Create a Thing in the AWS IoT Core console or via the CLI, then create and activate an X.509 certificate; attach a policy that allows iot:Connect on the client ARN (arn:aws:iot:<region>:<account>:client/<client-id>), iot:Publish and iot:Receive on the topic ARNs, and iot:Subscribe on the matching topicfilter ARNs. Scope these to the device's own topics: a "*" resource lets one compromised device read and write every topic in the account.
Download the device certificate, private key, and the Amazon Root CA 1 certificate (the Amazon Trust Services root used by -ats endpoints); store them on the device with restrictive file permissions and never let the private key appear in transit, logs, or version control. The private key is returned exactly once at creation and cannot be fetched again.
Retrieve the account's data endpoint with: aws iot describe-endpoint --endpoint-type iot:Data-ATS; the returned hostname has the form <prefix>-ats.iot.<region>.amazonaws.com. The legacy endpoint without -ats is signed under a different root and will not validate against the Amazon root CA.
Configure the MQTT client to connect on port 8883 with TLS 1.2 or later, supplying the CA certificate, device certificate, and private key; send the SNI extension carrying the endpoint hostname (required, see gotchas) and keep hostname verification enabled. Use the Thing name as the ClientId when the policy restricts iot:Connect to that client ARN, and note that a second connection with the same ClientId disconnects the first.
Publish a test message to a topic such as devices/<thing-name>/telemetry and subscribe to that topic in the MQTT test client in the AWS IoT console to verify receipt.
If the device cannot connect, confirm the certificate is ACTIVE, has the policy attached, and is attached to the Thing; enable IoT Core logging (aws iot set-v2-logging-options with a logging role) and read the AWSIotLogsV2 log group in CloudWatch Logs, where a refused CONNECT appears as a Connect event with status Failure instead of the bare TCP close the device sees.
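The whole procedure above as one script, added here as an example and not taken from the original page: it provisions a Thing and certificate with the AWS CLI, writes a least-privilege policy that uses the Thing-name policy variable, fetches the ATS endpoint, and publishes with mosquitto_pub over mTLS. The thing name, region, topic layout and file names are assumptions; it expects AWS CLI v2 credentials, the mosquitto clients and curl to be installed.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): provision one device end to end with the AWS CLI,
# then publish a test message with mosquitto_pub over mTLS on 8883 (or 443 + ALPN).
# Assumptions: AWS CLI v2 with provisioning credentials, mosquitto clients and curl installed.
# Thing name, region and topic layout are placeholders, not values from the page.
set -euo pipefail

# Least-privilege policy: Connect is scoped to a client ID equal to the Thing name, Publish/Receive
# to a topic ARN, Subscribe to a topicfilter ARN. Using ${iot:Connection.Thing.ThingName} is what
# makes attaching the certificate to the Thing mandatory (the variable is empty otherwise).
build_policy() {
  local region="$1" account="$2"
  local base="arn:aws:iot:${region}:${account}"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "iot:Connect",
     "Resource": "${base}:client/\${iot:Connection.Thing.ThingName}"},
    {"Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"],
     "Resource": "${base}:topic/devices/\${iot:Connection.Thing.ThingName}/telemetry"},
    {"Effect": "Allow", "Action": "iot:Subscribe",
     "Resource": "${base}:topicfilter/devices/\${iot:Connection.Thing.ThingName}/telemetry"}
  ]
}
EOF
}

# Data-ATS endpoints look like <prefix>-ats.iot.<region>.amazonaws.com; anything else means the
# wrong --endpoint-type was used and AmazonRootCA1.pem will not validate the server certificate.
is_ats_endpoint() {
  case "$1" in *-ats.iot.*.amazonaws.com) return 0 ;; *) return 1 ;; esac
}

# Port 443 needs the ALPN token; 8883 must not send one.
alpn_args() {
  [ "$1" = 443 ] && echo "--tls-alpn x-amzn-mqtt-ca"
  return 0
}

provision() {
  local thing="$1" region="$2"
  local account cert_arn
  account="$(aws sts get-caller-identity --query Account --output text)"
  aws iot create-thing --thing-name "$thing" --region "$region" >/dev/null
  # The private key is returned exactly once; write it straight to disk with tight permissions.
  cert_arn="$(aws iot create-keys-and-certificate --set-as-active --region "$region" \
      --certificate-pem-outfile "${thing}.cert.pem" \
      --public-key-outfile "${thing}.public.key" \
      --private-key-outfile "${thing}.private.key" \
      --query certificateArn --output text)"
  chmod 600 "${thing}.private.key"
  build_policy "$region" "$account" > "${thing}-policy.json"
  aws iot create-policy --policy-name "${thing}-policy" \
      --policy-document "file://${thing}-policy.json" --region "$region" >/dev/null
  # Both attachments are needed: policy -> certificate for authorization,
  # certificate -> Thing so the ThingName policy variable resolves.
  aws iot attach-policy --policy-name "${thing}-policy" --target "$cert_arn" --region "$region"
  aws iot attach-thing-principal --thing-name "$thing" --principal "$cert_arn" --region "$region"
  curl -sSfo AmazonRootCA1.pem https://www.amazontrust.com/repository/AmazonRootCA1.pem
}

publish_test() {
  local thing="$1" host="$2" port="${3:-8883}"
  # mosquitto_pub sends SNI by itself; -i must equal the Thing name for the policy above.
  # shellcheck disable=SC2046
  mosquitto_pub -h "$host" -p "$port" $(alpn_args "$port") --tls-version tlsv1.2 \
      --cafile AmazonRootCA1.pem --cert "${thing}.cert.pem" --key "${thing}.private.key" \
      -i "$thing" -t "devices/${thing}/telemetry" -m '{"temp_c": 21.5}' -q 1 -d
}

main() {
  local thing="$1" region="${2:-us-east-1}" port="${3:-8883}"
  provision "$thing" "$region"
  local host
  host="$(aws iot describe-endpoint --endpoint-type iot:Data-ATS --region "$region" \
          --query endpointAddress --output text)"
  is_ats_endpoint "$host" || { echo "unexpected endpoint: $host" >&2; exit 1; }
  publish_test "$thing" "$host" "$port"
}

# Usage: ./provision.sh <thing-name> [region] [8883|443]
if [ "$#" -gt 0 ]; then main "$@"; fi
```

The policy builder and endpoint check are pure functions so they can be reviewed without an AWS account; everything that talks to AWS sits in provision and main and runs only when a Thing name is passed on the command line.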
Known gotchas
AWS IoT Core requires the SNI extension in the TLS ClientHello, carrying the endpoint hostname; clients that omit it have the connection closed during the handshake with no MQTT-level error, which the application sees as a connection reset.
A certificate must be ACTIVE and have a policy attached before it can authenticate; creating it alone is not enough, and the broker reports a refused CONNECT only by closing the connection. Attaching the certificate to the Thing is additionally required whenever the policy uses ${iot:Connection.Thing.ThingName} or another thing-based policy variable, which otherwise does not resolve and the request is denied.
Port 443 with the ALPN token x-amzn-mqtt-ca also carries MQTT over mTLS, for networks that block outbound 8883; plain 8883 needs no ALPN and is simpler for constrained TLS stacks. A client that connects to 443 without the ALPN token does not reach the MQTT broker and fails just as silently as one without SNI.
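A diagnostic script for the three gotchas, added as an example and not part of the original page: openssl s_client reproduces the SNI and ALPN behaviour because it only sends those extensions when asked, the certificate check reads the registry state the broker actually consults, and the logging helper turns the silent close into a readable event. The file names, endpoint, certificate ID and logging role ARN are assumptions; it expects openssl and AWS CLI v2.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): check the three gotchas directly.
# Assumptions: openssl and AWS CLI v2 installed; device.cert.pem, device.private.key,
# AmazonRootCA1.pem, the endpoint hostname and the logging role ARN are placeholders.
set -euo pipefail

# Gotchas 1 and 3: s_client sends SNI only with -servername and ALPN only with -alpn, so
# probe_tls host 8883 no  reproduces the silent close, probe_tls host 8883 yes  succeeds,
# and probe_tls host 443 yes  exercises the ALPN path.
probe_tls() {
  local host="$1" port="$2" sni="${3:-yes}"
  local opts=""
  [ "$sni" = yes ] && opts="-servername $host"
  [ "$port" = 443 ] && opts="$opts -alpn x-amzn-mqtt-ca"
  # shellcheck disable=SC2086
  echo | openssl s_client -connect "${host}:${port}" $opts \
      -cert device.cert.pem -key device.private.key -CAfile AmazonRootCA1.pem 2>&1 \
      | grep -E 'Verify return code|ALPN|alert|errno' || true
}

# Gotcha 2: decide from registry state whether a certificate can authorize a connection.
# Pure function (no AWS calls) so the decision logic can be exercised offline.
evaluate_cert_state() {
  local status="$1" policies="$2" principals="$3" cert_arn="$4"
  if [ "$status" != ACTIVE ]; then
    echo "certificate status is $status, not ACTIVE"; return 1
  fi
  if [ -z "$policies" ]; then
    echo "no policy attached to certificate"; return 1
  fi
  case "$principals" in
    *"$cert_arn"*) echo "ok" ;;
    *) echo "certificate not attached to the Thing: iot:Connection.Thing.* policy variables will deny"; return 1 ;;
  esac
}

# Pull the three facts from the registry and feed them to the decision above.
cert_ready() {
  local cert_id="$1" thing="$2"
  local status cert_arn policies principals
  status="$(aws iot describe-certificate --certificate-id "$cert_id" \
            --query certificateDescription.status --output text)"
  cert_arn="$(aws iot describe-certificate --certificate-id "$cert_id" \
              --query certificateDescription.certificateArn --output text)"
  policies="$(aws iot list-attached-policies --target "$cert_arn" \
              --query 'policies[].policyName' --output text)"
  principals="$(aws iot list-thing-principals --thing-name "$thing" \
                --query principals --output text)"
  evaluate_cert_state "$status" "$policies" "$principals" "$cert_arn"
}

# Broker-side logging: a refused CONNECT then shows up as a Connect event with status Failure
# in the AWSIotLogsV2 log group instead of a bare TCP close on the device.
enable_iot_logging() {
  local role_arn="$1"   # IAM role trusted by iot.amazonaws.com with CloudWatch Logs write access (assumed to exist)
  aws iot set-v2-logging-options --role-arn "$role_arn" --default-log-level DEBUG
  aws logs tail AWSIotLogsV2 --since 10m
}

# Usage: ./diagnose.sh <endpoint> <cert-id> <thing-name>
if [ "$#" -eq 3 ]; then
  probe_tls "$1" 8883 no
  probe_tls "$1" 8883 yes
  probe_tls "$1" 443 yes
  cert_ready "$2" "$3"
fi
```

Run the two 8883 probes back to back: the one without -servername shows an alert or errno line and no Verify return code, the one with it shows Verify return code: 0 (ok); the 443 probe should additionally print the negotiated ALPN protocol.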