AWS IoT Core Setup¶

Connect your IoT Toolkit to AWS IoT Core for managed cloud service.

Prerequisites¶

AWS account (free tier eligible)
ESP32 with WiFi
Completed integration testing

Step 1: Create AWS Account¶

Go to aws.amazon.com
Click "Create AWS Account"
Follow registration process
Complete identity verification

Free Tier

AWS IoT Core has a free tier: 250,000 messages/month for first 12 months.

Step 2: Navigate to IoT Core¶

Log in to AWS Console
Search for "IoT Core" in services
Click on AWS IoT Core
Select your region (e.g., us-east-1)

Step 3: Create a Thing¶

3.1 Register Device¶

In IoT Core, go to Manage > Things
Click Create things
Select "Create single thing"
Click Next

3.2 Configure Thing¶

Name: iot-toolkit-001
Type: (optional) Create type "ESP32-Sensor"
Group: (optional) Create group "IoT-Toolkits"
Click Next

3.3 Generate Certificates¶

Select Auto-generate a new certificate
Click Next
Attach policies: Create new policy
Name: IoT-Toolkit-Policy

Policy document:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:*",
      "Resource": "*"
    }
  ]
}

!!! warning "Security Note" This policy allows all actions. For production, restrict to specific topics and actions.

Click Create policy
Select the new policy
Click Create thing

3.4 Download Certificates¶

Download all files: - xxx-certificate.pem.crt → Save as certificate.pem - xxx-private.pem.key → Save as private.key - AmazonRootCA1.pem → Save as ca.crt

Keep Private Key Secure

The private key should never be shared or committed to public repositories.

Step 4: Choose Your Protocol¶

AWS IoT Core supports multiple protocols. Choose the one that best fits your application needs.

Option A: MQTT (Native & Recommended)¶

MQTT is the standard for IoT due to its lightweight nature and bidirectional communication.

1. Upload Certificates¶

Follow the instructions in the Certificates Management section to add your .pem and .key files to your project.

2. ESP32 MQTT Code¶

Modify the integration code to connect via port 8883 (MQTT over TLS):

#include <WiFiClientSecure.h>
#include <PubSubClient.h>
#include "certificates.h"

// WiFi credentials
const char* ssid = "YOUR_WIFI_SSID";
const char* password = "YOUR_WIFI_PASSWORD";

// AWS IoT Core endpoint
const char* mqtt_server = "xxxxxxxxxxxxxx-ats.iot.us-east-1.amazonaws.com";
const int mqtt_port = 8883;
const char* mqtt_client_id = "iot-toolkit-001";

WiFiClientSecure wifiClient;
PubSubClient client(wifiClient);

void setup() {
  Serial.begin(115200);
  wifiClient.setCACert(ca_cert);
  wifiClient.setCertificate(client_cert);
  wifiClient.setPrivateKey(private_key);

  WiFi.begin(ssid, password);
  while (WiFi.status() != WL_CONNECTED) { delay(500); Serial.print("."); }
  client.setServer(mqtt_server, mqtt_port);
}

void reconnect() {
  while (!client.connected()) {
    Serial.print("Connecting to AWS IoT...");
    if (client.connect(mqtt_client_id)) {
      Serial.println("connected");
    } else {
      Serial.print("failed, rc=");
      Serial.println(client.state());
      delay(5000);
    }
  }
}

void loop() {
  if (!client.connected()) reconnect();
  client.loop();
  // Publish sensor data every 10 seconds
  static unsigned long lastMsg = 0;
  if (millis() - lastMsg > 10000) {
    lastMsg = millis();
    client.publish("iot-toolkit/data", "{\"temperature\":25.5}");
  }
}

Reference

For a detailed step-by-step on MQTT connection, see the How2Electronics Guide.

Option B: HTTPS (Native)¶

HTTPS is useful for one-way data publishing (RESTful API). It uses the same certificates for Mutual TLS (mTLS).

Port: 443
Endpoint: https://<YOUR_ENDPOINT>/topics/<TOPIC_NAME>?qos=1
Method: POST

Instructions for HTTPS publish: 1. Ensure your IoT Policy allows iot:Publish. 2. Use WiFiClientSecure with your certificates. 3. Send a POST request with the JSON payload.

Option C: CoAP (via DTLS Server)¶

AWS IoT Core does not natively support CoAP. To use CoAP on AWS, you must host a custom server that acts as a gateway.

Solution: Use the CoAP-DTLS-Server repository.
Requirement: This server must be hosted on an AWS EC2 instance or Fargate container.
Security: DTLS (Datagram Transport Layer Security) is required to maintain the same level of security as MQTT/HTTPS.
Deploy the CoAP-DTLS server on an EC2 instance.
Open UDP port 5684 in your Security Group.
Configure the ESP32 to send CoAP messages to the EC2 public IP.

4.3 Get AWS IoT Endpoint¶

In AWS IoT Core, go to MQTT Test Client
Copy the Endpoint address
Replace xxxxxxxxxxxxxx-ats.iot.us-east-1.amazonaws.com in code

Step 5: Create Rules (Optional)¶

Route data to storage or other services:

Go to Message routing > Rules
Click Create rule
Name: SaveSensorData
SQL statement:
```
SELECT * FROM 'iot-toolkit/data'
```
Actions: Add action
DynamoDB: Store in database
S3: Store as files
Lambda: Process data
CloudWatch: Monitor metrics

Step 6: Test Connection¶

6.1 MQTT Test Client¶

In AWS IoT Core, go to Test > MQTT test client
Subscribe to topic: iot-toolkit/#
Run ESP32 code
Verify messages appear

6.2 Monitor Device¶

Go to Monitor > Things
Select your device
View connection status and metrics

Troubleshooting¶

Connection Failed (-2)¶

Cause: TLS certificate issue

Solutions: - Verify certificates are correct - Check endpoint address - Ensure private key is not corrupted

Connection Failed (-4)¶

Cause: Network timeout

Solutions: - Check WiFi connection - Verify firewall allows port 8883 - Check AWS IoT endpoint is correct

TLS Handshake Failed¶

Cause: Certificate mismatch

Solutions: - Verify CA certificate is AmazonRootCA1.pem - Check device certificate matches private key - Regenerate certificates if needed

Security Best Practices¶

Rotate Certificates: Regularly update device certificates
Least Privilege Policy: Restrict MQTT topic permissions
Enable CloudWatch Logs: Monitor connection attempts
Use Device Shadows: For device state management
Enable Audit: Regular security audits