v3.23.1


Architecture

The AWS IoT Core integration is a serverless deployment that scales automatically as your deployment grows.

[Figure: Default integration architecture]

The key resources deployed in your AWS account are:

  • Cross-account role for The Things Stack to connect to your AWS IoT Core MQTT endpoint
  • AWS Lambda functions to create the thing type and configure the integration as pub/sub in The Things Stack
  • AWS Lambda functions for claiming and creating devices, and for handling uplink and downlink messages
  • Secret with key encryption key (KEK) to leverage LoRaWAN end-to-end encryption
  • IoT Core rules to trigger the Lambda functions based on topics and attributes

This is a serverless deployment: no always-on compute resources are deployed. AWS only charges for usage, which is driven by traffic. The only continuous charges are for the IoT Core connection from The Things Stack to your AWS account. All permissions granted are the minimum the integration needs to function.

End-to-End Encryption

This integration supports true LoRaWAN end-to-end encryption: the application payload is encrypted on the end device with the LoRaWAN AppSKey and decrypted in your AWS account. The underlying network infrastructure only ever handles your application payload in encrypted form; it cannot read your data.

When end-to-end encryption is enabled, this integration configures the Join Server with your key encryption key (KEK), which is generated in your AWS account and stored as a secret in Secrets Manager. The Join Server encrypts the AppSKey with the KEK before passing it to the network layer. The network layer forwards the encrypted AppSKey to your AWS account, where it is decrypted.

Note:
This feature only works with OTAA devices registered in the in-cluster Join Server or The Things Join Server.

When using this feature, your AWS application needs to process the LoRaWAN application payload in binary form, because the network layer's payload formatters (encoding and decoding functions) cannot operate on encrypted data.
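As an added illustration (not code from the page or from The Things Stack), this shows the binary processing the paragraph above describes: decrypting the FRMPayload in your AWS account with the AppSKey, using the application-payload cipher the LoRaWAN 1.0.x specification defines. It assumes the AppSKey has already been unwrapped from its KEK-wrapped form and that DevAddr, frame counter and direction are known from the uplink metadata; all key and payload values are constructed samples.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// DecryptFRMPayload implements the LoRaWAN 1.0.x application-payload cipher
// (spec §4.3.3.1): for each 16-byte block i it builds
//   A_i = 0x01 | 0x00000000 | Dir | DevAddr(LE) | FCnt(LE, 32-bit) | 0x00 | i
// encrypts A_i with AppSKey (AES-128) and XORs the keystream into FRMPayload.
// dir is 0 for uplink, 1 for downlink. XOR makes the function its own inverse,
// so it also encrypts a downlink FRMPayload before it is handed to AWS IoT Core.
func DecryptFRMPayload(appSKey []byte, devAddr, fCnt uint32, dir byte, frmPayload []byte) ([]byte, error) {
	if len(appSKey) != 16 {
		return nil, fmt.Errorf("AppSKey must be 16 bytes, got %d", len(appSKey))
	}
	block, err := aes.NewCipher(appSKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(frmPayload))
	a, s := make([]byte, 16), make([]byte, 16) // bytes 1-4 and 14 stay zero
	for i := 0; i*16 < len(frmPayload); i++ {
		a[0], a[5] = 0x01, dir
		binary.LittleEndian.PutUint32(a[6:10], devAddr)
		binary.LittleEndian.PutUint32(a[10:14], fCnt)
		a[15] = byte(i + 1) // block counter starts at 1
		block.Encrypt(s, a)
		for j := 0; j < 16 && i*16+j < len(frmPayload); j++ {
			out[i*16+j] = frmPayload[i*16+j] ^ s[j]
		}
	}
	return out, nil
}

func main() {
	// Constructed sample values (not real device keys): a throwaway AppSKey,
	// DevAddr, uplink counter 42 and a 20-byte encrypted FRMPayload.
	appSKey, _ := hex.DecodeString("2b7e151628aed2a6abf7158809cf4f3c")
	frm, _ := hex.DecodeString("0102030405060708090a0b0c0d0e0f1011121314")
	plain, err := DecryptFRMPayload(appSKey, 0x260B1234, 42, 0, frm)
	if err != nil {
		panic(err)
	}
	fmt.Printf("decrypted FRMPayload: %x\n", plain)
}
```

Because the cipher is a keystream XOR, the frame counter is part of the keystream input; decrypting with a stale or wrong FCnt yields garbage rather than an error, so a consumer should check the counter from the uplink metadata rather than guessing it.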

Note:
When the End-to-End Encryption option is enabled on AWS, the Skip Payload Crypto option is enabled at the application level in The Things Stack. In this case, scheduling downlink messages from The Things Stack is restricted and can only be done from AWS. Downlink scheduling through the Console and CLI is not supported.


Last changed by Johan Stokking on 23 Feb 2022.
Update AWS IoT Core to new console (#784)
