I am designing a platform where a large number of cloud-enabled embedded devices will be sending push notifications to mobile apps using Amazon SNS.
Each embedded device should create an SNS topic and publish to that topic. Users will register to a topic and receive these notifications.
My question is: how should the embedded devices handle authentication/authorization with AWS in order to create the topics and publish the notifications. Here are the options I have considered so far:
- Create a single IAM user that will be 'shared' by all embedded devices. Not a good idea: if a single device is hacked, all of them are compromised.
- Create a different IAM user for each embedded device. This could be an option, but AWS limits this to 5000.
- Set up an intermediate server which talks to AWS; an IAM user would be created for the server. The server then generates temporary credentials on demand for the embedded devices, and the devices use these to authenticate with AWS. I don't like this because it introduces an additional dependency / single point of failure (the intermediate server).
What other options do I have? I am sure I'm not the first one to face this problem.
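The third option in the question (an intermediate server that hands out temporary credentials) only improves on the shared-user option if each device's temporary credentials are scoped to that device's own topic, so that a compromised device cannot publish to anyone else's. The following is an added example, not code from the question or from AWS: it builds a per-device session policy, shows how the server would pass it to STS `GetFederationToken` (the `Name`, `Policy` and `DurationSeconds` parameters are real; the STS client is injected so the module runs offline), and includes a minimal IAM-style evaluator to check the blast radius of the resulting policy. The topic naming scheme `device-<id>`, the region, the account id and the device ids are assumptions made for the example.

```python
"""Per-device, least-privilege SNS credentials for the 'intermediate server'
design. Hypothetical example: topic naming, account and region are assumed."""
import fnmatch
import json


def device_topic_arn(region, account_id, device_id):
    # Assumption: every device owns exactly one topic named device-<id>.
    return f"arn:aws:sns:{region}:{account_id}:device-{device_id}"


def build_device_policy(region, account_id, device_id):
    """Session policy that lets one device create and publish to its own topic only.
    Passed to STS, it is intersected with the server IAM user's own permissions,
    so the device never gets more than the server has."""
    arn = device_topic_arn(region, account_id, device_id)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["sns:CreateTopic", "sns:Publish"],
                "Resource": arn,
            }
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Minimal IAM evaluation: explicit Deny wins, otherwise any matching Allow,
    otherwise implicit deny. Actions are case-insensitive, resources are not."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(
            fnmatch.fnmatchcase(action.lower(), pattern.lower())
            for pattern in _as_list(stmt["Action"])
        )
        resource_hit = any(
            fnmatch.fnmatchcase(resource, pattern)
            for pattern in _as_list(stmt["Resource"])
        )
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def issue_device_credentials(sts_client, region, account_id, device_id, ttl_seconds=3600):
    """Server side: ask STS for short-lived federation credentials scoped by the
    device policy. sts_client is a boto3 STS client in production (the server's
    IAM user keys stay on the server); a fake client is injected in tests."""
    policy = build_device_policy(region, account_id, device_id)
    response = sts_client.get_federation_token(
        Name=f"device-{device_id}"[:32],   # GetFederationToken limits Name to 32 chars
        Policy=json.dumps(policy),
        DurationSeconds=ttl_seconds,       # credentials expire on their own
    )
    return response["Credentials"]


def blast_radius(policy, region, account_id, other_device_ids):
    """Which other devices' topics can a holder of this policy publish to?"""
    return [
        dev for dev in other_device_ids
        if is_allowed(policy, "sns:Publish", device_topic_arn(region, account_id, dev))
    ]


if __name__ == "__main__":
    # Constructed sample: device A1 and two other devices in the same account.
    policy = build_device_policy("us-east-1", "123456789012", "A1")
    print(json.dumps(policy, indent=2))
    print("A1 can publish to own topic:",
          is_allowed(policy, "sns:Publish", device_topic_arn("us-east-1", "123456789012", "A1")))
    print("Other topics reachable if A1 is compromised:",
          blast_radius(policy, "us-east-1", "123456789012", ["B2", "C3"]))
```

The evaluator is intentionally small (no conditions, no NotAction) but enough to check the property that matters here: a compromised device's credentials reach only that device's topic, and they expire without any revocation step on the server.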