AWS IoT Core API

Managed IoT platform that connects billions of devices to AWS and to each other using MQTT, HTTPS, and WebSockets. Provides device registry (Thing management), device shadows (digital twins), rules engine for routing messages to 20+ AWS services, fleet provisioning, and over-the-air update support via IoT Jobs.

Evaluated Mar 06, 2026 (0d ago) vcurrent
Homepage ↗ Repo ↗ Other iot mqtt mqtt5 device-shadow rules-engine aws thing-registry greengrass fleet-provisioning jobs
⚙ Agent Friendliness
54
/ 100
Can an agent use this?
🔒 Security
93
/ 100
Is it safe for agents?
⚡ Reliability
83
/ 100
Does it work consistently?

Score Breakdown

⚙ Agent Friendliness

MCP Quality
--
Documentation
82
Error Messages
70
Auth Simplicity
60
Rate Limits
75

🔒 Security

TLS Enforcement
100
Auth Strength
95
Scope Granularity
90
Dep. Hygiene
88
Secret Handling
90

X.509 mutual TLS is the gold standard for device identity. IoT policies support fine-grained topic-level access control. Certificate rotation via IoT Jobs is well-supported. Private CA integration available for bring-your-own-PKI scenarios. FIPS 140-2 compliant endpoints available in GovCloud.

⚡ Reliability

Uptime/SLA
85
Version Stability
88
Breaking Changes
85
Error Recovery
75
AF Security Reliability

Best When

You are already in the AWS ecosystem and need reliable, scalable MQTT-based device connectivity with built-in fleet management, rules-based routing, and deep integration with Lambda, DynamoDB, Kinesis, and S3.

Avoid When

You need vendor-agnostic MQTT infrastructure, are building a small proof-of-concept, or your devices cannot support TLS mutual authentication required by IoT Core.

Use Cases

  • Connecting embedded devices and microcontrollers to AWS for telemetry ingestion and command delivery
  • Implementing device shadows to maintain last-known device state and sync offline devices when they reconnect
  • Routing sensor data to DynamoDB, S3, Lambda, or Kinesis via rules engine without custom middleware
  • Fleet provisioning and certificate rotation for large device deployments using IoT Fleet Provisioning APIs
  • Building remote firmware update pipelines using IoT Jobs with rollout configurations and rollback policies

Not For

  • Purely HTTP REST integrations where MQTT semantics are unnecessary overhead
  • Teams without AWS expertise — the IAM/policy/certificate model has a steep learning curve
  • Lightweight hobby projects where simpler MQTT brokers (HiveMQ, Mosquitto) suffice without AWS lock-in

Interface

REST API
Yes
GraphQL
No
gRPC
No
MCP Server
No
SDK
Yes
Webhooks
No

Authentication

Methods: x509_certificate aws_sigv4 custom_authorizer cognito_identity
OAuth: No Scopes: No

Devices authenticate with X.509 client certificates signed by AWS IoT CA or a private CA. IoT policies (distinct from IAM policies) control what MQTT topics and operations a certificate can access. REST control-plane APIs use AWS SigV4. Custom authorizers allow JWT or token-based auth for MQTT connections without certificates — useful for mobile clients.

Pricing

Model: pay-as-you-go
Free tier: Yes
Requires CC: Yes

Cost can scale unexpectedly — each MQTT publish/subscribe counts as messages, rules engine triggers add cost per rule matched, and device shadow operations are metered separately from messaging. A device that publishes 1 message with 3 matching rules generates at least 4 billable events.

Agent Metadata

Pagination
cursor
Idempotent
Partial
Retry Guidance
Documented

Known Gotchas

  • IoT policies are completely separate from IAM policies — IAM controls who can call control-plane APIs, IoT policies control what MQTT operations a certificate can perform; forgetting to attach an IoT policy to a certificate causes silent connection drops
  • Device shadows use optimistic locking with a `version` field; if two agents update the shadow concurrently, the one with the lower version gets a 409 ConflictException that must be handled with a read-modify-write retry loop
  • MQTT topic wildcards (# and +) in IoT policies must be carefully scoped — overly permissive wildcards allow devices to subscribe to other devices' topics, a common misconfiguration causing data leakage
  • Rules engine SQL runs against the message payload at publish time; if a device publishes a message that doesn't match the WHERE clause, the rule silently does nothing — debugging requires enabling CloudWatch Logs on the rule
  • Fleet Provisioning provisioning claims are one-time-use certificates that must be exchanged for permanent certificates; if the exchange fails mid-process the device may be stuck with an unusable claim certificate
  • The `aws iot-data` endpoint (HTTPS data plane) and the `aws iot` endpoint (control plane) are completely different base URLs — agents that conflate them will get 404s on valid operations
  • Thing Groups and Billing Groups are separate concepts; dynamic Thing Groups based on registry queries can have propagation delays up to 60 seconds before newly registered things appear in groups

Alternatives

azure-iot-api arduino-iot-api particle-api mqtt-api

Full Evaluation Report

Detailed scoring breakdown, competitive positioning, security analysis, and improvement recommendations for AWS IoT Core API.

$99
API endpoint ↗ Agent guide ↗ Report inaccuracy

Scores are editorial opinions as of 2026-03-06.

5178
Packages Evaluated
26151
Need Evaluation
173
Need Re-evaluation
Community Powered