Package software.amazon.awscdk.services.iot.alpha
AWS IoT Construct Library
---
The APIs of higher level constructs in this module are experimental and under active development. They are subject to non-backward compatible changes or removal in any future version. These are not subject to the Semantic Versioning model and breaking changes will be announced in the release notes. This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package.
AWS IoT Core lets you connect billions of IoT devices and route trillions of messages to AWS services without managing infrastructure.
TopicRule
Create a topic rule that give your devices the ability to interact with AWS services. You can create a topic rule with an action that invoke the Lambda action as following:
Function func = Function.Builder.create(this, "MyFunction")
.runtime(Runtime.NODEJS_LATEST)
.handler("index.handler")
.code(Code.fromInline("\n exports.handler = (event) => {\n console.log(\"It is test for lambda action of AWS IoT Rule.\", event);\n };"))
.build();
TopicRule.Builder.create(this, "TopicRule")
.topicRuleName("MyTopicRule") // optional
.description("invokes the lambda function") // optional
.sql(IotSql.fromStringAsVer20160323("SELECT topic(2) as device_id, timestamp() as timestamp FROM 'device/+/data'"))
.actions(List.of(new LambdaFunctionAction(func)))
.build();
Or, you can add an action after constructing the TopicRule instance as following:
Function func;
TopicRule topicRule = TopicRule.Builder.create(this, "TopicRule")
.sql(IotSql.fromStringAsVer20160323("SELECT topic(2) as device_id, timestamp() as timestamp FROM 'device/+/data'"))
.build();
topicRule.addAction(new LambdaFunctionAction(func));
You can also supply errorAction as following,
and the IoT Rule will trigger it if a rule's action is unable to perform:
import software.amazon.awscdk.services.logs.*;
LogGroup logGroup = new LogGroup(this, "MyLogGroup");
TopicRule.Builder.create(this, "TopicRule")
.sql(IotSql.fromStringAsVer20160323("SELECT topic(2) as device_id, timestamp() as timestamp FROM 'device/+/data'"))
.errorAction(new CloudWatchLogsAction(logGroup))
.build();
If you wanna make the topic rule disable, add property enabled: false as following:
TopicRule.Builder.create(this, "TopicRule")
.sql(IotSql.fromStringAsVer20160323("SELECT topic(2) as device_id, timestamp() as timestamp FROM 'device/+/data'"))
.enabled(false)
.build();
See also @aws-cdk/aws-iot-actions-alpha for other actions.
Logging
AWS IoT provides a logging feature that allows you to monitor and log AWS IoT activity.
You can enable IoT logging with the following code:
Logging.Builder.create(this, "Logging")
.logLevel(LogLevel.INFO)
.build();
Note: All logs are forwarded to the AWSIotLogsV2 log group in CloudWatch.
Audit
An AWS IoT Device Defender audit looks at account- and device-related settings and policies to ensure security measures are in place. An audit can help you detect any drifts from security best practices or access policies.
Account Audit Configuration
The IoT audit includes various audit checks, and it is necessary to configure settings to enable those checks.
You can enable an account audit configuration with the following code:
// Audit notification are sent to the SNS topic
ITopic targetTopic;
AccountAuditConfiguration.Builder.create(this, "AuditConfiguration")
.targetTopic(targetTopic)
.build();
By default, all audit checks are enabled, but it is also possible to enable only specific audit checks.
AccountAuditConfiguration.Builder.create(this, "AuditConfiguration")
.checkConfiguration(CheckConfiguration.builder()
// enabled
.authenticatedCognitoRoleOverlyPermissiveCheck(true)
// enabled by default
.caCertificateExpiringCheck(undefined)
// disabled
.caCertificateKeyQualityCheck(false)
.conflictingClientIdsCheck(false)
.deviceCertificateExpiringCheck(false)
.deviceCertificateKeyQualityCheck(false)
.deviceCertificateSharedCheck(false)
.intermediateCaRevokedForActiveDeviceCertificatesCheck(false)
.ioTPolicyPotentialMisConfigurationCheck(false)
.iotPolicyOverlyPermissiveCheck(false)
.iotRoleAliasAllowsAccessToUnusedServicesCheck(false)
.iotRoleAliasOverlyPermissiveCheck(false)
.loggingDisabledCheck(false)
.revokedCaCertificateStillActiveCheck(false)
.revokedDeviceCertificateStillActiveCheck(false)
.unauthenticatedCognitoRoleOverlyPermissiveCheck(false)
.build())
.build();
Scheduled Audit
You can create a scheduled audit that is run at a specified time interval. Checks must be enabled for your account by creating AccountAuditConfiguration.
