Creating Device Clouds
A device cloud is created in a specific region so you have control and privacy over your device data.
If you are evaluating Ioto, you can connect to the pre-built eval cloud at eval.ioto.me. The evaluation cloud is perfect for quickly connecting Ioto devices to the cloud to test the platform.
To connect to the eval cloud, define the product property in the Ioto device.json5 configuration file. Set it to the Builder evaluation product ID from the product list. The default Ioto source code download already has this property defined in the device.json5 file.
When you are ready, you can create one or more device clouds to segment your products and devices. A single device cloud can be created for all your devices or you can segment your devices into fleets, each with their own device cloud.
For privacy and governance, you may need to separate the device data for specific users into separate fleets. These can have a dedicated device cloud to ensure total data isolation for those users.
Creating a Device Cloud
When creating a device cloud, you specify a cloud name and select an AWS region to locate your device data.
Choose a unique name to identify the cloud configuration within your account.
Enter the appropriate AWS cloud region that is closest to the location of your devices. For example, if your devices are on the US east coast, consider using the US East region and enter: "us-east-1".
You can create two types of device clouds:
- Hosted by EmbedThis
- Dedicated in your own AWS account
A hosted device cloud is a device cloud for your devices and customers that is hosted by EmbedThis on secure AWS IoT infrastructure. You do not need to have or manage your own AWS account to use a hosted device cloud.
A dedicated device cloud is created in your AWS account so you have the ultimate in control and privacy of your device data. With a dedicated device cloud, device data goes directly from your devices to the device cloud in your AWS account. The device data is not sent through EmbedThis servers.
A dedicated cloud has additional capabilities including:
- Full access to AWS services
- No data storage or I/O limits
- Enhanced security
- Custom cloud-side logic
- Fully bespoke device manager with custom components
Dedicated Device Clouds
A dedicated device cloud requires that you have your own AWS account. We recommend you use a fresh account without any other applications or AWS resources.
When creating a dedicated device cloud, you can optionally control the permissions used in your AWS account via the following AWS roles and policies:
- AWS IAM Role
- Device IAM Role
- IoT Policy
EmbedThis controls access to your AWS account via an AWS IAM role. This role grants limited access to your account for EmbedThis Builder.
The IAM role is created in your account via an AWS CloudFormation template. The template creates the necessary IAM role and resources to enable Builder services in your account.
Once your cloud account is connected, Builder will create the necessary cloud resources in your account, including a device DynamoDB database and service Lambda.
Device Keys IAM Role
The device cloud can create and manage AWS IAM access keys for your devices that let devices issue requests to the device cloud and directly to AWS services.
When creating the cloud, you can specify the name of a custom IAM role that defines the permissions for the access keys given to devices.
The device cloud will generate temporary IAM access keys based on this role.
Most device communications with the cloud are performed using the MQTT protocol. When Ioto provisions the device, it initializes the MQTT channel using an IoT policy that controls what resources the device can access and what commands the device can initiate.
You can specify the name of a custom IoT policy to precisely control what capabilities the device will have via MQTT.
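As an added illustration (not from the Ioto documentation or the EmbedThis Builder defaults), here is a least-privilege AWS IoT policy of the kind you might supply as the custom IoT policy: a device may connect only with a client ID equal to its registered thing name, and may publish, subscribe and receive only beneath its own topic prefix. The `device/<thing name>/...` topic layout and the `REGION` and `ACCOUNT_ID` placeholders are assumptions made for this example; the `${iot:Connection.Thing.ThingName}` policy variable is resolved by AWS IoT from the thing attached to the device certificate.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:REGION:ACCOUNT_ID:client/${iot:Connection.Thing.ThingName}"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": "arn:aws:iot:REGION:ACCOUNT_ID:topic/device/${iot:Connection.Thing.ThingName}/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:REGION:ACCOUNT_ID:topicfilter/device/${iot:Connection.Thing.ThingName}/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Receive",
      "Resource": "arn:aws:iot:REGION:ACCOUNT_ID:topic/device/${iot:Connection.Thing.ThingName}/*"
    }
  ]
}
```

Contrast this with a policy that allows `iot:*` on resource `*`: with that policy, one leaked device certificate can read and inject messages on every device's topics, whereas the scoped policy confines the damage to the single device whose credential was exposed.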