Dedicated Device Clouds

Dedicated device clouds are created in an AWS account that you own and control. As such, you have full access to all AWS services in your account.

The Ioto service provides additional capabilities for dedicated clouds:

Uploading device log files to AWS CloudWatch
Storing state in AWS IoT shadows
Executing server-side processing logic in response to AWS EventBridge events triggered by device data or metrics.
Use a custom domain to address a Device Manager.
Unlimited message traffic.
Ability to invoke AWS services directly from the device.

When you create a dedicated device cloud, the Builder and Ioto will create the following AWS resources in your AWS account:

An AWS DynamoDB database registry of your devices.
An AWS DynamoDB database exclusively for your device data.
AWS DynamoDB streams to replicate device data to and from the cloud.
An AWS API Gateway to authorize remote API access to device data.
An AWS Cognito User Pool to authenticate user access.
An AWS CloudFront and S3 site for the Ioto Device Manager site.
AWS Route53 domain for the Ioto Device Manager site.
AWS Lambda functions for cloud-side device management.
IAM Roles to restrict remote access.
AWS IoT Core policies and message routing rules.
AWS IoT Things to model your devices in the cloud.

Enabling IAM Keys

To interact with AWS services, the Ioto agent must be configured to request IAM access keys. This is enabled by setting the services.cloud.keys property in the device.json5 configuration file.

{
    services: {
        cloud: {
            keys: true
        }
    }
}

When the agent starts, it will retrieve from the Ioto service a set of IAM access keys to sign AWS API requests.

Data Lake

Amazon S3 is an object storage service offering scalable data storage with strong data availability and security guarantees.

The Ioto agent provides convenience APIs to make uploading data or files to S3 efficient and easy.

To upload a file in the Ioto agent, use awsPutFileTS3 API:

status = awsPutFileToS3("us-east-1", "MyBucket", "file.dat", "./file.data");

This call will upload the file "./file.data" to the bucket "MyBucket" on S3. The file will be saved in the bucket as "file.dat". The returned status will be a HTTP status code of 200 if successful.

CloudWatch Logs

Ioto can export logs from the local device into CloudWatch Logs for secure cloud-side storage.

Ioto Log capture offers two capabilities:

Export and save the Ioto Log to CloudWatch
Capture and export any device O/S log file to CloudWatch

Enabling Cloud Logs

To enable exporting log files to the device cloud, set the services.logs property in the config.json5 file to true.

{
    services: {
        cloud: {
            keys: true,
            logs: true
        }
    }
}

To export logs, you must have the keys property set to true to enable generation of the IAM access keys that grant access to AWS CloudWatch.

Exporting the Ioto Log

By default, the Ioto trace log is saved to /var/log/ioto.log.

To save this to the cloud, change the trace.path property in the config.json5 file to be set to "cloud".

    trace: {
        path: 'cloud'
        group: 'log-group-name',
        stream: 'log-stream-name',
    }

This will cause all messages sent to the Ioto log to be saved to the specified CloudWatch group and stream name. If the group and stream are unset, they default to: "Ioto" and "agent".

Enabling O/S Log File Export

Ioto can monitor, capture and export any file to S3. Ioto will monitor the length of the file and if new data is written to the log, it will be efficiently captured and written to CloudWatch.

To configure log files for monitoring, define the log files in the logs.files property of the config.json5 configuration file. For example:

{
    logs: {
        files: [
            { path: '/var/log/sys*log', group: 'ioto', stream: '{hostname}' }
        ],
    }
}

The files property contains any number of log definitions. Each definition specifies the local filename and the destination CloudWatch group and stream name.

The file pathname may contain the wild cards "*" and "?". This is useful for log files that have a varying portion such as a date or version component in the name.

The stream property can use tokens such as "{hostname}" which is expanded at runtime with the local hostname of the device.

AWS IoT Shadow State

The AWS IoT Device Shadow service offers convenient storage for small device state (up to 8K).

Shadows are capable of handling limited state for intermittently connected devices. When a device is not connected, updates to the shadow state in the cloud are stored until the device is next connected. Then, once connected, the changes are sent to the device for action.

Ioto makes it easy to use shadow state by automatically connecting to the AWS IoT Shadow service and by providing an easy get/set API on the device.

The Ioto agent automatically initializes an AWS Shadow state connection and subscribes to the required MQTT topics for data synchronization.

When shadows updates are received from the cloud, the agent saves these in a local shadow state file called shadow.json5. When the agent reboots, the local shadow state is read to be immediately available while the AWS cloud shadows are consulted for any updates.

We recommend using synchronized database tables rather than AWS Shadows as they offer increased data storage and more flexibility in accessing device data.

Features

Local copy of AWS IoT Device Shadow on device.
Convenience device API to get / set shadow state properties.
Controllable state synchronization with AWS IoT Shadows.
Local persistence of shadow state.

Cloud Auditing

When using a dedicated device cloud, it is best practice to enable AWS CloudTrail on your AWS device cloud account to track user and API changes and activity on your account.

From the AWS Docs:

AWS CloudTrail is an AWS service that helps you enable operational and risk auditing, governance, and compliance of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.

Visibility into your AWS account activity is a key aspect of security and operational best practices. You can use CloudTrail to view, search, download, archive, analyze, and respond to account activity across your AWS infrastructure. You can identify who or what took which action, what resources were acted upon, when the event occurred, and other details to help you analyze and respond to activity in your AWS account. Optionally, you can enable AWS CloudTrail Insights on a trail to help you identify and respond to unusual activity.

IAM Access Keys

Ioto can automatically generate and distribute IAM access keys to devices so the device can interact with the Device Cloud or AWS services.

The IAM keys are temporary access keys that expire each hour. The Ioto agent will automatically refresh these keys as required.

Enabling IAM Keys

To enable generation of temporary IAM keys, set the keys property of the services.cloud property in the Ioto agent config/ioto.json5 configuration file to true.

{
    services: {
        cloud: {
            keys: true
        }
    }
}

When the keys property is set to true, the Ioto agent will retrieve from your Device Cloud a set of temporary IAM credentials that can be used to sign AWS API requests using the Ioto agent aws APIs or to use with the AWS C API SDK.

These keys will be automatically refreshed 20 minutes before expiring, so you can rely on using these keys to be valid for 20 minutes.

IAM Role

The generated keys are based on the Device Cloud IAM role in the device cloud. This defaults to the IAM role named: IotoDeviceAccess. However, you can change this using the Builder Site to any custom role you choose.

You should follow the principle of least privilege and ensure all privileges granted to your devices are scoped to specific resources. They should only grant access to AWS APIs that are absolutely required.