Lesson 

1  of  9
Monitoring overview

Monitoring is an important part of maintaining the reliability, availability, and performance of

the AWS IoT environment. By using auditing and monitoring mechanisms, you can continuously
collect and report activity from across your IoT environment. Data collected from each part of
your AWS IoT solution creates a real-time dashboard of environmental data, in addition to
notifications of failures, unexpected traffic spikes, or anomalous behaviors occurring on the
network. 

Before you begin monitoring AWS IoT, create a monitoring plan that includes answers to the
following questions:

Data and resources

 Which items do you need to monitor to answer your business questions?

 Which resources will you monitor?
 How often will you monitor these resources?

Tools and responsibilities

 Which monitoring tools will you use?

 Who will perform the monitoring tasks?
 Who should be notified when something goes wrong?

Best Practice auditing

 Which team will monitor for vulnerability disclosures and threat intelligence sources?
 Who will proactively assess the impact of potential security events?

Creating a baseline
To establish a baseline for normal AWS IoT performance in your environment, you must
measure performance at various times and under different load conditions. As you monitor AWS
IoT, it stores the historical monitoring data so that you can compare it with current performance
data. This helps to identify normal performance patterns and performance anomalies so that you
can devise methods to address future issues as they occur.

For example, if you're using Amazon EC2, you can monitor CPU utilization, disk I/O, and
network utilization for your instances. When performance falls outside your established baseline,
you might need to reconfigure or optimize the instance to reduce CPU utilization, improve disk
I/O, or reduce network traffic.
To establish an AWS IoT baseline you should, at a minimum, monitor the following metrics:
Message Broker Metrics Description
The number of publish requests successfully
processed by the message broker. The Protocol
PublishIn.Success
dimension contains the protocol used to send the
PUBLISH message.
The number of publish requests successfully made
by the message broker. The Protocol dimension
PublishOut.Success 
contains the protocol used to send the PUBLISH
message.
The number of ping messages received by the
message broker. The Protocol dimension contains
Ping.Success the protocol used to send the ping message.
The number of successful connections to the
Connect.Success message broker. The Protocol dimension contains
the protocol used to send the CONNECT message.
Device Shadow Metrics Description
The number of GetThingShadow requests processed
GetThingShadow.Accepted successfully. The Protocol dimension contains the
protocol used to make the request.
The number of UpdateThingShadow requests
UpdateThingShadow.Accepted processed successfully. The Protocol dimension
contains the protocol used to make the request.
The number of DeleteThingShadow requests
DeleteThingShadow.Accepted processed successfully. The Protocol dimension
contains the protocol used to make the request.
AWS IoT Metrics Description
RulesExecuted The number of AWS IoT rules executed.
Descriptions of metrics and dimensions for AWS IoT
For additional information on metrics for IoT, choose AWS IoT Metrics.
AWS IOT METRICS

https://docs.aws.amazon.com/iot/latest/developerguide/metrics_dimensions.html

AWS IoT monitoring tools

AWS provides tools that you can use to monitor your AWS IoT environment. You can configure
some of these tools to do the monitoring for you. Some of the tools require manual intervention.
Based on the AWS Well-Architected Framework, we recommend that you automate monitoring
tasks as much as possible using the AWS monitoring tools. 

Next, you will explore the AWS monitoring tools and how they help monitor your IoT
environment.
Lesson 2  of  9
Amazon Cloudwatch
The operational health of an IoT environment extends beyond the cloud applications and moves
outward to measure, monitor, troubleshoot, and remediate devices that are remotely deployed.
Some of these devices may be installed into locations that are difficult, if not impossible, to
troubleshoot locally. Using Amazon monitoring tools, such as Amazon CloudWatch and AWS
CloudTrail, you can inspect, analyze, and act on metrics sent from all of your remote devices. 
Amazon CloudWatch is used to monitor IoT metrics, collect logs, generate alerts, and trigger
responses.

What does it do?

Amazon CloudWatch monitors your AWS resources and the applications you run on AWS in real time.
You can use CloudWatch to collect and track metrics, which are variables you can measure for your
resources and applications.
What does it display ?

Once logging is enabled, the CloudWatch home page displays metrics about every AWS service
you use. 
You can additionally create custom dashboards to display metrics about your custom
applications, and display custom collections of metrics that you choose.

What are alarms?

