Using Beam to connect to AWS IoT Core

Soracom Beam makes it easy to send data from a device to AWS IoT Core . In this guide, we will setup a simple application with Beam to forward a MQTT message from our device to AWS IoT, and configure AWS IoT and AWS SNS to send us an email notification when it receives the MQTT message.

Prerequisites

This guide assumes that you are familiar with the basics of AWS, as well as how to configure your IoT device to publish MQTT messages. In addition, you will need the following:

Goal

Once we have completed this guide, our application should look something like this:

[Device] -> [Soracom Beam] -> [AWS IoT Core] -> [AWS SNS] -> [Email Notification]

We will be using MQTT to publish messages from our device. As AWS IoT Core requires MQTTS, we will need to provide some form of encryption when publishing messages. Rather than configuring MQTTS directly on our device, we can add encryption in the cloud using Beam, which will help simplify our development process.


Configure AWS IoT Core

Let's start by setting up AWS IoT Core. We need to create a "Thing" (our device), configure its security by creating a certificate, and add a security policy to the certificate.

1. Create a Thing

2. Configure Security

AWS IoT Core requires some form of authentication in order to prevent unwanted devices from accessing IoT Core. For convenience, we will use a standard X.509 certificate, which will be signed by AWS IoT's Root CA.

3. Create a Policy

While our certificate will authenticate our device, AWS IoT Core uses policies to define what actions the device can perform. We will create a new policy and attach it to our certificate. This way, when our device connects to AWS IoT Core using our certificate for authentication, IoT Core will automatically know which actions should be allowed or blocked.

4. Find the Forwarding Destination

At this point, we have successfully created a device on AWS IoT Core, with a certificate for authenticating the device, and a policy which defines what actions the device can perform on AWS IoT Core. Next, we will set up Soracom Beam to forward MQTT messages to AWS IoT. However, we need to know the forwarding destination, so let's make a note of it first.


Configure AWS SNS

For this tutorial, we want AWS to send us an email when our device publishes a message. To do this, we will use AWS SNS (Simple Notification Service). We need to create a notification topic and subscribe to it, then update our AWS IoT Thing to send a push notification using our SNS topic.

5. Create a SNS Topic

6. Subscribe to the SNS Topic

This is where we configure our application to send us an email.

  • From the AWS Simple Notification Service dashboard, click Subscriptions, then click Create subscription.

    Create a new subscription

  • Let's configure our subscription with the following settings:

    Create a new subscription

    • Topic ARN - the ARN of the topic we just created
    • Protocol - Email
    • Endpoint - our email address

    Click Create subscription.

    Once the subscription has been created, AWS will send a confirmation email to our email address. Follow the instructions to confirm that you want to receive email messages from this topic.

Now we've finished creating our SNS topic and subscribing it. Next, we just need to update our IoT Thing to send messages to the SNS topic.

7. Add a Push Notification

Earlier, we created an AWS IoT Thing, configured its security, and created a policy which defines what our device can do when it's connected to AWS IoT Core. Now let's add a rule that tells AWS IoT Core to send a push notification whenever our device publishes a message.

Great! We have now finished configuring AWS to:

The last step is to configure Soracom Beam so that our device can connect to AWS IoT Core.


Configure Soracom Beam

Now that you've made it this far, breathe easy -- configuring Beam is the easiest part! All we need to do is point beam to our AWS IoT Thing endpoint, and provide the X.509 certificate we created earlier.

We'll need the following files handy:

8. Create an Air SIM group

To use Soracom Beam, we need to create a group. Beam settings will apply to all Air devices within the group.

If your device already belongs to a group, you can configure Beam for that group. Open the Group settings page from the User Console by clicking the Menu icon, selecting Groups, and then clicking the name of the group. Then just skip ahead to the next step.

Your Air SIM will automatically be added to this group. You should see your group in the Group column for the Air SIM.

9. Add a Beam Configuration

Let's open the group in order to set up Beam. You can either click the name of the group from the SIM Management page, or from the Groups page.

The certificate will automatically be selected for the Beam configuration.

