Device provisioning - Amazon IoT Core
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Device provisioning

Amazon provides several different ways to provision a device and install unique client certificates on it. This section describes each way and how to select the best one for your IoT solution. These options are described in detail in the whitepaper titled Device Manufacturing and Provisioning with X.509 Certificates in Amazon IoT Core.

Select the option that fits your situation best
  • You can install certificates on IoT devices before they are delivered

    If you can securely install unique client certificates on your IoT devices before they are delivered for use by the end user, you want to use just-in-time provisioning (JITP) or just-in-time registration (JITR).

    Using JITP and JITR, the certificate authority (CA) used to sign the device certificate is registered with Amazon IoT and is recognized by Amazon IoT when the device first connects. The device is provisioned in Amazon IoT on its first connection using the details of its provisioning template.

    For more information on single thing, JITP, JITR, and bulk provisioning of devices that have unique certificates, see Provisioning devices that have device certificates.

  • End users or installers can use an app to install certificates on their IoT devices

    If you cannot securely install unique client certificates on your IoT device before they are delivered to the end user, but the end user or an installer can use an app to register the devices and install the unique device certificates, you want to use the provisioning by trusted user process.

    Using a trusted user, such as an end user or an installer with a known account, can simplify the device manufacturing process. Instead of a unique client certificate, devices have a temporary certificate that enables the device to connect to Amazon IoT for only 5 minutes. During that 5-minute window, the trusted user obtains a unique client certificate with a longer life and installs it on the device. The limited life of the claim certificate minimizes the risk of a compromised certificate.

    For more information, see Provisioning by trusted user.

  • End users CANNOT use an app to install certificates on their IoT devices

    If neither of the previous options will work in your IoT solution, the provisioning by claim process is an option. With this process, your IoT devices have a claim certificate that is shared by other devices in the fleet. The first time a device connects with a claim certificate, Amazon IoT registers the device using its provisioning template and issues the device its unique client certificate for subsequent access to Amazon IoT.

    This option enables automatic provisioning of a device when it connects to Amazon IoT, but could present a larger risk in the event of a compromised claim certificate. If a claim certificate becomes compromised, you can deactivate the certificate. Deactivating the claim certificate prevents all devices with that claim certificate from being registered in the future. However; deactivating the claim certificate does not block devices that have already been provisioned.

    For more information, see Provisioning by claim.

Provisioning devices in Amazon IoT

When you provision a device with Amazon IoT, you must create resources so your devices and Amazon IoT can communicate securely. Other resources can be created to help you manage your device fleet. The following resources can be created during the provisioning process:

  • An IoT thing.

    IoT things are entries in the Amazon IoT device registry. Each thing has a unique name and set of attributes, and is associated with a physical device. Things can be defined using a thing type or grouped into thing groups. For more information, see Managing devices with Amazon IoT.

    Although not required, creating a thing makes it possible to manage your device fleet more effectively by searching for devices by thing type, thing group, and thing attributes. For more information, see Fleet indexing.


    For Fleet Hub to index your Thing's connectivity status data, provision your Thing and configure it so the Thing name matches the client ID used on the Connect request.

  • An X.509 certificate.

    Devices use X.509 certificates to perform mutual authentication with Amazon IoT. You can register an existing certificate or have Amazon IoT generate and register a new certificate for you. You associate a certificate with a device by attaching it to the thing that represents the device. You must also copy the certificate and associated private key onto the device. Devices present the certificate when connecting to Amazon IoT. For more information, see Authentication.

  • An IoT policy.

    IoT policies define the operations that a device can perform in Amazon IoT. IoT policies are attached to device certificates. When a device presents the certificate to Amazon IoT, it is granted the permissions specified in the policy. For more information, see Authorization. Each device needs a certificate to communicate with Amazon IoT.

Amazon IoT supports automated fleet provisioning using provisioning templates. Provisioning templates describe the resources Amazon IoT requires to provision your device. Templates contain variables that enable you to use one template to provision multiple devices. When you provision a device, you specify values for the variables specific to the device using a dictionary or map. To provision another device, specify new values in the dictionary.

You can use automated provisioning whether or not your devices have unique certificates (and their associated private key).

Fleet provisioning APIs

There are several categories of APIs used in fleet provisioning: