Basics of Design CC Blog Research & Design Hub

Build IoT Secure Apps with AWS Services

AWS IoT EduKit Overview

AWS IoT EduKit helps students and experienced professionals to build IoT applications by simplifying hardware selection and supporting a wide range of software frameworks.

  • What is the AWS IoT EduKit learning program?

  • How does the cloud connect to Blinky?

  • How does the AWS IoT Core platform exchange?

  • How does the “Core2” device work?

  • How does the Smart-Thermostat work?

  • Core2 ESP32 IoT Development Kit

  • Microchip ATECC608B

  • Trust&GO

  • InvenSense MPU6886 6-axis IMU

  • SPM1423 digital microphone

  • Programmable SK6812 RGB LED

  • 500mAh lithium-ion batterySilicon

  • CP2104 USB-to-UART bridge chip

When thinking about developing Internet of Things (IoT) applications, security is the main concern—especially for systems that will be used for commercial, industrial, medical, and other safety-critical applications. Another important aspect to consider is the simplification of the embedded firmware development process and integration with cloud services. Streamlining the process of writing, compiling, and testing embedded firmware can help developers focus mainly on creating solutions. It is also of great importance to facilitate large-scale deployments because some IoT solutions require the use of a large number of nodes. To address some of these concerns, Amazon Web Services (AWS) has created the AWS IoT EduKit learning program, as an easy and cost-effective way to learn how to build secure IoT applications using AWS services.

The AWS IoT EduKit learning program proposes the use of a reference hardware kit that comes packed with many onboard features at a reasonable cost. It includes a range of software frameworks, libraries, and sample code in the form of learning tutorials. The reference hardware is the Core2 ESP32 IoT Development Kit, developed and manufactured by M5Stack and adopted by AWS for this program.

In this article, I present an overview of AWS IoT EduKit’s first three introductory tutorials, outlining its proposed workflow and discussing the reference hardware specifications, build tools, libraries, and cloud services. Most of the information presented here is a distillation of the material already published on AWS IoT EduKit’s website. I don’t go into specific details of hands-on procedures as shown in the learning materials. This article aims to give you a general understanding of the proposed workflow, hardware and software, tools, and services presented, so you can see if it would be something you want to try.


Figure 1 shows M5Stack’s Core2 ESP32 IoT Development Kit for AWS IoT EduKit (from now on, “Core2 device” for short). It is based on the Espressif Systems ESP32-D0WDQ6-V3 microcontroller, featuring dual Xtensa 32-bit LX6 cores that run at 240MHz. It also includes 2.4GHz Wi-Fi, Bluetooth v4.2 BR/EDR, and BLE support.

Figure 1
M5Stack’s Core2 ESP32 IoT Development Kit

The Core2 device comes with onboard 8MB PSRAM and 16MB flash. It is equipped with a 2.0” capacitive touch screen and a built-in vibration motor for feedback alerts. It also has a real-time clock (RTC) module and an X-Powers Limited AXP192 power management chip that adds monitoring and power control capabilities. The Core2 also comes equipped with a Microchip ATECC608B Trust&GO pre-provisioned secure element integrated circuit, which streamlines the process of enabling network authentication [1].

The included TF card reader supports microSD cards up to 16GB. An onboard speaker connected to an I2S digital audio interface power amplifier chip provides audio output. It also has physical power and reset buttons along with three programmable touch buttons on the front of the screen. The Core2 device also has an InvenSense MPU6886 six-axis inertial measurement unit (IMU) with included temperature sensor, a Knowles Acoustics SPM1423 digital microphone, 10 programmable SK6812 RGB LEDs for creating animated light effects, a 500mAh lithium-ion battery and a Silicon Labs CP2104 USB-to-UART bridge chip for USB-device connections.

It is also Alexa capable, and besides its multiple onboard peripherals, there are several separately available expansion modules for additional connectivity—including LoRaWAN, NB-IoT, LTE, and other modules for sensors and actuators. For development, it supports FreeRTOS, Arduino, and MicroPython application frameworks.


