Connect devices to Amazon IoT
Devices connect to Amazon IoT and other services through Amazon IoT Core. Through Amazon IoT Core, devices send and receive messages using device endpoints that are specific to your account. The Amazon IoT Device SDKs support device communications using the MQTT and WSS protocols. For more information about the protocols that devices can use, see Device communication protocols.
The message broker
Amazon IoT manages device communication through a message broker. Devices and clients publish messages to the message broker and also subscribe to messages that the message broker publishes. Messages are identified by an application-defined topic. When the message broker receives a message published by a device or client, it republishes that message to the devices and clients that have subscribed to the message's topic. The message broker also forwards messages to the Amazon IoT rules engine, which can act on the content of the message.
Amazon IoT message security
Device connections to Amazon IoT use X.509 client certificates and Amazon signature V4 for authentication. Device communications are secured by TLS version 1.3, and Amazon IoT requires devices to send the Server Name Indication (SNI) extension.
Amazon IoT device data and service endpoints
Important
You can cache or store the endpoints in your device. This means you won't need to query the DescribeEndpoint API every time a new device is connected. The endpoints won't change after Amazon IoT Core creates them for your account.
Each account has several device endpoints that are unique to the account and support specific IoT functions. The Amazon IoT device data endpoints support a publish/subscribe protocol that is designed for the communication needs of IoT devices; however, other clients, such as apps and services, can also use this interface if their application requires the specialized features that these endpoints provide. The Amazon IoT device service endpoints support device-centric access to security and management services.
To learn your account's device data endpoint, you can find it in the Settings
To learn your account's device endpoint for a specific purpose, including the device data endpoint, use the describe-endpoint CLI command shown here, or the DescribeEndpoint REST API, and provide the endpointType parameter value from the following table.
aws iot describe-endpoint --endpoint-type endpointType
This command returns an iot-endpoint in the following format:
account-specific-prefix.iot.aws-region.amazonaws.com
Every customer has an iot:Data-ATS and an iot:Data endpoint. Each endpoint uses an X.509 certificate to authenticate the client. We strongly recommend that customers use the newer iot:Data-ATS endpoint type to avoid issues related to the widespread distrust of Symantec certificate authorities. We provide the iot:Data endpoint for devices to retrieve data from old endpoints that use VeriSign certificates for backward compatibility. For more information, see Server Authentication.
Endpoint purpose | endpointType | Description
---|---|---
Amazon IoT Core - data plane operations | iot:Data-ATS | Used to send and receive data to and from the message broker, Device Shadow, and Rules Engine components of Amazon IoT.
Amazon IoT Core - data plane operations (legacy) | iot:Data | iot:Data returns a VeriSign signed data endpoint provided for backward compatibility. MQTT 5 is not supported on Symantec (iot:Data) endpoints.
Amazon IoT Core credential access | iot:CredentialProvider | Used to exchange a device's built-in X.509 certificate for temporary credentials to connect directly with other Amazon services. For more information about connecting to other Amazon services, see Authorizing Direct Calls to Amazon Services.
Amazon IoT Device Management - jobs data operations | iot:Jobs | Used to enable devices to interact with the Amazon IoT Jobs service using the Jobs Device HTTPS APIs.
Amazon IoT Device Advisor operations | iot:DeviceAdvisor | A test endpoint type used for testing devices with Device Advisor. For more information, see Device Advisor.
Amazon IoT Core data beta (preview) | iot:Data-Beta | An endpoint type reserved for beta releases. For information about its current use, see Domain configurations.
You can also use your own fully-qualified domain name (FQDN), such as example.com, and the associated server certificate to connect devices to Amazon IoT by using Domain configurations.
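As an added example (not from this page or the Amazon IoT Device SDKs), the following Python script ties the endpoint and message-security guidance above together: it resolves the recommended iot:Data-ATS endpoint with the describe-endpoint command, caches it as the note above recommends, checks the address against the documented format, and builds a TLS 1.3 client context that presents the device's X.509 certificate and sends the SNI extension. The endpointAddress JSON key, the certificate file names, the in-memory cache and the 8883 MQTT-over-TLS port are assumptions not stated on this page.

```python
import json
import re
import socket
import ssl
import subprocess

# Documented endpoint shape: account-specific-prefix.iot.aws-region.amazonaws.com
ENDPOINT_RE = re.compile(r"^[a-z0-9-]+\.iot\.[a-z0-9-]+\.amazonaws\.com$")
ENDPOINT_TYPE = "iot:Data-ATS"  # the endpoint type the page recommends

def fetch_from_cli(endpoint_type: str = ENDPOINT_TYPE) -> str:
    """Run the describe-endpoint command from the page; returns its JSON output (needs credentials)."""
    cmd = ["aws", "iot", "describe-endpoint", "--endpoint-type", endpoint_type]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

def parse_endpoint(raw_json: str) -> str:
    """Read endpointAddress (assumed key) from the CLI JSON and reject any address outside the documented shape."""
    address = json.loads(raw_json)["endpointAddress"]
    if not ENDPOINT_RE.match(address):
        raise ValueError(f"unexpected endpoint format: {address}")
    return address

def cached_endpoint(cache: dict, fetch=fetch_from_cli, endpoint_type: str = ENDPOINT_TYPE) -> str:
    """Return the endpoint from the cache; DescribeEndpoint is only called on a miss, since endpoints never change."""
    if endpoint_type not in cache:
        cache[endpoint_type] = parse_endpoint(fetch(endpoint_type))
    return cache[endpoint_type]

def device_tls_context(ca_file=None, cert_file=None, key_file=None) -> ssl.SSLContext:
    """TLS settings matching the page: TLS 1.3 only, server certificate verified, X.509 client certificate presented."""
    ctx = ssl.create_default_context(cafile=ca_file)  # ca_file: Amazon Trust Services root for ATS endpoints
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.check_hostname = True  # server certificate must match the endpoint name
    if cert_file and key_file:
        ctx.load_cert_chain(cert_file, key_file)  # device's own X.509 certificate and private key
    return ctx

def open_tls_socket(endpoint: str, ctx: ssl.SSLContext, port: int = 8883) -> ssl.SSLSocket:
    """server_hostname both sends the SNI extension the broker requires and names the certificate to verify."""
    raw = socket.create_connection((endpoint, port), timeout=10)
    return ctx.wrap_socket(raw, server_hostname=endpoint)

if __name__ == "__main__":
    store = {}  # stand-in for the device's persistent storage
    ep = cached_endpoint(store)
    # assumed local file names for the CA, device certificate and key
    ctx = device_tls_context("AmazonRootCA1.pem", "device.pem.crt", "private.pem.key")
    with open_tls_socket(ep, ctx) as tls:
        print(ep, tls.version())
```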
Amazon IoT Device SDKs
The Amazon IoT Device SDKs help you connect your IoT devices to Amazon IoT Core and they support MQTT and MQTT over WSS protocols.
The Amazon IoT Device SDKs differ from the Amazon SDKs in that the Amazon IoT Device SDKs support the specialized communications needs of IoT devices, but don't support all of the services supported by the Amazon SDKs. The Amazon IoT Device SDKs are compatible with the Amazon SDKs that support all of the Amazon services; however, they use different authentication methods and connect to different endpoints, which could make using the Amazon SDKs impractical on an IoT device.
Mobile devices
The Amazon Mobile SDKs support MQTT device communications, some of the Amazon IoT service APIs, and the APIs of other Amazon services. If you're developing on a supported mobile device, review its SDK to see if it's the best option for developing your IoT solution.