
Creating Device Clouds


A device cloud is created in your own AWS account, in a region you choose, so the device data stays under your control and is never held in an EmbedThis account. You can create one or more device clouds to segment your products and devices.

Data Privacy

You can create one or more device clouds. A single device cloud can serve all your devices, or you can segment your devices into fleets, each with its own device cloud.

For privacy and governance, you may need to keep the device data of specific customers or users apart from the rest. Give such a fleet its own device cloud, in the region your data-residency rules require, so that its data lives in separate resources from every other fleet.

Creating a Device Cloud

When creating a device cloud, you specify a cloud name and select an AWS region to locate your device data.

Cloud Name

Choose a unique name to identify the cloud configuration within your account.

AWS Region

Enter the AWS region closest to the location of your devices. For example, if your devices are on the US east coast, consider using the US East (N. Virginia) region and enter: "us-east-1". The region also determines where the device data is stored, so choose it with any data-residency requirements in mind.

IAM Role

Builder accesses your AWS account by assuming an AWS IAM role that you create in your account. This role grants EmbedThis Builder limited access to your account; it does not use your own user credentials or access keys.

The IAM role is created in your account via an AWS CloudFormation template. The template creates the IAM role and the supporting resources that enable Builder services in your account. Review the template before creating the stack: the role's trust policy should allow only the EmbedThis principal to assume it, and its permissions should be limited to the services Builder needs.

Once your cloud account is connected, Builder creates the necessary cloud resources in your account, including a DynamoDB table for device data and a service Lambda function.
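Before deploying a third-party CloudFormation template that creates a cross-account role, it is worth checking the role's trust policy and permissions mechanically rather than by eye. The following added example (not EmbedThis code, and not the Builder template itself) reviews the `AWS::IAM::Role` resources in a template dictionary and reports over-broad grants. The sample template, account IDs and ExternalId value are constructed placeholders; run `review_role` against the template you actually download.

```python
"""Review the IAM roles in a CloudFormation template before deploying it.

Added example, not EmbedThis code. SAMPLE_TEMPLATE is a constructed
stand-in for a third-party cross-account role; substitute the real template.
"""
import json

# Constructed sample. 111111111111 stands for the service provider's account,
# "example-external-id" for the secret the provider must present on AssumeRole.
SAMPLE_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "BuilderAccessRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
                        "Action": "sts:AssumeRole",
                        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
                    }],
                },
                "Policies": [{
                    "PolicyName": "BuilderAccess",
                    "PolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [
                            {"Effect": "Allow", "Action": ["dynamodb:*"],
                             "Resource": "arn:aws:dynamodb:us-east-1:222222222222:table/ioto-*"},
                            # Deliberately over-broad so the reviewer has something to flag
                            {"Effect": "Allow", "Action": "iot:*", "Resource": "*"},
                        ],
                    },
                }],
            },
        }
    },
}


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def review_role(template: dict) -> dict:
    """Return {role_name: [finding, ...]} for every AWS::IAM::Role in the template."""
    findings = {}
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        props = res.get("Properties", {})
        issues = []

        # Trust policy: who may assume the role, and is an ExternalId required?
        trust = props.get("AssumeRolePolicyDocument", {})
        for st in _as_list(trust.get("Statement", [])):
            if st.get("Effect") != "Allow":
                continue
            principal = st.get("Principal", {})
            if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
                issues.append("trust: any AWS principal may assume this role")
            cond = st.get("Condition", {})
            has_ext = any("sts:ExternalId" in v for v in cond.values() if isinstance(v, dict))
            if isinstance(principal, dict) and "AWS" in principal and not has_ext:
                issues.append("trust: cross-account principal without sts:ExternalId condition")

        # Inline policies: service-wide actions on every resource
        for pol in props.get("Policies", []):
            for st in _as_list(pol.get("PolicyDocument", {}).get("Statement", [])):
                if st.get("Effect") != "Allow":
                    continue
                actions = _as_list(st.get("Action", []))
                resources = _as_list(st.get("Resource", []))
                if "*" in resources and any(a == "*" or a.endswith(":*") for a in actions):
                    issues.append(f"policy {pol.get('PolicyName')}: {','.join(actions)} on Resource '*'")

        # Managed policies: full administrative access attached wholesale
        for arn in props.get("ManagedPolicyArns", []):
            if isinstance(arn, str) and arn.endswith("/AdministratorAccess"):
                issues.append("managed policy: AdministratorAccess attached")

        findings[name] = issues
    return findings


if __name__ == "__main__":
    print(json.dumps(review_role(SAMPLE_TEMPLATE), indent=2))
```

A finding is a reason to ask questions, not necessarily to reject the template: some AWS IoT control-plane actions do not support resource-level permissions and legitimately need `Resource: "*"`, but those should be listed individually rather than granted as `iot:*`.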

Device Keys IAM Role

The device cloud can create and manage temporary AWS IAM credentials for your devices. Devices use these credentials to issue requests to the device cloud and directly to AWS services.

When creating the cloud, you can specify the name of a custom IAM role that defines the permissions carried by the credentials given to devices.

The device cloud generates temporary IAM credentials based on this role. Keep the role's permissions to the minimum the devices need: every device receives credentials derived from it, so the role defines what a compromised device can do in your account.

IoT Policy

Most device communications with the cloud use the MQTT protocol. When Ioto provisions the device, it initializes the MQTT channel using an AWS IoT policy that controls which topics the device can connect to, publish to and subscribe to, and therefore which commands it can initiate.

You can specify the name of a custom IoT policy to precisely control what capabilities the device will have via MQTT. A policy that names a fixed client ID or topic prefix is shared by every device that uses it, so a custom policy should bind the allowed client ID and topics to the identity of the connecting device.
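The following added example (not Builder's default policy and not EmbedThis code) shows what a per-device IoT policy looks like and how to lint a policy for grants that span all devices. It uses the AWS IoT policy variable `${iot:Connection.Thing.ThingName}`, which resolves to the registered thing name of the connecting certificate. The region, account ID and the `ioto/device/<thing>/...` topic layout are assumptions; adapt them to your own cloud.

```python
"""Build a per-device AWS IoT policy for MQTT and lint a policy for over-broad grants.

Added example, not the Builder default. REGION, ACCOUNT and the topic prefix
are assumptions; the policy variable below is a real AWS IoT policy variable.
"""
import json

REGION = "us-east-1"        # assumption: the device cloud's region
ACCOUNT = "123456789012"    # placeholder AWS account id
# Resolved by AWS IoT at connect time to the thing name bound to the client certificate.
THING = "${iot:Connection.Thing.ThingName}"


def scoped_iot_policy(region: str = REGION, account: str = ACCOUNT) -> dict:
    """Least-privilege policy: a device may only act as itself and under its own topic prefix."""
    arn = f"arn:aws:iot:{region}:{account}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            # Connect only with a client id equal to the registered thing name
            {"Effect": "Allow", "Action": "iot:Connect",
             "Resource": f"{arn}:client/{THING}"},
            # Publish and receive only under the device's own topic prefix (assumed layout)
            {"Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"],
             "Resource": f"{arn}:topic/ioto/device/{THING}/*"},
            # Subscribe only to topic filters under that prefix
            {"Effect": "Allow", "Action": "iot:Subscribe",
             "Resource": f"{arn}:topicfilter/ioto/device/{THING}/*"},
        ],
    }


# Constructed contrast: every device may connect as anyone and use any topic.
PERMISSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iot:*", "Resource": "*"}],
}

DATA_ACTIONS = ("iot:*", "iot:Publish", "iot:Subscribe", "iot:Receive")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_iot_policy(policy: dict) -> list:
    """Return human-readable findings; an empty list means nothing over-broad was found."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        for r in _as_list(st.get("Resource", [])):
            if r == "*":
                findings.append(f"statement {i}: Resource '*' for {','.join(actions)}")
                continue
            # arn:aws:iot:<region>:<account>:<type>/<name>
            target = r.split(":", 5)[-1]
            if any(a in ("iot:*", "iot:Connect") for a in actions) and target == "client/*":
                findings.append(f"statement {i}: any client id may connect")
            if (any(a in DATA_ACTIONS for a in actions)
                    and target.startswith(("topic/", "topicfilter/"))
                    and "${iot:" not in target):
                findings.append(f"statement {i}: {target} is not bound to the connecting thing")
    return findings


if __name__ == "__main__":
    print(json.dumps(scoped_iot_policy(), indent=2))
    print(lint_iot_policy(PERMISSIVE_POLICY))
```

The thing-name variable only resolves when the device's certificate is attached to a thing in the AWS IoT registry; a certificate that is not attached to any thing will fail to connect under this policy, which is the intended failure mode. Topic resources without a policy variable are flagged as a warning rather than an error, since a deliberately shared broadcast topic is a legitimate exception.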

Deleting Device Clouds

If you delete a cloud, Builder removes the CloudFormation stack and all the resources it created, including the device database and any AWS IoT configuration. This is not reversible, so export any device data you need to keep before deleting the cloud, and expect devices provisioned against it to lose their cloud connection.