This guide introduces the steps to take in purpose of connecting Milesight LoRaWAN Gateways to AWS IoT Core for LoRaWAN via Basic Station. There’s a minimal version restriction to firmware version for UG6x to achieve such connection, click here to search for latest firmware and upgrade if your gateway version does not satisfy the requirements of AWS IoT Core for LoRaWAN connection.

If you don’t have an AWS account, refer to the instructions in the guide here. The relevant sections are Sign up for an AWS account and Create a user and grant permissions.

The high-level steps to get started with AWS IoT Core for LoRaWAN are as follows:

  1. Set up Roles and Policies in IAM
  2. Add a Gateway

You can follow this vide tutorial to complete the connection. 

Besides, these steps are detailed below. For additional help, refer to the AWS LoRaWAN developer guide.


  • An AWS account
  • Internet access
  • Milesight LoRaWAN Gateways
    • Regional parameter must accord to the deployed region on AWS. For example, if the gateway is deployed in a US region, the gateway must support LoRaWAN region US915.
    • Gateway EUI or ID.


Add an IAM Role for CUPS server

Add an IAM role that will allow the Configuration and Update Server (CUPS) to handle the wireless gateway credentials. This procedure needs to be done only once, but must be performed before a LoRaWAN gateway tries to connect with AWS IoT Core for LoRaWAN.

1. Go to the Policies page on the IAM console, choose Create policy. If you already have this policy please skip this step.

Choose the JSON tab to open the policy editor. Replace the existing template with this trust policy document:

  "Version": "2012-10-17",
  "Statement": [
      "Sid": "IoTWirelessGatewayCertManager",
      "Effect": "Allow",
      "Action": [
      "Resource": "*"

Click Next, name the policy as AWSIoTWirelessGatewayCertManager. Note that do not use a different name. This is for consistency with future releases; for Description, enter a description of your choice (optional).

Choose Create policy. You will see a confirmation message showing the policy has been created.

2. Go to the Roles page on the IAM console, choose Create role.

  • Choose AWS account and This account, click Next.
  • In the search box, enter and select policy AWSIoTWirelessGatewayCertManager, click Next.

  • Name the role as IoTWirelessGatewayCertManagerRole. Note that you must not use a different name. This is for consistency with future releases.

  • Choose Create role. You will see a confirmation message showing the role has been created.

3. In the Roles page, choose IoTWirelessGatewayCertManagerRole to edit the role.

  • In the Summary, choose the Trust relationships tab, and then choose Edit trust policy.

  • In the Policy Document, change the Principal property to represent the IoT Wireless service:
"Principal": { 
  "Service": "" 

After you change the Principal property, the complete policy document should look like this:

  • {
      "Version": "2012-10-17",
      "Statement": [
        "Effect": "Allow",
        "Principal": {
          "Service": ""
        "Action": "sts:AssumeRole",
        "Condition": {}

  • Choose Update policy to save your changes and exit.

At this point, you’ve created the IoTWirelessGatewayCertManagerRole and you won’t need to do this again.

NOTE – The examples in this document are intended only for dev environments. All devices in your fleet must have credentials with privileges that authorize only intended actions on specific resources. The specific permission policies can vary for your use case. Identify the permission policies that best meet your business and security requirements. For more information, refer to Example policies and Security Best practices.


Add the Gateway to AWS IoT

To register the Gateway with AWS IoT Core for LoRaWAN, follow these steps:

1. Go to the AWS IoT Core for LoRaWAN console, choose Get started to add a gateway or select LPWAN devices> Gateways in the navigation panel on the left, click Add gateway.

  • In the Add gateway section, fill in the GatewayEUI and Frequency band (RF Region) fields.  The gateway EUI can be found on the gateway page and users can also use Gateway ID.
  • Enter a descriptive name in the Name – optional field. We recommend that you use the GatewayEUI as the name.

  • Choose Add gateway.
  • On the Configure your Gateway page, select Create certificate.

  • Once the Certificate created and associated with your gateway message is shown, select Download certificates to download the cert (xxxxx.cert.pem) and private key (xxxxxx.private.key), which is essential for Basics Station connection with CUPS. Since Milesight gateways only accept crt file format, please change the cert suffix from "pem" to "crt".

Note: You can also download the cert file under Secure > Certificate page without any change.

  • In the section Provisioning credentials, choose Download server trust certificates to download the CUPS ( and LNS ( server trust certificates.

  • Copy the CUPS and LNS endpoints and save them for use while configuring the gateway.

  • Select the role IoTWirelessGatewayCertManagerRole.
  • Choose Submit to add the gateway.

Configure the Gateway

To register the Gateway with AWS IoT Core for LoRaWAN, follow these steps:

1. Ensure the gateway has accessed the Internet. The gateway supports to check connection via ping tool.

2. Under Multi-Destinations, disable Milesight/Embedded NS and add a Basic Station type packet forwarder.

  • Fill in CUPS URI, browse and import the file, the .crt certificate and the .key file.
  • Fill in LNS URI, browse and import the file.

  • Enable this packet forwarder and choose Save to store files in gateway, choose Save&Apply to start Basics Station connection. If there’s another Apply button shows on upper right, choose it to ensure other configuration is applied according to needs.

  • Switch to AWS IoT > Manage > LPWAN devices > Gateways, refresh the page to load Last uplink received time.