Guidance for Monitoring Livestock Health and Quality of Life on AWS
Overview
How it works
The architecture diagram for this Guidance (not reproduced here) shows the key components and their interactions, giving a step-by-step overview of the architecture's structure and functionality.
Well-Architected Pillars
The architecture diagram above is an example of a Solution created with Well-Architected best practices in mind. To be fully Well-Architected, you should follow as many Well-Architected best practices as possible.
This Guidance recommends using Amazon CloudWatch for each AWS service and configuring alarms and event notifications through Amazon Simple Notification Service (Amazon SNS) to increase operational efficiency. You can also create AWS IoT rules that report devices experiencing issues to CloudWatch. CloudWatch Logs let you understand system performance and observe whether end-user consumption of the dashboards is meeting business goals. You can script this reference architecture with AWS CloudFormation, add it to your own development pipeline, and deploy it in your cloud environment. This Guidance also uses AWS CodePipeline to deploy changes to Amazon ECS and Lambda.
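The following CloudFormation template is an added example of the IoT-rule-to-CloudWatch-to-SNS path described above; it is not part of the Guidance's own deployment assets. It assumes collars publish JSON telemetry with a `batteryPct` field on `livestock/<thingName>/telemetry`; the metric namespace, metric name and alarm threshold are likewise assumptions.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example, not part of the Guidance: an AWS IoT rule that turns collar
  telemetry into a CloudWatch metric, and an alarm that notifies an SNS topic
  when battery level drops or the fleet goes silent. Topic layout, metric
  names and thresholds are assumptions.

Resources:
  AlertTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: livestock-device-alerts

  # Role the rules engine assumes; scoped to PutMetricData in one namespace.
  RuleRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: iot.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: put-collar-metrics
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: cloudwatch:PutMetricData
                Resource: '*'
                Condition:
                  StringEquals:
                    cloudwatch:namespace: Livestock/Collars

  # Every message on livestock/<thingName>/telemetry becomes one metric sample.
  # ${batteryPct} and ${timestamp()} are IoT rule substitution templates,
  # not CloudFormation Fn::Sub references (no !Sub is used on these lines).
  TelemetryToMetricRule:
    Type: AWS::IoT::TopicRule
    Properties:
      RuleName: livestock_telemetry_to_cloudwatch
      TopicRulePayload:
        AwsIotSqlVersion: '2016-03-23'
        Sql: SELECT batteryPct FROM 'livestock/+/telemetry'
        RuleDisabled: false
        Actions:
          - CloudwatchMetric:
              RoleArn: !GetAtt RuleRole.Arn
              MetricNamespace: Livestock/Collars
              MetricName: BatteryPercent
              MetricUnit: Percent
              MetricValue: ${batteryPct}
              MetricTimestamp: ${timestamp()}

  # Page the operators when the lowest reported battery stays under 15 percent
  # for three 5-minute periods. TreatMissingData: breaching also fires when no
  # collar has reported at all, so a silent fleet is not mistaken for a
  # healthy one.
  LowBatteryAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: livestock-collar-low-battery
      Namespace: Livestock/Collars
      MetricName: BatteryPercent
      Statistic: Minimum
      Period: 300
      EvaluationPeriods: 3
      Threshold: 15
      ComparisonOperator: LessThanThreshold
      TreatMissingData: breaching
      AlarmActions:
        - !Ref AlertTopic
```

The CloudWatch metric rule action does not carry dimensions, so this alarm reports on the fleet rather than on an individual collar; per-device alarms would need a Lambda action that calls PutMetricData with a thing-name dimension. Subscribe an email address or pager endpoint to the SNS topic after deployment.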
This Guidance uses only serverless and managed services to reduce your security maintenance tasks. For example, it uses AWS Identity and Access Management (IAM) policies together with AWS IoT Core policies to manage permissions and authorization for AWS IoT Core devices, and it authenticates message queuing telemetry transport (MQTT) clients to AWS IoT Core (typically with a per-device X.509 certificate). The AWS IoT message broker encrypts all communications in transit. AWS IoT Core also lets you manage device security and certificates and publish alerts if a device exhibits certain behaviors. You should follow best practices when setting access requirements using IAM, including least-privilege access, password and key rotation, service control policies, and automated alerting. You should also put OAuth 2.0 or similar authentication in front of the dashboard services, for example with Amazon Cognito.
This Guidance relies on the network isolation of managed services and offers firewall options to control network access. Each AWS service encrypts its data at rest, and AWS encrypts all data in transit between services. Traffic into AWS is encrypted with TLS using a certificate from AWS Certificate Manager (ACM), and the Application Load Balancer uses a TLS 1.2 listener policy. This Guidance also protects data in the data lake with SSE-S3 encryption and exposes dashboards and data APIs instead of giving users direct access to the data stores.
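The following CloudFormation template is an added example covering the two preceding paragraphs (least-privilege device authorization in AWS IoT Core, and SSE-S3 plus TLS-only access for the data lake); it is not code from the Guidance. It assumes the MQTT client ID of each collar equals its registered thing name and that the topic layout is `livestock/<thingName>/telemetry` and `livestock/<thingName>/commands`; the weak policy is included only for contrast and should not be attached to any certificate.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example, not part of the Guidance: an over-broad AWS IoT Core policy
  next to a least-privilege one that confines each collar to its own client
  ID and topic branch, plus an S3 data-lake bucket with SSE-S3 and a bucket
  policy that rejects non-TLS requests. Topic layout and the rule that the
  MQTT client ID equals the thing name are assumptions.

Resources:
  # Weak: any device holding any registered certificate may connect under
  # any client ID and publish or subscribe to every topic in the account.
  CollarPolicyWeak:
    Type: AWS::IoT::Policy
    Properties:
      PolicyName: collar-policy-weak
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: iot:*
            Resource: '*'

  # Hardened: the certificate must be attached to a registered thing, the
  # client ID must equal that thing's name, and the device may only publish
  # its own telemetry and subscribe to its own command topic.
  # ${!iot:...} is Fn::Sub's escape, so the deployed policy contains the
  # literal IoT policy variable ${iot:Connection.Thing.ThingName}.
  CollarPolicyLeastPrivilege:
    Type: AWS::IoT::Policy
    Properties:
      PolicyName: collar-policy-least-privilege
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: iot:Connect
            Resource: !Sub arn:aws:iot:${AWS::Region}:${AWS::AccountId}:client/${!iot:Connection.Thing.ThingName}
            Condition:
              Bool:
                iot:Connection.Thing.IsAttached: 'true'
          - Effect: Allow
            Action: iot:Publish
            Resource: !Sub arn:aws:iot:${AWS::Region}:${AWS::AccountId}:topic/livestock/${!iot:Connection.Thing.ThingName}/telemetry
          - Effect: Allow
            Action: iot:Subscribe
            Resource: !Sub arn:aws:iot:${AWS::Region}:${AWS::AccountId}:topicfilter/livestock/${!iot:Connection.Thing.ThingName}/commands
          - Effect: Allow
            Action: iot:Receive
            Resource: !Sub arn:aws:iot:${AWS::Region}:${AWS::AccountId}:topic/livestock/${!iot:Connection.Thing.ThingName}/commands

  # Data lake: SSE-S3 (AES256) by default, no public access.
  TelemetryLakeBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  # Deny every request that is not over TLS, so encryption in transit does
  # not depend on each client remembering to use https.
  TelemetryLakeBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref TelemetryLakeBucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: DenyInsecureTransport
            Effect: Deny
            Principal: '*'
            Action: s3:*
            Resource:
              - !GetAtt TelemetryLakeBucket.Arn
              - !Sub ${TelemetryLakeBucket.Arn}/*
            Condition:
              Bool:
                aws:SecureTransport: 'false'
```

With the hardened policy, a collar whose certificate is stolen can still only impersonate that one collar: it cannot connect as another thing, read other animals' telemetry, or inject commands to other devices, which keeps the blast radius of a lost device to the device itself. Attach the policy to each device certificate at provisioning time; the `IsAttached` condition then rejects certificates that were issued but never registered as a thing.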
This Guidance incorporates managed services with availability design goals of at least 99.9 percent. AWS IoT Core and the MQTT protocol were built for resilience, and the AWS IoT Device Software Development Kits (SDKs) have built-in resilience features: they reconnect automatically after disconnects the client did not initiate and queue plain MQTT operations for delivery when the network fails. AWS IoT Core stores information about IoT devices, CA certificates, device certificates, and device shadow data and automatically replicates it across Availability Zones, so a hardware or network failure in one zone does not lose it. AWS IoT Greengrass syncs local device shadow state with the AWS IoT Device Shadow service in AWS IoT Core, so an app running on an edge device can still work with its shadows while the device is offline. The AWS IoT Greengrass stream manager batches data feeds during a network failure and forwards them automatically when connectivity is restored. Additionally, all compute in this Guidance is stateless and relies on data stores purpose-built to persist system state.
This Guidance uses services chosen for low latency, high availability, resilience, removal of undifferentiated heavy lifting, and efficiency. For data ingestion, it uses Amazon Kinesis, which scales to hundreds of thousands of devices and millions of messages per month. For processing compute, it uses Lambda, which scales alongside the serverless ingestion and data services. Amazon ECS provides steady-state capacity, high availability, and quick responsiveness. This Guidance scales its serverless and managed services and components up and down as needed. It can handle 100,000 messages per minute from devices and over one billion messages stored in DynamoDB.
You can configure this Guidance to meet your needs: for example, the Lambda functions, AWS IoT rules, CloudWatch alerts, alarm thresholds, configurations, and logs. You can also experiment to pick the right data store for your workload, and AWS CodePipeline lets you change the Amazon ECS and Lambda parts of the architecture.
This Guidance uses serverless infrastructure to avoid overprovisioning resources, and it uses managed services to relieve your management burden, helping you save on operational costs. Serverless architectures provide a pay-as-you-go pricing model and scale based on demand. You can also optimize costs per service. For example, you can cache dashboard responses in Amazon CloudFront or tier data in Amazon S3 and DynamoDB based on access patterns. Kinesis Data Streams and DynamoDB let you choose between on-demand and provisioned capacity (with auto scaling), and you can throttle abusive clients with AWS WAF rate-based rules. This Guidance does not anticipate any inter-Region data transfer charges. For OpenSearch Service, choose the instance type that fits your workload and manage storage to reduce costs. You can also use Compute Savings Plans to optimize compute costs.
You can select from IoT device partners in AWS Marketplace that fit your technical and financial needs, or, if you manufacture your own IoT hardware, you can directly control connectivity costs using AWS IoT. AWS IoT Core lets you filter for the important equipment data and uses the MQTT protocol to transfer it to AWS efficiently, minimizing repetitive data. This Guidance also recommends AWS Budgets and Amazon Data Lifecycle Manager policies to reduce unnecessary costs, and Cloud Intelligence Dashboards for comprehensive cost management.
This Guidance uses managed services that are serverless where possible and that scale up and down with demand, minimizing the environmental impact of the backend services. It also minimizes redundant data sent from IoT devices to AWS IoT Core and stores each record once in DynamoDB, reducing data movement across the network.