Creating the CloudWatch Logs IAM role - Amazon Cognito
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Creating the CloudWatch Logs IAM role

If you create the import job with the Amazon CLI or the Amazon Cognito API, you must first create a CloudWatch Logs IAM role. The following procedure describes how to create an IAM role that Amazon Cognito can assume to write the results of your import job to CloudWatch Logs.


When you create an import job in the Amazon Cognito console, you can create the IAM role at the same time. When you choose to Create a new IAM role, Amazon Cognito automatically applies the appropriate trust policy and IAM policy to the role.

To create the CloudWatch Logs IAM role for user pool import (Amazon CLI, API)
  1. Sign in to the Amazon Web Services Management Console and open the IAM console at

  2. Create a new IAM role for an Amazon Web Service. For detailed instructions, see Creating a role for an Amazon Web Service in the Amazon Identity and Access Management User Guide.

    1. When you select a Use case for your Trusted entity type, choose any service. Amazon Cognito isn't currently listed in service use cases.

    2. In the Add permissions screen, choose Create policy and insert the following policy statement. Replace REGION with the Amazon Web Services Region of your user pool, for example us-east-1. Replace ACCOUNT with your Amazon Web Services account ID, for example 111122223333. The policy grants only the four CloudWatch Logs actions that the import job needs, and only on log groups under /aws/cognito/, so don't widen the Resource element to "*". In the China Regions, ARNs use the aws-cn partition, so the resource prefix is arn:aws-cn:logs: rather than arn:aws:logs:.

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "logs:CreateLogGroup",
              "logs:CreateLogStream",
              "logs:DescribeLogStreams",
              "logs:PutLogEvents"
            ],
            "Resource": [
              "arn:aws:logs:REGION:ACCOUNT:log-group:/aws/cognito/*"
            ]
          }
        ]
      }
  3. Because you didn't choose Amazon Cognito as the trusted entity when you created the role, you now must manually edit the trust relationship of the role. Choose Roles from navigation pane of the IAM console, then choose the new role that you created.

  4. Choose the Trust relationships tab.

  5. Choose Edit trust policy.

  6. Paste the following policy statement into Edit trust policy, replacing any existing text. The trust policy must name the Amazon Cognito user pools service principal, cognito-idp.amazonaws.com, as the only principal allowed to assume the role; with an empty or missing Service element, the import job can't assume the role and fails to write its logs.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "cognito-idp.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
  7. Choose Update policy.

  8. Note the role ARN. You'll provide it as the CloudWatchLogsRoleArn parameter when you create your import job.
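The same procedure, carried out with the Amazon CLI instead of the console, as an added example that is not part of this page or of Amazon Cognito's own tooling. The script renders the permissions policy and the trust policy from the procedure above, picks the ARN partition from the Region (aws-cn for the China Regions), creates the role, attaches the policy inline, and then starts an import job with the role ARN. The role name CognitoUserImportCloudWatchLogsRole, the inline policy name and the job name are assumed placeholders; replace them as you see fit.

```shell
#!/bin/sh
# Added example: create the CloudWatch Logs role for an Amazon Cognito user pool
# import job with the Amazon CLI, then start the import job with that role.
# Role, policy and job names below are assumed placeholders, not Amazon Cognito defaults.
set -eu

# ARNs are partition-specific: China Regions use aws-cn, GovCloud uses aws-us-gov,
# everything else uses aws.
partition_for_region() {
  case "$1" in
    cn-*)     echo "aws-cn" ;;
    us-gov-*) echo "aws-us-gov" ;;
    *)        echo "aws" ;;
  esac
}

# Permissions policy: only the four logs actions the import job needs, only on
# log groups under /aws/cognito/ in the given Region and account.
render_logs_policy() {
  region="$1"; account="$2"
  partition=$(partition_for_region "$region")
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:DescribeLogStreams",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:${partition}:logs:${region}:${account}:log-group:/aws/cognito/*"
    }
  ]
}
EOF
}

# Trust policy: only the Amazon Cognito user pools service principal may assume the role.
render_trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "cognito-idp.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Create the role with its trust policy, attach the logs policy inline, and
# create the user import job. Requires credentials with IAM and Cognito rights.
create_import_role_and_job() {
  region="$1"; user_pool_id="$2"
  role_name="CognitoUserImportCloudWatchLogsRole"   # assumed placeholder name
  account=$(aws sts get-caller-identity --query Account --output text)
  tmpdir=$(mktemp -d)

  render_trust_policy > "$tmpdir/trust.json"
  render_logs_policy "$region" "$account" > "$tmpdir/logs.json"

  aws iam create-role --role-name "$role_name" \
    --assume-role-policy-document "file://$tmpdir/trust.json" > /dev/null
  aws iam put-role-policy --role-name "$role_name" \
    --policy-name CognitoUserImportCloudWatchLogs \
    --policy-document "file://$tmpdir/logs.json"
  role_arn=$(aws iam get-role --role-name "$role_name" --query Role.Arn --output text)

  # IAM is eventually consistent; a short pause avoids a transient failure when
  # Cognito validates the freshly created role.
  sleep 10

  aws cognito-idp create-user-import-job --region "$region" \
    --job-name "user-import-$(date +%Y%m%d%H%M%S)" \
    --user-pool-id "$user_pool_id" \
    --cloud-watch-logs-role-arn "$role_arn"
  rm -rf "$tmpdir"
}

# Usage: ./create-import-role.sh REGION USER_POOL_ID
if [ $# -eq 2 ]; then
  create_import_role_and_job "$1" "$2"
fi
```

After the job is created, the returned UserImportJob contains the job ID and the CloudWatch Logs log group, so you can confirm the role works by checking that a log stream appears there once the job starts. If you later tighten the trust policy further, re-run a small import job to confirm Amazon Cognito can still assume the role.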