Getting started AWS IoT Greengrass & OTA Updates

  • AWS IoT Greengrass API.
sudo adduser --system ggc_user
sudo addgroup --system ggc_group
sudo apt-get install rpi-update
sudo rpi-update b81a11258fc911170b40a0b09bbd63c84bc5ad59
sudo reboot
cd /etc/sysctl.d
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
sudo reboot
sudo sysctl -a 2> /dev/null | grep fs.protected
cd /boot/
sudo reboot
cd /home/pi/Downloads
wget https://github.com/aws-samples/aws-greengrass-samples/raw/master/greengrass-dependency-checker-GGCv1.8.0.zip
unzip greengrass-dependency-checker-GGCv1.8.0.zip
cd greengrass-dependency-checker-GGCv1.8.0
sudo modprobe configs
sudo ./check_ggc_dependencies | more
sudo tar -xvzf filename.tar.gz
cd /greengrass/certs/
sudo wget -O root.ca.pem https://www.amazontrust.com/repository/AmazonRootCA1.pem
cat root.ca.pem
cd /greengrass/ggc/core/
sudo ./greengrassd start
ps aux | grep PID-number
  1. Ensure that the AWS IoT Greengrass core is correctly provisioned with valid config.json file entries and the necessary certificates.
  2. If the AWS IoT Greengrass core software is being managed by an init system, ensure that managedRespawn = true in the config.json file and the scripts ggc_pre_update.sh and ggc_post_update.sh are present in the ./greengrass/usr/scripts directory.
  3. Start the ggc-ota agent by running ./greengrass/ota/ota_agent/ggc-ota.
  4. Create an OTA self-update job in the cloud with the CreateSoftwareUpdateJob API (aws greengrass create-software-update-job), making sure the --software-to-update parameter is set to core.
  5. The OTA Agent will perform an update of AWS IoT Greengrass core software.
aws greengrass create-software-update-job \
    --update-targets-architecture x86_64 \
    --update-targets arn:aws:iot:us-east-1:123456789012:thing/myDevice \
    --update-targets-operating-system ubuntu \
    --software-to-update core \
    --s3-url-signer-role arn:aws:iam::123456789012:role/IotS3UrlPresigningRole \
    --update-agent-log-level WARN \
    --amzn-client-token myClientToken1

Policy attached to the S3 URL signer role (IotS3UrlPresigningRole), granting read access to the regional Greengrass update buckets:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowsIotToAccessGreengrassOTAUpdateArtifacts",
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": [
        "arn:aws:s3:::us-east-1-greengrass-updates/*",
        "arn:aws:s3:::us-west-2-greengrass-updates/*",
        "arn:aws:s3:::ap-northeast-1-greengrass-updates/*",
        "arn:aws:s3:::ap-southeast-2-greengrass-updates/*",
        "arn:aws:s3:::eu-central-1-greengrass-updates/*",
        "arn:aws:s3:::eu-west-1-greengrass-updates/*"
      ]
    }
  ]
}

Response returned by create-software-update-job:

{
  "IotJobId": "Greengrass-OTA-c3bd7f36-ee80-4d42-8321-a1da0e5b1303",
  "IotJobArn": "arn:aws:iot:us-east-1:123456789012:job/Greengrass-OTA-c3bd7f36-ee80-4d42-8321-a1da0e5b1303"
}

AWS IoT Greengrass Core Update with Managed Respawn:-

As the OTA Agent prepares to do an AWS IoT Greengrass core update, if the managedRespawn flag is set to true, the OTA Agent looks in the ./greengrass/usr/scripts directory for the ggc_pre_update.sh script and runs it.

<greengrass_root>
|-- certs
|-- config
|   |-- config.json
|-- ggc
|-- usr/scripts
|   |-- ggc_pre_update.sh
|   |-- ggc_post_update.sh
|   |-- ota_pre_update.sh
|   |-- ota_post_update.sh
|-- ota
  • The user-defined scripts in ./greengrass/usr/scripts should be owned by root and executable by root only.
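A worked example of the managed-respawn hooks, added here and not taken from the article or from the Greengrass distribution: it writes ggc_pre_update.sh and ggc_post_update.sh for a core that an init system manages, and checks the root-only ownership and mode rule stated above. The systemd unit name greengrass and the use of GNU stat on Linux are assumptions.

```shell
#!/bin/sh
# Added example (not from the article or the Greengrass distribution): hook scripts
# for a core managed by an init system, plus the ownership/mode check the text requires.
# Assumptions: the init unit is called "greengrass"; stat is GNU stat (Linux).

# Write ggc_pre_update.sh and ggc_post_update.sh into DIR (normally
# /greengrass/usr/scripts). Pre-update stops the service so the OTA Agent can
# replace the core binaries; post-update starts the freshly installed core.
write_respawn_scripts() {
    dir=$1; unit=${2:-greengrass}
    cat > "$dir/ggc_pre_update.sh" <<EOF
#!/bin/sh
# Run by the OTA Agent before the core is replaced (managedRespawn = true).
systemctl stop "$unit"
EOF
    cat > "$dir/ggc_post_update.sh" <<EOF
#!/bin/sh
# Run by the OTA Agent after the new core has been unpacked.
systemctl start "$unit"
EOF
    chmod 0700 "$dir/ggc_pre_update.sh" "$dir/ggc_post_update.sh"   # root only
}

# 0 when FILE carries no group/other permission bits (mode 700 or 500).
script_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        700|500) return 0 ;;
        *)       return 1 ;;
    esac
}

# 0 when FILE is owned by root.
script_owner_ok() {
    [ "$(stat -c '%U' "$1" 2>/dev/null)" = root ]
}

# Check every hook the OTA Agent may run and report each violation; run this
# before creating the software update job.
check_respawn_scripts() {
    dir=${1:-/greengrass/usr/scripts}; rc=0
    for f in ggc_pre_update.sh ggc_post_update.sh ota_pre_update.sh ota_post_update.sh; do
        [ -e "$dir/$f" ] || continue        # hooks are optional
        script_mode_ok  "$dir/$f" || { echo "$dir/$f: mode must be 700"; rc=1; }
        script_owner_ok "$dir/$f" || { echo "$dir/$f: must be owned by root"; rc=1; }
    done
    return "$rc"
}
```

Run `check_respawn_scripts` on the core as root after copying the hooks into place; any line it prints is a hook the OTA Agent would run with the wrong ownership or mode.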
  • Amazon CloudWatch is a monitoring and management service built for developers, system operators, site reliability engineers (SRE), and IT managers. CloudWatch provides you with data and actionable insights to monitor your applications, understand and respond to system-wide performance changes, optimize resource utilization, and get a unified view of operational health.
  • CloudWatch collects monitoring and operational data in the form of logs, metrics, and events, providing you with a unified view of AWS resources, applications and services that run on AWS, and on-premises servers.
  1. Access all your data from a single platform.
  2. The easiest way to collect custom and granular metrics for AWS resources.
  3. Visibility across your applications, infrastructure, and services.
  4. Improve the total cost of ownership.
  5. Optimize applications and operational resources.
  6. Derive actionable insights from logs.

Technical and process description: monitoring with CloudWatch

Create a Logging Role:-

Use the IAM console to create a logging role.

  1. From the navigation pane, choose Roles, and then choose Create new role.
  2. Choose AWS Service Role and, for the service role type, choose AWS IoT.
  3. Choose the AWSIoTLogging role, and then choose Next Step.
  4. Type a name and description for the role, and then choose Create role.

Configure AWS IoT Logging:-

  1. You enable logging using the set-v2-logging-options CLI command or the SetV2LoggingOptions API.
  2. Command for doing the same:-
aws iot set-v2-logging-options --role-arn arn:aws:iam::<your-aws-accountnum>:role/<IoTLoggingRole> --default-log-level <INFO>

Viewing Logs

To view your logs:-

  1. Browse to https://console.aws.amazon.com/cloudwatch/. In the navigation pane, choose Logs.
  2. In the Filter text box, type AWSIotLogsV2, and press Enter.
  3. Double-click the AWSIotLogsV2 log group.
  4. Choose Search Log Group. A complete list of the AWS IoT logs generated for your account is displayed.

AWS IoT Device Defender

AWS IoT Device Defender is a fully managed service that helps you secure your fleet of IoT devices. AWS IoT Device Defender continuously audits your IoT configurations to make sure that they aren’t deviating from security best practices. A configuration is a set of technical controls you set to help keep information secure when devices are communicating with each other and the cloud.

  • Audit device configurations for security vulnerabilities.
  • Continuously monitor device behavior to identify anomalies.
  • Receive alerts and take action.

How does AWS IoT Device Defender work

  • AWS IoT Core provides the security building blocks for you to securely connect devices to the cloud and other devices. The building blocks allow enforcing security controls such as authentication, authorization, audit logging and end-to-end encryption.
  • Choose Create your first security profile:
  1. Name your security profile.
  2. Configure metrics that you want to be alerted about.
  3. Choose Next. In production environments, we recommend customers automate remediation steps by sending AWS IoT Device Defender alarms to an Amazon Simple Notification Service (Amazon SNS) topic.
  4. For Attach to, choose All devices or specified devices.
  5. Choose Next.
  6. Then choose Continue.
  1. In the navigation pane, choose Defend, Audit, Results, and then choose Create your first audit.
  2. Once you select Create your first audit, you can select multiple audit checks as you need.

Certificate Management /rotation (MQTT/ device/ role)

  1. Sign in to the AWS Management Console and open the AWS IoT console.
  2. In the left navigation pane, choose Security to expand the choices, and then choose Certificates. Choose Create.
  3. Choose One-click certificate creation — Create a certificate. Alternatively, to generate a certificate from a certificate signing request (CSR), choose Create with CSR.
  4. Use the links to the public key, private key, and certificate to download each to a secure location.
  5. Choose Activate.
  1. After creating the thing, carry out the following steps to attach the certificate to it.
  2. On the Add a certificate for your thing page, choose Create certificate.
  3. Under A certificate for this thing, choose Download. Then follow your web browser's onscreen directions to save the file ending in certificate.pem.crt.txt to your local development computer.
  1. Sign in to the AWS Management Console and open the AWS IoT console.
  2. In the left navigation pane, choose Secure, and then Policies. On the You don't have a policy yet page, choose Create a policy.
  3. On the Create a policy page, in the Name field, type a name for the policy.
  4. In the Action field, type iot:Connect. In the Resource ARN field, type *. Select the Allow checkbox. This allows all clients to connect to AWS IoT. Add any further actions the device needs in the same way.
  1. Choose Attach policy.
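As an added example (not from the original article), the policy that step 4 produces is shown beside a scoped version that only lets a certificate connect under the client ID of the thing it is attached to, using the AWS IoT policy variable ${iot:Connection.Thing.ThingName}; the region and account values are placeholders.

```shell
#!/bin/sh
# Added example, not from the article: the "iot:Connect on Resource *" policy that
# the console steps create, next to a version scoped to the registered thing name.
# REGION and ACCOUNT are placeholders supplied by the caller.

# The policy exactly as step 4 produces it: any client ID may connect.
open_connect_policy() {
    cat <<'EOF'
{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"iot:Connect","Resource":"*"}]}
EOF
}

# Scoped version: a certificate attached to thing X may only connect as client ID X.
# ${iot:Connection.Thing.ThingName} is an AWS IoT policy variable resolved at connect time.
scoped_connect_policy() {
    region=$1; account=$2
    cat <<EOF
{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"iot:Connect",
"Resource":"arn:aws:iot:${region}:${account}:client/\${iot:Connection.Thing.ThingName}"}]}
EOF
}

# 0 when POLICY_TEXT grants iot:Connect on the wildcard resource, 1 otherwise.
# Whitespace is stripped first so formatting does not affect the match.
allows_any_client() {
    printf '%s' "$1" | tr -d ' \n' | grep -q '"iot:Connect","Resource":"\*"'
}
```

To register the scoped policy, write its output to a file and pass it as `--policy-document file://scoped.json` to `aws iot create-policy`, then attach it to the certificate in place of the open one.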

AWS CloudTrail:

  1. AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational and risk auditing of your AWS account.
  2. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.
  3. CloudTrail is enabled on your AWS account when you create it.
  4. When activity occurs in your AWS account, that activity is recorded in a CloudTrail event. You can easily view recent events in the CloudTrail console by going to Event history.

Steps for the same are as follows:-

  1. Sign in to the AWS Management Console and open the CloudTrail console.
  2. In the navigation pane, choose Event history. A filtered list of events appears in the content pane with the latest event first. Scroll down to see more events.
