Setting up - AWS IoT Core

Setting up

Before you use Device Advisor for the first time, complete the following tasks.

Create an IAM role to be used as your device role

This section shows you how to create an AWS account and add permissions to an IAM user that you can use to run Device Advisor tests on your devices.

  1. Go to the AWS IAM console and log in to the account you use for Device Advisor testing.

  2. First, create a policy that restricts the role permissions to the device thing policies. On the left navigation pane, choose Policies.

  3. Choose Create policy.

  4. Under Create policy, do the following.

    1. Choose IoT for Service.

    2. Under Action, check All IoT actions (iot:*).

    3. Under Resources, you can select all resources. However, for best security practices, restrict client, topic, and topicfilter. If you choose to restrict these resources, follow the steps below.

      1. Choose Specify client resource ARN for the Connect action.

        1. Choose Add ARN.

        2. Specify the region, accountId, and clientId in the visual ARN editor or manually specify the Amazon Resource Names (ARNs) of the IoT topics you want to use to run test cases. The clientId is the MQTT clientId your device uses to interact with Device Advisor.

        3. Choose Add.

      2. Choose Specify topic resource ARN for the Receive and 1 more action.

        1. Choose Add ARN.

        2. Specify the region, accountId, and topic name in the visual ARN editor or manually specify the ARNs of the IoT topics you want to use to run test cases. The topic name is the MQTT topic your device uses to publish messages to.

        3. Choose Add.

      3. Choose Specify topicfilter resource ARN for the Subscribe action.

        1. Choose Add ARN.

        2. Specify the region, accountId, and topic name in the visual ARN editor or manually specify the ARNs of the IoT topics you want to use to run test cases. The topic name is the MQTT topic your device uses to subscribe to.

        3. Choose Add.

  5. Choose Review policy.

  6. Under Review policy, enter a Name.

  7. Choose Create policy.

  8. On the left navigation pane, choose Roles.

  9. Choose Create Role.

  10. Under Or select a service to view its use cases, choose IoT.

  11. Under Select your use case, choose IoT.

  12. Choose Next: Permissions.

  13. (Optional) Under Set permissions boundary, choose Use a permissions boundary to control the maximum role permissions, and then choose the policy you just created.

  14. Choose Next: Tags.

  15. Choose Next: Review.

  16. Enter a Role name and a Role description.

  17. Choose Create role.

  18. Navigate to the role you created.

  19. Choose Attach policies in the Permissions tab, and then choose the policy you created in Step 4.

  20. Choose Attach policy.

  21. Choose Trust relationships tab and choose Edit trust relationship.

  22. Enter this policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowAwsIoTCoreDeviceAdvisor",
          "Effect": "Allow",
          "Principal": {
            "Service": "iotdeviceadvisor.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }

  23. Choose Update Trust Policy.
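Step 4.3 above recommends restricting the client, topic, and topicfilter resources rather than granting iot:* on every resource. The following is an added example (not part of the AWS documentation and not an AWS SDK function) that builds the scoped-down permissions policy for the device role from a region, account ID, MQTT client ID, and topic list, and includes a small check that flags Allow statements granting iot:* on Resource "*". The region, account ID, client ID, and topic names are constructed placeholders. It treats the console's "Receive and 1 more action" as iot:Receive plus iot:Publish on the topic resource; that pairing is an assumption of this example, not text from the page.

```python
"""Build the scoped-down IAM permissions policy described in step 4.3.

Added example, not part of the AWS Device Advisor documentation. All region,
account, client-ID and topic values used here are constructed placeholders.
"""
import json


def iot_arn(region: str, account_id: str, resource_type: str, name: str) -> str:
    """Return an AWS IoT resource ARN of the form
    arn:aws:iot:<region>:<account>:<client|topic|topicfilter>/<name>."""
    return f"arn:aws:iot:{region}:{account_id}:{resource_type}/{name}"


def build_device_role_policy(region: str, account_id: str, client_id: str, topics: list) -> dict:
    """Restrict Connect to one MQTT client ID, Publish/Receive to the named
    topics, and Subscribe to the matching topic filters, instead of iot:* on "*".

    Assumption (not stated on the page): the console's "Receive and 1 more
    action" on the topic resource is iot:Receive together with iot:Publish.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ConnectAsDeviceClientId",
                "Effect": "Allow",
                "Action": "iot:Connect",
                "Resource": iot_arn(region, account_id, "client", client_id),
            },
            {
                "Sid": "PublishReceiveOnTestTopics",
                "Effect": "Allow",
                "Action": ["iot:Publish", "iot:Receive"],
                "Resource": [iot_arn(region, account_id, "topic", t) for t in topics],
            },
            {
                "Sid": "SubscribeToTestTopicFilters",
                "Effect": "Allow",
                "Action": "iot:Subscribe",
                "Resource": [iot_arn(region, account_id, "topicfilter", t) for t in topics],
            },
        ],
    }


# The "select all resources" shape from step 4.3 that the page advises against.
WILDCARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllIoTEverywhere", "Effect": "Allow", "Action": "iot:*", "Resource": "*"}
    ],
}


def overly_broad_statements(policy: dict) -> list:
    """Return the Sids of Allow statements that grant iot:* (or *) on every resource.

    IAM accepts both a single string and a list for Action and Resource, so
    both forms are normalised to lists before checking.
    """
    flagged = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        wildcard_action = any(a in ("*", "iot:*") for a in actions)
        wildcard_resource = "*" in resources
        if wildcard_action and wildcard_resource:
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


if __name__ == "__main__":
    # Constructed placeholder values; replace with your own account details.
    policy = build_device_role_policy(
        region="us-east-1",
        account_id="123456789012",
        client_id="my-test-device",
        topics=["device/my-test-device/data"],
    )
    print(json.dumps(policy, indent=2))
    print("Broad statements in scoped policy:", overly_broad_statements(policy))
    print("Broad statements in wildcard policy:", overly_broad_statements(WILDCARD_POLICY))
```

Paste the printed JSON into the JSON tab of the Create policy page in place of the visual editor steps. The Subscribe statement uses topicfilter ARNs because IAM authorizes MQTT subscriptions against the filter a device subscribes with, while Publish and Receive are authorized against the concrete topic ARN.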

Create a custom-managed policy for your Device Advisor user account

  1. Navigate to the IAM console at https://console.aws.amazon.com/iam/ and log in to your account.

  2. In the left navigation pane, choose Policies.

  3. Choose Create Policy, then choose the JSON tab.

  4. Add the necessary permissions to use Device Advisor. The policy document can be found under Security best practices.

  5. Choose Review Policy.

  6. Enter a Name and Description.

  7. Choose Create Policy.

Create an IAM user to use to run Device Advisor tests

Note

We recommend that you create an IAM user to use when you run Device Advisor tests. Although we don't recommend it, you can also use an IAM Admin user.

  1. Navigate to the IAM console at https://console.aws.amazon.com/iam/ and log in to your account.

  2. In the left navigation pane, choose Users.

  3. Choose Add User.

  4. Enter a User name.

  5. Select Programmatic access.

  6. Choose Next: Permissions.

  7. Choose Attach existing policies directly.

  8. Enter the name of the custom-managed policy you created in the search box and then select the check box to the left of Policy name.

  9. Choose Next: Tags.

  10. Choose Next: Review.

  11. Choose Create user.

  12. Choose Close.

Device Advisor requires access to your AWS resources (things, certificates, endpoint) on your behalf. Your IAM user must have the necessary permissions. Device Advisor will also publish logs to Amazon CloudWatch if you attach the necessary permissions policy to your IAM user.

Create an AWS IoT thing and certificate

  1. Go to the AWS IoT Core console. Log in to the account you use for Device Advisor testing, and in the left navigation pane, choose Manage.

  2. If you have any existing things, choose Create to create a new thing. Otherwise, on the You don't have any things yet page, choose Register a thing.

  3. On the Creating AWS IoT things page, choose Create a single thing.

  4. On the Add your device to the thing registry page, enter a Name for your thing. Choose Next.

  5. On the Add a certificate for your thing page, choose Create certificate. Notifications appear confirming that your thing and a certificate for your thing are created.

  6. Copy the certificate you created in the previous step to your device. The correct location of the certificate depends on references to the certificate in your device's software or firmware.

Configure your test device

Device Advisor uses the server name indication (SNI) TLS extension to apply TLS configurations. Devices must use this extension when connecting and pass a server name that is identical to the Device Advisor test endpoint.

Device Advisor allows the TLS connection when a test is in the Running state and denies the TLS connection before and after each test run. For this reason, we also recommend using a device connect retry mechanism to have a fully automated testing experience with Device Advisor. If you run a test suite with more than one test case, for instance TLS connect, MQTT connect, and MQTT publish, then we recommend that your device has a mechanism built in to try connecting to our test endpoint every five seconds. You can then run multiple test cases in sequence in an automated manner.
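The two requirements above, SNI equal to the test endpoint and a reconnect attempt every five seconds, are shown in the following added example, which is not part of the AWS documentation or of any AWS SDK. It uses only the Python standard library: `server_hostname=` on the TLS socket is what sends the SNI extension, and `connect_with_retry` keeps retrying failed connections at the recommended interval. The endpoint name and certificate paths are constructed placeholders; the `connect` and `sleep` parameters are injectable so the retry logic can be exercised without a network.

```python
"""Connect-with-retry for a Device Advisor test device.

Added example, not part of the AWS documentation or an AWS SDK. The endpoint
and file paths below are constructed placeholders; obtain the real endpoint
with `aws iot describe-endpoint --endpoint-type iot:DeviceAdvisor`.
"""
import socket
import ssl
import time

RETRY_INTERVAL_SECONDS = 5   # the interval the documentation recommends
MQTT_TLS_PORT = 8883         # standard MQTT-over-TLS port


def make_tls_context(ca_path: str, cert_path: str, key_path: str) -> ssl.SSLContext:
    """Build a client TLS context that verifies the server against ca_path and
    presents the thing certificate created in the previous section."""
    context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_path)
    context.load_cert_chain(certfile=cert_path, keyfile=key_path)
    context.minimum_version = ssl.TLSVersion.TLSv1_2
    return context


def tls_connect(endpoint: str, context: ssl.SSLContext,
                port: int = MQTT_TLS_PORT, timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection to the test endpoint.

    server_hostname= is what puts the endpoint name into the SNI extension;
    Device Advisor requires it to match the test endpoint exactly.
    """
    raw = socket.create_connection((endpoint, port), timeout=timeout)
    return context.wrap_socket(raw, server_hostname=endpoint)


def connect_with_retry(connect, max_attempts: int,
                       interval: float = RETRY_INTERVAL_SECONDS, sleep=time.sleep):
    """Call connect() until it succeeds, waiting `interval` seconds between
    failures. Returns (connection, attempts_used). Raises ConnectionError once
    max_attempts is exhausted, chaining the last underlying error.

    Device Advisor refuses the TLS handshake outside the Running state, so the
    refused attempts before a test starts are expected, not faults.
    """
    if max_attempts < 1:
        raise ValueError("max_attempts must be at least 1")
    last_error = None
    for attempt in range(1, max_attempts + 1):
        try:
            return connect(), attempt
        except OSError as exc:          # ssl.SSLError is a subclass of OSError
            last_error = exc
            if attempt < max_attempts:
                sleep(interval)
    raise ConnectionError(f"gave up after {max_attempts} attempts") from last_error


if __name__ == "__main__":
    # Constructed placeholders; replace with your account's endpoint and files.
    ENDPOINT = "<your-device-advisor-endpoint>"
    ctx = make_tls_context("AmazonRootCA1.pem", "device.pem.crt", "device.private.key")
    conn, used = connect_with_retry(lambda: tls_connect(ENDPOINT, ctx), max_attempts=60)
    print(f"connected after {used} attempt(s); peer cert subject:",
          conn.getpeercert().get("subject"))
    conn.close()
```

With `max_attempts=60` and the five-second interval the device keeps trying for about five minutes, which gives the test suite time to move each test case into the Running state. Start the retry loop before starting the suite so that the first test sees a live connection attempt.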

Note

To make your device software ready for testing, we recommend that you have an SDK that can connect to AWS IoT Core, and that you update the SDK with the Device Advisor test endpoint provided for your account.

The command to get the test endpoint is:

aws iot describe-endpoint --endpoint-type iot:DeviceAdvisor --region region