CloudWatch Logs - Amazon IoT Core
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

CloudWatch Logs

The CloudWatch Logs (cloudwatchLogs) action sends data to Amazon CloudWatch Logs. You can specify the log group to which the action sends data.


This rule action has the following requirements:

  • An IAM role that Amazon IoT can assume to perform the logs:CreateLogStream, logs:DescribeLogStreams, and logs:PutLogEvents operations. For more information, see Granting Amazon IoT the required access.

    In the Amazon IoT console, you can choose or create a role to allow Amazon IoT to perform this rule action.

  • If you use a customer-managed Amazon KMS key (KMS key) to encrypt log data in CloudWatch Logs, the service must have permission to use the KMS key on the caller's behalf. For more information, see Encrypt log data in CloudWatch Logs using Amazon KMS in the Amazon CloudWatch Logs User Guide.


When you create an Amazon IoT rule with this action, you must specify the following information:


The CloudWatch log group to which the action sends data.

Supports substitution templates: API and Amazon CLI only


The IAM role that allows access to the CloudWatch log group. For more information, see Requirements.

Supports substitution templates: No


The following JSON example defines a CloudWatch Logs action in an Amazon IoT rule.

{ "topicRulePayload": { "sql": "SELECT * FROM 'some/topic'", "ruleDisabled": false, "awsIotSqlVersion": "2016-03-23", "actions": [ { "cloudwatchLogs": { "logGroupName": "IotLogs", "roleArn": "arn:aws:iam::123456789012:role/aws_iot_cw" } } ] } }

See also