
Creating things on Amazon IoT Core


I built a couple of test IoT hardware devices for home automation which I want to control with an Android app I also wrote. The app will be used by several people.

My plan is to use Amazon IoT Core to let the apps send MQTT commands to the IoT devices.

Since my hardware devices are not very powerful (ESP8266 architecture) I'm going to authenticate via the Signature Version 4 (SigV4) scheme. This auth scheme is useful when the hardware device is not powerful enough to authenticate via the standard private key/certificate method; it requires a pair of key/secret IAM credentials to be hardcoded into the device firmware (instead of the certificate and private key).

I then created a test "thing" in the IoT Core console and I can successfully send commands from the apps to the devices (and receive data from the devices and show them on the apps).

My question is, do I need to create as many "things" as the IoT devices? Since each device will have its own IAM credentials, can I just use one shared "thing" for all the IoT devices?

I can't find any best practice online, not even on the official documentation.


Solution

  • The short answer is, don't go there. A thing is a logical entity in AWS. The reason to use many things is that you can:

    1. Group them
    2. Create a certificate for each one (with policies)
    3. Use the shadow to manage the thing state
    4. Search them

    While you can do what you are saying, using IAM for things is not what AWS had in mind. IAM is supposed to be used by humans. You could use strong names and passwords, but you'll find it difficult to manage, and you hit the 5000 policies limit pretty quickly. You can give all your devices the same username and password, but then how would you revoke a single one when needed?

    I'm not a hardware expert, but if you really can't use certificates then you don't really need things. Do have a look at AWS STS, which will let you create temporary credentials for your device. You'll have to manage the login process somehow (not using AWS) and then generate an access key and secret key for each device.
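As an added illustration of point 2 in the answer (this policy is not part of the original post), the following AWS IoT policy can be attached to every per-device certificate, yet still confines each device to its own MQTT client ID and its own topic branch: the `${iot:Connection.Thing.ThingName}` policy variable resolves to the name of the thing the certificate is attached to, and the `IsAttached` condition refuses connections from certificates that are not attached to any thing. Revoking one device then means deactivating one certificate, with no change to the other devices. The region and account ID are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:REGION:ACCOUNT_ID:client/${iot:Connection.Thing.ThingName}",
      "Condition": {
        "Bool": { "iot:Connection.Thing.IsAttached": "true" }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Publish", "iot:Receive"],
      "Resource": "arn:aws:iot:REGION:ACCOUNT_ID:topic/devices/${iot:Connection.Thing.ThingName}/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:REGION:ACCOUNT_ID:topicfilter/devices/${iot:Connection.Thing.ThingName}/*"
    }
  ]
}
```

A shared credential with a wildcard `Resource` of `client/*` and `topic/*` is the weak setting this replaces: with it, one leaked key can impersonate every device and publish to every topic, and revoking it takes all devices offline at once.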