On the AWS IoT EduKit workshop webpage, there are tutorials and examples available to get you easily started. The material is divided into five parts in order of complexity: 1) Getting Started, 2) Cloud Connected Blinky, 3) Smart Thermostat, 4) Smart Spaces, and 5) Intro to Alexa for IoT [2]. In this article I will loosely cover the first three tutorials and examples, mostly to give a general overview of them, so you can have a fair understanding of the workflow. Then, you can decide if this is something you would like to try hands-on.

The AWS IoT Core platform uses the Message Queueing Telemetry Transport (MQTT) protocol to exchange data between devices and the cloud. MQTT is used today in a wide variety of applications, ranging from automotive, manufacturing, and telecommunications to oil and gas. It works well for interconnecting remote devices with small code footprints (such as microcontrollers) and low network bandwidth. MQTT is designed around the publish/subscribe messaging model, where message types are defined as “topics” to which some devices can publish to send data, and others subscribe to receive data. Messages exchanged between publishers and subscribers can be text, numbers, binary data, JSON strings, and so on. JSON data-interchange format is recommended in the AWS IoT EduKit learning tutorials for interacting with AWS IoT Core services. If you are new to MQTT, check Circuit Cellar’s Article Materials & Resources webpage for a suggested introductory tutorial on the subject.

AWS IoT EduKit’s “Getting Started” tutorial guides you through setting the development environment and running an example that uses the “Espressif RainMaker” platform. This platform is powered by AWS and provides a quick demonstration of a smart-home application without the need of an AWS account. There are instructions to set up the development environment for Linux, macOS, and Windows operating systems. I followed the procedure on a Windows 10 machine, but the steps for the other operating systems are similar. It is explained in detail on the AWS IoT EduKit website. Here’s a summary of it:

On Windows, it is advised to first install “Git for Windows” to be able to clone the workshop’s GitHub repository.
You must also install the Silicon Labs CP210x USB to the UART bridge chip driver unless you have it installed already.
Visual Studio Code (VS Code) is the recommended integrated development environment (IDE) to view, edit, compile code, and flash the hardware device. So, you need to have this installed as well.
Install PlatformIO, a Visual Studio Code extension that provides a professional environment for developing embedded software.
Install PlatformIO, a Visual Studio Code extension that provides a professional environment for developing embedded software.
Clone the workshop’s GitHub code repository, which contains all projects and files for the AWS IoT EduKit tutorials. This is done from the PlatformIO interface.
Download and install the “ESP RainMaker” phone app, which provides Wi-Fi network configuration, user creation, user-device association, and device control. It is available for iOS and Android phones, and it is only required for the first tutorial.
Connect the Core2 device to the PC via USB, and identify the device communication port. In Windows, it will be listed by the Device Manager as a “COMx’ port, where “x” is a number that varies from one computer to another.

Open the “Getting Started” project from the PlatformIO menu, build and upload the RainMaker Agent firmware to the Core2 device. The code is compiled by the GCC compiler to produce ELF and binary files that are then uploaded to the device’s onboard flash. After uploading the firmware, run the “target monitor” command on the PlatformIO’s command-line interface (CLI). A QR code will be printed to the CLI, open the RainMaker mobile app, and scan the code. After connecting via Wi-Fi successfully, the device will authenticate itself and the mobile device will show on the screen a few virtual devices that can be monitored and controlled. Figure 2 shows the RainMaker mobile app graphical user interface (GUI), and Figure 3 Shows the Core2 device displaying the virtual devices.

Figure 2 RainMaker mobile app connected to the Core2 device
Figure 2
RainMaker mobile app connected to the Core2 device
Figure 3 Core2 device showing the virtual devices
Figure 3
Core2 device showing the virtual devices

The “Getting Started” example helps you get the toolchain installed and running, and gives you a first glance at how the Core2 device works. It also helps explain the workflow for building, flashing the firmware to the device, and monitoring its output on the CLI terminal. But it doesn’t really show anything about how the integration with AWS IoT Core services works.

