I want to get Amazon CloudWatch Logs of my server's activity with AWS Transfer for SFTP (SSH File Transfer Protocol). I need to create an AWS Identity and Access Management (IAM) role that allows AWS SFTP to keep those CloudWatch Logs. How can I create this IAM role using the AWS Command Line Interface (AWS CLI)?

Important: Before you begin, you must have the AWS CLI installed and configured.

Follow these steps to create an IAM role that allows AWS SFTP to keep CloudWatch Logs for your server's activity:

1. From the command prompt of your terminal, create a text file named "transfer-trust-relationship.json" that contains the following text. This trust policy allows AWS SFTP to assume the role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "transfer.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}

2. Create another text file named "transfer-cloudwatch-logs-policy.json" that contains the following text. This policy allows the role to create and write to CloudWatch Logs.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:DescribeLogStreams",
        "logs:CreateLogGroup",
        "logs:PutLogEvents"
      ],
      "Resource": "*"
    }
  ]
}

3. Run this AWS CLI command to create an IAM role whose trust policy allows AWS SFTP to assume the role:

aws iam create-role --role-name myAWSTransferLogRole --assume-role-policy-document file://transfer-trust-relationship.json --description "Access to my CloudWatch logs for AWS Transfer"

4. Run this command to attach the CloudWatch Logs policy to the IAM role as an inline policy:

aws iam put-role-policy --role-name myAWSTransferLogRole --policy-name transfer-cloudwatch-logs-policy --policy-document file://transfer-cloudwatch-logs-policy.json
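The four steps above as one script, added here as an example that is not part of the original article. It goes beyond the article's policies in two ways a defender would usually want: the trust policy carries an aws:SourceAccount condition so only servers in your own account can assume the role, and the logs policy is scoped to the server's own log group instead of "*". The account id, server id and region are placeholders, and the log group name /aws/transfer/<server-id> is assumed; the AWS CLI calls only run when RUN_AWS=1 is set.

```shell
#!/usr/bin/env bash
# Added example, not the article's code: steps 1-4 as one script, plus two hardening
# choices beyond the article: a confused-deputy condition on the trust policy and a
# logs policy scoped to one server's log group. Placeholders (assumed): account
# 111122223333, server s-1234567890abcdef0, region us-east-1, log group /aws/transfer/<server-id>.
set -eu
ROLE_NAME="${ROLE_NAME:-myAWSTransferLogRole}"
# Step 1: trust policy. Same principal as the article; aws:SourceAccount keeps a
# server in another account from assuming the role.
write_trust_policy() {   # $1 = account id, $2 = output file
  cat > "$2" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "transfer.amazonaws.com"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"aws:SourceAccount": "$1"}}
  }]
}
EOF
}
# Step 2: logs policy. Same four actions; Resource narrowed from "*" to the
# server's log group and the log streams beneath it.
write_logs_policy() {    # $1 = region, $2 = account id, $3 = server id, $4 = output file
  cat > "$4" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:DescribeLogStreams", "logs:PutLogEvents"],
    "Resource": ["arn:aws:logs:$1:$2:log-group:/aws/transfer/$3",
                 "arn:aws:logs:$1:$2:log-group:/aws/transfer/$3:*"]
  }]
}
EOF
}
# Steps 3 and 4: create the role, then attach the inline policy. Needs AWS
# credentials, so it only runs when RUN_AWS=1 is set.
create_transfer_log_role() {
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document file://transfer-trust-relationship.json \
    --description "Access to my CloudWatch logs for AWS Transfer"
  aws iam put-role-policy --role-name "$ROLE_NAME" --policy-name transfer-cloudwatch-logs-policy \
    --policy-document file://transfer-cloudwatch-logs-policy.json
}
write_trust_policy 111122223333 transfer-trust-relationship.json
write_logs_policy us-east-1 111122223333 s-1234567890abcdef0 transfer-cloudwatch-logs-policy.json
if [ "${RUN_AWS:-0}" = 1 ]; then create_transfer_log_role; fi
```

After the role exists, `aws iam get-role-policy --role-name myAWSTransferLogRole --policy-name transfer-cloudwatch-logs-policy` shows the narrowed Resource that was actually attached.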


Published: 2018-12-21