Device Provisioning - IoT Lens

Device Provisioning

In IoT, device provisioning is composed of several sequential steps. The most important aspect is that each device must be given a unique identity and then subsequently authenticated by your IoT application using that identity.

As such, the first step to provisioning a device is to install an identity. The decisions you make in device design and manufacturing determine whether the device has a production-ready firmware image and/or a unique client credential by the time it reaches the customer. Those decisions also determine whether additional provisioning-time steps must be performed before a production device identity can be installed.

Use X.509 client certificates in IoT for your applications — they tend to be more secure and easier to manage at scale than static passwords. In AWS IoT Core, the device is registered using its certificate along with a unique thing identifier. The registered device is then associated with an IoT policy. An IoT policy gives you the ability to create fine-grained permissions per device. Fine-grained permissions ensure that only one device has permissions to interact with its own MQTT topics and messages.

This registration process ensures that a device is recognized as an IoT asset and that the data it generates can be consumed through AWS IoT to the rest of the AWS ecosystem. To provision a device, you must enable automatic registration and associate a provisioning template or an AWS Lambda function with the initial device provisioning event.

This registration mechanism relies on the device receiving a unique certificate during provisioning (which can happen either during or after manufacturing); that certificate is then used to authenticate to the IoT application, in this case AWS IoT. One advantage of this approach is that the device can be transferred to another entity and re-provisioned, allowing the registration process to be repeated with the new owner’s AWS IoT account details.
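The two artefacts these paragraphs describe, a per-device IoT policy and a provisioning template, are shown below as an added Python example that is not part of the IoT Lens. The region, account ID and policy name are placeholders; the `find_broad_statements` check is an assumed helper a reviewer might run over a policy before attaching it.

```python
import json

# Constructed placeholder identifiers, not values from the page.
REGION = "us-east-1"
ACCOUNT_ID = "123456789012"
THING_VAR = "${iot:Connection.Thing.ThingName}"  # AWS IoT policy variable


def build_device_policy(region=REGION, account_id=ACCOUNT_ID):
    """Least-privilege AWS IoT policy: every resource is bound to the thing
    attached to the connecting certificate, so a device may only use its own
    client ID and its own topic namespace (device/<thing-name>/...)."""
    arn = f"arn:aws:iot:{region}:{account_id}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "iot:Connect",
             "Resource": f"{arn}:client/{THING_VAR}"},
            {"Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"],
             "Resource": f"{arn}:topic/device/{THING_VAR}/*"},
            {"Effect": "Allow", "Action": "iot:Subscribe",
             "Resource": f"{arn}:topicfilter/device/{THING_VAR}/*"},
        ],
    }


def build_jitp_template(policy_name="DevicePolicy"):
    """Just-in-time provisioning template: the thing name is taken from the
    certificate CommonName (the manufacturing identifier), the certificate
    is activated, and the scoped policy above is attached."""
    return {
        "Parameters": {
            "AWS::IoT::Certificate::CommonName": {"Type": "String"},
            "AWS::IoT::Certificate::Id": {"Type": "String"},
        },
        "Resources": {
            "thing": {"Type": "AWS::IoT::Thing", "Properties": {
                "ThingName": {"Ref": "AWS::IoT::Certificate::CommonName"}}},
            "certificate": {"Type": "AWS::IoT::Certificate", "Properties": {
                "CertificateId": {"Ref": "AWS::IoT::Certificate::Id"},
                "Status": "ACTIVE"}},
            "policy": {"Type": "AWS::IoT::Policy",
                       "Properties": {"PolicyName": policy_name}},
        },
    }


def find_broad_statements(policy):
    """Assumed review helper: indexes of Allow statements whose resources are
    not scoped by a policy variable (e.g. a bare '*' shared by every device)."""
    broad = []
    for i, stmt in enumerate(policy["Statement"]):
        resources = stmt["Resource"]
        resources = [resources] if isinstance(resources, str) else resources
        if stmt.get("Effect") == "Allow" and any("${iot:" not in r for r in resources):
            broad.append(i)
    return broad


if __name__ == "__main__":
    print(json.dumps(build_device_policy(), indent=2))
    print(json.dumps(build_jitp_template(), indent=2))
```

The template body is what you pass in the CA's registration configuration so that a device's first connection with a CA-signed certificate creates its thing, activates the certificate and attaches the scoped policy.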

Registration Flow

Figure 1: Registration Flow

  1. Set up the manufacturing device identifier in a database.

  2. The device connects to API Gateway and requests registration from the CPM. The request is validated.

  3. Lambda requests X.509 certificates from your Private Certificate Authority (CA).

  4. Your provisioning system registered your CA with AWS IoT Core.

  5. API Gateway passes the device credentials to the device.

  6. The device initiates the registration workflow with AWS IoT Core.