This system leverages the following AWS services to achieve a robust and scalable design:

  • AWS Lambda
  • API Gateway
  • AWS Parameter Store
  • AWS Cognito
  • AWS IoT Suite

Architecture Diagram

The following diagram shows the basic data flow and system design:

graph TD;
  cog(AWS Cognito) --> |login| api
  api(API Gateway) --> |store customer tesla token| param[AWS Parameter Store]
  B[AWS Lambda function] --> |query batt SOC| api1[Tesla API]
  B[AWS Lambda function] --> |wake heat unlock charger| api1[Tesla API]
  B --> |fetch access Token| param
  B --> |car state parked/charging/driving batt SOC| C[AWS IOT PubSub]
  D(EV Display Device) --> |MQTT| C


Choices and Technologies

Development Boards

During the proof of concept (POC), Arduino ESP32 boards were used for prototyping. The ESP32 is a great candidate for production-ready devices, offering:

  • Secure Over-The-Air (OTA) Updates: Encrypted firmware delivery with fail-safe mechanisms.
  • Robust Security Features: Flash encryption, secure boot, and hardware-based key storage ensure firmware and sensitive data protection.

Communication Protocol

The system employs MQTT as the message bus and Device Shadows for data exchange. This design provides:

  • Seamless Data Retrieval: Even if a device is offline when an update occurs, the shadow's reported state and desired state let the device resynchronize with the cloud as soon as it reconnects.

AWS IoT Certificate Generation

To set up secure communication, a local certificate authority (CA) was created and maintained using Terraform. While not the final implementation, this intermediate solution establishes secure communication as a foundation.

Key Points

  • Certificates are generated locally using Terraform, ensuring secure and automated deployment.
  • The process ensures compliance with AWS IoT requirements while offering flexibility for further improvements.

Terraform Code Overview

The Terraform script handles:

  1. CA Creation
    A local CA is defined with an RSA key and a validity period.

  2. Certificate Requests
    TLS certificate requests are generated for IoT devices.

  3. Device Certificates
    Locally signed certificates are issued for IoT devices.

  4. AWS IoT Integration
    Things, certificates, and policies are linked to each other to enable secure communication.

Here’s an excerpt of the Terraform code used for the setup:

# Private key of the local CA (RSA; the provider's default key size applies)
resource "tls_private_key" "ca" {
  algorithm = "RSA"
}

# Self-signed CA certificate, valid for 168 hours (7 days)
resource "tls_self_signed_cert" "ca" {
  private_key_pem = tls_private_key.ca.private_key_pem
  subject {
    common_name  = "evdisplay"
    organization = "evdisplay engineering"
  }
  validity_period_hours = 168
  allowed_uses = [
    "key_encipherment",
    "digital_signature",
    "server_auth",
    "cert_signing",
  ]
  is_ca_certificate = true
}

# Key for the verification certificate AWS IoT requires when registering a CA
resource "tls_private_key" "verification" {
  algorithm = "RSA"
}

# The CSR's common name must be the account's IoT registration code
resource "tls_cert_request" "verification" {
  private_key_pem = tls_private_key.verification.private_key_pem
  subject {
    common_name = data.aws_iot_registration_code.example.registration_code
  }
}

# Short-lived verification certificate signed by the local CA; it proves to AWS IoT
# that we control the CA being registered
resource "tls_locally_signed_cert" "verification" {
  cert_request_pem      = tls_cert_request.verification.cert_request_pem
  ca_private_key_pem    = tls_private_key.ca.private_key_pem
  ca_cert_pem           = tls_self_signed_cert.ca.cert_pem
  validity_period_hours = 12
  allowed_uses = [
    "key_encipherment",
    "digital_signature",
    "server_auth",
  ]
}

Challenges and Solutions

The AWS documentation is not explicit about combining all certificate artifacts for a working setup with self-generated certificates. To address this, significant time was spent:

  • Testing certificates with openssl.
  • Comparing results with those generated using the AWS Web GUI’s “Easy Button.”
  • Validating the setup with the Mosquitto MQTT broker and the openssl CLI.

Although it is not stated explicitly in the AWS documentation, nor in any of the guides, the key step is to concatenate the locally signed thing certificate and the local CA certificate and supply the result as the client certificate, while still using the AWS CA certificate as the CA-cert file:

# Output the combined (chained) thing certificate: thing cert first, local CA cert second
resource "local_file" "thing001-combined" {
  content  = "${tls_locally_signed_cert.thing001-cert.cert_pem}${tls_self_signed_cert.ca.cert_pem}"
  filename = "${path.module}/certs/thing-combined.crt"
}
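The openssl checks described above, as an added example that is not part of the original project's code: it rebuilds the same chain (local CA, CA-signed thing cert, combined file in the Terraform order) with the openssl CLI and verifies that the first certificate in the combined file chains to the local CA and to nothing else. It assumes openssl is installed; the names evdisplay and thing001 are constructed.

```shell
#!/bin/sh
# Added example (not from the original project): rebuild the Terraform chain with the
# openssl CLI and check the "combined" client cert the way the setup was validated.
# Assumes openssl is installed; the names (evdisplay, thing001) are constructed.
set -eu

# Create a self-signed local CA: $1=directory, $2=file base name, $3=subject.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 7 -keyout "$1/$2.key" \
    -out "$1/$2.crt" -subj "$3" >/dev/null 2>&1
}

# Issue a CA-signed thing certificate and write the combined file in the same
# order as the Terraform local_file resource: thing cert first, local CA second.
build_combined_cert() {
  dir="$1"
  make_ca "$dir" ca "/CN=evdisplay/O=evdisplay engineering"
  openssl req -newkey rsa:2048 -nodes -keyout "$dir/thing001.key" \
    -out "$dir/thing001.csr" -subj "/CN=thing001" >/dev/null 2>&1
  openssl x509 -req -in "$dir/thing001.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -out "$dir/thing001.crt" >/dev/null 2>&1
  cat "$dir/thing001.crt" "$dir/ca.crt" > "$dir/thing-combined.crt"
}

# Number of PEM certificates in a file; the combined file must hold exactly two.
cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# Subject of the first certificate in a file, i.e. the identity the broker sees.
leaf_subject() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# Verify the leaf in $1 against the trust anchor in $2. openssl reads only the
# first certificate of $1 as the leaf, which is why the thing cert must come
# first; the appended CA cert is what lets AWS IoT tie the device to the
# registered local CA.
verify_chain() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}
```

Run `build_combined_cert some-dir` and then `verify_chain some-dir/thing-combined.crt some-dir/ca.crt`; a non-zero exit means the chain would also be rejected by the broker.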

Key Capabilities and Achievements

| Capability | Description |
| --- | --- |
| Cloud Architecture | Designed a scalable system integrating multiple AWS services for IoT use. |
| Security Implementation | Built secure communication using locally generated certificates via Terraform. |
| ESP32 Integration | Utilized ESP32 boards for secure, production-ready prototypes with OTA updates. |
| Data Synchronization | Leveraged MQTT and Device Shadows for seamless device communication. |
| Problem-Solving | Addressed gaps in AWS documentation to enable self-generated certificate use. |

This project demonstrates expertise in IoT architecture, AWS services, and secure communication protocols, along with hands-on problem-solving and system design capabilities.