Getting started AWS IoT Greengrass & OTA Updates

16 min readFeb 20, 2020

AWS provides many services among them one popular service is AWS IoT Greengrass.

AWS IoT Greengrass is software that extends cloud capabilities to local devices. This enables devices to collect and analyze data closer to the source of information, react autonomously to local events, and communicate securely with each other on local networks. AWS IoT Greengrass developers can use AWS Lambda functions and prebuilt connectors to create serverless applications that are deployed to devices for local execution.

In AWS IoT Greengrass, devices securely communicate on a local network and exchange messages with each other without having to connect to the cloud. AWS IoT Greengrass provides a local pub/sub.

Message manager that can intelligently buffer messages if connectivity is lost so that inbound and outbound messages to the cloud are

AWS IoT Greengrass consists of Software distributions.

Software distributions.

• AWS IoT Greengrass core software.

• AWS IoT Greengrass core SDK.

• Cloud service.

  • AWS IoT Greengrass API.

AWS IoT Greengrass Core Software:-

The AWS Greengrass Core Software plays an important role while communicating with the AWS IoT such as the deployment of Lambda Function, MQTT messaging over the local network between devices, connectors, and lambda functions, Secure, over-the-air software updates of user-defined Lambda functions, etc.

To install Greengrass on your core device, download the package for your architecture and distribution

For us, we will consider “ARMv7l” because we are going to use Raspberry pi.

AWS IoT Device SDKs:-

The AWS IoT Device SDKs helps devices connect to AWS IoT or AWS IoT Greengrass services. Devices must know which AWS IoT Greengrass group they belong to and the IP address of the AWS IoT Greengrass core that they should connect to.

For now, these two concepts are important to deploy aws Greengrass onto the edge device:-

Let’s Begin:-

Environment Setup for Greengrass:-

First, the raspberry pi should have the Linux latest version to work with the Greengrass, just download and configure the Raspberry Pi with Raspbian with its latest version.

Just run the following command:-

sudo adduser --system ggc_usersudo addgroup --system ggc_group

If done with the Raspbian Jessie then run the following command to update the Linux Kernel-Version:-

sudo apt-get install rpi-updatesudo rpi-update b81a11258fc911170b40a0b09bbd63c84bc5ad59

Then Restart the Raspberry Pi by using Following Command:-

sudo reboot

To improve security on the Pi device, enable hard link and soft link protection on the operating system at startup.

cd /etc/sysctl.d

This just type “ls” then you will see 98-rpi.conf in open it using “sudo nano 98-rpi.conf “ in that add the two lines

fs.protected_hardlinks = 1fs.protected_symlinks = 1

You will see the 98-rpi.conf file like below:-

Reboot the Pi:-

sudo reboot

Just to check whether the “fs.protected_hardlinks = 1 and fs.protected_symlinks = 1” is done or not it can be checked by the following command:-

sudo sysctl -a 2> /dev/null | grep fs.protected

Edit your command line boot file to enable and mount memory cgroups. This allows AWS IoT Greengrass to set the memory limit for Lambda functions. Without this, the Greengrass daemon is unable to run.

cd /boot/

Then open “cmdline.txt” and add the following line to the end of the file, you can open the “cmdline.txt” by using “sudo nano cmdline.txt”

The page will look like below:


sudo reboot

To make sure that you have all required dependencies, download and run the Greengrass dependency checker

cd /home/pi/Downloadswget samples/raw/master/greengrassdependency-checker-GGCv1.8.0.zipunzip greengrass-dependency-checker-GGCv1.8.0.zipcd greengrass-dependency-checker-GGCv1.8.0sudo modprobe configssudo ./check_ggc_dependencies | more

if you are unable to do this you can download the file just by clicking on the respective URL:-”.

NOTE:- The check_ggc_dependencies script might produce warnings about the missing optional Node v6.10 and Java 8 prerequisites. You can ignore these warnings.

Now your Raspberry pi configuration is finished.

Creation of Greengrass Group/Core

To create the Greengrass group or thing we need to configure it on aws IoT console so for that we need to open aws management console. In aws management console select IoT core.

In that select Greengrass.

In the Greengrass select create a group, after that then select use easy creation.

After clicking onto the use of easy creation we need to give the name to our group here we will give the name (100–001), where “100” is serial number and “001” is product number.

As we are dealing with the devices and here we have chosen raspberry pi as an ISR so we need to make a registration in a Greengrass core also that we have chosen “100–001_core”.

Choose next.

Choose next.

Select create group and core this will create tar file which Is having certificates, keys, etc.

Now you will get the page like below:-

Till now we have completed the downloads and the making of the group onto the aws IoT console.

Now we have 4 files with us in the download folder:

· Aws python SDK.

· Aws dependencies checker.