You can create alarms that watch metrics and send notifications or automatically make changes
to the resources you are monitoring when a threshold is breached. 

For example, you can monitor the CPU usage and disk reads and writes of your Amazon EC2
instances and then use this data to determine whether you should launch additional instances to
handle increased load. You can also use this data to stop under utilized instances to save money.

Amazon CloudWatch terminology

Take a moment to read through the terminology used to configure and monitor services
and applications through CloudWatch. To explore a term's definition and purpose, select
the term . 

Namespace
–

A namespace is a container for CloudWatch metrics. Metrics in different namespaces are isolated
from each other, so that metrics from different applications are not mistakenly aggregated into
the same statistics.

There is no default namespace. You must specify a namespace for each data point you publish to
CloudWatch. You can specify a namespace name when you create a metric.

Metric
–

Metrics are the fundamental concept in CloudWatch. A metric represents a time-

ordered set of data points that are published to CloudWatch.

Think of a metric as a variable to monitor, and the data points as representing the values
of that variable over time. For example, the CPU usage of a particular EC2 instance is
one metric provided by Amazon EC2. The data points themselves can come from any
application or business activity from which you collect data.
Dimension
–

A dimension is a name value pair that is part of the identity of a metric. You can assign
up to 10 dimensions to a metric. 

Every metric has specific characteristics that describes it, and you can think of
dimensions as categories for those characteristics. Dimensions help you design a
structure for your statistics plan. Because dimensions are part of the unique identifier for
a metric, whenever you add a unique name/value pair to one of your metrics, you are
creating a new variation of that metric.
Statistics
–

Statistics are metric data aggregations over specified periods of time. CloudWatch
provides statistics based on the metric data points provided by your custom data or
provided by other AWS services to CloudWatch.
Access
–

You can access CloudWatch using any of the following methods:

 Amazon CloudWatch console
– https://console.aws.amazon.com/cloudwatch/
 AWS CLI –  AWS Command Line Interface User Guide
 CloudWatch API –  Amazon CloudWatch API Reference
 AWS SDKs - SDK 

Amazon CloudWatch and IoT

CloudWatch helps you monitor and maintain an IoT environment with any number of
devices. Flip the cards to learn how, and how often CloudWatch processes data.

How does CloudWatch process data?

CloudWatch collects and processes raw data from AWS IoT into readable,
near-real-time metrics. 

How long are the statistic recorded?

These statistics are recorded for a period of two weeks. This provides
historical information and gives a better perspective on how your web
application or service is performing.

How often is AWS IoT data sent?

AWS IoT Core sends metrics and dimensions to CloudWatch every minute. 
The metrics reported by AWS IoT provide information that you can analyze in different
ways, depending on your monitoring goals and objectives. 

Creating CloudWatch alarms to monitor AWS IoT Core

A CloudWatch  alarm watches one single metric over a set time period you specified. The
alarm then performs one or more actions based on the value of the metric relative to the
threshold over a number of time periods. The action is a notification sent to an Amazon
Simple Notification Service (Amazon SNS) topic or Auto Scaling policy. Alarms trigger
actions for sustained state changes only. 

CloudWatch alarms do not trigger actions simply because they are in a particular state;
the state must have changed and been maintained for a specified number of periods.
Data monitoring and collection
CloudWatch collects data as logs, metrics, and events and visualizes it using automated
dashboards so that you can get a unified view of your AWS resources. You can correlate
your metrics and logs to better understand the health and performance of your resources.
You can also create alarms based on metric value thresholds you specify, or that can
watch for anomalous metric behavior based on machine learning algorithms. 
You can use your metrics, logs, and traces to better understand how to improve
application performance and as a governance tool to monitor and audit activity in your
environment. AWS IoT uses AWS CloudTrail as an event tracking and monitoring tool.
Let's look at what CloudTrail is and how it helps us track our IoT environment.
Lesson 3  of  9
AWS CloudTrail

What is AWS CloudTrail

AWS CloudTrail is an AWS service that helps you enable governance, compliance, and
operational and risk auditing of your AWS account. Actions taken by a user, role, or an AWS
service are recorded as events in CloudTrail. Events include actions taken in the AWS
Management Console, AWS Command Line Interface (AWS CLI), and AWS SDKs and APIs.
CloudTrail is enabled in AWS IoT by default when you create the account.