The “Cloud Connected Blinky” tutorial walks you through a highly interesting development example that shows how to interface the Core2 device to the AWS IoT Core platform cloud, to send and receive MQTT messages. So, for this second example, apart from having the M5Stack Core2 ESP32 IoT Development Kit and the development environment already set up (which is done with the previous “Getting Started” example), you must have an AWS account—preferably not running production workloads, for security reasons. The next steps outline the procedure to run this example. Remember that this is just a fast and general outline; you can access detailed instructions at the AWS IoT EduKit website [2].

Open VS Code, and then open the PlatformIO CLI. Download and install the AWS Command Line Interface (CLI) tool, that lets you manage and control AWS services from your PC’s command line.

Retrieve your AWS Identity and Access Management (IAM) user access credentials. IAM is a web service that lets you securely control access to AWS resources. For this, and for the following examples, it is recommended to create an “administrative user” instead of using your Amazon root user. How to do this is explained in detail on the AWS IoT EduKit website.

Configure the AWS CLI from PlatformIO’s CLI, and set up the following parameters: AWS Access Key ID; AWS Secret Access Key (these two are from your IAM user access credentials); default region name; default output format (see Figure 4).

Figure 4 AWS CLI parameter configuration
Figure 4
AWS CLI parameter configuration

Open the “Blinky Hello World” project. From PlatformIO’s menu in VS Code, navigate to the “Core2-for-AWS-IoT-EduKit/Blinky-Hello-World” folder in the cloned GitHub repo, and open the project. Retrieve the Device Certificate and register your AWS IoT device. To be able to connect to AWS IoT Core using secure TLS connections over MQTT, a “thing” must be registered first, attaching to it a device certificate (public key) with its security policy. This is to prevent unauthorized devices and operations within your AWS account. The Core2 device’s secure element helps automatically perform the registration process without exposing private keys. The “Blinky Hello World” project includes an automation script that retrieves the pre-provisioned device certificate from the Core2 device’s secure element. It then places the device certificate and additional device metadata into a manifest file and signs it with an X.509 certificate generated locally and used to authenticate client and device connections to AWS IoT Core. The script uses the “Microchip TrustPlatform” tools to read the manifest file and does a security verification of the contents by checking the signature using the X.509 certificate [3]. (Microchip is the secure element chip manufacturer.) Then, it performs a just-in-time registration of the “Microchip Certificate Authority,” registers the device to AWS IoT Core with the device certificate, attaches a security policy to it, and adds the AWS IoT MQTT broker endpoint address to the device firmware configuration [4].

Configure the Core2 firmware for Wi-Fi connection, using “Kconfig” (the same configuration system used by the Linux kernel). In the Kconfig menu, you must set your Wi-Fi SSID and password, so the Core2 device can connect to the Internet via Wi-Fi. Note that the ESP32-D0WD microcontroller on the Core2 device only supports 2.4GHz networks.

Build, upload, and monitor the “Blinky Hello World” firmware from PlatformIO’s CLI.

Subscribe to the Core2 device from the AWS IoT MQTT client. The MQTT Test client window on the AWS IoT Core console allows you to subscribe to topics published by the Core2 device. As shown in Figure 5, in the “Subscribe to a topic” tab, under “Topic Filter,” enter the wild card “#” to subscribe to all MQTT topics. Topics published by the device begin with the <<CLIENT_ID>>/ prefix, where CLIENT_ID is the Core2 device’s serial number (see the number hidden in Figure 5). This prefix helps to further filter topics published by specific devices, so subscribers can subscribe to topics from those specific ones. In the lower section below the “Message” warning in Figure 5, you can see the “Hello from AWS IoT EduKit” message received from the Core2 device.

Blinking the LED. As shown in Figure 6, in the “Publish to a topic” tab, under “Topic name” write <<CLIENT_ID>>/blink, along with the shown JSON string under “Message payload. ”Press the “Publish” button, and the sidebar LEDs in the Core2 device will start to blink. Publish the same message again, and the blinking will stop. Figure 7 shows the Core2 running this example.