· A zip file of securities and key which we have downloaded while making a group.

· Aws IoT greengrass core software.

Unzip and untar the file by using “unzip” and untar by

sudo tar –xvzf filename.tar.gz

Now change directory to “Greengrass” and in that “certs” and run the following command:-

cd /greengrass/certs/sudo wget –O

Apart from that, we need to move the certificate and config file to the Greengrass from the downloaded security folder.

Run the following command to confirm that the file is not empty:


Now start the aws IoT Greengrass on your core device, by running the following command:-

cd /greengrass/ggc/core/sudo ./greengrassd start

After running the above command you will see the daemon started successfully with some PID note that PID and run the following command :

ps aux | grep PID-number

This PID number is to be replaced by your PID number, and the image will look like below:-

Now we will see how to make communication between the devices and the aws IoT.

As we have downloaded the python SDK in that we have the “SDK” folder and in the example, we have “” by using this we will see how to communicate with the devices and the aws IoT.

First, we have “aws_greengrass_core_sdk” which we have downloaded.

In that, we have two directories SDK and “examples”.

SDK contains the zip file just unzip it and you will see the folder like below:-

From SDK take Greengrass SDK and from example take and make a zip of that file which we are going to upload onto the lambda function.

Let’s create the lambda for our lamda_testing group.

Click on Create Function.

Next, create lambda function name “lambda_testing” in this I have chosen the existing role:-

Congratulations You have created the Lambda.

Now in action select publish a new version and in that for Version description, enter the First version, and then choose Publish.

Now upload the zip file, go to configuration->code entry type in that upload a zip file. Now upload a zip file, change the handler name as given below:-

Create an alias for the Lambda function version:


Greengrass groups can reference a Lambda function by alias (recommended) or by version.

Using an alias makes it easier to manage code updates because you don’t have to change your subscription table or group definition when the function code is updated. Instead, you just point the alias to the new function version.

Create the name and then select the version as per the image given below and then create:-

Now go to the group and in that select lambda.

Now go to the group and in that select lambda.

Then use existing lambda which we have made earlier.

Select the lambda lambda_testing which we have made earlier.

Select Alias GG_Helloworld and then click Finish.

After the addition of lambda, we need to configure the lambda which we can do it by clicking on”…”.

Enter the details which we have mentioned below:-

Now go to the subscription to communicate with the core using Lambda, so first Click on add your first Subscription.

After that, we need to select the source and target select and as shown below:-

Make a Topic as “hello/world”.

Now after doing this we need to deploy it so go to “Deployment” the click on Action:-

Select Automatic Detection Which is boxed in purple Box.

Now just deploy it and then it will show “Completed”.

After deployment go to test and subscribe to the topic “hello/world” as given below then click “subscribe to the topic”, you will get the message at your end.

************************************************************** __________________________Use of OTA___________________________


Over-the-Air programming (OTA):-

refers to various methods of distributing new software, configuration settings, and even updating encryption keys to devices like cellphones, set-top boxes or secure voice communication equipment (encrypted 2-way radios).

One important feature of OTA is that one central location can send an update to all the users:-

Reduces risk:-

With FOTA giving the IoT device distributor or manufacturer the ability to continually configure devices, post distribution, they also gain the ability to remain compliant with evolving industry standards. This expands product lifetime and offers greater flexibility to manage the devices on the edge.

Improves cost-effectiveness:-

With FOTA, devices can be kept up to date remotely to reduce customer care costs and lower resource expenditure by the manufacturer. With the ability to resolve issues remotely, techs don’t have to waste valuable time traveling on-site to fix bugs or other problems.

Keep Up With Fast-Changing Security Protocols:-

New threats are always popping up, tomorrow or years from now, so it’s a good thing to be able to be prepared to react. OTA updates act immediately to keep your deployment robust and make sure transmissions are safe and protected ahead of the curve.

Release Now, Update Later:-

You’ll be able to buy time in the programming process during distribution, deliver tested, ready-to-release services now, and provide the rest after the bugs have been smoothed out.

Market Trends:-

Devices need to keep up with industrial, market trends.

Technical and Process description:-

Greengrass Core Software Update:-

To perform an AWS IoT Greengrass core software update follows these steps:

  1. Ensure that the AWS IoT Greengrass core is correctly provisioned with valid config.json file entries and the necessary certificates.
  2. If the AWS IoT Greengrass core software is being managed by an init system, ensure that managedRespawn = true in the config.json file and the scripts and are present in the ./greengrass/usr/scripts directory.
  3. Start the ggc-ota agent by running ./greengrass/ota/ota_agent/ggc-ota.
  4. Create an OTA self-update job in the cloud with the CreateSoftwareUpdateJob API (aws Greengrass create-software-update-job), making sure the — software-to-update parameter is set to the core.
  5. The OTA Agent will perform an update of AWS IoT Greengrass core software.