To learn more about events, trails, and API logging in CloudTrail, select the appropriate items
below.
Events
–

When activity occurs in AWS IoT, it is recorded in CloudTrail as an event. You can easily view
recent events in the CloudTrail console by going to Event history. For an ongoing record of
activity and events in your AWS account, you can create a "trail" and watch it over a period of
time.
Trails
–

A trail is an ongoing record of events in your AWS acoucnt, including all events for AWS IoT
Core. Trails are something you configure. If you don't configure a trail, you can still view the
most recent events in the CloudTrail console in Event history. Using the information collected by
CloudTrail, you can determine the request that was made to AWS IoT, the IP address from
which the request was made, who made the request, when it was made, and other details. 
API calls
–

CloudTrail captures all API calls for AWS IoT as events, including calls from the AWS IoT
console and from code calls to the AWS IoT APIs.

Can CloudTrail log IoT control plane and data plane events?
Control Plane Logging:
Yes. CloudTrail can log your AWS IoT control plane actions. 

For example, calls to the CreateThing, ListThings, and ListTopicRules sections generate entries
in the CloudTrail log files so that you can review and monitor them.
Data Plane logging

No. CloudTrail does not log AWS IoT data plane actions (device-side). 

For monitoring data plane usage, you will need to use Amazon CloudWatch.

Information in logs entry

Every event or log entry contains information about who generated the request. The identity
information helps you determine: 
 Whether the request was made with root or IAM user credentials.
 Whether the request was made with temporary security credentials for a role or federated
user.
 Whether the request was made by another AWS service.

AWS IoT Events

AWS IoT Events enables you to monitor your equipment or device fleets for failures or
changes in operation, and to trigger actions when such events occur. AWS IoT Events
continuously watches IoT sensor data from devices, processes, applications, and other
AWS services to identify significant events so that you can take action.

You can use AWS IoT Events to build complex event-monitoring applications in the
AWS Cloud that you can access through the AWS IoT Events console or APIs.

AWS IoT Events is integrated with AWS CloudTrail. CloudTrail captures all API calls
for AWS IoT Events as events, including calls from the AWS IoT Events console and
from code calls to the AWS IoT Events APIs.
If you create a trail, you can enable continuous delivery of CloudTrail events to an
Amazon S3 bucket, including events for AWS IoT Events. If you don't configure a trail,
you can still view the most recent events in the CloudTrail console in Event history.
Using the information collected by CloudTrail, you can determine the request that was
made to AWS IoT Events, the IP address from which the request was made, who made
the request, when it was made, and additional details.

AWS IoT Events

Easily detect and respond to events from IoT sensors and applications

AWS IoT Events is a fully managed service that makes it easy to detect and respond to events from
IoT sensors and applications. Events are patterns of data identifying more complicated
circumstances than expected, such as changes in equipment when a belt is stuck or motion
detectors using movement signals to activate lights and security cameras. Before IoT Events, you
had to build costly, custom applications to collect data, apply decision logic to detect an event, and
then trigger another application to react to the event. Using IoT Events, it’s simple to detect events
across thousands of IoT sensors sending different telemetry data, such as temperature from a
freezer, humidity from respiratory equipment, and belt speed on a motor. You simply select the
relevant data sources to ingest, define the logic for each event using simple ‘if-then-else’ statements,
and select the alert or custom action to trigger when an event occurs. IoT Events continuously
monitors data from multiple IoT sensors and applications, and it integrates with other services, such
as AWS IoT Core and AWS IoT Analytics, to enable early detection and unique insights into events.
IoT Events automatically triggers alerts and actions in response to events based on the logic you
define to resolve issues quickly, reduce maintenance costs, and increase operational efficiency.

Benefits

Easily ingest operations data

With AWS IoT Events, you can easily evaluate multiple sources of telemetry data to detect the state
of processes, equipment, or products quickly and schedule maintenance and send alarms or alerts
to support teams and trigger actions, such as shutting down malfunctioning equipment before more
damage is done. For example, you could use IoT Events to quickly build a food spoilage notification
system that notifies technicians before spoilage occurs if a freezer is malfunctioning. Faster
identification of events can prevent food spoilage and waste, saving thousands of dollars in potential
lost revenue.

