
ARC339-R

Best practices for IoT architecture using AWS smart product solution

Steve Blackwell, WW Tech Leader, Manufacturing, Amazon Web Services
Beomseok Lee, Solutions Builder, Amazon Web Services

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Agenda
Why and what is a smart product?

Smart product solution introduction

Design decisions of smart product solution

Smart product solution customization

Demo UI
Manufacturing industry trends

• Data is the new oil
• More than digitally “executed” manufacturing
• Product-as-a-service
• Connected products
• Sustainability
AWS Manufacturing Reference Architecture (diagram; https://awsreferencearchitecture.com/manufacturing)

Factory side: factory machines, Modbus and OPC-UA connectors, ML inference, historian and MES data ingestion through AWS IoT Greengrass connectors and edge gateways, Outposts, Snowball Edge, local servers and Storage Gateway. AWS Cloud side: IoT Core, IoT SiteWise, IoT Analytics, IoT Events, Kinesis, the S3 manufacturing data lake, AWS Glue, Athena, SageMaker, EMR, Redshift (data warehouse), QuickSight (business intelligence), Lambda (business logic), DynamoDB, SNS, Transfer for SFTP, Amazon Forecast, DMS, RDS, EC2, EBS, Batch and AppStream; enterprise workloads (SAP ERP/CRM) and E&D workloads (PLM/HPC/CAE); connected vehicles, connected products and smart product. Business function inputs: marketing and sales, plant maintenance, production, supply chain and logistics.

Manufacturing flywheel (diagram)

A flywheel linking Factory, Smart product, R&D and New product introduction, with the outcomes: yield, lifecycle management, quality improvements, product loyalty, uptime, customer satisfaction, NPS, lower changeover.
Smart Product Use Cases

• Customer Engagement
• Remote Control & Management
• Analytics & ML
• Usage & Fleet Analytics
• OEM Ecosystem
• As a Service
• AR/VR
• Telemetry
• New Business Models
• Zero Downtime
• Condition Based Monitoring
• Product Optimization
• Embedded Compute
• Connectivity
• Quality
• Predictive Maintenance
• Security

Smart product solution

The smart product solution is a deployable reference architecture demonstrating the “art of the possible” and enabling manufacturers to jump-start development of innovative smart product services.

• Default devices: HVAC (heating, ventilation, and air conditioning)
• Visit the Smart Product Solution website: https://aws.amazon.com/solutions/smart-product-solution/
Smart product solution architecture (diagram)

Device side: HVAC devices running the AWS IoT Greengrass core or the IoT device SDK connect to AWS IoT Core, with just-in-time registration and AWS IoT Device Defender (audit findings delivered through Amazon SNS). Cloud side: an event message proxy (IoT rule, AWS Lambda, Amazon DynamoDB) feeding a notification service (AWS Lambda, Amazon SNS); a telemetry analytics pipeline (AWS IoT Analytics, Amazon QuickSight); a device command path (AWS Lambda, with command status tracked in Amazon DynamoDB); a smart product data API service (Amazon API Gateway, AWS Lambda, Amazon DynamoDB, Amazon Cognito); and an owner web console (Amazon S3 bucket, Amazon CloudFront, AWS Amplify) used by device users.
Device registration process (diagram, two lanes)

Lane 1: IoT rule and Lambda function
1. Create the rule and the Lambda function. The rule selects the certificate-registered events:

   SELECT * FROM '$aws/events/certificates/registered/#'

2. The device connects to IoT; the certificate is registered (status = PENDING_ACTIVATE) and an MQTT event is sent.
3. The rule on the MQTT event (just-in-time registration) triggers the Lambda function.
4. The Lambda function runs the provisioning workflow for the device:
   - attach policies
   - create and attach thing
   - activate certificate

Lane 2: provisioning template
1. Attach the provisioning template and role to the CA:

   {
     "templateBody" : "...",
     "roleArn" : "..."
   }

2. The device connects to IoT; the certificate is registered (status = PENDING_ACTIVATE) and the template provisions the device.
Just-in-time registration (architecture diagram, highlighting the just-in-time registration path from the HVAC devices through AWS IoT Core to the AWS Lambda function and its Amazon DynamoDB table)
Just-in-time registration workflow (diagram)

1. The HVAC device presents a new IoT device certificate (CN=<<unique thing name>>) to the AWS IoT Core device gateway over the IoT MQTT protocol.
2. AWS IoT Core publishes the new certificate event on $aws/events/certificates/registered/#.
3. An IoT rule on that topic invokes the just-in-time registration Lambda function, which:
   1. Creates an IoT policy
   2. Attaches the policy to the certificate
   3. Attaches the certificate to the thing
4. The Lambda function updates the device status in the registration table.
Smart product solution IoT policy

Action                  Resource
iot:Connect             • arn:aws:iot:${region}:${accountId}:client/${iotThingName}
iot:GetThingShadow      • arn:aws:iot:${region}:${accountId}:thing/${iotThingName}
iot:UpdateThingShadow   • arn:aws:iot:${region}:${accountId}:thing/${iotThingName}
iot:Publish             • arn:aws:iot:${region}:${accountId}:topic/${telemetryTopic}/${iotThingName}
                        • arn:aws:iot:${region}:${accountId}:topic/${eventTopic}/${iotThingName}
                        • arn:aws:iot:${region}:${accountId}:topic/${commandTopic}/${iotThingName}
                        • arn:aws:iot:${region}:${accountId}:topic/$aws/things/${iotThingName}/shadow/*
iot:Subscribe           • arn:aws:iot:${region}:${accountId}:topicfilter/$aws/things/${iotThingName}/shadow/*
                        • arn:aws:iot:${region}:${accountId}:topicfilter/${commandTopic}/${iotThingName}
iot:Receive             • arn:aws:iot:${region}:${accountId}:topic/$aws/things/${iotThingName}/shadow/*
                        • arn:aws:iot:${region}:${accountId}:topic/${commandTopic}/${iotThingName}
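As an added example (not code from the solution or from the slides), the following Python fills in the policy table above for one device and then checks the result for grants that are not pinned to that device, the kind of finding the AWS IoT Device Defender "IoT policies overly permissive" audit check listed later in the deck is meant to surface. The topic prefixes, region, account ID and thing name are constructed sample values; in the solution they come from its own configuration and from the certificate CN.

```python
import json
import re

# Constructed topic prefixes, chosen to match the topic names shown on the
# slides (smartproduct/telemetry, smartproduct/event, smartproduct/command).
TOPICS = {
    "telemetryTopic": "smartproduct/telemetry",
    "eventTopic": "smartproduct/event",
    "commandTopic": "smartproduct/command",
}

# Matches the resource types used in the policy table and captures the path.
_IOT_RESOURCE = re.compile(
    r"^arn:aws:iot:[^:]*:[^:]*:(client|thing|topic|topicfilter)/(.+)$")


def build_policy(region, account_id, thing_name, topics=TOPICS):
    """Return the per-device IoT policy from the table with ${...} filled in."""
    base = f"arn:aws:iot:{region}:{account_id}"
    shadow_topic = f"{base}:topic/$aws/things/{thing_name}/shadow/*"
    shadow_filter = f"{base}:topicfilter/$aws/things/{thing_name}/shadow/*"
    command_topic = f"{base}:topic/{topics['commandTopic']}/{thing_name}"
    command_filter = f"{base}:topicfilter/{topics['commandTopic']}/{thing_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["iot:Connect"],
             "Resource": [f"{base}:client/{thing_name}"]},
            {"Effect": "Allow",
             "Action": ["iot:GetThingShadow", "iot:UpdateThingShadow"],
             "Resource": [f"{base}:thing/{thing_name}"]},
            {"Effect": "Allow", "Action": ["iot:Publish"],
             "Resource": [
                 f"{base}:topic/{topics['telemetryTopic']}/{thing_name}",
                 f"{base}:topic/{topics['eventTopic']}/{thing_name}",
                 command_topic,
                 shadow_topic,
             ]},
            {"Effect": "Allow", "Action": ["iot:Subscribe"],
             "Resource": [shadow_filter, command_filter]},
            {"Effect": "Allow", "Action": ["iot:Receive"],
             "Resource": [shadow_topic, command_topic]},
        ],
    }


def find_overly_permissive(policy, thing_name):
    """List Allow grants in the policy that are not scoped to this one device.

    Flags wildcard actions, the bare "*" resource, and any client/thing/topic/
    topicfilter resource whose path does not contain the thing name as a whole
    segment, so "topic/smartproduct/command/*" is flagged while
    "topic/$aws/things/<thing>/shadow/*" is not.
    """
    findings = []
    for index, statement in enumerate(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        actions = statement.get("Action", [])
        resources = statement.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        for action in actions:
            if action in ("*", "iot:*"):
                findings.append(f"statement {index}: wildcard action {action}")
        for resource in resources:
            if resource == "*":
                findings.append(f"statement {index}: wildcard resource")
                continue
            match = _IOT_RESOURCE.match(resource)
            if match and thing_name not in match.group(2).split("/"):
                findings.append(
                    f"statement {index}: {match.group(1)} resource not scoped "
                    f"to {thing_name}: {resource}")
    return findings


if __name__ == "__main__":
    # Constructed sample identifiers, not real account or device values.
    doc = build_policy("us-east-1", "123456789012", "hvac-0001")
    print(json.dumps(doc, indent=2))
    print("findings:", find_overly_permissive(doc, "hvac-0001"))
```

The check is deliberately stricter than the audit: it treats any Allow resource that does not name the device as a finding, which is the property the table above is designed to guarantee.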
How to search registered devices

• Use AWS IoT Device Management fleet indexing to find devices easily.
Event message proxy (architecture diagram, highlighting the path from the HVAC devices through AWS IoT Core to the event message proxy Lambda function, the smart product data in Amazon DynamoDB, and the notification service built from AWS Lambda and Amazon SNS)
Event message proxy workflow (diagram)

1. The HVAC device, authenticated with its IoT device certificate, publishes an event message to the AWS IoT Core device gateway over the IoT MQTT protocol.
2. An IoT rule on smartproduct/event/# invokes the event message proxy Lambda function, which inserts the event message into the event table.
3. The notification service Lambda function checks the user alert level in the setting table and sends an SMS* through an Amazon SNS topic.

Heavy workload option: Amazon Simple Queue Service or Amazon Kinesis.

* Sending SMS through Amazon Simple Notification Service is not supported in all regions.

Another option: using a managed service for IoT events

• Easily ingest operations data
• Trigger a range of actions
• Scalability
• Integration with analytics tools and other AWS services
Telemetry analytics pipeline (architecture diagram: HVAC devices with the AWS IoT Greengrass core or the IoT device SDK publish to AWS IoT Core, which feeds AWS IoT Analytics and Amazon QuickSight)

Possible services to analyze IoT telemetry data

AWS IoT Analytics
• Designed specifically for IoT
• Storage of time-series data
• Device-specific data enrichment
• Queries on large datasets
• Predictive fleet maintenance

Amazon Kinesis Data Analytics
• General-purpose tool designed to easily process streaming data
• Real-time processing

Amazon Simple Storage Service
• Build your own data analytics solution
• One message, one object
• Integration with other AWS analytics services including Amazon Athena
Telemetry analytics workflow (diagram)

1. The HVAC device, authenticated with its IoT device certificate, publishes a telemetry message to the AWS IoT Core device gateway over the IoT MQTT protocol.
2. An IoT rule on smartproduct/telemetry/# and the telemetry Lambda function deliver the message into the AWS IoT Analytics channel.
3. The pipeline converts temperature and time in a Lambda function activity and writes the result to the data store, from which datasets are produced.

Pipeline Lambda function activity

Input format:

{
  "createdAt": "2019-10-02T22:09:02",
  "deviceId": "device-id",
  "actualTemperature": 72,
  "targetTemperature": 71.5,
  "sentAt": "2019-10-02T22:09:02",
  "timestamp": 1570054142005
}

Output format:

{
  ...
  "actualTemperatureC": 22.22,
  "targetTemperatureC": 21.94,
  "sentAtUtc": "2019-10-02T22:09:02",
  "createdAtUtc": "2019-10-02T22:09:02"
}
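As an added example, not the solution's own pipeline code, this Python implements the conversion shown above as an AWS IoT Analytics pipeline Lambda activity: the function is invoked with a batch of messages as a list and must return the transformed list. It assumes, as the sample output suggests, that the temperatures arrive in Fahrenheit, that `timestamp` is epoch milliseconds and is the authoritative source for the *Utc fields, and that the original fields are kept (the slide's "..."). A message without a usable temperature is dropped from the batch rather than failing the whole invocation. The sample input is the slide's own example.

```python
import json
from datetime import datetime, timezone

# Sample input copied from the slide's "Input format" panel.
SAMPLE_MESSAGE = {
    "createdAt": "2019-10-02T22:09:02",
    "deviceId": "device-id",
    "actualTemperature": 72,
    "targetTemperature": 71.5,
    "sentAt": "2019-10-02T22:09:02",
    "timestamp": 1570054142005,
}


def fahrenheit_to_celsius(value):
    """Convert and round to two decimals, matching the slide (72 -> 22.22)."""
    return round((float(value) - 32.0) * 5.0 / 9.0, 2)


def epoch_millis_to_utc(millis):
    """Render epoch milliseconds as the 'YYYY-MM-DDTHH:MM:SS' UTC string used in the output."""
    moment = datetime.fromtimestamp(int(millis) / 1000.0, tz=timezone.utc)
    return moment.strftime("%Y-%m-%dT%H:%M:%S")


def transform(message):
    """Return a copy of the message with the converted fields added.

    Raises KeyError, ValueError or TypeError on a malformed message so the
    batch handler can decide what to do with it.
    """
    out = dict(message)
    out["actualTemperatureC"] = fahrenheit_to_celsius(message["actualTemperature"])
    out["targetTemperatureC"] = fahrenheit_to_celsius(message["targetTemperature"])
    # Assumption: both UTC fields are derived from the device's epoch timestamp.
    utc = epoch_millis_to_utc(message["timestamp"])
    out["sentAtUtc"] = utc
    out["createdAtUtc"] = utc
    return out


def handler(event, context):
    """Lambda activity entry point: list of messages in, list of messages out."""
    results = []
    for message in event:
        try:
            results.append(transform(message))
        except (KeyError, ValueError, TypeError) as exc:
            # Drop the bad message; a deployment would also emit a metric here.
            print(f"dropping malformed message {json.dumps(message)}: {exc}")
    return results


if __name__ == "__main__":
    print(json.dumps(handler([SAMPLE_MESSAGE], None), indent=2))
```

Returning a shorter list than was received is what lets one bad message from a device be skipped without blocking the rest of the batch; the activity is invoked per batch, so an unhandled exception would otherwise fail every message in it.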
Amazon QuickSight integration
Device command (architecture diagram, highlighting the device command path: device users, owner web console, API service, device command Lambda function, AWS IoT Core, HVAC devices, with the command status written to Amazon DynamoDB by a Lambda function)
Device command workflow (diagram)

1. Device users execute commands on the UI. The command service Lambda function inserts the command into the command table and publishes it on the command topic, or updates the IoT desired state in the IoT shadow.
2. The HVAC device, authenticated with its IoT device certificate, subscribes to the command topic and publishes its result over the IoT MQTT protocol; in the shadow path, the device publishes the IoT reported state.
3. An IoT rule on smartproduct/command/# invokes the command status Lambda function, which updates the command in the command table.

Two different ways to handle remote commands

IoT shadow document:

{
  "desired": {
    "targetTemperature": "68"
  },
  "reported": {
    "targetTemperature": "70"
  },
  "delta": {
    "targetTemperature": "68"
  }
}

Command table item:

{
  "commandId": "uuid-of-command",
  "deviceId": "device-unique-id",
  "status": "pending",
  "details": {
    "targetTemperature": "70"
  }
}
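As an added example, not code from the solution, this Python puts the two paths side by side: the shadow path, where the delta the shadow service computes is the command and the device clears it by reporting the new state, and the command-table path, where the command service records a pending item before publishing it to the per-device command topic. The command validator (allowed keys and a temperature range) is my assumption about what the command service should check before a UI-originated command is stored or published; its field names and limits are constructed.

```python
import uuid

# Assumed: the only command field the demo HVAC device accepts, with a
# constructed sane range in Fahrenheit.
ALLOWED_COMMANDS = {"targetTemperature": (50.0, 90.0)}


def validate_command(details):
    """Reject unknown keys and out-of-range values before a command is stored or published."""
    if not details:
        raise ValueError("empty command")
    for key, value in details.items():
        if key not in ALLOWED_COMMANDS:
            raise ValueError(f"unknown command field: {key}")
        low, high = ALLOWED_COMMANDS[key]
        try:
            number = float(value)
        except (TypeError, ValueError):
            raise ValueError(f"{key} is not numeric: {value!r}") from None
        if not low <= number <= high:
            raise ValueError(f"{key} out of range: {number}")
    return details


# --- Path 1: IoT shadow -------------------------------------------------------

def compute_delta(desired, reported):
    """Mirror the shadow service: desired keys whose value differs from reported."""
    return {key: value for key, value in desired.items() if reported.get(key) != value}


def device_apply_delta(reported, delta):
    """Device side: apply the delta and return the shadow update that clears it."""
    new_reported = dict(reported)
    new_reported.update(delta)
    return {"state": {"reported": new_reported}}


# --- Path 2: command table ----------------------------------------------------

def new_command(device_id, details):
    """Command service side: the item inserted into the command table."""
    return {
        "commandId": str(uuid.uuid4()),
        "deviceId": device_id,
        "status": "pending",
        "details": validate_command(dict(details)),
    }


def command_topic(prefix, device_id):
    """Per-device command topic; the prefix is assumed to be smartproduct/command."""
    return f"{prefix}/{device_id}"


if __name__ == "__main__":
    shadow = {"desired": {"targetTemperature": "68"},
              "reported": {"targetTemperature": "70"}}
    delta = compute_delta(shadow["desired"], shadow["reported"])
    update = device_apply_delta(shadow["reported"], delta)
    print("delta:", delta)
    print("device reports:", update)
    print("delta after report:",
          compute_delta(shadow["desired"], update["state"]["reported"]))
    item = new_command("device-unique-id", {"targetTemperature": "70"})
    print(item, "->", command_topic("smartproduct/command", item["deviceId"]))
```

The per-device topic is what the IoT policy above relies on: a device may only subscribe to `${commandTopic}/${iotThingName}`, so a command published to the wrong device's topic is rejected by AWS IoT Core rather than by the device.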
AWS IoT Device Defender (diagram: AWS IoT Core, AWS IoT Device Defender, Amazon SNS)

Account audit configuration

Check name                                                     Severity   Resource type        Enabled
Authenticated Cognito role overly permissive                   Critical   Cognito pool         True
CA certificate revoked but device certificates still active    Critical   CA certificate       True
Device certificate shared                                      Critical   Device certificate   True
IoT policies overly permissive                                 Critical   Policy               True
Unauthenticated Cognito role overly permissive                 Critical   Cognito pool         True
Device identity shared                                         High       Client ID            True
CA certificate expiring                                        Medium     CA certificate       True
Device certificate expiring                                    Medium     Device certificate   True
Revoked device certificate still active                        Medium     Device certificate   True
Logging disabled                                               Low        Account settings     True
Summary of best practices

CI/CD pipeline

Continuous Integration/Continuous Delivery Pipeline: AWS CodeCommit, AWS CodePipeline, AWS CodeBuild, AWS Cloud Development Kit, AWS CloudFormation

The Smart Product Solution has its own CI/CD pipeline, so when a code change happens, the pipeline automatically builds the source code and deploys it again.
Resources

Visit the smart product solution website: https://aws.amazon.com/solutions/smart-product-solution/

Learn to architect with AWS Training and Certification

Resources created by the experts at AWS to propel your organization and career forward

• Free foundational to advanced digital courses cover AWS services and teach architecting best practices
• Classroom offerings, including Architecting on AWS, feature AWS expert instructors and hands-on labs
• Validate expertise with the AWS Certified Solutions Architect - Associate or AWS Certified Solutions Architect - Professional exams

Visit aws.amazon.com/training/path-architecting/

Thank you!

Beomseok Lee, beomseok@amazon.com
Steve Blackwell, stevbla@amazon.com