Figure 5 Subscribing to topics on the AWS IoT console
Figure 5
Subscribing to topics on the AWS IoT console
Figure 6 Publishing to a topic on the AWS IoT console
Figure 6
Publishing to a topic on the AWS IoT console
Figure 7 Core2 device running the “Blinky Hello World” example
Figure 7
Core2 device running the “Blinky Hello World” example

The “AWS IoT Device SDK for Embedded C” libraries are used to write the firmware for these examples. It allows embedded applications to securely connect to the AWS IoT platform via authenticated TLS connections. It also simplifies access to the AWS IoT MQTT broker for message publishing and subscribing [5]. It was specifically designed with resource-constrained devices in mind—typically, microcontrollers running a real-time operating system (RTOS), such as the FreeRTOS used in the AWS IoT EduKit examples. It is worth noting that SDK versions greater than or equal to v2.2.0 collect usage metrics, but can be disabled by modifying a flag in the application’s ‘aws_iot_config.h’ file. The SDK makes it particularly easy to work with the included secure element in the Core2 device for easy security authentication.

SDK files are located in the “Core2-for-AWS-IoT-EduKit/Blink-Hello-World/components/esp-aws-iot/” folder. Board Support Package files for the Core2 device are located in the “Core2-for-AWS-IoT-EduKit/Blink-Hello-World/components/core2foraws/” folder. They contain drivers for controlling the screen, power management chip, secure element, speaker, microphone, six-axis inertial measurement unit (IMU), touch driver, LED bar, and others. The “Light and Versatile Graphics Library” (LVGL) is used for displaying graphics. All available application programming interfaces (APIs) are documented in the Core2 for AWS IoT EduKit API reference web page.


The next example in the AWS IoT EduKit learning program is “Smart Thermostat.” It showcases additional AWS IoT Core platform features, such as: “device shadows,” the “AWS IoT Core rules engine,” and “IoT Events” for running serverless applications. Let’s get into this example now to explain the features that provide needed functionality for more sophisticated applications.

As the “Smart Thermostat” name implies, in this example the Core2 device is used as an HVAC controller or thermostat for a fictional HVAC system. The system’s main goal is to control the ambient temperature for maximum comfort for the occupants and energy efficiency. The Core2 device uses the onboard microphone to detect when the room is occupied by capturing ambient noise level, and its temperature sensor for capturing ambient temperature. Sensor values are then published to the AWS IoT platform via MQTT. When the room temperature is within bounds, the system sends a command to the Core2 device to put it in standby mode. When the room temperature is outside bounds, the system sends a command to the Core2 device to start heating or cooling the room until the temperature is within desired bounds again. Figure 8 shows the system’s end-to-end workflow.

Figure 8 “Smart Thermostat” end-to-end workflow
Figure 8
“Smart Thermostat” end-to-end workflow

This project is located in the “Core2-for-AWS-IoT-EduKit/Smart-Thermostat” folder. After opening it via the PlatformIO menu in VS Code, the ‘sdkconfig’ file from the previous “Blinky Hello World” example can be copied to the project’s root folder, to avoid setting the Wi-Fi credentials and AWS endpoint again. Otherwise, they can be set by running Kconfig, as in the previous example. Once it is all set, compile the firmware, upload it to the Core2 device, and monitor its output in the CLI terminal. The procedure is very much the same as in the previous example.