Trigger a range of actions

In IoT Events, you can combine multiple sources of telemetry data like belt speed, motor voltage,
amperage, and noise levels, then define conditional logic to apply to that data, to gain full insight into
your equipment and processes. This visibility helps you better understand events, such as when a
motor might be stuck. You can also select a pre-built action to trigger, such as sending a message to
the motor to shut down, before putting equipment at greater risk.
Easily build rules

You can write event logic, using simple ‘if-then-else’ statements, to identity critical events using
sensor attributes, such as temperature and pressure. These attributes can trigger automatic alerts
and pre-defined responses from IoT Events. For example, you can specify events related to a
welding robot, such as an arm becoming misaligned. When IoT Events detects the incident, it
automatically issues an alert and triggers the appropriate response.
How it works

Use cases

Manufacturing

Manufacturers manage multiple pieces of equipment with many independent sensors. The number
and scale of sensors can make it challenging to detect critical operational events, such as when
equipment variability reduces output quality. IoT Events makes it easy and cost effective to detect
events system-wide by monitoring telemetry data such as belt speed, motor voltage, amperage, and
noise levels. You can apply conditional logic to understand when a motor might be stuck or a device
is approaching failure and trigger responses to optimize efficiency and improve production quality.

Oil and gas

IoT Events can help identify issues within oil well equipment. By setting up an event detector in IoT
Events, you are able to understand the state of your equipment. Add incoming telemetry data and
conditional logic to make the right decision at the right time. The event detection service combines
telemetry sources, such as pressure, level, and temperature sensors, to gain full insight into
equipment and quickly identify issues, such as fuel leaks, which can lead to costly shutdowns. IoT
Events evaluates this incoming telemetry data, recognizes patterns, and takes pre-defined actions
when it detects events, before loss or failure occurs.

Commercial and consumer products

Commercial and consumer producers build products that are purchased and used by millions of
customers. Producers are now able to identity events across devices, quickly address issues, and
earn customer trust, while gaining greater insight on future design needs. With IoT Events, you can
define an event detector for each model of your device, add incoming telemetry data and conditional
logic to define and detect events, and define the responses to those events. Any time a new unit
comes online, IoT Events launches a new instance of the event detector for that device. IoT Events
continues to detect events across the millions of customers using that device model and responds
quickly.
Lesson 4  of  9
Manual monitoring tools

Manual Monitoring Tools

Another important part of monitoring AWS IoT involves manually monitoring those
items that the CloudWatch alarms don't cover. AWS IoT, CloudWatch, and other AWS
service console dashboards provide an at-a-glance view of the state of your AWS
environment. We recommend that you also check the log files on AWS IoT.

AWS IoT dashboard shows:

–

 CA certificates
 Certificates
 Policies
 Rules
 Things

CloudWatch homepage shows:

–

 Current alarms and status

 Graphs of alarms and resources
 Service health status

Use CloudWatch to do the following:

–

 Create customized dashboards to monitor the services you care about.

 Graph metric data to troubleshoot issues and discover trends.
 Search and browse all your AWS resource metrics.
 Create and edit alarms to be notified of problems.
Lesson 5  of  9
Device Defender

AWS IoT Device Defender is a security service that enables you to audit the configuration of
your devices, monitor connected devices to detect abnormal behavior, and mitigate security
risks. You can enforce consistent security policies across your AWS IoT device fleet and
respond quickly when devices are compromised. 

What will AWS IoT Device Defender do for you?

 Audits device fleets
 Detects abnormal device behavior
 Alerts you to security issues
 Helps investigate and mitigate security issues

AWS IoT Device Defender also lets you continuously monitor security metrics from
devices and AWS IoT Core for deviations from what you have defined as appropriate
behavior for each device. If something doesn’t look right, AWS IoT Device Defender
sends an alert so that you can take action to remediate the issue. For example, traffic
spikes in outbound traffic might indicate that a device is participating in a distributed
denial of service (DDoS) attack. 

Audit

An AWS IoT Device Defender audit looks at account device related settings and policies to

ensure that security measures are in place. You can enable standard audit checks to help detect
any deviations from security best practices or access policies; for example, multiple devices

using the same identity, or overly permissive policies that allow one device to read and update

data for many other devices. You can run audits, on-demand audits, or schedule them to be run

daily, weekly, or monthly. 

AWS IoT Device Defender audits your device-related resources (such as X.509 certificates, IoT
policies, and client IDs) against AWS IoT security best practices (for example, the principle of
least privilege or unique identity per device). AWS IoT Device Defender reports configurations
that are out of compliance with security best practices, such as multiple devices using the same
identity, or overly permissive policies that can allow one device to read and update data for many
other devices.