AccountAuditConfiguration config;
// Daily audit
ScheduledAudit dailyAudit = ScheduledAudit.Builder.create(this, "DailyAudit")
.accountAuditConfiguration(config)
.frequency(Frequency.DAILY)
.auditChecks(List.of(AuditCheck.AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK))
.build();
// Weekly audit
ScheduledAudit weeklyAudit = ScheduledAudit.Builder.create(this, "WeeklyAudit")
.accountAuditConfiguration(config)
.frequency(Frequency.WEEKLY)
.dayOfWeek(DayOfWeek.SUNDAY)
.auditChecks(List.of(AuditCheck.CA_CERTIFICATE_EXPIRING_CHECK))
.build();
// Monthly audit
ScheduledAudit monthlyAudit = ScheduledAudit.Builder.create(this, "MonthlyAudit")
.accountAuditConfiguration(config)
.frequency(Frequency.MONTHLY)
.dayOfMonth(DayOfMonth.of(1))
.auditChecks(List.of(AuditCheck.CA_CERTIFICATE_KEY_QUALITY_CHECK))
.build();
-
ClassDescription(experimental) Defines AWS IoT Audit Configuration.(experimental) A fluent builder for
AccountAuditConfiguration.(experimental) Properties for defining AWS IoT Audit Configuration.A builder forAccountAuditConfigurationPropsAn implementation forAccountAuditConfigurationProps(experimental) Properties for an topic rule action.A builder forActionConfigAn implementation forActionConfig(experimental) The AWS IoT Device Defender audit checks.(experimental) The types of audit checks.A builder forCheckConfigurationAn implementation forCheckConfiguration(experimental) The day of the month on which the scheduled audit takes place.(experimental) The day of the week on which the scheduled audit takes place.(experimental) The frequency at which the scheduled audit takes place.(experimental) Represents AWS IoT Audit Configuration.Internal default implementation forIAccountAuditConfiguration.A proxy class which represents a concrete javascript instance of this type.(experimental) An abstract action for TopicRule.Internal default implementation forIAction.A proxy class which represents a concrete javascript instance of this type.(experimental) Represents AWS IoT Logging.Internal default implementation forILogging.A proxy class which represents a concrete javascript instance of this type.(experimental) Defines AWS IoT SQL.(experimental) The type returned from thebind()method inIotSql.A builder forIotSqlConfigAn implementation forIotSqlConfig(experimental) Represents AWS IoT Scheduled Audit.Internal default implementation forIScheduledAudit.A proxy class which represents a concrete javascript instance of this type.(experimental) Represents an AWS IoT Rule.Internal default implementation forITopicRule.A proxy class which represents a concrete javascript instance of this type.(experimental) Defines AWS IoT Logging.(experimental) A fluent builder forLogging.(experimental) Properties for defining AWS IoT Logging.A builder forLoggingPropsAn implementation forLoggingProps(experimental) The log level for the AWS IoT Logging.(experimental) Defines AWS IoT Scheduled Audit.(experimental) A fluent builder forScheduledAudit.(experimental) Construction properties for a Scheduled Audit.A builder forScheduledAuditAttributesAn implementation forScheduledAuditAttributes(experimental) Properties for defining AWS IoT Scheduled Audit.A builder forScheduledAuditPropsAn implementation forScheduledAuditProps(experimental) Defines an AWS IoT Rule in this stack.(experimental) A fluent builder forTopicRule.(experimental) Properties for defining an AWS IoT Rule.A builder forTopicRulePropsAn implementation forTopicRuleProps