When devices are deployed behind restricted firewalls at remote sites, you need a way to gain access to those devices for troubleshooting, configuration updates, and other operational tasks. This is where, secure tunneling, a feature of AWS IoT Device Management has been helping customers to do remote tasks.

To help elevate customers even further, AWS has made some significant updates to the offering. First, the price of AWS IoT Device Management secure tunneling feature has been reduced by 80% while retaining the maximum tunnel duration at 12 hours. With improved cost efficiencies, customers can now scale secure tunneling to access a fleet of devices deployed behind restricted firewalls for troubleshooting, configuration updates, training, and other operational tasks to meet the need of their growing IoT workloads on AWS.

Secondly, AWS has made it even easier to communicate to remote devices using Secure shell Protocol(SSH), Virtual Network connectivity (VNC) or Remote desktop protocol(RDP), enabling support for multiple simultaneous TCP connections. With multiple simultaneous Transmission Control protocol(TCP) connections, you can establish tunnels to access HTTP-based applications that typically make several connections. For example, you can now remotely access a web application that is running on a device to gain real-time telemetry or perform administrative tasks in a web-based Graphic User Interface(GUI).

The third improvement is the introduction of single-use token. Previously, when a secure tunnel was established, a token could have been stored and reused, making it susceptible to malicious use. With the updated security improvement, you can now revoke client access tokens (CAT) after a successful connection. When the connection drops, instead of saving CATs to a local device and establishing a token re-delivery method. You can call the RotateTunnelAccessToken API to deliver a new pair of CATs to the source and destination devices and resume connection with the original device in the predefined tunnel period. Depending on where the customer runs into connection issues, token rotation supports rotating CATs in source, destination, or both modes. Once reconnected, you can securely access and continue troubleshooting remote devices using secure tunneling feature. Additionally, the new CATs will be published to destination devices through their subscribed MQTT topic.

Finally, we added support to browser-based SSH. Previously, you could only connect to a destination device (end destination remote device) using proxy connections through the command line interface (CLI) at source device (operators device). Starting today, you can connect to these destination devices right from the embedded SSH terminal through the AWS Console without the need for a local proxy from source device (AWS IoT Secure tunneling console). This feature improves the on-boarding experience significantly by eliminating the need to compile and install a local proxy on the operators’ device. This streamlined experience allows you to easily scale your use of secure tunneling for remote tasks such as conducting routine operational maintenance.

Using AWS IoT Secure Tunneling

In this blog post we will setup the IoT Device (Destination device) and we will connect to this destination device using our browser based interface right from AWS IoT Console. You can also reference this video for a live demo.

Step 1:  Setup destination device

Please setup IoT Device (Destination device), for this walk-through you can either use AWS IoT Device Client or AWS IoT Greengrass, once you have setup “Destination device” and you can see data arriving from this device into AWS IoT Core, then let’s proceed forward and setup a secure tunnel from browser to this end device (destination device).

Step 2: Browser based tunneling

From AWS IoT Console choose


All devices


Select the thing, In the image below, a previously created test thing has been selected. You will need to select the specific thing you created.

Step 3: Create tunnel

Select “Create secure tunnel

Use “Quick setup” and select “Next

You can “edit” details if you like, for now we will use default settings and “confirm and create” tunnel.

When using browser-based secure tunneling, the client access token for source will be automatically delivered to you through the embedded SSH terminal, and the destination access token will be delivered to the reserved tunnel MQTT topic for devices connected AWS IoT. That procedure eliminates the need to download tokens, if you plan to deliver the destination token using a home-grown solution or establish the tunnel through a local CLI, you can you can download the tokens.

Once you have the tunnel created, Choose “Connect via browser CLI” authentication option. For our test we will use “Use private key

In the pop up, select your “Username” and “Private key” and select “Connect

Once authentication succeeds, you can see the following terminal window showing “destination device” terminal.

In this example I have used an AWS IoT Greengrass device we can ‘CAT’ the logs here to show we are connected to “destination device

You can carry out the tasks needed on this destination device. If the connection is dropped, you can “Send new access tokens” to both the source/destination devices to regain access. Once you are done, you can close and delete the tunnel and conclude the connection to the end device (destination device).

Step 4: Conclude and delete tunnel

Confirm “delete” and “Delete tunnel

Also to avoid any ongoing charges, delete any infrastructure you have created for this test, such as IoT things or EC2 instances.


In this blog you learned how AWS IoT Secure tunnel can create a secure tunnel to your IoT device (destination device) and carry out remote operations over SSH. The use case can be many, such as debugging or remedy device anomalies, and more. AWS IoT secure tunneling supports “private key” SSH authentication, making it easier for you to monitor device anomalies, take mitigating actions, and rectify the device state where needed. Through a combination of 80% price reduction, added support for simultaneous TCP connections, single-used token, token rotation, and browser-based tunneling, you can scale your IoT deployments more efficiently and manage them across multiple use cases.

About the Authors

Syed Rehan is a Sr. Global IoT Evangelist at Amazon Web Services (AWS) and is based out of London. He is covering global span of customers working with developers and decision makers at large enterprises to drive the adoption of AWS IoT services. Syed has in-depth knowledge of IoT and cloud and works in this role with global customers ranging from start-up to enterprises to enable them to build IoT solutions with the AWS Eco system.

Chelsea Pan is a Sr. Product Manager at Amazon Web Services and is based in Seattle. She oversees the AWS IoT Device Management services on product strategy, roadmap planning, business analysis and insights, customer engagement, and other product management areas. Chelsea led the launch of several fast-growing security products in her career.


Leave a Reply