CreateSoftwareUpdateJob API:-

1. The CreateSoftwareUpdateJob API creates a software update for a core or several cores.

2. This API can be used to update the OTA Agent as well as the Greengrass core software.

The following example shows how to create a Greengrass core software update job using the CLI:-

aws greengrass create-software-update-job \--update-targets-architecture x86_64 \--update-targetsarn:aws:iot:us-east-   1:123456789012:thing/myDevice \--update-targets-operating-system ubuntu \--software-to-update core \--s3-url-signer-role arn:aws:iam::123456789012:role/IotS3UrlPresigningRole \--update-agent-log-level WARN \--amzn-client-token myClientToken1

The create-software-update-job command has the following parameters:

— update-targets-architecture

The architecture of the core device. Must be one of armv7l, x86_64 or aarch64.

— update-targets

A list of the targets to which the OTA update should be applied. The list can contain the ARNS of things which are cores and the ARNs of thing groups whose members are cores. See IoT thing groups for more information on how to place cores in an IoT thing group.

— update-targets-operating-system

The operating system of the core device. Must be one of Ubuntu, amazon_linux or raspbian.

— software-to-update

Specifies whether the core’s software or the OTA Agent software should be updated. Must be one of core or ota_agent.

— s3-url-signer-role

The IAM role is used to presign the S3 URL which links to the Greengrass software update. You must provide a role that has the appropriate policy attached. Here is an example policy document with the minimum required permissions:

{{"Version": "2012-10-17","Statement": [{"Sid": "AllowsIotToAccessGreengrassOTAUpdateArtifacts","Effect": "Allow","Action": ["s3:GetObject"],"Resource": ["arn:aws:s3:::us-east-1-greengrass-updates/*","arn:aws:s3:::us-west-2-greengrass-updates/*","arn:aws:s3:::ap-northeast-1-greengrass-updates/*","arn:aws:s3:::ap-southeast-2-greengrass-updates/*","arn:aws:s3:::eu-central-1-greengrass-updates/*","arn:aws:s3:::eu-west-1-greengrass-updates/*"]}]}

— amzn-client-token

[Optional] A client token used to make idempotent requests. Provide a unique token to prevent duplicate updates from being created due to internal retries.

— update-agent-log-level

[Optional] The logging level for log statements generated by the OTA Agent. Must be one of NONE, TRACE, DEBUG, VERBOSE, INFO, WARN, ERROR, or FATAL. The default is ERROR.

The create-software-update-job command returns a JSON object containing the job id and job ARN:

{"IotJobId": "Greengrass-OTA-c3bd7f36-ee80-4d42-8321-a1da0e5b1303","IotJobArn": "arn:aws:iot:us-east-1:123456789012:job/Greengrass-OTA-c3bd7f36-ee80-4d42-8321-a1da0e5b1303"}

AWS IoT Greengrass Core Update with Managed Respawn:-

As the OTA Agent prepares to do an AWS IoT Greengrass core update, if the managedRespawn a flag is set to true, then the OTA Agent will look in the ./greengrass/usr/scripts directory for the script and run it.

After the OTA Agent completes the update, it will attempt to run the script from the ./greengrass/usr/scripts directory.

<greengrass_root>|-- certs|-- config|   |-- config.json|-- ggc|-- usr/scripts|   |--|   |--|   |--|   |--|-- ota


  • The user-defined scripts in ./greengrass/usr/scripts should be owned by root and executable by root only.

*******************************************************************_______________________________Cloud watch_________________________ *******************************************************************

  • Amazon CloudWatch is a monitoring and management service built for developers, system operators, site reliability engineers (SRE), and IT managers. CloudWatch provides you with data and actionable insights to monitor your applications, understand and respond to system-wide performance changes, optimize resource utilization, and get a unified view of operational health.
  • CloudWatch collects monitoring and operational data in the form of logs, metrics, and events, providing you with a unified view of AWS resources, applications and services that run on AWS, and on-premises servers.

Benefits of CloudWatch:-

  1. Access all your data from a single platform.
  2. The easiest way to collect custom and granular metrics for AWS resources.
  3. Visibility across your applications, infrastructure, and services.
  4. Improve the total cost of ownership.
  5. Optimize applications and operational resources.

6. Derive actionable insights from logs.

Technical and Process description monitoring CloudWatch

Create a Logging Role:-

Use the IAM console to create a logging role.

  1. From the navigation pane, choose Roles, and then choose to Create a new role.
  2. Choose AWS Service Role and for a service role type, choose AWS IoT.
  3. Choose the AWSIoTLogging role, and then choose Next Step.
  4. Type a name and description for the role, and then choose to Create role.