While we're still on the Beam configuration dialog, let's go ahead and make a note of the Entry point information as well: we need to publish our MQTT message through host beam.soracom.io on port 1883.

Finally, click Save to save the configuration.

We have now finished configuring Beam to use our device credentials to forward MQTT messages from our device to AWS IoT Core, so let's try sending a test message!


Test the connection

Using a Raspberry Pi

To test our application, we need the following:

Turn on the Raspberry Pi and check that it is able to connect to 3G/LTE. Then run mosquitto_pub to publish a message:

mosquitto_pub -d -h beam.soracom.io -t beamtest -m 'Hello, world!'

Here, we're specifying:

We should see the following return:

>Received CONNACK
>Sending PUBLISH (d0, q0, r0, m1, 'beamdemo', ... (12 bytes))

CONNACK lets us know that our device has successfully connected to Beam. From there, Beam will take care of forwarding the message (with encryption!) to AWS IoT Core, and our IoT Core action and SNS subscription will take care of the rest:

AWS IoT

Using Wio 3G/LTE (Arduino)

As the Wio 3G/LTE has a built-in cellular modem, we just need to insert our Air SIM card into the SIM card slot. Then let's test with a simple Arduino program:

#include <WioLTEforArduino.h>
#include <WioLTEClient.h>
#include <PubSubClient.h>

#define APN      "soracom.io"
#define USERNAME "sora"
#define PASSWORD "sora"

WioLTE Wio;
WioLTEClient WioClient(&Wio);
PubSubClient MqttClient;

void setup() {
  delay(200);

  Wio.Init();
  Wio.PowerSupplyLTE(true);

  delay(500);

  Wio.Activate(APN, USERNAME, PASSWORD);

  MqttClient.setServer("beam.soracom.io", 1883);
  MqttClient.setClient("my-wio-device");

  MqttClient.publish("beamtest", "Hello, world!");
}

In our program, we use:

Since our program doesn't contain any output, we won't see any response in a serial console. However, we should still be able to see the AWS SNS notification come through to our email.


Troubleshooting

If messages aren't getting through, we can do some quick troubleshooting:

If things still aren't working, we can further inspect by using a MQTT client, such as MQTT.fx:

Test with the Beam Test Server
  1. Change your Beam configuration to use the Beam test server as the forwarding destination:
    • Host name - beamtest.soracom.io
    • Port number - 8883
  2. Connect to the test server using your MQTT client with the following credentials:
    • Username - beamtest
    • Password - passwd
  3. Subscribe to the beamtest topic from your MQTT client, then publish a message from your device.

If successful, you should see the message appear in your MQTT client.

Test the AWS IoT Core MQTT broker
  1. Update your AWS IoT Core certificate policy to allow iot:Subscribe and iot:Receive actions. This will allow your MQTT client to subscribe to MQTT topics and receive messages.
  2. Connect to your AWS IoT Core Thing interface using your MQTT client with SSL/TLS authentication and the certificate files created earlier.
    • Type - Self-signed certificate
    • CA - the Root CA for AWS IoT certificate file
    • Client Certificate - the ****-.certificate.pem.crt file
    • Client Key - the ****-private.pem.key file
  3. Subscribe to the beamtest topic from your MQTT client, then publish a message from your device.

If successful, you should see the message appear in your MQTT client.


Wrap-up

Since our device's X.509 certificate is stored on the Soracom cloud, we don't need to worry about saving the private keys directly on the device. This will make device configuration easier, especially if we have dozens of devices to setup, and will also reduce the risk of an attacker intercepting our credentials.

On top of that, we can add multiple devices to our Air SIM group, and they will all use the same credentials to connect to AWS IoT Core, removing the need to generate a new set of certificates for every device.

Since Beam takes care of encrypting our data, we can also send data from our device without needing to add encryption libraries or consume additional cellular data.

If we didn't use Beam, we would have to manually hardcode the AWS IoT Core Thing interface on each of our devices, store the required certificates on each device, and perform encryption directly on our device when publishing a message. If any certificate needed to be changed, or if we wanted to use a different Thing interface, we would have to reconfigure each of our devices manually.

Using Beam let's us take care of all of that directly from the User Console.