Create logging role and policy for Amazon IoT Wireless
The following shows how to create a logging role for only Amazon IoT Wireless resources. If you want to also create a logging role for Amazon IoT Core, see Create a logging role.
Create a logging role for Amazon IoT Wireless
Before you can enable logging, you must create an IAM role and a policy that gives Amazon permission to monitor Amazon IoT Wireless activity on your behalf.
Create IAM role for logging
To create a logging role for Amazon IoT Wireless, open the Roles hub of the IAM console.
- Under Select type of trusted entity, choose Another Amazon account.
- In Account ID, enter your Amazon account ID, and then choose Next: Permissions.
- In the search box, enter AWSIoTWirelessLogging.
- Select the box next to the policy named AWSIoTWirelessLogging, and then choose Next: Tags.
- Choose Next: Review.
- In Role name, enter IoTWirelessLogsRole, and then choose Create role.
Edit trust relationship of the IAM role
In the confirmation message displayed after you ran the previous step, choose the name of the role you created, IoTWirelessLogsRole. Next, you'll edit the role to add the following trust relationship.
- In the Summary section of the role IoTWirelessLogsRole, choose the Trust relationships tab, and then choose Edit trust relationship.
- In Policy Document, change the Principal property to look like this example.

    "Principal": {
        "Service": "iotwireless.amazonaws.com"
    },

  After you change the Principal property, the complete policy document should look like this example.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Service": "iotwireless.amazonaws.com"
                },
                "Action": "sts:AssumeRole",
                "Condition": {}
            }
        ]
    }

- To save your changes and exit, choose Update Trust Policy.
Logging policy for Amazon IoT Wireless
The following policy documents are the role policy and the trust policy that allow Amazon IoT Wireless to submit log entries to CloudWatch on your behalf.
Note
This Amazon managed policy document was automatically created for you when you created the logging role, IoTWirelessLogsRole.
Role policy
The following shows the role policy document.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "logs:CreateLogGroup",
                    "logs:CreateLogStream",
                    "logs:DescribeLogGroups",
                    "logs:DescribeLogStreams",
                    "logs:PutLogEvents"
                ],
                "Resource": "arn:aws:logs:*:*:log-group:/aws/iotwireless*"
            }
        ]
    }
Trust policy to log only Amazon IoT Wireless activity
The following shows the trust policy for logging only Amazon IoT Wireless activity.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "",
                "Effect": "Allow",
                "Principal": {
                    "Service": [
                        "iotwireless.amazonaws.com"
                    ]
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }
If you created the IAM role to also log Amazon IoT Core activity, then the policy documents allow you to log both activities. For information about creating a logging role for Amazon IoT Core, see Create a logging role.
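As an added example that is not part of the original page or of any Amazon-provided tooling, the following Python script (standard library only) does two things that correspond to the procedure and the policy documents above: it performs the Principal rewrite from the "Edit trust relationship" step in code, and it then checks both finished documents for the least-privilege properties this setup depends on: the role can be assumed only by the iotwireless.amazonaws.com service principal, and the role policy grants only the five CloudWatch Logs actions listed above, scoped to the /aws/iotwireless log-group prefix. The wizard-generated trust policy and its account ID 123456789012 are constructed placeholders; the function names are the example's own.

```python
"""Rewrite and lint the IoT Wireless logging role documents (added example, stdlib only)."""
import copy
import json

IOT_WIRELESS_SERVICE = "iotwireless.amazonaws.com"
# The five CloudWatch Logs actions granted by the AWSIoTWirelessLogging policy on the page.
LOGGING_ACTIONS = {
    "logs:CreateLogGroup",
    "logs:CreateLogStream",
    "logs:DescribeLogGroups",
    "logs:DescribeLogStreams",
    "logs:PutLogEvents",
}
# Every Resource in the role policy must stay under this log-group prefix.
LOG_GROUP_PREFIX = "arn:aws:logs:*:*:log-group:/aws/iotwireless"

# Role policy as shown on the page.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": sorted(LOGGING_ACTIONS),
        "Resource": "arn:aws:logs:*:*:log-group:/aws/iotwireless*",
    }],
}

# Trust policy the "Another Amazon account" wizard produces before the Principal edit.
# The account ID is a constructed placeholder, not a real account.
WIZARD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Action": "sts:AssumeRole",
        "Condition": {},
    }],
}


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource/Principal; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def set_service_principal(trust_policy, services):
    """Return a copy of trust_policy whose AssumeRole statements trust only `services`.

    This is the edit the console procedure makes by hand: the account principal
    written by the wizard is replaced with the service principal.
    """
    doc = copy.deepcopy(trust_policy)
    for stmt in doc["Statement"]:
        if stmt.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(stmt.get("Action")):
            stmt["Principal"] = {"Service": list(services)}
    return doc


def trust_policy_findings(trust_policy, expected_services):
    """List reasons the trust policy lets anything other than expected_services assume the role."""
    findings = []
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append("statement trusts any principal")
            continue
        if not isinstance(principal, dict):
            findings.append(f"unexpected Principal value: {principal!r}")
            continue
        for key in principal:
            if key != "Service":
                findings.append(f"non-service principal type present: {key}")
        extra = set(_as_list(principal.get("Service"))) - set(expected_services)
        if extra:
            findings.append(f"unexpected service principal(s): {sorted(extra)}")
    return findings


def role_policy_findings(role_policy):
    """List grants in the role policy that exceed what log delivery needs."""
    findings = []
    for stmt in role_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action not in LOGGING_ACTIONS:
                findings.append(f"action outside the logging set: {action}")
        for resource in _as_list(stmt.get("Resource")):
            if not resource.startswith(LOG_GROUP_PREFIX):
                findings.append(f"resource not scoped to IoT Wireless log groups: {resource}")
    return findings


if __name__ == "__main__":
    trust = set_service_principal(WIZARD_TRUST_POLICY, [IOT_WIRELESS_SERVICE])
    print(json.dumps(trust, indent=4))
    print("trust findings:", trust_policy_findings(trust, [IOT_WIRELESS_SERVICE]))
    print("role findings:", role_policy_findings(ROLE_POLICY))
```

Run against the documents on this page both checkers return no findings; run against the unedited wizard output the trust check reports the leftover account principal, which is the state the role is in if the "Edit trust relationship" step is skipped. The same two functions can be pointed at the JSON returned by the IAM console or API for an existing role to confirm nobody has since widened the trust or the log-group scope.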
Next steps
You've learned how to create a logging role to log your Amazon IoT Wireless resources. By default, logs have a log level of ERROR, so if you want to see only error information, go to View CloudWatch Amazon IoT Wireless log entries to monitor your wireless resources by viewing the log entries.
If you want more information in the log entries, you can configure the default log level for your resources or for different event types, such as setting the log level to INFO. For information about configuring logging for your resources, see Configure logging for Amazon IoT Wireless resources.