Welcome again to Getting Started with AWS IoT remote access and IoT device management. My name is Greg Brain and I’m an IoT Specialist Solutions Architect with AWS.
In this article, we’ll cover secure tunneling, a feature of AWS IoT Device Management. When devices are deployed behind firewalls at remote sites, you often need a way to gain access to those devices for troubleshooting, configuration updates and other operational tasks.
Secure tunneling helps customers establish bi-directional communication to IoT remote devices over a secure connection that is managed by AWS IoT. Secure tunneling does not require updates to your existing inbound firewall rules, so you can maintain your existing security level.
In this article, I’ll present a demonstration of one particular use case of secure tunneling, namely an SSH connection to a Raspberry Pi.
The prerequisites shown here are for this particular demo, not for the secure tunneling feature more generally. First, you need a Linux-based device to use as your IoT thing; a Raspberry Pi or a Linux PC is sufficient for the demo. Next, the device must have an SSH daemon running. If you wanted, for example, to use secure tunneling to access FTP, you would of course need an FTP server running, and likewise for any other service.
Your firewall must allow the device to make outbound connections on port 443, and you need to have created a corresponding IoT thing in the AWS IoT registry and saved its keys and certificates.
To use secure tunneling, your device needs to run the AWS IoT secure tunneling local proxy. For this demo, I’ll be using the AWS IoT Device Client. It’s an IoT reference implementation that includes support for secure tunneling and has the AWS IoT secure tunneling local proxy baked in. The AWS IoT Device Client simply makes it easy to get started with several AWS IoT Device Management and AWS IoT Device Defender features, but it’s not required for using the secure tunneling feature in general. Nonetheless, to follow the demo, you’ll need to have downloaded the AWS IoT Device Client source code from GitHub, built it for your device, and configured it with the appropriate thing name, certificates and private key.
The GitHub repository is linked below. Finally, you need to have downloaded the AWS IoT secure tunneling local proxy source code from GitHub and built it for your operator machine; that repository is also linked below. Before we get started with the demo, let’s review how secure tunneling works. On the left, you’ll see a remote device or thing, which is considered the destination of the tunnel. In the middle, you have the AWS cloud with AWS IoT Core and AWS IoT Device Management. And on the right, you have the operator who wants to execute a remote SSH session into the IoT thing.
The operator machine is considered the source of the tunnel. The local proxy command-line utility has been compiled and installed on the source, the operator machine. Additionally, in the case of our demo, the AWS IoT Device Client has been compiled and installed on the destination. The device client includes the local proxy and the AWS IoT Device SDK for C++. The device client connects to IoT Core and subscribes to the reserved topic for secure tunneling notifications. This notification is an optional feature that provides a convenient way of getting the access token to the destination’s local proxy. If you have an out-of-band way of delivering that token to your device, then your device doesn’t need to connect to IoT Core or use this notification just to create a secure tunnel. First, the operator issues an open tunnel command to AWS IoT Device Management. This publishes a notification message through AWS IoT Core. The notification is received on the reserved topic that the thing is subscribed to. This notification message includes the destination access token.
See developer documentation at – https://amzn.to/33agg8t
See the AWS IoT Device Client GitHub repository at – https://bit.ly/33dNeF5
See the Secure Tunneling local proxy GitHub repository at – https://bit.ly/33fH7QE
The AWS IoT Device Client uses the destination access token to initialize its embedded local proxy. This initializes the local proxy in destination mode and connects the destination side of the tunnel. The operator downloads the source access token that was issued by the AWS console when the tunnel was opened.
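To make the destination-side flow concrete, here is an added example (my own code, not the AWS IoT Device Client’s) of what a device would do when a tunnel notification arrives on the reserved topic: validate the message, map the requested service to a local port, and launch the local proxy in destination mode with the token passed through the AWSIOT_TUNNEL_ACCESS_TOKEN environment variable rather than on the command line. The sample notification is constructed; the HTTP entry and the multiplexed `-d SSH=22,HTTP=80` form for multi-service tunnels are assumptions beyond the SSH-only demo.

```python
import json
import os
import subprocess

# Service names a tunnel may carry, mapped to the local daemon port.
# The demo uses SSH only; HTTP is a constructed extra entry.
SERVICE_PORTS = {"SSH": 22, "HTTP": 80}


def notify_topic(thing_name: str) -> str:
    """Reserved topic the device subscribes to for tunnel notifications."""
    return f"$aws/things/{thing_name}/tunnels/notify"


def parse_notification(payload: bytes) -> dict:
    """Validate a tunnel notification and return region, token and services.

    Raises ValueError for anything that must not start a local proxy:
    wrong client mode, missing token, or a service we do not expose.
    """
    msg = json.loads(payload)
    if msg.get("clientMode") != "destination":
        raise ValueError("notification is not for the destination side")
    token = msg.get("clientAccessToken")
    if not token:
        raise ValueError("notification carries no access token")
    services = msg.get("services") or []
    unknown = [s for s in services if s not in SERVICE_PORTS]
    if unknown or not services:
        raise ValueError(f"unsupported services: {unknown or services}")
    return {"region": msg["region"], "token": token, "services": services}


def localproxy_argv(region: str, services: list) -> list:
    """Build the destination-mode local proxy command line.

    One service: -d localhost:22. Several services on one tunnel use the
    multiplexed form -d SSH=22,HTTP=80 (assumed localproxy v2+ syntax).
    """
    if len(services) == 1:
        dest = f"localhost:{SERVICE_PORTS[services[0]]}"
    else:
        dest = ",".join(f"{s}={SERVICE_PORTS[s]}" for s in services)
    return ["localproxy", "-r", region, "-d", dest]


def start_destination_proxy(payload: bytes, run=subprocess.Popen):
    """Launch the proxy with the token in the environment, not in argv,
    so the credential is not visible in the process list."""
    info = parse_notification(payload)
    env = dict(os.environ, AWSIOT_TUNNEL_ACCESS_TOKEN=info["token"])
    return run(localproxy_argv(info["region"], info["services"]), env=env)


# Constructed sample notification shaped like the one received on the
# reserved topic; the token value is a placeholder.
SAMPLE = json.dumps({"clientAccessToken": "DESTINATION-TOKEN-PLACEHOLDER",
                     "clientMode": "destination", "region": "us-east-1",
                     "services": ["SSH"]}).encode()

if __name__ == "__main__":
    # Dry run: print the command instead of launching the real local proxy.
    start_destination_proxy(SAMPLE, run=lambda argv, env: print(argv))
```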
Next, the operator uses that source access token to initialize the local proxy in source mode, and the source side of the tunnel is connected. With both sides of the tunnel connected, the operator can open the SSH session via the local proxy. Now I’ll show you how this works in the console. First, I’ll run the device client on my Raspberry Pi. The device client is up and running and has subscribed to the reserved topic for tunnel notifications. After you’ve logged into the management console, navigate to IoT Core, then Device Management and Tunnels. Next, create a tunnel. Give it a description. Enter the service to be used, in this case SSH. Notice the Add new service button: you can in fact use multiple services on the one tunnel. Select your thing, in my case a Raspberry Pi 4. Finally, enter a timeout. This is the duration the tunnel will be maintained before it is automatically disconnected. We’ll use 30 minutes, skip the resource tags, create the tunnel, and download the access token for the source.
This will be used by the local proxy on your operator machine shortly. Returning to the device client output, we can observe that it received an MQTT tunnel notification and that the destination connection of the tunnel was established. If we click through to the new tunnel in the AWS console, we can see that it’s open and that the destination is connected. Open a pair of terminal sessions on your machine, one for the local proxy and one for your SSH client. Notice the local proxy command-line options: the AWS region in which the secure tunnel is located, the port on which the local proxy will listen for incoming connections, and finally the source access token.
Now that the local proxy is running, we can refresh the AWS console and see that the secure tunnel has formed a connection on the source side. Next, in my right-hand terminal session, we’ll initialize the SSH session. We need to connect to the local proxy on port 5555, the port on which it’s listening. The username is a user on your IoT device, in this case my Raspberry Pi and its default user, pi. Now that I’ve established my SSH session, I can securely troubleshoot, apply configuration updates or perform a number of other operational tasks. I’m also free to disconnect and reconnect multiple times within the one open tunnel session. When you’re done, exit your SSH session, then return to the AWS console to close or delete your tunnel.
So again, in this Getting Started demo, we walked through how to open a tunnel in the AWS Management Console, initiate the tunnel using the local proxy and access token, connect both the destination and the source sides of the secure tunnel, and then initiate the SSH session via the local proxy. To learn more, visit the AWS IoT Device Management web page and explore the secure tunneling developer documentation for a deeper dive on concepts and more advanced capabilities.