Just as we did for the recent AWS Storage Day, we are making several pre-re:Invent announcements related to AWS IoT. Here’s what I’ve got for you today:

Secure Tunneling – You can set up and use secure tunnels between devices, even if they are behind restrictive network firewalls.

Configurable Endpoints – You can create multiple AWS IoT endpoints within a single AWS account, and set up a unique feature configuration on each one.

Custom Domains for Configurable Endpoints – You can register your own domains and server certificates and use them to create custom AWS IoT Core endpoints.

Enhanced Custom Authorizers – You can now use callbacks to invoke your own authentication and authorization code for MQTT connections.

Fleet Provisioning – You can onboard large numbers of IoT devices to the cloud, providing each one with a unique digital identity and any required configuration on its first connection to AWS IoT Core.

Alexa Voice Service (AVS) Integration – You can reduce the cost of producing an Alexa built-in device by up to 50% and bring Alexa to devices that have very limited amounts of local processing power and storage.

Container Support for AWS IoT Greengrass – You can now deploy, run, and manage Docker containers and applications on your AWS IoT Greengrass-enabled devices. You can deploy containers and Lambda functions on the same device, and you can use your existing build tools and processes for your IoT work. To learn more, read about the Docker Application Deployment Connector.

Stream Manager for AWS IoT Greengrass – You can now build AWS IoT Greengrass applications that collect, process, and export streams of data from IoT devices. Your applications can do first-tier processing at the edge, and then route all or selected data to an Amazon Kinesis Data Stream or AWS IoT Analytics for cloud-based, second-tier processing. To learn more, read AWS IoT Greengrass Adds Docker Support and Streams Management at the Edge and Manage Data Streams on the AWS IoT Greengrass Core.

Let’s dive into these powerful new features!

Secure Tunneling

This feature addresses a very common customer request: the need to access, troubleshoot, and fix IoT devices that are behind a restrictive firewall. This feature is of special relevance to medical devices, utility meters, and specialized hardware with an IoT aspect.

You can set up a secure tunnel on port 443 that uses TLS 1.2 encryption, and then use a local proxy to move commands and data across the tunnel. There are three elements to this feature:

Management APIs – A new set of APIs allow you to open ( OpenTunnel ), close ( CloseTunnel ), list ( ListTunnels ), and describe ( DescribeTunnels ) secure tunnels. Opening a tunnel generates a tunnel id and a pair of client access tokens: one for the source device and another for the destination device.

Local Proxy – A proxy that runs on both ends of the connection, available here in open source form. For IoT-registered devices, the client access token is passed via MQTT to the device, which launches a local proxy on each device to initiate a connection to the tunneling service. The client access token and tunnel id are used to authenticate the connection for each source and destination device to the tunneling service.

Tunneling Service – This service implements the tunnel, and connects the source and destination devices.

I can use the AWS IoT Console to create and manage tunnels. I click on Manage and Tunnels, then Open New:

I give my tunnel a description, select a thing, configure a timeout, add a tag, and click Open New:

Then I download the client access tokens for the source and destination:

To learn more read the Developer Guide and Introducing Secure Tunneling for AWS IoT Device Management.

Custom Domains for Configurable Endpoints

This feature gives you the ability to create custom AWS IoT Core endpoints, each with their own DNS CNAME and server certificate. This allows you to keep your brand identity without any software updates.

To learn more, read Custom Domains.

Configurable Endpoints

This feature gives you additional control of your AWS IoT Endpoints by enabling you to customize aspects such as domain and authentication mechanism as well as create multiple endpoints in the same account. This allows you to migrate to AWS IoT while keeping your existing endpoints (perhaps hardwired into devices already out in the field) unchanged and maintaining backwards compatibility with hard-to-update devices in the field.

To learn more, read Configurable Endpoints.

Enhanced Custom Authorizers

This feature allows you to use our own identity and access management implementation to authenticate and authorize traffic to and from your IoT devices. It works with all protocols supported by AWS IoT Core, with support for identities based on a bearer token or on a username/password pair. The enhancement supports custom authentication & authorization over MQTT connections, and also includes simplified token passing for HTTP and WSS connections.

To learn more, read Custom Authorizers.

Fleet Provisioning

This feature makes it easy for you to onboard large fleets of IoT devices to AWS IoT Core. Instead of spending time and resources to uniquely configure each IoT devices at the time of manufacturing, you can now use AWS IoT Core’s fleet provisioning feature to get your generic devices uniquely configured when the device makes its first connection to AWS IoT Core. The configuration can include X.509 certificates, MQTT client identity, serial numbers, and so forth. Fleet Provisioning uses JSON templates that contain device-side configuration, cloud-side configuration, and a proof-of-trust criterion. Trust can be based on an attestable entity such as a bootstrap X.509 certificate, or a local connection to a branded mobile app or onboarding beacon.

To learn more, read the Fleet Provisioning Developer Guide.

Alexa Voice Service (AVS) Integration

This feature lowers the cost of producing an Alexa built-in device up to 50% by offloading compute & memory intensive audio workloads from a physical device to a new virtual Alexa built-in device in the cloud. This lets you integrate AVS on devices with less than 1 MB of RAM and ARM Cortex ‘M’ class microcontrollers (including the new NXP MCU-Based Solution for Alexa Voice Service) and brings Alexa to products such as light switches, thermostats, and small appliances. The devices can take advantage of the new AWS IoT Core features listed above, as well as existing AWS IoT features such as Over the Air (OTA) updates.

To learn more, read Introducing Alexa Voice Service (AVS) Integration for AWS IoT Core.

— Jeff;