The Internet of Things on AWS – Official Blog

Using Dynamic Thing Groups to Continuously Update Software on Devices

When managing Internet of Things (IoT) devices, it can be challenging to maintain or improve device functionality through upgrades to device software and configuration. The complexity is due to a number of factors: the number of devices, multiple versions of the devices, different software versions based on device attributes and state, inability to discover and keep inventory of all devices, auditing, and reliability requirements. Consider typical use cases like upgrading the software on all devices to match the same version or patching all devices with a potential software vulnerability.

In this blog post, we look at existing solutions and limitations and then show how AWS IoT Device Management, specifically dynamic thing groups and continuous jobs, can be used to automate software updates on devices that meet certain criteria.

Existing solution and limitations

When a security vulnerability is discovered in a software version of devices, to mitigate the vulnerability, all of the connected devices should be upgraded to a newer software version. Device manufacturers need to be able to see how many devices are being upgraded and how many are pending an upgrade.

A common solution is to use a scheduler job that periodically scans a device repository to identify which devices need upgrades. After those devices are identified, a job can be set up to update the devices. The limitations with this approach are additional costs associated with running these search queries, building logic to filter out devices that were processed in a previous run, and delays in upgrading the devices (they are upgraded only after scheduler jobs are run).

Solution using dynamic thing groups and continuous jobs

Dynamic thing groups are a special type of thing group whose membership is defined by a fleet indexing search query. Things are added automatically to the group as they satisfy the membership condition specified by the query. Similarly, things are removed from the group when they fall out of the condition. Instead of periodically running queries, you can use dynamic thing groups to identify devices that meet certain criteria.


For example, we want to find all devices that are connected to AWS IoT services that have a particular software version and then perform software updates on these devices. First, we create a dynamic thing group. Then we attach this group as a target for continuous jobs, a feature that will perform the software patches.

Creating a dynamic thing group

Before we create a dynamic thing group, make sure AWS IoT fleet indexing is turned on.

$ aws iot update-indexing-configuration \
--thing-indexing-configuration thingIndexingMode=REGISTRY,thingConnectivityIndexingMode=STATUS

Now let’s create the dynamic thing group to find all things that are connected and are running software version 5. In this example, the software version is stored as a thing attribute.

$ aws iot create-dynamic-thing-group \
--thing-group-name onlineAndVersion5Devices \
--query-string "connectivity.connected:true AND attributes.softwareVersion:5" \
--thing-group-properties thingGroupDescription="Group for devices that are connected and on version 5"

The dynamic thing group now goes into BUILDING state as things that match the group’s query condition are added to the group. After all matching things have been added to the group, the group’s status transitions to the ACTIVE state.

$ aws iot describe-thing-group \
--thing-group-name onlineAndVersion5Devices

{
    "thingGroupName": "onlineAndVersion5Devices",
    "thingGroupArn": "arn:aws:iot:<AWS_REGION>:<AWS_ACCOUNT_ID>:thinggroup/onlineAndVersion5Devices",
    "version": 1,
    "thingGroupMetadata": {
        "creationDate": 1540772228.753
    },
    "thingGroupProperties": {
        "thingGroupDescription": "Group for devices that are connected and on version 5"
    },
    "thingGroupId": "d2a5b68b-dxe5-4z93-8c76-f64e69bsdad9",
    "queryString": "connectivity.connected:true AND attributes.softwareVersion:5",
    "queryVersion": "2017-09-30",
    "status": "ACTIVE",
    "indexName": "AWS_Things",
}

Testing the dynamic thing group

So far, no things have been added to the group.

$ aws iot list-things-in-thing-group \
--thing-group-name onlineAndVersion5Devices

{
    "things": []
}


To test this, let’s first create a thing with the softwareVersion property.

$ aws iot create-thing \
--thing-name device1 \
--attribute-payload "{\"attributes\": {\"softwareVersion\": \"5\"}}"

Next, let’s connect it to AWS IoT. Open the AWS IoT console and in the navigation pane, choose Test. If you are automatically connected with an auto-generated client ID, choose Disconnect. We need to connect using the name of the thing we just created, device1, as the client ID.


Now, we can specify the client ID and connect to AWS IoT.


device1 meets the criteria of the dynamic thing group and has been added to the group.

$ aws iot list-things-in-thing-group \
--thing-group-name onlineAndVersion5Devices

{
    "things": [
        "device1"
    ]
}

Finally, we can create a continuous job that specifies this dynamic thing group as a target to perform the software upgrade. All devices that meet the criteria of the dynamic thing group become members of the group and receive software upgrades.

Wrapping up

Using dynamic thing groups, you can simplify and automate tasks like device discovery and categorization, and then trigger actions on newly added devices to groups. You can also use dynamic thing groups with the following AWS IoT features:

  • Each time a device is added to or removed from a dynamic thing group, a notification is sent to an MQTT topic. You can then configure AWS IoT rules on these topics and take powerful actions, such as writing to Amazon DynamoDB, invoking an AWS Lambda function, or sending a notification to Amazon SNS.
  • You can define a security profile on a dynamic thing group. Devices that become of a member of the group are audited by the security profile defined on the group.
  • You can specify a log level on a dynamic thing group. This is useful if you only want to see logs for devices that meet certain criteria. For more information about fine-grained logging, see the AWS IoT Developer Guide.

Although the examples here are a start, there is much more that AWS IoT Device Management offers to onboard, organize, monitor, and remotely manage connected devices at scale.

Learn more

AWS IoT Device Management
https://aws.amazon.com/iot-device-management
AWS IoT Device Management Features
https://aws.amazon.com/iot-device-management/features/
AWS IoT Device Provisioning
http://docs.aws.amazon.com/iot/latest/developerguide/iot-provision.html