Send Device Data to AWS IoT Core
Forward device payloads to AWS IoT Core using the platform's data forwarding service with credential injection
This guide walks through connecting your IoT devices to AWS IoT Core using the platform's data forwarding service. Devices send plain HTTP — the platform handles TLS, authentication, and delivery to your AWS endpoint.
Architecture
[Device] → [Platform Forwarder] → [AWS IoT Core] → [IoT Rule] → [DynamoDB / S3 / Lambda]
The forwarder sits between your devices and AWS. It terminates the device connection, injects AWS credentials, converts the protocol to MQTTS, and delivers the payload to your IoT Core endpoint. Devices never need AWS certificates or TLS libraries.
Prerequisites
Platform side:
- A connected device (complete the Quick Start first)
- A device group with the forwarding service enabled
AWS side:
- An AWS account with IoT Core access
- An IoT Core thing, certificate, and policy
- The IoT Core endpoint URL (found in AWS Console → IoT Core → Settings)
Step 1: Create an AWS IoT Core thing
- Open the AWS IoT Console
- Go to Manage → Things → Create things
- Choose Create single thing, name it `soracom-device-01`
- Under Device certificate, choose Auto-generate a new certificate
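- Create and attach a policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:us-east-1:123456789:client/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": "arn:aws:iot:us-east-1:123456789:topic/devices/*"
    }
  ]
}
```

`iot:Connect` is authorized against a client resource rather than a topic, so it has its own statement; narrow `client/*` to the client ID the forwarder connects with if the platform documents one.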
- Download the certificate, private key, and root CA
- Note your IoT Core endpoint: `a1b2c3d4e5f6g7-ats.iot.us-east-1.amazonaws.com`
Security: Use a dedicated certificate with minimal publish permissions. Do not reuse certificates across production and development environments.
Step 2: Store AWS credentials on the platform
- In the platform Console, go to Security → Credentials Store
- Click Add Credential
- Select type: AWS IoT Certificate
- Enter the values:
| Field | Value |
|---|---|
| Credential name | aws-iot-prod |
| Certificate | Contents of certificate.pem.crt |
| Private key | Contents of private.pem.key |
| CA certificate | Contents of AmazonRootCA1.pem |
- Click Save
Step 3: Configure the forwarding service
- Go to Groups → select your device group (or create one)
- Open Forwarding Service settings
- Click Add destination with these settings:
| Setting | Value |
|---|---|
| Protocol | MQTTS |
| Hostname | a1b2c3d4e5f6g7-ats.iot.us-east-1.amazonaws.com |
| Port | 8883 |
| Topic | devices/#{imsi} |
| Credential | aws-iot-prod |
- Save the configuration
- Assign your SIM to this group if it isn't already
The #{imsi} token is replaced with the device's SIM identifier, so each device publishes to its own MQTT topic.
Step 4: Test the integration
From your connected device, send a test payload:
```bash
curl -X POST http://beam.soracom.io \
  -H "Content-Type: application/json" \
  -d '{"temperature": 23.5, "humidity": 60, "test": true}'
```
Verify in AWS IoT Core:
- Open AWS IoT Console → Test → MQTT test client
- Subscribe to topic `devices/#`
- You should see your payload arrive within a few seconds:

```json
{
  "temperature": 23.5,
  "humidity": 60,
  "test": true
}
```
Step 5: Production hardening
Once the basic integration works, consider these improvements:
- Error handling — Configure a dead-letter queue in the group settings for failed deliveries
- Monitoring — Set up an event rule to alert on forwarding errors (email, webhook, or Slack)
- Private networking — Add a Virtual Private Gateway to keep all traffic off the public internet
- IoT Rules — Create AWS IoT Rules to route data to DynamoDB, S3, Lambda, or Kinesis based on payload content
How it works
When a device sends data through the forwarder:
- Device sends plain HTTP POST to `beam.soracom.io` (no TLS needed from the device)
- Platform terminates the HTTP connection and extracts the payload
- Forwarding service establishes an MQTTS connection to AWS IoT Core using the stored certificate
- Payload is published to the configured topic with the device's SIM ID interpolated
- AWS IoT Core receives the message and applies any configured IoT Rules
The platform maintains a connection pool to AWS, so individual device requests don't incur TLS handshake overhead. Credentials never touch the device.
Troubleshooting
Messages not arriving in AWS
Symptom: curl succeeds (HTTP 200) but no messages appear in the MQTT test client.
Check: Verify the IoT Core endpoint URL is correct. Confirm the certificate is active in AWS (not revoked or expired). Check that the IoT policy allows iot:Publish on the correct topic pattern.
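A simplified offline version of that policy check, added here as an example (it is not part of the original guide or the platform's tooling): it expands the `#{imsi}` topic template and tests `iot:Connect` and `iot:Publish` against a policy document. The matcher handles only the `*` and `?` wildcards (no policy variables or conditions), and the client ID, the IMSI and both sample policies are constructed assumptions.

```python
import re

ARN = "arn:aws:iot:us-east-1:123456789"  # region/account as written in Step 1

def glob_match(pattern, value):
    """IAM-style wildcard match: '*' = any run of characters, '?' = exactly one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.S) is not None

def as_list(v):
    return v if isinstance(v, list) else [v]

def allows(policy, action, resource):
    """Simplified evaluation: an explicit Deny wins, otherwise any matching Allow."""
    allowed = False
    for st in as_list(policy["Statement"]):
        hit = (any(glob_match(a, action) for a in as_list(st["Action"]))
               and any(glob_match(r, resource) for r in as_list(st["Resource"])))
        if hit and st["Effect"] == "Deny":
            return False
        allowed = allowed or (hit and st["Effect"] == "Allow")
    return allowed

def check_forwarding(policy, topic_template, imsi, client_id):
    """Return findings for one device; an empty list means connect and publish pass."""
    topic = topic_template.replace("#{imsi}", imsi)
    findings = []
    if re.search(r"[#+]", topic):  # unresolved #{...} token or MQTT wildcard
        findings.append(f"publish topic contains '#' or '+': {topic}")
    if not allows(policy, "iot:Connect", f"{ARN}:client/{client_id}"):
        findings.append(f"iot:Connect not allowed for client/{client_id}")
    if not allows(policy, "iot:Publish", f"{ARN}:topic/{topic}"):
        findings.append(f"iot:Publish not allowed on topic/{topic}")
    return findings

# Constructed policies in the style of Step 1 (not exported from a real account).
SINGLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iot:Connect", "iot:Publish"],
     "Resource": f"{ARN}:topic/devices/*"}]}
SPLIT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iot:Connect", "Resource": f"{ARN}:client/*"},
    {"Effect": "Allow", "Action": "iot:Publish", "Resource": f"{ARN}:topic/devices/*"}]}

if __name__ == "__main__":
    imsi = "001010123456789"     # constructed test IMSI
    client = "forwarder-client"  # hypothetical client ID; the guide does not state it
    for name, pol in (("single", SINGLE), ("split", SPLIT)):
        print(name, check_forwarding(pol, "devices/#{imsi}", imsi, client))
    print(check_forwarding(SPLIT, "telemetry/#{imsi}", imsi, client))
```

A policy that grants `iot:Connect` only on a topic resource fails the connect check even though publish would pass, and a topic template outside `devices/` fails the publish check.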
HTTP 403 from the forwarder
Symptom: Device receives a 403 response when posting to the forwarder endpoint.
Check: Verify the credential name in the group configuration matches the credential stored in the Credentials Store. Ensure the certificate's private key matches the certificate.
Intermittent delivery failures
Symptom: Most messages arrive but some are dropped.
Check: Review the forwarding service logs in the Console. Check if AWS IoT Core is throttling (default is 500 publishes/second per account). Consider enabling the retry queue.
Cost considerations
| Component | Cost |
|---|---|
| Platform forwarding | ~$0.001 per request |
| AWS IoT Core messaging | $1.00 per million messages |
| Estimated monthly (100 devices, 1 msg/min) | ~$8.50/month |
Related
- Platform Forwarder Reference — Full configuration options and protocol support
- AWS IoT Core docs — Official AWS documentation
- Data Routing Concepts — How data flows from devices to cloud
- Cloud Delivery Service — Alternative: direct cloud adapters without custom endpoints