Create a Fleet Provisioning template in AWS IoT Core that defines Thing creation, certificate activation, and policy attachment; attach a pre-provisioning hook Lambda to the template if per-device validation (for example, checking a serial number against manufacturing records) is required
Generate a single claim certificate and private key to embed in all devices during manufacturing; attach a restrictive policy that only allows access to the IoT Fleet Provisioning MQTT topics (CreateKeysAndCertificate or RegisterThing)
On first boot the device connects using the claim credentials and publishes to $aws/certificates/create/json; it receives a new unique certificate, private key, and certificate ID in the response
The device then publishes the certificate ownership token plus any template parameters to $aws/provisioning-templates/<templateName>/provision/json to complete registration; the response carries its Thing name and any device configuration, and the template attaches the final policy to the newly issued certificate
Persist the new certificate and private key on the device (e.g., in secure storage); on all subsequent connections use only these new credentials — the claim certificate should not be used again
Monitor the CreateCertificateFromCsr or CreateKeysAndCertificate CloudWatch metrics and set alarms on unexpected provisioning volume to detect misuse of the claim certificate
Known gotchas
Claim certificate private keys must be protected in hardware secure storage if possible; a leaked claim certificate can allow unauthorized devices to provision themselves into the fleet
The pre-provisioning hook Lambda must return allowProvisioning: true within 5 seconds or provisioning is rejected; cold-start latency on the Lambda can cause intermittent failures
Provisioning templates are immutable once devices have used them; create a new template version and migrate gradually rather than editing in place
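A pre-provisioning hook of the kind described above, as an added example (not code from the original page or from AWS): it validates the device's claimed serial number, ties the claim certificate to the template it was issued for, and returns the allowProvisioning response shape AWS IoT expects. The allow-list, the SerialNumber template parameter, the claim certificate ID and the ThingName override are constructed assumptions for this example.

```python
"""Pre-provisioning hook for AWS IoT Fleet Provisioning (added example).

Assumptions (not from the original page): the template declares a
SerialNumber parameter, and a manufacturing allow-list is available to the
function. Here it is a constructed set; in a real deployment load it once
at cold start (outside the handler) so each invocation stays well inside
the 5-second response limit.
"""
import re

# Constructed sample data standing in for a manufacturing database.
KNOWN_SERIALS = {"SN-0001A", "SN-0002B", "SN-0003C"}
SERIAL_RE = re.compile(r"^SN-[0-9A-F]{5}$")
# Each claim certificate is authorised for exactly one template (constructed IDs).
CLAIM_CERTS_FOR_TEMPLATE = {"fleet-template-v1": {"claimcert0123456789abcdef"}}


def decide(event: dict) -> dict:
    """Return the hook response: {"allowProvisioning": bool, ...}.

    ClaimCertificateId, TemplateArn, ClientId and Parameters are fields AWS IoT
    passes to a pre-provisioning hook; everything else here is this example's own logic.
    """
    params = event.get("Parameters") or {}
    serial = params.get("SerialNumber", "")
    template_name = event.get("TemplateArn", "").rsplit("/", 1)[-1]
    claim_id = event.get("ClaimCertificateId", "")

    reasons = []
    if not SERIAL_RE.match(serial):
        reasons.append("malformed serial")
    elif serial not in KNOWN_SERIALS:
        reasons.append("unknown serial")
    if claim_id not in CLAIM_CERTS_FOR_TEMPLATE.get(template_name, set()):
        reasons.append("claim certificate not authorised for this template")
    # Require the MQTT client ID to equal the serial so one device cannot register as another.
    if event.get("ClientId") != serial:
        reasons.append("client id does not match serial")

    if reasons:
        # Denied: AWS IoT rejects the RegisterThing request. The log line feeds the volume alarms above.
        print(f"DENY serial={serial!r} template={template_name!r} reasons={reasons}")
        return {"allowProvisioning": False}

    # Allowed: set the Thing name server-side rather than trusting a device-supplied value.
    return {"allowProvisioning": True,
            "parameterOverrides": {"ThingName": f"device-{serial.lower()}"}}


def lambda_handler(event, context):
    return decide(event)
```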