Amazon CloudWatch logging role policy for Amazon IoT Events - Amazon IoT Events
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

End of support notice: On May 20, 2026, Amazon will end support for Amazon IoT Events. After May 20, 2026, you will no longer be able to access the Amazon IoT Events console or Amazon IoT Events resources. For more information, see Amazon IoT Events end of support.

Amazon CloudWatch logging role policy for Amazon IoT Events

The following policy documents provide the role policy and trust policy that allow Amazon IoT Events to submit logs to CloudWatch on your behalf.

Role policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "logs:PutMetricFilter",
                "logs:PutRetentionPolicy",
                "logs:GetLogEvents",
                "logs:DeleteLogStream"
            ],
            "Resource": [
                "arn:aws-cn:logs:*:*:*"
            ]
        }
    ]
}

Trust policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          
          "iotevents.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

You also need an IAM permissions policy attached to the user that allows the user to pass roles, as follows. For more information, see Granting a user permissions to pass a role to an Amazon service in the IAM User Guide.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
          "iam:GetRole",
          "iam:PassRole"
      ],
      "Resource": "arn:aws-cn:iam::<account-id>:role/Role_To_Pass"
    }
  ]
}

You can use the following command to put the resource policy for CloudWatch logs. This allows Amazon IoT Events to put log events into CloudWatch streams.


aws logs put-resource-policy --policy-name ioteventsLoggingPolicy --policy-document "{ \"Version\": \"2012-10-17\", \"Statement\": [ { \"Sid\": \"IoTEventsToCloudWatchLogs\", \"Effect\": \"Allow\", \"Principal\": { \"Service\": [ \"iotevents.amazonaws.com\" ] }, \"Action\":\"logs:PutLogEvents\", \"Resource\": \"*\" } ] }"

Use the following command to put logging options. Replace the roleArn with the logging role that you created.


aws iotevents put-logging-options --cli-input-json "{ \"loggingOptions\": {\"roleArn\": \"arn:aws-cn:iam::123456789012:role/testLoggingRole\", \"level\": \"INFO\", \"enabled\": true } }"