A notable difference in this example is that it uses an AWS IoT Core feature called “device shadows.” The name sounds mysterious, but a device shadow is just a JSON document that the AWS IoT Core platform stores in the cloud. It contains the current state information of a real device. The document is published on a special MQTT topic and contains “key:value” pairs that store the latest state of the real device being shadowed, so other systems can access it to obtain real-time updates of its status. These other systems can also push other key:value pairs to the device shadow—for instance, commands to be executed by the Core2 device. The AWS IoT Core platform will keep the Core2 device automatically in sync with its device shadow. The Core2 device’s aggregate state JSON document content looks like this:

{“state”: {
 “reported”: {“temperature”: 68,”noise”: 10},
 “desired”: {“hvacStatus”: “COOLING”}

The “reported” key stores data published by the Core2 device to the AWS IoT Core platform—for example, values of “temperature” and “noise.” The “desired” key stores data published by other systems, such as the “hvacstatus” state, which the Core2 device will receive as a command, via automatic synchronization.


“Topic rules” are an AWS IoT Core feature that lets you define some kind of change-behavior for messages arriving in defined topics. They can, for instance, perform transformation on payload data, and route these transformed data to other destinations via device shadows. In the “Smart Thermostat” example, a topic rule is created to receive messages published by the Core2 device and get from them the sampled sound level value. The rule then uses this value to calculate room occupancy. To accomplish this, it uses an SQL query with conditional logic to build a modified payload:

SELECT CASE state.reported.sound > 10
WHEN true THEN true ELSE false END
AS state.desired.roomOccupancy
FROM ‘$aws/things/<<CLIENT_ID>>/shadow/update/accepted’
WHERE state.reported.sound <> Null

It then uses a “republish” IoT Core action to send this payload to the device shadow. The AWS IoT EduKit tutorial explains in fair detail how it works and how to implement it on the AWS IoT Core management console.

The next step is to use the “IoT Events” service to generate HVAC states (heating/cooling/standby) in the cloud infrastructure, which will be sent to the Core2 device as commands for execution. IoT Events has two resource types—inputs and detector models. Inputs let you route incoming messages to detector models. Detector models are basically finite state machines (FSM) that process messages from one or various inputs and compute a new model state. To set up the IoT Event, from the IoT Events management console you must create an “input” with a JSON-defined “schema” like this:

 “current”: {
  “state”: {
   “reported”: {“sound”: 10, “temperature”: 35,
    “roomOccupancy”: false, “hvacStatus”: “HEATING”}},
  “version”: 13},
 “timestamp”: 1606282489

Next, from the AWS IoT Core management console, a new rule must be created that receives the full device shadow JSON document every time it is updated, and forwards it to the newly created IoT Events input. This input will parse only the required fields from the JSON document and discard the others.

The final step is to build a serverless application that receives input from the aforementioned rule, computes the right state for the HVAC system, and sends it back to the remote Core2 device for execution. Figure 9 shows the detector model for this serverless application, which as I said before, is just an FSM. It has three possible states (heating, cooling, and standby), with standby being the default when the system starts. When new input messages arrive, the conditional logic in the FSM determines if the model should transition to a new state. If the state changes, the model will publish a new message back to AWS IoT Core to update the remote Core2’s device shadow. The detector model architecture and behavior is defined also by a JSON file.

Figure 9 Detector model for the “Smart Thermostat” serverless application
Figure 9
Detector model for the “Smart Thermostat” serverless application

Listing 1 shows a shortened version of this example’s detector model, which gives an idea of what the syntax defining the FSM looks like. From the AWS IoT Events management console, you create the detector model basically by importing a JSON file like this and saving it. The process is very easy, and the AWS IoT EduKit tutorial also explains pretty well how to do it. What is not very intuitive is the creation of models with JSON syntax. To be able to understand how that works, you will have to spend some time reading the AWS IoT Events Developer Guide (see Circuit Cellar’s Article Materials & Resources webpage).

