Best Practice 25.2 – Use programmatic techniques to provision devices at scale - IoT Lens Checklist

Scaling the onboarding and provisioning of a large device fleet becomes a bottleneck if there is even one manual step per device. Programmatic techniques define patterns of behavior for automating the provisioning process so that authenticated and authorized devices can onboard at any time. This practice ensures a well-documented, reliable, and programmatic provisioning mechanism that is consistent across all devices and free of human error.

Recommendation 25.2.1 – Embed provisioning claims into the devices that are mapped to approval authorities recognized by the provisioning service

  • Generate a provisioning claim and embed it into the device at the time of manufacturing.

  • AWS IoT Core can generate and securely deliver certificates and private keys to your devices when they connect to AWS IoT for the first time, using AWS IoT Fleet Provisioning.

Recommendation 25.2.2 – Use programmatic bootstrapping mechanisms, if you are bringing your own certificates

  • Determine whether or not you will have device information beforehand.

  • If you don’t have device information beforehand, use just-in-time provisioning (JITP).

    • Enable automatic registration and associate a provisioning template with the CA certificate used to sign the device certificate.

    • For example, when a device attempts to connect to AWS IoT using a certificate signed by a registered CA certificate, AWS IoT loads the provisioning template associated with that CA certificate and initiates the JITP workflow.

  • If you have device information beforehand, use bulk registration.

    • Specify a list of single-thing provisioning template values that are stored in a file in an S3 bucket.

    • Run the start-thing-registration-task command to register things in bulk. Provide the provisioning template, the S3 bucket name, the key name of the input file, and a role ARN to the command.
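One way to prepare and submit the bulk registration described in Recommendation 25.2.2, as an added shell example that is not part of the checklist or of AWS's own documentation: the bucket name, key, role ARN, template and device inventory are constructed placeholders, while the `start-thing-registration-task` flags and the template schema are the real ones.

```shell
# Added example, not from the IoT Lens Checklist. Bucket, key, role ARN, template
# and inventory are constructed placeholders; replace them with your own values.
set -eu
# Constructed sample inventory, "serial,thingName" per line: this is the "device
# information beforehand" that makes bulk registration applicable.
SAMPLE_INVENTORY='SN-0001,sensor-0001
SN-0002,sensor-0002
SN-0003,sensor-0003'
# Minimal single-thing template; its Parameters must match the keys emitted below.
# Add an AWS::IoT::Certificate resource with a CSR parameter if devices ship CSRs.
write_template() {
  cat > "$1" <<'EOF'
{"Parameters": {"ThingName": {"Type": "String"}, "SerialNumber": {"Type": "String"}},
 "Resources": {"thing": {"Type": "AWS::IoT::Thing",
   "Properties": {"ThingName": {"Ref": "ThingName"},
                  "AttributePayload": {"serial": {"Ref": "SerialNumber"}}}}}}
EOF
}
# Convert the inventory into the newline-delimited JSON the task reads from S3:
# one object per line, one thing each. Prints the number of records written.
build_bulk_input() {
  inventory=$1; out=$2
  : > "$out"
  while IFS=, read -r serial thing; do
    # Reject empty fields and characters outside the thing-name set so that one
    # malformed inventory row cannot break or alter the JSON of another record.
    [ -n "$serial" ] && [ -n "$thing" ] || { echo "rejecting record: $serial,$thing" >&2; return 1; }
    case "$serial$thing" in *[!A-Za-z0-9:_-]*) echo "rejecting record: $serial,$thing" >&2; return 1;; esac
    printf '{"ThingName":"%s","SerialNumber":"%s"}\n' "$thing" "$serial" >> "$out"
  done <<EOF
$inventory
EOF
  wc -l < "$out" | tr -d ' '
}
# Upload the file and start the task with the four inputs the checklist names:
# template body, bucket, key and role ARN. DRY_RUN=1 prints the commands instead.
register_things() {
  input=$1; bucket=$2; key=$3; role_arn=$4; template=$5
  run=${DRY_RUN:+echo}
  $run aws s3 cp "$input" "s3://$bucket/$key"
  $run aws iot start-thing-registration-task --template-body "file://$template" \
    --input-file-bucket "$bucket" --input-file-key "$key" --role-arn "$role_arn"
}
# Stand-alone demo: dry run by default; set DRY_RUN= (empty) to submit for real.
DRY_RUN=${DRY_RUN-1}
INPUT=$(mktemp); write_template "$INPUT.template.json"
echo "records written: $(build_bulk_input "$SAMPLE_INVENTORY" "$INPUT")"
register_things "$INPUT" my-provisioning-bucket devices.jsonl \
  arn:aws:iam::123456789012:role/IoTBulkRegistrationRole "$INPUT.template.json"
```

The role passed as `--role-arn` needs only read access to the input object in the bucket; keep it separate from the identity that runs the command.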