IAM endpoint AWS IoT Core endpoints AWS IoT Greengrass V2 endpoints AWS IoT SiteWise endpoints AWS KMS endpoint Secrets Manager endpoint AWS STS endpoint Amazon S3 endpoints Systems Manager endpoints

Required service endpoints for AWS IoT SiteWise Edge gateways

To set up connections with the AWS services required for the AWS IoT SiteWise Edge gateway, configure endpoints for the following AWS services:

AWS Identity and Access Management (IAM)
AWS IoT Core
AWS IoT Greengrass V2
AWS IoT SiteWise
AWS Key Management Service (AWS KMS)
AWS Secrets Manager
AWS Security Token Service (AWS STS)
Amazon Simple Storage Service (Amazon S3)
AWS Systems Manager

Unless noted as optional, the endpoints in this section are required by the AWS IoT SiteWise Edge gateway or to adhere to AWS recommendations and security best practices. Set up and test these endpoints before creating the gateway.

Note

Values that need to be customized for your deployment configuration are in angle brackets (<>). For a complete list of AWS Regions, see AWS Regions in AWS General Reference.

IAM endpoint

The following is the required service endpoint for AWS Identity and Access Management (IAM). For more information, see IAM endpoints.

Destination endpoint	Port	Protocol	Direction	Description
`iam.amazonaws.com`	443	TCP	Outbound	Edge device to IAM

AWS IoT Core endpoints

The following are the service endpoints for AWS IoT Core. For more information, see AWS IoT Core endpoints. In this table, prefix is your account-specific prefix for AWS IoT Device Management - jobs data endpoints (AWS IoT Core documentation).

Destination endpoint	Port	Protocol	Direction	AWS CLI commands	Description
`<prefix-ats>.iot.<region>.amazonaws.com`	443	TCP	Outbound	`aws iot describe-endpoint --endpoint-type iot:Data-ATS`	Edge device to the account-specific AWS IoT data plane
`<prefix>.credentials.iot.<region>.amazonaws.com`	443	TCP	Outbound	`aws iot describe-endpoint --endpoint-type iot:CredentialProvider`	Edge device to authenticate AWS IoT Core calls by using a built-in X.509 client certificate
`<prefix>.jobs.iot.<region>.amazonaws.com`	443	TCP	Outbound	`aws iot describe-endpoint --endpoint-type iot:Jobs`	Edge device to the AWS IoT Core control plane

AWS IoT Greengrass V2 endpoints

The following are the service endpoints for AWS IoT Greengrass V2. For more information, see AWS IoT Greengrass V2 endpoints.

Destination endpoint	Port	Protocol	Direction	Description
`greengrass.<region>.amazonaws.com`	443	TCP	Outbound	Edge device to the AWS IoT Greengrass V2 control plane
`greengrass-ats.iot.<region>.amazonaws.com`	443	TCP	Outbound	Edge device to the AWS IoT Greengrass data plane

AWS IoT SiteWise endpoints

The following are the service endpoints for AWS IoT SiteWise. For more information, see AWS IoT SiteWise endpoints.

Destination endpoint	Port	Protocol	Direction	Description
`data.iotsitewise.<region>.amazonaws.com`	443	TCP	Outbound	Edge device to the AWS IoT SiteWise data plane
`iotsitewise.<region>.amazonaws.com`	443	TCP	Outbound	(Optional) Edge device to the AWS IoT SiteWise service plane
`api.iotsitewise.<region>.amazonaws.com`	443	TCP	Outbound	Edge device to the AWS IoT SiteWise control plane
`model.iotsitewise.<region>.amazonaws.com`	443	TCP	Outbound	Edge device to the AWS IoT SiteWise model control plane
`edge.iotsitewise.<region>.amazonaws.com`	443	TCP	Outbound	Edge device to the AWS IoT SiteWise edge API operations
`monitor.iotsitewise.<region>.amazonaws.com`	443	TCP	Outbound	(Optional) Edge device to an AWS IoT SiteWise Monitor portal

AWS KMS endpoint

The following is the service endpoint for AWS Key Management Service (AWS KMS). For more information, see AWS KMS endpoints.

Destination endpoint	Port	Protocol	Direction	Description
`kms.<region>.amazonaws.com`	443	TCP	Outbound	Edge device to AWS KMS

Secrets Manager endpoint

The following is the service endpoint for AWS Secrets Manager. For more information, see Secrets Manager endpoints.

Destination endpoint	Port	Protocol	Direction	Description
`secretsmanager.<region>.amazonaws.com`	443	TCP	Outbound	Edge device to Secrets Manager

AWS STS endpoint

The following is the service endpoint for AWS Security Token Service (AWS STS). For more information, see AWS STS endpoints.

Destination endpoint	Port	Protocol	Direction	Description
`sts.<region>.amazonaws.com`	443	TCP	Outbound	Edge device to AWS STS

Amazon S3 endpoints

The following are the service endpoints for Amazon Simple Storage Service (Amazon S3). For more information, see Amazon S3 endpoints.

Destination endpoint	Port	Protocol	Direction	Description
`s3.<region>.amazonaws.com`	443	TCP	Outbound	Edge device to all S3 buckets in the AWS Region
`*.s3.amazonaws.com`	443	TCP	Outbound	Edge device to any S3 bucket for downloading all AWS IoT Greengrass V2 components, including AWS provided components
`*.s3.<region>.amazonaws.com`	443	TCP	Outbound	(Optional) Edge device to any S3 bucket in the AWS Region for downloading all AWS IoT Greengrass V2 components, including AWS provided components

Systems Manager endpoints

The following are the service endpoints for AWS Systems Manager. For more information, see Systems Manager endpoints.

Destination endpoint	Port	Protocol	Direction	Description
`ssm.<region>.amazonaws.com`	443	TCP	Outbound	Edge device to Systems Manager
`ssmmessages.<region>.amazonaws.com`	443	TCP	Outbound	(Optional) Edge device to Session Manager

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Architecture options

Next steps