Detect
AWS IoT Device Defender Detect enables you to identify unusual behavior that might
indicate a compromised device by monitoring the behavior of your devices. Using a
combination of cloud-side metrics and device-side metrics, you can detect changes in
connection patterns, traffic patterns, and unauthorized or unrecognized endpoints.

AWS IoT Device Defender Detect can detect security issues frequently found in connected
devices, such as:

 Traffic from a device to a known malicious IP address or to an unauthorized

endpoint that indicates a potential malicious command and control channel.
  Anomalous traffic, such as a spike in outbound traffic, that indicates a device
is participating in a DDoS (Distributed denial of service) breach.
 Devices with remote management interfaces and ports that are remotely
accessible.
 A spike in the rate of messages sent to your account. (for example, from a
rogue device that can result in excessive per-message charges).

You create security profiles, which contain definitions of expected device behaviors, and
assign them to a group of devices or to all the devices in your fleet. AWS IoT Device
Defender Detect uses these security profiles to detect anomalies and send alerts through
Amazon CloudWatch metrics and Amazon Simple Notification Service (Amazon SNS)
notifications. 

Integration with AWS IoT Greengrass and Amazon FreeRTOS

AWS IoT Greengrass and Amazon FreeRTOS integrate with AWS IoT Device Defender to
provide security metrics from the devices for evaluation. Take a moment to read through the tabs
and review the purpose of these services and how they integrate with IoT security best practices.

AWS IOT Green Grass

AWS IoT Greengrass seamlessly extends AWS to edge devices so that they can act locally on
the data they generate. Using AWS IoT Greengrass, you can build IoT solutions that connect
different types of devices with the cloud and each other.

AWS IoT Greengrass implements several security features, including X.509 certificates, between
the AWS IoT Greengrass core and connecting devices, IAM policies and roles to securely allow
AWS IoT Greengrass applications to communicate to cloud applications, and AWS IoT
Greengrass subscriptions, which are used to determine how and if data can be routed between
downstream end devices, and AWS IoT Greengrass core. 

Devices running AWS IoT Greengrass core act as a hub that can communicate with other
devices that are running Amazon FreeRTOS or have the AWS IoT Device SDK installed.

For more information on AWS IoT Greengrass, see the AWS IoT Greengrass Primer course.
Amazon freeROTS

Amazon FreeRTOS is an open source operating system for micro-controllers with software
libraries that make it easy to securely connect your small, low-power devices to AWS cloud
services like AWS IoT Core or to more powerful edge devices running AWS IoT Greengrass. 

Amazon FreeRTOS comes with libraries to help secure device data and connections, including
support for data encryption and key management, Transport Layer Security (TLS v1.2), and code
signing features to ensure your device code is not compromised during deployment and OTA
updates.        

For more information on FreeRTOS, see the FreeRTOS  course.

Device Defender and CloudWatch

Device Defender can send alerts and share metrics with the CloudWatch Metrics and
CloudWatch Logs generated by AWS IoT Core. These service level logs provide important
insight into activity pertaining to updates to a device’s dynamic attributes like its shadow,
successful processing by the AWS IoT rules engine, and overall AWS IoT Core protocol usage.

If you determine that you need to take an action based on an alert, you can use AWS IoT Device
Management to take mitigating actions such as pushing security fixes. 
Lesson  6  of  9

Demo

Introduction
In this quick demonstration, you will see IoT sensor data as it appears in both Amazon
CloudWatch and AWS CloudTrail.

Summary
In this quick demonstration, you were introduced to CloudWatch and CloudTrail and saw how
IoT sensor data as it appeared in both monitoring resources.
Lesson 7  of  9
Best practices
 1
Deploy auditing and monitoring mechanisms to continuously collect and report activity metrics
and logs from across your IoT environment.
 2
Automate monitoring and updating whenever possible.
 3
Monitor vulnerability disclosure and threat intelligence sources and proactively assess the impact
of potential security events.
 4
Proactively assess the impact of potential security events.

IoT security golden rules

For more information about the IoT security golden rules, choose IoT Security Rules.
IOT SECURITY RULES
Lesson 8 of 9
Knowledge check
Answer the following questions to assess what you've learned.
START QUIZ