IoT Core: connection doesn't automatically close after the Certificate used to open it is disabled


Hello,

I implemented functionality in a web app that allows 'blocking' a device (thing). Basically it takes all the certificates attached to the thing (for now, and probably permanently, only one) and disables them programmatically (changing their status to INACTIVE) using the JavaScript SDK "@aws-sdk/client-iot".

If I disable the certificate and the device tries to establish a new connection, this fails as expected since the certificate is disabled. Now, if the connection was open before disabling the certificate, after I disable the certificate it is still able to receive messages from topics it subscribed to. I would expect the connection to be automatically closed by the SDK once I disable the certificate from my web app. Also, I think I read about this being the behavior somewhere, but can't seem to find the documentation.

In case this is not implemented in the SDK, how would I go about disconnecting a previously connected device once I disable its certificate? I'm wondering if I could make it subscribe to a topic like '/disconnect' and publish to that from my web app, but my first thought would be that this is something the SDK should handle.

Appreciate any help, since I haven't been able to find anything online regarding this!

1 Answer

Hi Nicolas,

The IoT Device SDK does not get any information about administrative tasks, for example disabling a device certificate, so it cannot disconnect the device.

To disconnect your device you can attach an IoT policy which denies connecting to AWS IoT Core. Policy documents are cached, so it can take some minutes for the new policy to become effective.

If you need to immediately disconnect your device, you can attach a restrictive policy first and then open another connection using the same client ID as your device. AWS IoT Core will then disconnect your device. If it tries to reconnect, the new policy which denies a connection will become effective.

Cheers,
Philipp

AWS EXPERT, answered a year ago
  • Nicholas, you can use the AWS IoT Device SDK to make that connection (from your application) with the same client ID as the device you're forcing to disconnect: https://github.com/aws/aws-iot-device-sdk-js-v2

  • Hi Philipp and Greg!

    I will try attaching the restrictive policy and see how long it takes for the device to get disconnected. This functionality would be used for when a device is spamming messages, for example due to some malfunction. Then we would go to the web app and block the connection for the device (preferably immediately).

    Given that my preference is to disconnect it as soon as possible after I block it, and your suggestion about connecting with the same client ID, I have this question:

    My Web App isn't a device, it performs operations using the following Javascript SDKs:

    • @aws-sdk/client-iot: For administrative tasks regarding AWS IoT Core, like creating things, disabling/enabling certificates, deleting things
    • @aws-sdk/client-iot-data-plane: Currently for sending commands to a predefined topic client devices are subscribed to

    What you suggest, if I understand correctly, would make my web app a device, right? I would need to have certificates and keys to enable it to connect to the broker, and then in that connection use the ID of the device I'm trying to block as the clientId? This would allow the web app to connect, thus disconnecting the device I'm trying to block? Then I would need to immediately disconnect the web app, since the only purpose of its connection is to disconnect my target device? It feels kind of weird, doesn't it? Plus it introduces the concept of the web app as a device client, which it is not.

    Hope to hear back from you!
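The block sequence Philipp describes (attach a deny policy, deactivate the certificate, then take over the device's client ID so the broker drops the live session), written out as an added example. This is editor-supplied code, not code from the thread or from AWS. The thing name "sensor-42", the certificate ARN, the policy name "deny-iot-connect" and the `api`/`broker` wrappers are constructed for the example; the real `@aws-sdk/client-iot` wiring is shown in a comment but not executed, and `FakeBroker` only models the one rule the answer relies on (a second connection with the same client ID replaces the first). The deny policy is created once and attached to each blocked certificate; an explicit Deny on iot:Connect overrides the Allow in the device's normal policy, and because the thread notes that policy changes are cached for some minutes, the INACTIVE certificate status is what refuses reconnects in the meantime.

```javascript
'use strict';

// Control-plane half: what the web app does with @aws-sdk/client-iot.
// Real wiring (not executed here; the example below runs against fakes):
//   const { IoTClient, ListThingPrincipalsCommand, AttachPolicyCommand,
//           UpdateCertificateCommand } = require('@aws-sdk/client-iot');
//   const iot = new IoTClient({ region: 'eu-west-1' });
//   const api = {
//     listThingPrincipals: (thingName) => iot.send(new ListThingPrincipalsCommand({ thingName })),
//     attachPolicy: (policyName, target) => iot.send(new AttachPolicyCommand({ policyName, target })),
//     updateCertificate: (certificateId, newStatus) =>
//       iot.send(new UpdateCertificateCommand({ certificateId, newStatus })),
//   };

// Policy document to create once (CreatePolicy) and attach to the certificate
// of every blocked device. An explicit Deny on iot:Connect overrides any Allow,
// and the policy only affects the principals it is attached to.
const DENY_CONNECT_POLICY_NAME = 'deny-iot-connect'; // hypothetical name
function denyConnectPolicyDocument() {
  return {
    Version: '2012-10-17',
    Statement: [{ Effect: 'Deny', Action: 'iot:Connect', Resource: '*' }],
  };
}

// ListThingPrincipals returns ARNs like arn:aws:iot:<region>:<account>:cert/<id>;
// UpdateCertificate wants the bare <id>.
function certificateIdFromArn(arn) {
  const m = /:cert\/([0-9a-fA-F]+)$/.exec(arn);
  if (!m) throw new Error(`not a certificate ARN: ${arn}`);
  return m[1];
}

// The sequence from the answer: deny first, deactivate, then take over the
// client ID so the broker drops the device's live session. `broker.connect`
// stands for an MQTT connect (e.g. aws-iot-device-sdk-js-v2) whose own policy
// must allow iot:Connect on arn:aws:iot:<region>:<account>:client/<clientId>.
async function blockDevice({ api, broker, thingName, clientId }) {
  const { principals = [] } = await api.listThingPrincipals(thingName);
  const certArns = principals.filter((arn) => arn.includes(':cert/'));
  for (const arn of certArns) {
    await api.attachPolicy(DENY_CONNECT_POLICY_NAME, arn);
    await api.updateCertificate(certificateIdFromArn(arn), 'INACTIVE');
  }
  const takeover = await broker.connect(clientId);
  await takeover.disconnect(); // the takeover exists only to evict the device
  return { blockedCertificates: certArns.map(certificateIdFromArn) };
}

// ---- Offline stand-ins so the sequence can be run and checked here ----

// Models the one broker rule the answer relies on: a connection with an
// already-connected client ID replaces the existing session.
class FakeBroker {
  constructor() { this.sessions = new Map(); this.kicked = []; }
  async connect(clientId) {
    const old = this.sessions.get(clientId);
    if (old) { old.connected = false; this.kicked.push(clientId); }
    const session = { clientId, connected: true };
    session.disconnect = async () => { session.connected = false; this.sessions.delete(clientId); };
    this.sessions.set(clientId, session);
    return session;
  }
}

// Records control-plane calls instead of sending them to AWS.
function fakeControlPlane(certificateArn) {
  const calls = [];
  return {
    calls,
    async listThingPrincipals(thingName) {
      calls.push(['ListThingPrincipals', thingName]);
      return { principals: [certificateArn] };
    },
    async attachPolicy(policyName, target) { calls.push(['AttachPolicy', policyName, target]); return {}; },
    async updateCertificate(certificateId, newStatus) {
      calls.push(['UpdateCertificate', certificateId, newStatus]);
      return {};
    },
  };
}

// Constructed scenario: device "sensor-42" is connected, then gets blocked.
async function runScenario() {
  const certArn = 'arn:aws:iot:eu-west-1:123456789012:cert/abc123def456'; // constructed
  const broker = new FakeBroker();
  const device = await broker.connect('sensor-42');
  const api = fakeControlPlane(certArn);
  const result = await blockDevice({ api, broker, thingName: 'sensor-42', clientId: 'sensor-42' });
  return { deviceConnected: device.connected, kicked: broker.kicked, calls: api.calls, ...result };
}

if (typeof require !== 'undefined' && require.main === module) {
  runScenario().then((r) => console.log(JSON.stringify(r, null, 2)));
}
```

The takeover connection does not turn the web app into a device in the certificate sense: AWS IoT Core also accepts MQTT over WebSockets authenticated with SigV4 IAM credentials, so a backend can make this one-off connection with its own IAM identity, as long as that identity's policy allows iot:Connect on the blocked device's client ARN.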