Listing 1
Detector model JSON file

  “detectorModelDefinition”: {
    “states”: [
        “stateName”: “standby”,
        “onInput”: {
          “events”: [],
          “transitionEvents”: [
              “eventName”: “startHeating”,
              “condition”: “($input.thermostat.current.state.reported.temperature 
                      <= $variable.heatingThresholdUnoccupied) 
                      || ($input.thermostat.current.state.reported.roomOccupancy 
                      && $input.thermostat.current.state.reported.temperature 
                      <= $variable.heatingThresholdOccupied) “,
              “actions”: [],
              “nextState”: “heating”
              “eventName”: “startCooling”,
              “condition”: “($input.thermostat.current.state.reported.temperature 
                      >= $variable.coolingThresholdUnoccupied) 
                      || ($input.thermostat.current.state.reported.roomOccupancy 
                      && $input.thermostat.current.state.reported.temperature 
                      >= $variable.coolingThresholdOccupied) “,
              “actions”: [],
              “nextState”: “cooling”
        “onEnter”: {
        “onExit”: {
          “events”: []
        “stateName”: “cooling”,
        “onInput”: {
        “onEnter”: {
        “onExit”: {
          “events”: []
        “stateName”: “heating”,
        “onInput”: {
        “onEnter”: {
        “onExit”: {
          “events”: []
    “initialStateName”: “standby”
  “detectorModelName”: “hvacApplication”,
  “detectorModelDescription”: “cloud application to manage HVAC state”,
  “evaluationMethod”: “BATCH”

I hope this general overview of the AWS IoT EduKit’s hardware and software discussed here gives you a fair understanding of what is involved with working with their proposed development solution. The program is intended for people with different levels of development experience, from students to experienced engineers, with an emphasis on helping them easily get started.

At a cost of about $50—for the M5Stack Core2 ESP32 IoT Development Kit—the hardware device, itself, is a great entry-level development platform that carries enough sensors and peripherals to get you pretty much well-equipped to start learning how to develop secure AWS-powered IoT applications. AWS charges for their IoT Core services, but they have a 12-month free tier [6] which, according to them, would allow you to run a 50-device workload, with each device connecting 24 hours a day and exchanging 300 messages per day; making 130 device shadow operations, and triggering 150 rule executions. Pricing rates apply once your free usage time expires or your application exceeds the free tier load.

In a follow-up to this article, I will be discussing the development of a custom IoT application that uses some other sensors and devices in the Core2 module. I will also discuss in more detail the use of the AWS IoT Device SDK for Embedded C libraries for writing custom code, and the build of a custom serverless application for the IoT system. Stay tuned! 

Additional materials from the author are available at:

[1] Trust&GO Platform,
[2] AWS IoT EduKit,
[3] Using X.509 client certificates,
{There is no notation in the narrative for reference 3.}
[4] Retrieving the Device Certificate and Registering your AWS IoT thing,
[5] AWS IoT Device SDK for Embedded C,
[6] AWS IoT Core Pricing,

What is AWS IoT?
Message Queueing Telemetry Transport (MQTT)
Introduction to MQTT
AWS IoT Events developer guide
Light and Versatile Graphics Library
Core2 for AWS IoT EduKit BSP

M5Stack Core2 ESP32 IoT Development Kit for AWS IoT EduKit
Visual Studio Code
PlatformIO IDE for VSCode Installation
AWS Command Line Interface

Keep up-to-date with our FREE Weekly Newsletter!

Don't miss out on upcoming issues of Circuit Cellar.


Advertise Here

Note: We’ve made the Dec 2022 issue of Circuit Cellar available as a free sample issue. In it, you’ll find a rich variety of the kinds of articles and information that exemplify a typical issue of the current magazine.

Would you like to write for Circuit Cellar? We are always accepting articles/posts from the technical community. Get in touch with us and let's discuss your ideas.

Sponsor this Article
| + posts

Raul Alvarez Torrico has a B.E. in electronics engineering and is the founder of TecBolivia, a company offering services in physical computing and educational robotics in Bolivia. In his spare time, he likes to experiment with wireless sensor networks, robotics and artificial intelligence. He also publishes articles and video tutorials about embedded systems and programming in his native language (Spanish), at his company’s web site You may contact him at

Supporting Companies

Upcoming Events

Copyright © KCK Media Corp.
All Rights Reserved

Copyright © 2024 KCK Media Corp.

Build IoT Secure Apps with AWS Services

by Raul Alvarez Torrico time to read: 16 min