Managing Remote IoT Devices with AWS Secure Tunneling

Are you struggling to manage IoT devices deployed behind remote firewalls? AWS IoT Device Management brings you a solution - Secure Tunneling. In this article, we'll dive into the world of secure tunneling, exploring its benefits and guiding you through setting up a secure SSH connection to a Raspberry Pi, all to make your remote IoT device management a breeze.

What Is Secure Tunneling?

Secure Tunneling is a powerful feature of AWS IoT Device Management that lets you establish bi-directional communication with remote devices deployed behind firewalls. It allows you to troubleshoot, push configuration updates, manage remote IoT devices and carry out other operational tasks without compromising security. The best part? You don't need to modify your existing inbound firewall rules: the device initiates the connection outbound.

Prerequisites for the Demo

For this specific demonstration, we have some prerequisites:

- Linux-based Device: You'll need a Linux-based IoT thing, like a Raspberry Pi or a Linux PC.
- SSH Daemon: Ensure your device has an SSH daemon running.
- Outbound Traffic on Port 443: Your firewall must permit outbound traffic on port 443.
- AWS IoT Thing: Create an AWS IoT Thing in the AWS IoT Registry and save the necessary keys and certificates.
- AWS IoT Device Client: Download the AWS IoT Device Client source code from GitHub, build it, and configure it with the appropriate thing name, certificates, and private key.
- AWS IoT Secure Tunneling Local Proxy: Download the AWS IoT Secure Tunneling Local Proxy source code from GitHub and build it for your operator machine.

How Does Secure Tunneling Work?

Before we jump into the demo, let's understand the fundamentals of how secure tunneling operates:

1. Source and Destination: On the left, you have your remote IoT device (the destination). In the middle, the AWS cloud with AWS IoT Core and AWS IoT Device Management. On the right, there's the operator's machine (the source).
2. Local Proxy: The local proxy command-line utility is installed on the operator's machine; for this demo, the device side is handled by the AWS IoT Device Client.
3. Connecting to AWS IoT Core: The AWS IoT Device Client connects to AWS IoT Core and subscribes to a reserved topic for secure tunneling notifications. This notification carries the access token required to connect the device side of the tunnel.
4. Creating a Secure Tunnel: To create a secure tunnel, the operator issues an open tunnel command to AWS IoT Device Management. This triggers a notification message through AWS IoT Core, including the destination access token.
5. Using Access Tokens: The operator downloads the source access token issued by the AWS console when the tunnel was opened. This access token is used to initialize the local proxy in source mode, connecting the source side of the tunnel.
6. SSH Session: With both sides of the tunnel connected, the operator can open an SSH session via the local proxy, securely managing the remote IoT device.


Now, let's see this in action in the console.

Demo: Setting Up Secure Tunneling

1. Start the AWS IoT Device Client on your Raspberry Pi.
2. Navigate to AWS IoT Core > Device Management > Tunnels in the management console.
3. Create a tunnel, specifying the service (SSH in this case), your IoT thing (e.g., Raspberry Pi), and a timeout.
4. Download the source access token.
5. On your operator machine, open terminal sessions for the local proxy and your SSH client. Ensure the local proxy command includes the AWS region, listening port, and the source access token.
6. Watch as the secure tunnel forms connections on both sides.
7. Initialize your SSH session, connecting to the local proxy.


Now, you can securely troubleshoot, configure updates, and perform operational tasks on your remote IoT device.
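As an added example (not code from the article or from AWS), here is the operator side of steps 3 to 7 scripted with the AWS CLI instead of the console: open the tunnel, hand the source token to the local proxy through its environment rather than the command line, SSH through it, and close the tunnel when the session ends. It assumes the AWS CLI v2 with iotsecuretunneling permissions, a `localproxy` binary on PATH, the AWS IoT Device Client already running on the thing, and a login user `pi` on the device.

```sh
#!/bin/sh
# Added example (not from the article or from AWS): operator-side workflow for
# opening a secure tunnel and starting the local proxy in source mode.
# Assumptions: AWS CLI v2 with iotsecuretunneling permissions, `localproxy`
# (built from the local proxy repo) on PATH, the AWS IoT Device Client running
# on the thing next to its SSH daemon, and a login user "pi" on the device.
set -eu

# Build the local proxy argv for source mode. The access token is deliberately
# not passed via -t, where it would show up in `ps` and shell history; the
# local proxy also reads it from the AWSIOT_TUNNEL_ACCESS_TOKEN variable.
localproxy_source_cmd() {   # $1 = AWS region, $2 = local listen port
  case "$2" in ''|*[!0-9]*) echo "listen port must be numeric" >&2; return 1 ;; esac
  if [ "$2" -lt 1024 ] || [ "$2" -gt 65535 ]; then
    echo "listen port must be an unprivileged port (1024-65535)" >&2; return 1
  fi
  printf 'localproxy -r %s -s %s\n' "$1" "$2"
}

# Keep the tunnel lifetime to the maintenance window. The service accepts
# 1..720 minutes; anything outside is clamped into that range.
tunnel_timeout_minutes() {   # $1 = requested lifetime in minutes
  case "$1" in ''|*[!0-9]*) echo "lifetime must be numeric" >&2; return 1 ;; esac
  if [ "$1" -lt 1 ]; then echo 1; elif [ "$1" -gt 720 ]; then echo 720; else echo "$1"; fi
}

# $1 = region, $2 = thing name, $3 = local listen port, $4 = lifetime minutes
open_tunnel_and_ssh() {
  region=$1; thing=$2; port=$3
  minutes=$(tunnel_timeout_minutes "$4")
  # Open the tunnel from the CLI; the response carries the tunnel id and both
  # tokens. Only the source token is needed here, the device client receives
  # the destination token over MQTT.
  set -- $(aws iotsecuretunneling open-tunnel --region "$region" \
        --destination-config "thingName=$thing,services=SSH" \
        --timeout-config "maxLifetimeTimeoutMinutes=$minutes" \
        --query '[tunnelId,sourceAccessToken]' --output text)
  tunnel_id=$1
  AWSIOT_TUNNEL_ACCESS_TOKEN=$2; export AWSIOT_TUNNEL_ACCESS_TOKEN
  $(localproxy_source_cmd "$region" "$port") &
  proxy_pid=$!
  sleep 2   # let the proxy connect before SSH dials it
  # HostKeyAlias pins the device's host key under the thing name, so known_hosts
  # does not key on "[localhost]:<port>" and a changed key is still noticed.
  ssh -p "$port" -o HostKeyAlias="$thing" "pi@localhost" || true
  kill "$proxy_pid" 2>/dev/null || true
  # Close and delete the tunnel as soon as the session ends instead of letting
  # it idle until the timeout expires.
  aws iotsecuretunneling close-tunnel --region "$region" --tunnel-id "$tunnel_id" --delete
}
if [ "$#" -eq 4 ]; then open_tunnel_and_ssh "$@"; fi
```

Run it as `./tunnel-ssh.sh <region> <thing-name> 5555 30` to get a 30-minute tunnel with the local proxy listening on port 5555.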

Wrapping Up

In this getting started demo, we've covered how to set up and use AWS Secure Tunneling for remote IoT device management.