Connect devices to AWS IoT
Devices connect to AWS IoT and other services through AWS IoT Core. Through AWS IoT Core, devices send and receive messages using device endpoints that are specific to your account. The AWS IoT Device SDKs support device communications using the MQTT and WSS protocols. For more information about the protocols that devices can use, see Device communication protocols.
The message broker
AWS IoT manages device communication through a message broker. Devices and clients publish messages to the message broker and also subscribe to messages that the message broker publishes. Messages are identified by an application-defined topic. When the message broker receives a message published by a device or client, it republishes that message to the devices and clients that have subscribed to the message's topic. The message broker also forwards messages to the AWS IoT rules engine, which can act on the content of the message.
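The routing described above, as an added example that is not AWS code: an in-memory model of a topic-based publish/subscribe broker. It goes slightly beyond the paragraph by using MQTT topic-filter semantics for subscriptions ('+' matches exactly one topic level, '#' matches everything below its position), which is an assumption about the protocol the page only names. The device names and payloads are constructed.

```python
"""In-memory model of a publish/subscribe message broker.

Added example, not AWS IoT code. Subscriptions use MQTT topic filters
('+' = one level, '#' = all remaining levels); messages are identified
by an application-defined topic, and every message is also handed to a
stand-in for the rules engine.
"""
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

Message = Tuple[str, bytes]            # (topic, payload)
Handler = Callable[[str, bytes], None]


def topic_matches(topic_filter: str, topic: str) -> bool:
    """Return True if an MQTT topic filter matches a concrete topic name."""
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    for i, level in enumerate(f_levels):
        if level == "#":
            # '#' is only valid as the last filter level; it matches the
            # parent level itself and everything beneath it
            return i == len(f_levels) - 1
        if i >= len(t_levels):
            return False
        if level != "+" and level != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)


class Broker:
    """Republishes each message to every subscriber whose filter matches."""

    def __init__(self) -> None:
        self._subs: Dict[str, List[Handler]] = defaultdict(list)
        self.rules_engine_inbox: List[Message] = []   # stand-in for the rules engine

    def subscribe(self, topic_filter: str, handler: Handler) -> None:
        self._subs[topic_filter].append(handler)

    def publish(self, topic: str, payload: bytes) -> int:
        """Deliver to matching subscribers; return the number of deliveries."""
        delivered = 0
        for topic_filter, handlers in self._subs.items():
            if topic_matches(topic_filter, topic):
                for handler in handlers:
                    handler(topic, payload)
                    delivered += 1
        self.rules_engine_inbox.append((topic, payload))  # rules engine sees every message
        return delivered


def demo() -> dict:
    """Constructed scenario: two thermostats publish, two consumers subscribe."""
    broker = Broker()
    received: Dict[str, List[Message]] = defaultdict(list)
    # A dashboard wants every device's temperature readings.
    broker.subscribe("devices/+/temperature",
                     lambda t, p: received["dashboard"].append((t, p)))
    # An audit consumer wants everything from one specific device.
    broker.subscribe("devices/thermostat-1/#",
                     lambda t, p: received["audit"].append((t, p)))
    n1 = broker.publish("devices/thermostat-1/temperature", b"21.5")
    n2 = broker.publish("devices/thermostat-1/status", b"ok")
    n3 = broker.publish("devices/thermostat-2/temperature", b"19.0")
    return {
        "deliveries": (n1, n2, n3),
        "dashboard": len(received["dashboard"]),
        "audit": len(received["audit"]),
        "rules": len(broker.rules_engine_inbox),
    }


if __name__ == "__main__":
    print(demo())
```

The matcher is the piece worth studying: the same filter grammar that decides who receives a message is what a broker-side authorization policy reasons about, so a device whose subscriptions are scoped to its own `devices/<id>/#` subtree cannot observe other devices' traffic.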
AWS IoT message security
Device connections to AWS IoT use X.509 client certificates and AWS Signature Version 4 (SigV4) for authentication. Device communications are secured by TLS version 1.3, and AWS IoT requires devices to send the Server Name Indication (SNI) extension.
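The three connection properties just listed, shown as an added example that uses only Python's standard ssl module and is not AWS IoT Device SDK code: a client context that presents the device's X.509 certificate, refuses anything older than TLS 1.3, verifies the endpoint's certificate, and sends SNI. The certificate paths are placeholders, and port 8883 is the conventional MQTT-over-TLS port, an assumption of this example rather than something the page states.

```python
"""TLS client setup for a device connection: X.509 client certificate
(mutual authentication), TLS 1.3 minimum, and the SNI extension.

Added example on top of Python's standard ssl module; not AWS SDK code.
Certificate paths are placeholders; port 8883 (MQTT over TLS) is assumed.
"""
import socket
import ssl
from typing import Optional


def make_device_tls_context(cert_file: Optional[str] = None,
                            key_file: Optional[str] = None,
                            ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Client context: verify the broker and present the device certificate."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3   # refuse older protocol versions
    ctx.check_hostname = True                      # endpoint name must match the cert
    ctx.verify_mode = ssl.CERT_REQUIRED            # broker must present a trusted cert
    if cert_file and key_file:
        # The device's own X.509 certificate and private key. Placeholder paths
        # on a real device would be something like /etc/iot/device.pem.crt and
        # /etc/iot/private.pem.key (hypothetical locations).
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def legacy_context() -> ssl.SSLContext:
    """The weak setting for contrast: no hostname check, no certificate
    verification, and any protocol version the library still allows."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_acceptable(ctx: ssl.SSLContext) -> bool:
    """Self-check a device could run before it attempts a connection."""
    return (ctx.minimum_version == ssl.TLSVersion.TLSv1_3
            and ctx.check_hostname
            and ctx.verify_mode == ssl.CERT_REQUIRED)


def open_broker_connection(endpoint: str, ctx: ssl.SSLContext,
                           port: int = 8883) -> ssl.SSLSocket:
    """Open a TLS connection to the account's device data endpoint.

    server_hostname is what makes the client send the SNI extension that
    AWS IoT requires, and it is also the name hostname verification checks
    against the certificate the broker presents.
    """
    raw = socket.create_connection((endpoint, port), timeout=10)
    return ctx.wrap_socket(raw, server_hostname=endpoint)


if __name__ == "__main__":
    print("hardened context acceptable:", context_is_acceptable(make_device_tls_context()))
    print("legacy context acceptable:  ", context_is_acceptable(legacy_context()))
```

The context is built without network access, so the self-check runs on the device before any handshake; `open_broker_connection` is where a real device would hand the wrapped socket to its MQTT client.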
AWS IoT device data and service endpoints
Important
You can cache or store the endpoints in your device, so you won't need to query the DescribeEndpoint API every time a new device is connected. The endpoints won't change after AWS IoT Core creates them for your account.
Each account has several device endpoints that are unique to the account and support specific IoT functions. The AWS IoT device data endpoints support a publish/subscribe protocol that is designed for the communication needs of IoT devices; however, other clients, such as apps and services, can also use this interface if their application requires the specialized features that these endpoints provide. The AWS IoT device service endpoints support device-centric access to security and management services.
To learn your account's device data endpoint, you can find it in the Settings
To learn your account's device endpoint for a specific purpose, including the device data endpoint, use the describe-endpoint CLI command shown here, or the DescribeEndpoint REST API, and provide the endpointType parameter value from the following table.

aws iot describe-endpoint --endpoint-type endpointType

This command returns an iot-endpoint in the following format:

account-specific-prefix.iot.aws-region.amazonaws.com
Every customer has an iot:Data-ATS and an iot:Data endpoint. Each endpoint uses an X.509 certificate to authenticate the client. We strongly recommend that customers use the newer iot:Data-ATS endpoint type to avoid issues related to the widespread distrust of Symantec certificate authorities. We provide the iot:Data endpoint, for backward compatibility, so that devices can retrieve data from old endpoints that use VeriSign certificates. For more information, see Server Authentication.
Endpoint purpose | endpointType | Description
---|---|---
AWS IoT Core - data plane operations | iot:Data-ATS | Used to send and receive data to and from the message broker, Device Shadow, and Rules Engine components of AWS IoT.
AWS IoT Core - data plane operations (legacy) | iot:Data | iot:Data returns a VeriSign signed data endpoint provided for backward compatibility. MQTT 5 is not supported on Symantec (iot:Data) endpoints.
AWS IoT Core credential access | | Used to exchange a device's built-in X.509 certificate for temporary credentials to connect directly with other AWS services. For more information about connecting to other AWS services, see Authorizing Direct Calls to AWS Services.
AWS IoT Device Management - jobs data operations | | Used to enable devices to interact with the AWS IoT Jobs service using the Jobs Device HTTPS APIs.
AWS IoT Device Advisor operations | | A test endpoint type used for testing devices with Device Advisor. For more information, see Device Advisor.
AWS IoT Core data beta (preview) | | An endpoint type reserved for beta releases. For information about its current use, see Domain configurations.
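The endpoint lookup above, combined with the caching advice in the Important note, as an added example that is not AWS code. `fetch_endpoint` stands in for the DescribeEndpoint call (the `aws iot describe-endpoint` command or an SDK call) and is injected so the logic runs offline; the endpoint hostname, cache file and tampered value are constructed. Beyond what the page states, the example validates a cached value against the page's `account-specific-prefix.iot.aws-region.amazonaws.com` shape before a device trusts it, so a corrupted or modified cache file cannot silently redirect the device.

```python
"""Resolve a device endpoint once, cache it on the device, and validate the
cached value before use.

Added example, not AWS code. fetch_endpoint stands in for the
DescribeEndpoint API (aws iot describe-endpoint); it is injected so the
logic runs without network access.
"""
import json
import re
import tempfile
from pathlib import Path
from typing import Callable, Dict

# Shape given on the page: <account-specific-prefix>.iot.<aws-region>.amazonaws.com
# The region pattern covers forms such as us-east-1, ap-southeast-2, us-gov-west-1.
ENDPOINT_RE = re.compile(
    r"[a-z0-9-]+\.iot\.[a-z]{2}(?:-[a-z]+)+-\d+\.amazonaws\.com")


def is_valid_device_endpoint(host: str) -> bool:
    """True only if the host looks like an AWS IoT device endpoint."""
    return ENDPOINT_RE.fullmatch(host) is not None


def get_device_endpoint(cache_path: Path,
                        fetch_endpoint: Callable[[str], str],
                        endpoint_type: str = "iot:Data-ATS") -> str:
    """Return the endpoint for endpoint_type, calling DescribeEndpoint at most
    once per type for the lifetime of the cache file."""
    cache: Dict[str, str] = {}
    if cache_path.exists():
        try:
            cache = json.loads(cache_path.read_text())
        except ValueError:
            cache = {}                      # unreadable cache: treat as empty
    host = cache.get(endpoint_type)
    if not isinstance(host, str) or not is_valid_device_endpoint(host):
        # Cache miss, or a corrupt/tampered entry: ask the API again rather
        # than connecting to whatever the file says.
        host = fetch_endpoint(endpoint_type)
        if not is_valid_device_endpoint(host):
            raise ValueError(f"unexpected endpoint format: {host!r}")
        cache[endpoint_type] = host
        cache_path.write_text(json.dumps(cache))
    return host


def demo() -> dict:
    """Constructed run: first call hits the API, second is served from cache,
    a tampered cache entry is rejected and triggers one more API call."""
    cache_path = Path(tempfile.mkdtemp()) / "iot-endpoints.json"
    calls = []

    def fake_describe(endpoint_type: str) -> str:   # constructed API stand-in
        calls.append(endpoint_type)
        return "a1b2c3d4e5f6g7-ats.iot.us-east-1.amazonaws.com"  # constructed value

    first = get_device_endpoint(cache_path, fake_describe)
    second = get_device_endpoint(cache_path, fake_describe)
    # Constructed tampering: someone rewrites the cache to point elsewhere.
    cache_path.write_text(json.dumps({"iot:Data-ATS": "not-aws.example"}))
    third = get_device_endpoint(cache_path, fake_describe)
    return {
        "endpoint": first,
        "consistent": first == second == third,
        "api_calls": len(calls),
    }


if __name__ == "__main__":
    print(demo())
```

On a real device, `fetch_endpoint` would wrap the describe-endpoint call made with the device's own credentials; the validation step costs nothing and turns the cache file from a trust anchor into a plain optimization.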
You can also use your own fully-qualified domain name (FQDN), such as example.com, and the associated server certificate to connect devices to AWS IoT by using Domain configurations.
AWS IoT Device SDKs
The AWS IoT Device SDKs help you connect your IoT devices to AWS IoT Core and they support MQTT and MQTT over WSS protocols.
The AWS IoT Device SDKs differ from the AWS SDKs in that the AWS IoT Device SDKs support the specialized communications needs of IoT devices, but don't support all of the services supported by the AWS SDKs. The AWS IoT Device SDKs are compatible with the AWS SDKs that support all of the AWS services; however, they use different authentication methods and connect to different endpoints, which could make using the AWS SDKs impractical on an IoT device.
Mobile devices
The AWS Mobile SDKs support MQTT device communications, some of the AWS IoT service APIs, and the APIs of other AWS services. If you're developing on a supported mobile device, review its SDK to see if it's the best option for developing your IoT solution.