Introduction

For Internet of Things (IoT) solutions, it is critical you monitor the performance of connected devices, detect abnormal behavior, and respond quickly when devices are compromised. AWS IoT Device Defender provides the capability to collect metrics from your connected devices and cloud infrastructure, and detect deviations from the expected device behavior. Before, to have these metrics added into your data lake for further analysis, you needed to make changes to device firmware and publish the metrics to additional MQTT topics, which could impact your development time and costs, especially when managing it at scale. The new metric export feature of AWS IoT Device Defender provides a convenient and cost-effective way for you to export the device metrics from AWS IoT Device Defender to your data lake. With metric export capability, you can now export metrics with a simple configuration change without needing to make any changes to your device firmware. This capability applies to new workloads as well as to existing workloads.

Paytm, one of the largest payment gateways in India, manages and processes financial transactions for millions of consumers and merchants. Among its most popular IoT solutions are soundbox devices, which provide audio confirmations for merchants accepting payments from Paytm QR codes. Paytm’s QR code service lets enterprises accept contactless in-store payments through the Paytm app. Soundbox comes with an activated 4G cellular SIM card and 50-60 hours of battery backup, so that small merchants, such as street food vendors don’t need to worry about a hardline internet connection. Paytm devices report these metrics to AWS IoT Device Defender which enables Paytm to keep an eye on operational health of soundbox devices.

Exporting metrics from AWS IoT Device Defender

AWS IoT Device Defender is a key service used in connected product solutions. AWS IoT Device Defender detects anomalous behavior of devices in near real time by collecting metrics from the cloud and from the device and by comparing the reported metric values against the configured expected values. These metrics can be collected from two sources: cloud-side metrics, such as the number of authorization failures, or the number or size of messages a device sends or receives through AWS IoT Core and device-side metrics, such as the ports a device is listening on, the number of bytes or packets sent, or the device’s TCP connections. You can also define custom metrics that are unique to your fleet, such as number of devices connected to wi-fi gateways, charge levels for batteries, or number of power cycles for smart plugs. You can use the metric export feature to export the cloud-side, device-side, and custom metrics. As part of the security profile definition, you can specify the metrics to export and the destination MQTT topic. AWS IoT Device Defender batches the data points and publishes them to the MQTT topic configured in the security profile, thus optimizing the cost of export. There are two options for you to export the metrics:

Export through IoT Core Rules Engine

You can use the capabilities of AWS IoT Core Rules Engine to route the exported metric to the destination of your choice. This option allows you to leverage the Basic Ingest mechanism of AWS IoT Core to reduce the cost of exporting data. The following diagram depicts a reference architecture for this option. In this option, you configure AWS IoT Device Defender to export metric on a Basic Ingest topic and define a rule in AWS IoT Core Rules Engine to route data to the destination of your choice (for example to Amazon Simple Storage Service (Amazon S3) bucket through Amazon Kinesis Data Firehose).

Figure 1: AWS IoT Device Defender metric export using AWS IoT Core Rules Engine

Export through MQTT subscriptions

In this option, you can configure AWS IoT Device Defender to export data to a MQTT topic and consume the data by subscribing to that MQTT topic using AWS IoT Core. The following diagram depicts a reference architecture where you configure AWS IoT Device Defender to export the metric on an MQTT topic. You run an MQTT client (for example, in a container on Amazon Elastic Container Service) that subscribes to the same MQTT topic. Whenever AWS IoT Device Defender publishes the data, the MQTT client receives it and processes it.

Figure2: AWS IoT Device Defender metric export using AWS IoT Core MQTT Broker

Next, you will build a solution to export metrics from AWS IoT Device Defender as depicted in Figure 1 above.

Prerequisites

1. An AWS account with access and permission to perform actions on AWS IoT Core, AWS IoT Device Defender, Amazon Kinesis Data Firehose, and Amazon S3.
2. AWS Identity and Access management (IAM) permissions to create and assign roles in AWS IoT Core.
3. Access to AWS CloudShell and basic knowledge of Linux and AWS Command Line Interface (AWS CLI).

Walkthrough

In the steps below, you will build a pipeline to export to Amazon S3 a few cloud-side metrics and a custom AWS IoT Device Defender metric using the metric export feature. You will use the Basic Ingest mechanism to export AWS IoT Device Defender metrics to Amazon S3 via Kinesis Data Firehose.

Initial setup and config

In this step you will create a thing in IoT Core and will use an MQTT simulator to publish custom metric for this thing every 5 minutes. You will use AWS CloudShell for creating the initial setup and run the MQTT client.

1. Login to AWS console and open CloudShell
2. Clone the git repository to download scripts and code used in this build-out

$ git clone https://github.com/aws-samples/aws-iot-device-defender-metric-export.git

3. Execute ‘createThing.sh’ to create a Thing with thing id ‘dd-export-test’ in AWS IoT Core and a destination bucket in Amazon S3

$ cd aws-iot-device-defender-metric-export

$ bash ./createResources.sh dd-export-test

Create AWS IoT Device Defender custom metric

Next, you will create a custom metric to collect and evaluate the cellular network strength (RSSI) as observed by the devices.

