How Amazon IoT works - Amazon IoT Core
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

How Amazon IoT works

Amazon IoT provides cloud services and device support that you can use to implement IoT solutions. Amazon provides many cloud services to support IoT-based applications. To help you understand where to start, this section provides a diagram and definitions of the essential concepts that introduce you to the IoT universe.

The IoT universe

In general, the Internet of Things (IoT) consists of the key components shown in this diagram.

The IoT universe


Apps

Apps give end users access to IoT devices and the features provided by the cloud services to which those devices are connected.

Cloud services

Cloud services are distributed, large-scale data storage and processing services that are connected to the internet. Examples include:

  • IoT connection and management services

    Amazon IoT is an example of an IoT connection and management service.

  • Compute services, such as Amazon Elastic Compute Cloud and Amazon Lambda

  • Database services, such as Amazon DynamoDB


Communications

Devices communicate with cloud services by using various technologies and protocols. Examples include:

  • Wi-Fi/Broadband internet

  • Broadband cellular data

  • Narrow-band cellular data

  • Long-range Wide Area Network (LoRaWAN)

  • Proprietary RF communications


Devices

A device is a type of hardware that manages interfaces and communications. Devices are usually located in close proximity to the real-world interfaces they monitor and control. Devices can include computing and storage resources, such as microcontrollers, CPU, and memory. Examples include:

  • Raspberry Pi

  • Arduino

  • Voice-interface assistants

  • LoRaWAN and devices

  • Amazon Sidewalk devices

  • Custom IoT devices


Interfaces

An interface is a component that connects a device to the physical world.

  • User interfaces

    Components that allow devices and users to communicate with each other.

    • Input interfaces

      Enable a user to communicate with a device

      Examples: keypad, button

    • Output interfaces

      Enable a device to communicate with a user

      Examples: Alpha-numeric display, graphical display, indicator light, alarm bell

  • Sensors

    Input components that measure or sense something in the outside world in a way that a device understands. Examples include:

    • Temperature sensor (converts temperature to an analog or digital signal)

    • Humidity sensor (converts relative humidity to an analog or digital signal)

    • Analog-to-digital converter (converts an analog voltage to a numeric value)

    • Ultrasonic distance measuring unit (converts a distance to a numeric value)

    • Optical sensor (converts a light level to a numeric value)

    • Camera (converts image data to digital data)

  • Actuators

    Output components that the device can use to control something in the outside world. Examples include:

    • Stepper motors (convert electric signals to movement)

    • Relays (control high electric voltages and currents)

Amazon IoT services overview

In the IoT universe, Amazon IoT provides the services that support the devices that interact with the world and the data that passes between them and Amazon IoT. Amazon IoT is made up of the services that are shown in this illustration to support your IoT solution.

Amazon IoT architecture

Amazon IoT device software

Amazon IoT provides this software to support your IoT devices.

Amazon IoT Device SDKs

The Amazon IoT Device and Mobile SDKs help you efficiently connect your devices to Amazon IoT. The Amazon IoT Device and Mobile SDKs include open-source libraries, developer guides with samples, and porting guides so that you can build innovative IoT products or solutions on your choice of hardware platforms.

Amazon IoT Device Tester

Amazon IoT Device Tester for FreeRTOS and Amazon IoT Greengrass is a test automation tool for microcontrollers. Amazon IoT Device Tester tests your device to determine if it will run FreeRTOS or Amazon IoT Greengrass and interoperate with Amazon IoT services.

Amazon IoT Greengrass

Amazon IoT Greengrass extends Amazon IoT to edge devices so they can act locally on the data they generate, run predictions based on machine learning models, and filter and aggregate device data. Amazon IoT Greengrass enables your devices to collect and analyze data closer to where that data is generated, react autonomously to local events, and communicate securely with other devices on the local network. You can use Amazon IoT Greengrass to build edge applications using pre-built software modules, called components, that can connect your edge devices to Amazon services or third-party services.


FreeRTOS

FreeRTOS is an open source, real-time operating system for microcontrollers that lets you include small, low-power edge devices in your IoT solution. FreeRTOS includes a kernel and a growing set of software libraries that support many applications. FreeRTOS systems can securely connect your small, low-power devices to Amazon IoT and support more powerful edge devices running Amazon IoT Greengrass.

Amazon IoT control services

Connect to the following Amazon IoT services to manage the devices in your IoT solution.

Amazon IoT Core

Amazon IoT Core is a managed cloud service that enables connected devices to securely interact with cloud applications and other devices. Amazon IoT Core can support many devices and messages, and it can process and route those messages to Amazon IoT endpoints and other devices. With Amazon IoT Core, your applications can interact with all of your devices even when they aren’t connected.

Amazon IoT Core Device Advisor

Amazon IoT Core Device Advisor is a cloud-based, fully managed test capability for validating IoT devices during device software development. Device Advisor provides pre-built tests that you can use to validate IoT devices for reliable and secure connectivity with Amazon IoT Core, before deploying devices to production.

Amazon IoT Device Defender

Amazon IoT Device Defender helps you secure your fleet of IoT devices. Amazon IoT Device Defender continuously audits your IoT configurations to make sure that they aren’t deviating from security best practices. Amazon IoT Device Defender sends an alert when it detects any gaps in your IoT configuration that might create a security risk, such as identity certificates being shared across multiple devices or a device with a revoked identity certificate trying to connect to Amazon IoT Core.

Amazon IoT Device Management

Amazon IoT Device Management services help you track, monitor, and manage the plethora of connected devices that make up your device fleets. Amazon IoT Device Management services help you ensure that your IoT devices work properly and securely after they have been deployed. They also provide secure tunneling to access your devices, monitor their health, detect and remotely troubleshoot problems, as well as services to manage device software and firmware updates.

Amazon IoT data services

Analyze the data from the devices in your IoT solution and take appropriate action by using the following Amazon IoT services.

Amazon IoT Analytics

Amazon IoT Analytics lets you efficiently run and operationalize sophisticated analytics on massive volumes of unstructured IoT data. Amazon IoT Analytics automates each difficult step that is required to analyze data from IoT devices. Amazon IoT Analytics filters, transforms, and enriches IoT data before storing it in a time-series data store for analysis. You can analyze your data by running one-time or scheduled queries using the built-in SQL query engine or machine learning.

Amazon IoT Events

Amazon IoT Events detects and responds to events from IoT sensors and applications. Events are patterns of data that identify more complicated circumstances than expected, such as motion detectors using movement signals to activate lights and security cameras. Amazon IoT Events continuously monitors data from multiple IoT sensors and applications, and integrates with other services, such as Amazon IoT Core, IoT SiteWise, DynamoDB, and others to enable early detection and unique insights.

Amazon IoT SiteWise

Amazon IoT SiteWise collects, stores, organizes, and monitors data passed from industrial equipment by MQTT messages or APIs at scale by providing software that runs on a gateway in your facilities. The gateway securely connects to your on-premises data servers and automates the process of collecting and organizing the data and sending it to the Amazon Cloud.

Amazon IoT Core services

Amazon IoT Core provides the services that connect your IoT devices to the Amazon Cloud so that other cloud services and applications can interact with your internet-connected devices.

A high-level view of Amazon IoT Core that shows the device gateway, message broker, rules engine, device shadow, and the other services it provides

The next section describes each of the Amazon IoT Core services shown in the illustration.

Amazon IoT Core messaging services

The Amazon IoT Core connectivity services provide secure communication with the IoT devices and manage the messages that pass between them and Amazon IoT.

Device gateway

Enables devices to securely and efficiently communicate with Amazon IoT. Device communication is secured by secure protocols that use X.509 certificates.

Message broker

Provides a secure mechanism for devices and Amazon IoT applications to publish and receive messages from each other. You can use either the MQTT protocol directly or MQTT over WebSocket to publish and subscribe. For more information about the protocols that Amazon IoT supports, see Device communication protocols. Devices and clients can also use the HTTP REST interface to publish data to the message broker.

The message broker distributes device data to devices that have subscribed to it and to other Amazon IoT Core services, such as the Device Shadow service and the rules engine.

Amazon IoT Core for LoRaWAN

Amazon IoT Core for LoRaWAN makes it possible to set up a private LoRaWAN network by connecting your LoRaWAN devices and gateways to Amazon without the need to develop and operate a LoRaWAN Network Server (LNS). Messages received from LoRaWAN devices are sent to the rules engine where they can be formatted and sent to other Amazon IoT services.

Rules engine

The Rules engine connects data from the message broker to other Amazon IoT services for storage and additional processing. For example, you can insert, update, or query a DynamoDB table or invoke a Lambda function based on an expression that you defined in the Rules engine. You can use an SQL-based language to select data from message payloads, and then process and send the data to other services, such as Amazon Simple Storage Service (Amazon S3), Amazon DynamoDB, and Amazon Lambda. You can also create rules that republish messages to the message broker and on to other subscribers. For more information, see Rules for Amazon IoT.

Amazon IoT Core control services

The Amazon IoT Core control services provide device security, management, and registration features.

Custom Authentication service

You can define custom authorizers that allow you to manage your own authentication and authorization strategy using a custom authentication service and a Lambda function. Custom authorizers allow Amazon IoT to authenticate your devices and authorize operations using bearer token authentication and authorization strategies.

Custom authorizers can implement various authentication strategies; for example, JSON Web Token verification or OAuth provider callout. They must return policy documents that are used by the device gateway to authorize MQTT operations. For more information, see Custom authentication and authorization.
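The JSON Web Token strategy mentioned above, as an added example that is not AWS sample code: a Python Lambda handler that verifies an HS256 token with the standard library and returns a policy document scoped to the connecting client ID. The shared key, the `devices/<clientId>/` topic layout, the ARN placeholder, and the token arriving in the event's `token` field are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, re, time

SECRET = b"constructed-demo-key"        # assumption: HS256 key shared with the token issuer
ARN = "arn:aws:iot:REGION:ACCOUNT_ID"   # placeholder: fill in partition, Region and account
DENY = {"isAuthenticated": False}

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input):
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()

def make_token(claims):
    """Issue a constructed HS256 JWT so the example runs offline."""
    part = ".".join(_b64(json.dumps(p).encode()) for p in ({"alg": "HS256"}, claims))
    return part + "." + _b64(_sign(part))

def verify_token(token, now):
    """Return the claims only if algorithm, signature and expiry all check out."""
    try:
        head, body, sig = token.split(".")
        if json.loads(_unb64(head)).get("alg") != "HS256":
            return None                 # never let the token choose its own algorithm
        if not hmac.compare_digest(_sign(head + "." + body), _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
        return claims if claims["exp"] > now else None
    except (ValueError, KeyError, TypeError, AttributeError):
        return None

def handler(event, context=None, now=None):
    """Lambda entry point: map a verified token to a per-device policy."""
    claims = verify_token(event.get("token"), now or time.time())
    client_id = event.get("protocolData", {}).get("mqtt", {}).get("clientId", "")
    # The client ID is interpolated into ARNs, so refuse wildcards and separators.
    if not (claims and isinstance(client_id, str) and claims.get("sub") == client_id
            and re.fullmatch(r"[A-Za-z0-9]{1,64}", client_id)):
        return DENY
    allow = lambda action, res: {"Effect": "Allow", "Action": action, "Resource": f"{ARN}:{res}"}
    policy = {"Version": "2012-10-17", "Statement": [
        allow("iot:Connect", f"client/{client_id}"),
        allow(["iot:Publish", "iot:Receive"], f"topic/devices/{client_id}/*"),
        allow("iot:Subscribe", f"topicfilter/devices/{client_id}/*"),
    ]}
    return {"isAuthenticated": True, "principalId": client_id, "policyDocuments": [policy],
            "disconnectAfterInSeconds": 3600, "refreshAfterInSeconds": 300}
```

Binding the token subject to the MQTT client ID and validating that ID before building ARNs keeps one device's token from yielding a policy that covers another device's topics.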

Device Provisioning service

Allows you to provision devices using a template that describes the resources required for your device: a thing object, a certificate, and one or more policies. A thing object is an entry in the registry that contains attributes that describe a device. Devices use certificates to authenticate with Amazon IoT. Policies determine which operations a device can perform in Amazon IoT.

The templates contain variables that are replaced by values in a dictionary (map). You can use the same template to provision multiple devices just by passing in different values for the template variables in the dictionary. For more information, see Device provisioning.

Group registry

Groups allow you to manage several devices at once by categorizing them into groups. Groups can also contain groups—you can build a hierarchy of groups. Any action that you perform on a parent group will apply to its child groups. The same action also applies to all the devices in the parent group and all devices in the child groups. Permissions granted to a group will apply to all devices in the group and in all of its child groups. For more information, see Managing devices with Amazon IoT.
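Because permissions flow down the hierarchy, a broad policy on a parent group reaches every device beneath it. The following added example (not part of the original page or an AWS tool) resolves the policies each device inherits and reports which group grants any wildcard policy; the group, thing, and policy names and the policy contents are constructed sample data.

```python
# Constructed sample registry data (hypothetical names, not from a real account).
PARENT = {"factory": None, "line-a": "factory", "line-b": "factory", "robots": "line-a"}
GROUP_POLICIES = {"factory": ["ConnectOnly"], "line-a": ["LineAdmin"], "robots": ["RobotTelemetry"]}
THING_GROUPS = {"arm-01": ["robots"], "plc-03": ["line-a"], "cam-07": ["line-b"]}
ARN = "arn:aws:iot:REGION:ACCOUNT_ID"   # placeholder
POLICY_DOCS = {
    "ConnectOnly": [{"Effect": "Allow", "Action": "iot:Connect",
                     "Resource": ARN + ":client/${iot:ClientId}"}],
    "LineAdmin": [{"Effect": "Allow", "Action": "iot:*", "Resource": "*"}],
    "RobotTelemetry": [{"Effect": "Allow", "Action": ["iot:Publish"],
                        "Resource": ARN + ":topic/robots/telemetry"}],
}

def ancestors(group, parent):
    """Return the group followed by each ancestor up to the root; reject cycles."""
    chain = []
    while group is not None:
        if group in chain:
            raise ValueError(f"cycle in group hierarchy at {group!r}")
        chain.append(group)
        group = parent.get(group)
    return chain

def effective_policies(thing, thing_groups, parent, group_policies):
    """Map every policy a thing inherits to the nearest group that grants it."""
    granted = {}
    for group in thing_groups.get(thing, []):
        for anc in ancestors(group, parent):
            for policy in group_policies.get(anc, []):
                granted.setdefault(policy, anc)
    return granted

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_broad(statements):
    """True if any Allow statement uses a wildcard action or the '*' resource."""
    return any(st["Effect"] == "Allow"
               and (set(_as_list(st["Action"])) & {"*", "iot:*"}
                    or "*" in _as_list(st["Resource"]))
               for st in statements)

def inherited_broad_access(thing_groups, parent, group_policies, policy_docs):
    """Report {thing: [(policy, granting_group), ...]} for broad inherited policies."""
    report = {}
    for thing in thing_groups:
        found = effective_policies(thing, thing_groups, parent, group_policies)
        hits = sorted((p, g) for p, g in found.items() if is_broad(policy_docs[p]))
        if hits:
            report[thing] = hits
    return report
```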

Jobs service

Allows you to define a set of remote operations that are sent to and run on one or more devices connected to Amazon IoT. For example, you can define a job that instructs a set of devices to download and install application or firmware updates, reboot, rotate certificates, or perform remote troubleshooting operations.

To create a job, you specify a description of the remote operations to be performed and a list of targets that should perform them. The targets can be individual devices, groups or both. For more information, see Jobs.


Registry

Organizes the resources associated with each device in the Amazon Cloud. You register your devices and associate up to three custom attributes with each one. You can also associate certificates and MQTT client IDs with each device to improve your ability to manage and troubleshoot them. For more information, see Managing devices with Amazon IoT.

Security and Identity service

Provides shared responsibility for security in the Amazon Cloud. Your devices must keep their credentials safe to securely send data to the message broker. The message broker and rules engine use Amazon security features to send data securely to devices or other Amazon services. For more information, see Authentication.

Amazon IoT Core data services

The Amazon IoT Core data services help your IoT solutions provide a reliable application experience even with devices that are not always connected.

Device shadow

A JSON document used to store and retrieve current state information for a device.

Device Shadow service

The Device Shadow service maintains a device's state so that applications can communicate with a device whether the device is online or not. When a device is offline, the Device Shadow service manages its data for connected applications. When the device reconnects, it synchronizes its state with that of its shadow in the Device Shadow service. Your devices can also publish their current state to a shadow for use by applications or other devices that might not be connected all the time. For more information, see Amazon IoT Device Shadow service.

Amazon IoT Core support service

Amazon Sidewalk Integration for Amazon IoT Core

Amazon Sidewalk is a shared network that improves connectivity options to help devices work together better. Amazon Sidewalk supports a wide range of customer devices such as those that locate pets or valuables, those that provide smart home security and lighting control, and those that provide remote diagnostics for appliances and tools. Amazon Sidewalk Integration for Amazon IoT Core makes it possible for device manufacturers to add their Sidewalk device fleet to the Amazon IoT Cloud.

For more information, see Amazon IoT Core for Amazon Sidewalk.