2. Solution Architecture Overview
The following diagram represents the primary AWS services used for the first commercial release of the BrainBerry application. This document describes how these services are integrated to address the specific solution concerns of the BrainBerry application, as well as the general architecture best-practice concerns of a commercial IoT platform.

Component Review

AWS IoT
ID | Component | Purpose / Description
1 | Amazon FreeRTOS | FreeRTOS is a real-time operating system (RTOS) for microcontrollers and small microprocessors. Distributed freely under the MIT open source license, FreeRTOS includes libraries for connectivity, security, and over-the-air (OTA) updates.
2 | Mobile App(s) | The mobile application provides direct UI interaction with the patient.
3 | AWS IoT Device Management | AWS IoT Device Management is a cloud-based device management service that makes it easy for customers to securely manage IoT devices throughout their lifecycle. Customers can use it to onboard device information and configuration, organize their device inventory, monitor their fleet of devices, and remotely manage devices deployed across many locations. This remote management includes over-the-air (OTA) updates to device software.
4 | IoT Certificate | A headgear-specific X.509 certificate and private key used to authenticate a particular headset to AWS IoT Core (mutual TLS). Each device has its own certificate, so data and commands can be attributed to exactly one device, and a compromised device can be revoked individually without affecting the rest of the fleet. The private key should be generated on the device and never leave it.
5 | Over the Air Updates | The signed firmware images, jobs, and processes by which kernel updates are pushed to headgear microcontrollers. The headgear must verify the image's code signature before applying it, so that access to the update channel alone is not enough to install arbitrary firmware.
6 | IoT Policy | The cloud-managed document defining the permissions (connect, publish, subscribe, receive) of a particular headgear, attached to the headgear's IoT Certificate.
7 | AWS IoT Events | A cloud-based service to detect and respond to anomalous data/events from IoT devices, e.g. headgear. For example, probe voltage readings that fall outside a defined threshold.
8 | AWS IoT Core | AWS IoT Core provides secure, bi-directional communication for Internet-connected devices (such as sensors, actuators, embedded devices, wireless devices, and smart appliances) to connect to the AWS Cloud over MQTT or HTTPS.
9 | IoT Topic | Topics identify AWS IoT messages using a hierarchical structure, e.g. sensor/neural/{deviceid}/eegreading. Client applications/services can publish or subscribe to messages on IoT Topics, provided they hold the proper permissions.
10 | IoT Device Shadow | The AWS IoT Device Shadow service adds shadows to AWS IoT thing objects. Shadows can make a device's state available to apps and other services whether the device is connected to AWS IoT or not.
11 | Lambda Function | Lambda functions can either update information in an IoT Device Shadow or subscribe to changes in an IoT Device Shadow. Subscribing to changes allows the Lambda function to initiate an external, asynchronous action that might not be directly IoT-related, for example causing an application to pause if the headgear stops transmitting data.
12 | IoT Rule | An action triggered when a message on an IoT Topic meets certain conditions. These conditions might be as simple as data posted to a particular IoT Topic, or more complicated rules which evaluate the message payload before deciding on a course of action.
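The following is an added example (not BrainBerry's own code) of what components 4, 6 and 9 look like when combined into a least-privilege IoT policy for one headgear certificate, together with a small evaluator that shows what the policy permits. The region/account (us-east-1 / 123456789012), the thing names hg-0001 and hg-0002, and the topic layout sensor/neural/<thing>/eegreading for telemetry and cmd/neural/<thing> for commands are assumptions. The evaluator imitates only the parts of the AWS IoT policy engine needed here (Allow/Deny, '*' wildcards, the thing-name policy variable); the service itself is authoritative.

```python
"""Least-privilege AWS IoT policy for one headgear certificate, plus a
simplified evaluator.  Added example; not the project's code.  Region,
account, thing names and topic layout are assumed values."""
import fnmatch
import json

REGION, ACCOUNT = "us-east-1", "123456789012"       # assumed values
THING = "${iot:Connection.Thing.ThingName}"          # resolved by AWS IoT at connect time


def arn(kind: str, path: str) -> str:
    return f"arn:aws:iot:{REGION}:{ACCOUNT}:{kind}/{path}"


# Policy attached to every headgear certificate.  The policy variable resolves
# to the thing the certificate is attached to (the MQTT client ID must equal the
# thing name), so a headgear can only connect as itself and only reach its own
# telemetry topic, command topic and shadow.  Other devices' topics and broad
# filters such as '#' match nothing here and are therefore denied.
HEADGEAR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect",
         "Resource": arn("client", THING)},
        {"Effect": "Allow", "Action": "iot:Publish",
         "Resource": [arn("topic", f"sensor/neural/{THING}/eegreading"),
                      arn("topic", f"$aws/things/{THING}/shadow/update")]},
        {"Effect": "Allow", "Action": "iot:Subscribe",
         "Resource": [arn("topicfilter", f"cmd/neural/{THING}"),
                      arn("topicfilter", f"$aws/things/{THING}/shadow/update/delta")]},
        {"Effect": "Allow", "Action": "iot:Receive",
         "Resource": [arn("topic", f"cmd/neural/{THING}"),
                      arn("topic", f"$aws/things/{THING}/shadow/update/delta")]},
    ],
}

# The weak setting this replaces: one shared policy that lets any device do
# anything, so a single compromised headgear can read or spoof every other one.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iot:*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, thing_name: str, action: str, resource: str) -> bool:
    """Simplified evaluation: substitute the connecting thing's name for the
    policy variable, then apply deny-overrides-allow with '*' glob matching."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        for pattern in _as_list(stmt["Resource"]):
            if fnmatch.fnmatchcase(resource, pattern.replace(THING, thing_name)):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


def policy_json(policy: dict = HEADGEAR_POLICY) -> str:
    """Document in the form passed to `aws iot create-policy --policy-document`."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print(policy_json())
```

The `${iot:Connection.Thing.ThingName}` variable only resolves when the certificate is attached to a thing and the device connects with that thing name as its client ID; the `iot:Connect` statement enforces the second condition, which is what ties the certificate (BP 3.1.1.1) to the per-device permissions (BP 3.1.1.2).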
AWS IoT Analytics
ID | Component | Purpose / Description
13 | IoT Analytics Channel | A channel collects data from an MQTT topic and archives the raw, unprocessed messages before publishing the data to a pipeline.
14 | AWS S3 | Provides long-term storage of raw data received from all IoT devices integrated with IoT Analytics (all headgear).
15 | Pipeline / Data Store / Data Set | A pipeline consumes messages from a channel and enables you to process the messages before storing them in a data store. You retrieve data from a data store by creating a data set. AWS IoT Analytics enables you to create a SQL data set or a container data set. These data sets can then be stored, forwarded, etc.
16 | AWS S3 | Long-term storage of processed and correlated data. This can be used for any business concern, e.g. reporting, analytics, patient health analysis, product development/testing, etc.
17 | External AWS S3 | A single channel can support multiple pipelines with multiple data stores. This allows data to be filtered, pre-processed, and delivered to 3rd parties for their own use; the pipeline feeding a 3rd party is where patient identifiers are stripped if that party is not entitled to PHI.
18 | AWS S3 | Long-term storage of processed and correlated data, as in 16. This entry demonstrates that a single channel can deliver different final results to different parties based on the same incoming raw data.
19 | QuickSight | Data sets can be pushed into QuickSight for near-real-time dashboards of platform activity.
User and Mobile Services
ID | Component | Purpose / Description
20 | Amazon Cognito | Amazon Cognito handles user authentication and authorization for your web and mobile apps.
21 | Amazon API Gateway | Amazon API Gateway enables you to create and deploy your own REST and WebSocket APIs at any scale. You can create robust, secure, and scalable APIs that access Amazon Web Services or other web services, as well as data that's stored in the AWS Cloud.
22 | AWS Lambda | AWS Lambda functions process requests sent to API Gateway. A Lambda function can also be triggered by some event to push data to a mobile client through API Gateway over an already established WebSocket connection.
23 | Amazon DynamoDB | Amazon DynamoDB is a fully managed NoSQL database service that provides fast and predictable performance with seamless scalability. You can use Amazon DynamoDB to create a database table that can store and retrieve any amount of data, and serve any level of request traffic.
General Services
ID | Component | Purpose / Description
24 | Security Operations Tools | These tools provide active monitoring of activity within your AWS account(s) and enforcement of compliance and security policies. Amazon Macie scans data in S3 to discover sensitive data, such as PHI, and raises findings when it appears in buckets where it is not expected. Amazon GuardDuty analyzes VPC Flow Logs, DNS logs, and CloudTrail events to identify malicious or anomalous behaviour.
25 | Audit and Logging | These tools log and store information related to network traffic (VPC Flow Logs), AWS service activity (CloudTrail), and application logs (CloudWatch Logs). The Security Operations Tools require these sources of information for their own analysis and response configuration.
26 | AWS KMS | AWS Key Management Service (AWS KMS) is an encryption and key management service scaled for the cloud. AWS KMS keys and functionality are used by other AWS services, and you can use them to protect data in your own applications that use AWS.
27 | AWS Config | AWS Config provides a detailed view of the resources associated with your AWS account, including how they are configured, how they are related to one another, and how the configurations and their relationships have changed over time.
28 | Amazon S3 Glacier | Provides low-cost, long-term archival storage of data of any size. Archives are not immutable by default; write-once retention has to be enforced with Glacier Vault Lock (or S3 Object Lock for the S3 Glacier storage classes).
29 | AWS CloudFormation | AWS CloudFormation provides Infrastructure-as-Code services that allow us to define our AWS environment as a series of template documents. This has a positive impact on concerns such as security, configuration errors, change control, system operations, and development.
Primary Communication Links
ID | Protocol | Source | Destination | Purpose / Description
A | MQTT | Headset | IoT Endpoint | This is a bi-directional connection between each neural headset and the IoT backplane, carried over TLS and mutually authenticated with the headset's IoT Certificate. It allows the headset to stream EEG measurements and any other telemetry to the cloud for processing and storage. It also allows the headset to be notified of data and commands specific to its operation, e.g. 'Game active, begin transmitting'.
B | HTTPS | Mobile App | AWS Cognito | Provides user authentication via Cognito user pools or federation with OpenID Connect / SAML identity providers. If required, authorization is also provided via JSON Web Tokens (JWTs) and federated access to IAM roles through Cognito identity pools, allowing users scoped access to backend resources, e.g. private S3 buckets or DynamoDB tables.
C | HTTPS | Mobile App | API Gateway (or AppSync) | This is a bi-directional connection that supports HTTP verb access to backend resources, primarily Lambda functions, but access to other AWS services is also possible. API Gateway can also support WebSocket connections, allowing mobile applications bi-directional communication with the backend (meaning the mobile app does not need to poll for data updates or respond to SNS push notifications).
D | AWS API | Lambda | DynamoDB | This line of communication can go in both directions. Lambda functions can access DynamoDB tables in response to certain events, e.g. an API call. DynamoDB Streams can also trigger Lambda functions based on updates to data in DynamoDB tables. For example, a user could try to log in to a mobile application on a second device, causing the user's session information to be updated in the DynamoDB table. This in turn could trigger a Lambda function to send a close-connection message over WebSockets to the user's existing mobile login.
E | AWS API | Lambda | IoT Device Shadow | This line of communication can operate in both directions. There may be certain events in which an API call needs to update the state of an IoT Device Shadow, e.g. associating an authenticated user with a particular headset (after checking that the user is entitled to that headset). There may also be events in which Lambda functions are executed based on updates to the IoT Device Shadow of a particular headset.
F | MQTT/AWS API | IoT Core | IoT Topic | The primary mechanism to receive information from IoT devices (e.g. the neural headset) and make that information available to any number of subscribers.
G | AWS API | IoT Device Shadow | Lambda Function | An IoT Device Shadow holds both the "desired" and the "reported" state of an IoT device. The desired state can be changed even while the device is offline, e.g. turning off your house lights while on vacation, even if the Internet is currently down at your house; you want to know that the lights will turn off once they re-establish a connection. The device receives the difference between desired and reported state (the delta) when it reconnects and reports back once it has applied it. Other services, e.g. Lambda functions, can subscribe to state changes of an IoT device and take independent action based on custom logic.
H | AWS API | Lambda | DynamoDB | DynamoDB tables will likely play an important part in managing user game and session information. As such, the integration between DynamoDB and the mobile app will rely on near-real-time updates from IoT devices, which may be coordinated through their Device Shadows.
I / J | AWS API | IoT Rule | IoT Analytics Channel | This will be the primary mechanism by which time-series data received from headsets is processed and stored. IoT Analytics allows a one-to-many approach to channels and pipelines, so that the same inbound data can be processed, stored, and filtered for use by multiple external services and clients.
K | AWS API | IoT Analytics Dataset | Lambda | This is an example to demonstrate how time-series information can be processed and made available in near real time. For example, signal noise can be averaged every 10 seconds and then sent to a Lambda function to be delivered to the mobile application via WebSockets. The mobile app will then be able to present signal strength to the user or allow a game to pause until the data stream from the headset has caught up.
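Links B, C, D and E together describe the path by which an authenticated user is associated with a headset through its Device Shadow. The following is an added example (not BrainBerry's code) of the Lambda function behind that API call, written as an API Gateway REST proxy integration behind a Cognito User Pool authorizer. The ownership table (headset_id -> Cognito subject), the request body shape and the shadow field names are assumptions. The point it demonstrates: the caller's identity is taken only from the authorizer claims that API Gateway places in requestContext, never from the request body, and ownership of the headset is checked before the shadow is touched; without that check any logged-in user could bind any headset to their own session.

```python
"""Lambda handler that associates an authenticated user with a headset by
preparing a Device Shadow 'desired' update.  Added example, not the
project's code; table layout, body shape and shadow fields are assumed."""
import json
from typing import Callable, Optional

# Constructed ownership table standing in for a DynamoDB lookup (link D).
OWNERS = {"hg-0001": "user-aaa", "hg-0002": "user-bbb"}


def lookup_owner(headset_id: str) -> Optional[str]:
    return OWNERS.get(headset_id)


def build_shadow_update(user_sub: str, session_id: str) -> dict:
    """Desired-state document for update_thing_shadow on the IoT Data Plane (link E)."""
    return {"state": {"desired": {"user": user_sub, "session": session_id,
                                  "game_active": True}}}


def _resp(status: int, body: dict) -> dict:
    return {"statusCode": status,
            "headers": {"Content-Type": "application/json"},
            "body": json.dumps(body)}


def handler(event: dict, context=None, *,
            lookup: Callable[[str], Optional[str]] = lookup_owner,
            shadow_updates: Optional[list] = None) -> dict:
    """API Gateway REST proxy event with a Cognito User Pool authorizer.

    `shadow_updates`, when given, collects the (thing_name, payload) pairs a
    real deployment would send with boto3's
    iot-data client: update_thing_shadow(thingName=..., payload=json.dumps(...))."""
    # Identity comes from the authorizer, which validated the Cognito JWT (link B);
    # nothing in the body is trusted for who the caller is.
    authorizer = (event.get("requestContext") or {}).get("authorizer") or {}
    user_sub = (authorizer.get("claims") or {}).get("sub")
    if not user_sub:
        return _resp(401, {"error": "unauthenticated"})

    try:
        body = json.loads(event.get("body") or "{}")
        headset_id = str(body["headset_id"])
        session_id = str(body["session_id"])
    except (ValueError, KeyError, TypeError):
        return _resp(400, {"error": "bad request"})

    # Object-level authorization: the headset must belong to this user.
    # Unknown and not-owned headsets get the same answer, so IDs cannot be enumerated.
    if lookup(headset_id) != user_sub:
        return _resp(403, {"error": "forbidden"})

    payload = build_shadow_update(user_sub, session_id)
    if shadow_updates is not None:
        shadow_updates.append((headset_id, payload))
    return _resp(200, {"headset_id": headset_id, "session_id": session_id})


def make_event(sub: Optional[str], body: dict) -> dict:
    """Constructed API Gateway proxy event; `sub` None means no valid token."""
    return {"requestContext": {"authorizer": {"claims": {"sub": sub} if sub else {}}},
            "body": json.dumps(body)}
```

The same ownership check belongs in front of every other headset-scoped operation the API exposes (reading a headset's shadow, fetching its data sets), and the Lambda's execution role should be limited to `iot:UpdateThingShadow` on the headgear things plus read access to the ownership table, so that a bug in the function cannot be escalated into fleet-wide shadow writes.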
General IoT Concerns For High Data IO / Multi-Component Solutions
IoT Architecture Best Practices
ID | Priority | Best Practice | Architecture Component
BP 3.1.1.1 | Required | Assign unique identities to each IoT device |
BP 3.1.1.2 | Highly Recommended | Assign least privilege access to devices