Configure AWS IoT Logging:-

  1. You enable logging using the set-v2-logging-options CLI command or the SetV2LoggingOptions API.
  2. Command for doing the same:-
aws iot set-v2-logging-options --role-arn arn:aws:iam::<your-aws-accountnum>:role/<IoTLoggingRole> --default-log-level <INFO>

Viewing Logs

To view your logs:-

  1. Browse to In the navigation pane, choose Logs.
  2. In the Filter text box, type AWSIotLogsV2, and press Enter.
  3. Double-click the AWSIotLogsV2 log group.
  4. Choose Search Log Group. A complete list of the AWS IoT logs generated for your account is displayed.

AWS IoT Device Defender

AWS IoT Device Defender is a fully managed service that helps you secure your fleet of IoT devices. AWS IoT Device Defender continuously audits your IoT configurations to make sure that they aren’t deviating from security best practices. A configuration is a set of technical controls you set to help keep information secure when devices are communicating with each other and the cloud.

Need of AWS IoT Device Defender:-

  • Audit device configurations for security vulnerabilities.
  • Continuously monitor device behavior to identify anomalies.
  • Receive alerts and take action.

How does AWS IoT Device Defender work

  • AWS IoT Core provides the security building blocks for you to securely connect devices to the cloud and other devices. The building blocks allow enforcing security controls such as authentication, authorization, audit logging and end-to-end encryption.

Technical & process Description

  • Choose to Create your first security profile:

  1. Name your security profile.
  2. Configure metrics that you want to be alerted about.
  3. Choose Next. In production environments, we recommend customers automate remediation steps by sending AWS IoT Device Defender alarms to an Amazon Simple Notification Service (Amazon SNS) topic.
  4. For Attach to, choose All devices or specified devices.
  5. Choose Next.
  6. Then choose Continue

On the Violations page, review if devices are not complying with the behaviors already set in the security profile.

  1. In the navigation pane, choose to Defend, Audit, Results, and then choose to Create your first audit.
  2. Once you select Create your first audit, you can select multiple audit checks as you need.

Next, create your audit report and start running it. This process could take a few minutes. You can see the details for your audit on the Results page.

Certificate Management /rotation (MQTT/ device/ role)

  1. Sign in to the AWS Management Console and open the AWS IoT console.
  2. In the left navigation pane, choose Security to expand the choices, and then choose Certificates. Choose to Create.
  3. Choose One-click certificate creation — Create a certificate. Alternatively, to generate a certificate with a certificate signing request (CSR), choose to Create with CSR.
  4. Use the links to the public key, private key, and certificate to download each to a secure location.
  5. Choose Activate.

Attaching certificate with the thing:-

  1. After creating things carry out the following steps to attach the certificate with the thing.
  2. On the Add, a certificate for your thing page, choose to Create a certificate.
  3. A certificate for this thing, choose Download. Then follow your web browser’s onscreen directions to save the file ending in certificate.pem.crt.txt to your local development computer.

a. Note:- Although the dialog box shows a file ending in, the file that you download ends in certificate.pem.crt.txt.

4. Repeat the previous step in this section for a public key, A private key, and A root CA for AWS IoT. Save the files ending in public.pem.key, private.pem.key, and .pem, respectively, to your development computer.

5. When you choose the Download link next to A root CA for AWS IoT, the Server Authentication section of the AWS IoT Developer Guide is displayed. From there, to get the root CA for AWS IoT, click the Amazon Root CA 1 link in that section, which downloads the RSA 2048 bit key for the Amazon Trust Services endpoint.

6. Choose Activate.

Creating Policies:-

To create an AWS IoT policy:

  1. Sign in to the AWS Management Console and open the AWS IoT console.
  2. In the left navigation pane, choose Secure, and then Policies. On you don’t have a policy yet page, choose to Create a policy.
  3. On the Create a policy page, in the Name field, type a name for the policy
  4. In the Action field, type iot: Connect. In the Resource ARN field, type *. Select the Allow checkbox. This allows all clients to connect to AWS IoT. Select all the fields required for the same in the same action fields.

Attaching Policy with the thing:-

  1. Choose to Attach policy.

Add a policy for your thing, select the policy of your choice & register the device.

AWS CloudTrail:

  1. AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational and risk auditing of your AWS account.
  2. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.
  3. CloudTrail is enabled on your AWS account when you create it.
  4. When activity occurs in your AWS account, that activity is recorded in a CloudTrail event. You can easily view recent events in the CloudTrail console by going to Event history.

Steps for the same are as follows:-

  1. Sign in to the AWS Management Console and open the CloudTrail console.
  2. In the navigation pane, choose Event history. A filtered list of events appears in the content pane with the latest event first. Scroll down to see more events.




DevOps/Cloud | 2x AWS Certified | 1x Terraform Certified | 1x CKAD Certified | Gitlab