWS IoT device registry.
• Device is blocked from device provisioning.

Actors: IoT Device, AWS IoT, AWS IoT Device Registry. Roles: Device Manufacturer, Device Solution Provider, IoT Cloud Solution Provider/Operator.
1. Device Manufacturer: manufactures the device and installs the certificate (private key in the HSM). Once per device.
2. Device Solution Provider: installs the AWS IoT device client/SDK and the initial version of the application. Once per device.
3. IoT Cloud Solution Provider/Operator: sets up the AWS IoT account/endpoint and the IoT policy. Done once for all devices.
4. Operator: registers the root and intermediate CA certificates with AWS IoT, enables auto-registration on them, and associates the provisioning template that creates the thing and attaches the policy.
5. Operator: pre-registers the device certificate to be blocked and sets its status to REVOKED. Because the certificate is already present in the registry, auto-registration does not run for it when the device connects.
6. IoT Device: connects to AWS IoT the first time it has internet connectivity. Once per device.
7. AWS IoT: rejects the connection, since the presented device certificate is revoked.
21. Scenario 4 (AWS IoT) - Device Content Management: configure the devices with the desired software configuration

Precondition
• Device is registered and active in the AWS IoT device registry.
Note:
• Job document: specifies the remote operations that need to be performed on the device.
• A SNAPSHOT job completes once the job has completed on its targets. A CONTINUOUS job keeps running and is executed whenever a change is detected in a target (applicable to use cases where devices need to be updated as they are added to a group).
• Target: a Thing Group or a list of devices. Rollout: indicates how quickly devices are notified of the job.
PostCondition
• Device is configured with the desired configuration.

Actors: IoT Cloud Solution Provider/Operator, AWS IoT Device Registry, AWS IoT Job, AWS IoT / jobs topics, IoT Device.
1. Operator: queries the device registry to identify the target group of devices.
2. Operator: creates a SNAPSHOT job with the job document, the target devices and the rollout parameters.
3. AWS IoT: notifies the device, over the jobs topics, that a job is available for it.
4. IoT Device: retrieves the job information (job document).
5. IoT Device: performs the configuration.
6. IoT Device: updates the job execution status.
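Steps 4 to 6 above are where a device decides whether to trust what a job tells it to do. The following is an added example, not code from the original deck or from AWS: a device-side job handler for a software-update job document. AWS IoT job documents are free-form JSON chosen by the solution, so the layout used here (operation, version, url, sha256) is this example's assumption; the statuses and string-to-string statusDetails follow the shape of a job execution update. The point it adds to the slide is that the job notification only proves AWS IoT delivered the document to this thing, not that the image behind the URL is the one the operator intended, so the device verifies the image digest against the document before installing and reports FAILED with a reason otherwise. The download is replaced by an in-memory map of constructed blobs so the example runs offline.

```python
"""Device-side execution of an AWS IoT job document for a software update.

Added example, not code from the original deck or from AWS. AWS IoT job
documents are free-form JSON chosen by the solution; the layout here
(operation, version, url, sha256) is this example's assumption. The device
verifies the downloaded image's digest against the job document before
installing it and reports FAILED/REJECTED with a reason otherwise. The download
is an in-memory map of constructed blobs so the example runs offline.
"""
import hashlib
import hmac
import json

URL_120 = "https://updates.example/fw-1.2.0.bin"   # constructed
URL_130 = "https://updates.example/fw-1.3.0.bin"   # constructed
BLOBS = {URL_120: b"firmware image 1.2.0 (constructed bytes)",
         URL_130: b"firmware image 1.3.0 (constructed bytes)"}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def make_job_document(version, url, sha256):
    """Job document the operator attaches to the job (layout is this example's assumption)."""
    return json.dumps({"operation": "install", "version": version, "url": url, "sha256": sha256})


JOB_DOCUMENT = make_job_document("1.2.0", URL_120, sha256_hex(BLOBS[URL_120]))


class DeviceAgent:
    def __init__(self, fetch=BLOBS.get):
        self.installed_version = "1.0.0"
        self.fetch = fetch            # stands in for the HTTPS download of the image

    def execute_job(self, job_id, document_json):
        """Return the execution update the device would publish to
        $aws/things/<thingName>/jobs/<jobId>/update for this job."""
        try:
            doc = json.loads(document_json)
        except json.JSONDecodeError:
            return self.update(job_id, "FAILED", reason="malformed job document")
        if not isinstance(doc, dict) or doc.get("operation") != "install" \
                or not {"version", "url", "sha256"} <= set(doc):
            return self.update(job_id, "REJECTED", reason="unsupported or incomplete document")
        if not str(doc["url"]).startswith("https://"):
            return self.update(job_id, "REJECTED", reason="image url is not https")
        image = self.fetch(doc["url"])
        if image is None:
            return self.update(job_id, "FAILED", reason="download failed")
        expected = str(doc["sha256"]).lower().encode()
        if not hmac.compare_digest(sha256_hex(image).encode(), expected):
            return self.update(job_id, "FAILED", reason="image digest mismatch")
        self.installed_version = doc["version"]        # only now is the image applied
        return self.update(job_id, "SUCCEEDED", installedVersion=doc["version"])

    @staticmethod
    def update(job_id, status, **details):
        """Job execution update: status plus string-to-string statusDetails."""
        return {"jobId": job_id, "status": status,
                "statusDetails": {k: str(v) for k, v in details.items()}}
```

The digest in the job document is trustworthy only because the document itself reaches the device over the mutually authenticated MQTT session and was written by an operator with permission to create jobs; the image download, which may come from a different host or a presigned URL, gets no such guarantee on its own, which is why the device checks it.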
22. Scenario 5 (AWS IoT) - Customer did not pay: disable the service

Precondition
• Device is registered and active in the AWS IoT device registry.
PostCondition
• The device will not be authenticated and will not be able to connect to AWS IoT. Reactivate the certificate if the service needs to be restored (deactivation, unlike revocation, is reversible).

Actors: IoT Cloud Solution Provider/Operator, AWS IoT Device Registry.
1. Operator: deactivates the certificate associated with the device (status INACTIVE).
23. Scenario 6 (AWS IoT) - Device compromised: revoke the device

Precondition
• Device is registered and active in the AWS IoT device registry.
PostCondition
• The device will not be authenticated and will not be able to connect to AWS IoT. Revocation is permanent; a revoked certificate cannot be reactivated.

Actors: IoT Cloud Solution Provider/Operator, AWS IoT Device Registry.
1. Operator: revokes the certificate associated with the device (status REVOKED).
24. Scenario 7 (AWS IoT) - Retire a device

Precondition
• Device is registered and active in the AWS IoT device registry.
PostCondition
• Device is not registered. (The device has to go through provisioning again if it needs to be reused.)
Note: the same scenario applies if a customer cancels the service.

Actors: IoT Cloud Solution Provider/Operator, AWS IoT Device Registry.
1. Operator: deactivates the certificate.
2. Operator: detaches the certificate from the device (thing).
3. Operator: deletes the device (thing) from the registry. The certificate itself can be deleted only once it is no longer ACTIVE and has been detached from the thing and from its policies.