1. Go to AWS IoT Core, navigate to the left side menu, select Security→ Detect→ Metrics and choose Create
2. On the Create custom metric panel, fill in the values as below and choose Create Custom Metric
   • Name – mobilerssi
   • Display Name – Cellular Network Strength
   • Type – number

Create AWS IoT Device Defender security profile

Next, you will create a security profile which defines what is considered an anomalous behavior. You can combine AWS IoT Device Defender metrics, custom metrics, and dimensions in order to create a suitable detection model based on your use case. In the example below, we will utilize two cloud-side metrics (message size and message received) and the custom metric for cellular network strength. To learn more about how metrics can be combined effectively, read the security use cases segment in the documentation.

1. In AWS IoT Core, navigate to the left side menu, select Security→ Detect→ Security Profiles
2. Choose Create Security Profile and select Create Rule-based anomaly Detect profile
3. In the Specify security profile properties panel, fill in the values as below and choose Next
   • Name – Monitor_RSSI
   • Target – A target group, you can select a group or multiple, in this example you will be targeting dd-metric-export-group.
4. In the Configure metric behaviors menu, do the following:
   • Under Cloud-side metrics, search and select Message Size and select Don’t send an alert (retain metric) option
   • Choose the Add Metric button and repeat the above steps for Messages Received and Cellular Network Strength metric
   • Choose Next
5. Populate the Metric export configuration panel on the Export Metrics screen as follows and choose Next:
   • Export Metrics : select Enable export of metrics
   • Topic : $aws/rules/dd_export_firehose/ddmetric/cellular
   • IAM Role: choose Create new role and follow the steps on the screen popped up
   • Select Metrics: select Message Size, Messages Received and Cellular Network Strength from the list provided
6. Leave the SNS Configuration blank on Set notification panel and choose Next
7. Choose Next, review your configuration and choose Create.

The following figure is an example of what your metric behavior configuration will look like.

Create an AWS IoT Core rule

In this section, you will define a rule in AWS IoT Core Rules Engine to forward the data received on the Basic Ingest topic $aws/rules/dd_export_firehose/ddmetric/cellular to a Kinesis Data Firehose data stream.

1. Go to AWS IoT Core, navigate to the left side menu, select Message routing→ Rules, and choose Create rule 
2. On the Rule properties panel, specify Rule Name as dd_export_firehose and choose Next
3. On Configure SQL statement page specify the following SQL statement and choose Next

SELECT * FROM 'ddmetric/#'

4. On the Attach rule actions screen, Rule action panel
   • Select Action 1 as Kinesis Firehose stream
   • Choose Create Firehose stream. This will open Create delivery stream page in a new window
     • On Choose source and destination panel
       
       • For Source select Direct Put
       • For Destination, select Amazon S3
     • On Delivery stream name panel
       • In field Delivery stream name, fill dd-metric-export-stream
     • On Destination settings panel
       • Under Destination Settings, browse and select <Account_id>.dd.metric.export S3 bucket
       • Leave everything else as default
     • Chose Create Delivery stream and wait till stream creating completes. Verify that the value of Status field changes from creating to active
     • Go back to the previous window (Attach rule actions)
       
   • Select dd-metric-export-stream from the Kinesis Firehose stream dropdown. If you do not see the newly created stream in the dropdown, refresh the entries by selecting refresh button next to the dropdown
   • Leave Separator and Batch mode unchanged
   • IAM Role: click on Create new role and follow the steps on the screen popped up
   • Select Next
   • Review the configuration and select Create

Publish a custom metric and verify the data export

Next, you will run a device simulator to test the pipeline created.

1. Go to the AWS CloudShell prompt and execute following script. This will run an MQTT client and will publish an AWS IoT Device Defender custom metric report for Mobile RSSI every 5 mins

$ bash ./publishMetric.sh

2. Let the script run for more than 15 mins (Kinesis Firehose configuration buffers the data for 15 mins).
3. Go to <Account_id>.dd.metric.export bucket in Amazon S3 and verify the exported data.

Cleaning up

In order to avoid incurring costs after completing the exploration, do the following:

1. Stop the MQTT client by pressing Ctrl+C on the terminal running sh
2. Run sh script to cleanup AWS IoT Core thing resources

$ bash ./cleanupResources.sh

3. Delete the security profile created in AWS IoT Device Defender
4. Delete the customer metric created in AWS IoT Device Defender
5. Delete the rule created in AWS IoT Core
6. Delete the Kinesis Data Firehose stream created
7. Delete the Amazon S3 bucket created

Conclusion

In this post, you learned how to use the new AWS IoT Device Defender metric export capability. You learned how to configure the export of metrics from AWS IoT Device Defender to the downstream service or to the storage of your choice and learned the configuration options to optimize the cost of export. You can further explore the fan-out capabilities of AWS IoT Core Rules Engine if you wish to send the exported metric to multiple destinations.

To learn more, visit the AWS IoT Core site or login to the console to get started. We look forward to your feedback and questions.

Author bio