
Step 2: (Only if using an organization) Create an IAM role - Amazon CloudWatch Logs


In the previous section, if you created the destination by using an access policy that grants permissions to the organization that account 111111111111 is in, instead of granting permissions directly to account 111111111111, then follow the steps in this section. Otherwise, you can skip to Step 4: Create a subscription filter.

The steps in this section create an IAM role that CloudWatch Logs assumes in order to validate that the sender account has permission to create a subscription filter against the recipient destination.

Perform the steps in this section in the sender account. The role must exist in the sender account, and you specify the ARN of this role in the subscription filter. In this example, the sender account is 111111111111.

To create the IAM role necessary for cross-account log subscriptions using AWS Organizations
  1. Create the following trust policy in a file named ~/TrustPolicyForCWLSubscriptionFilter.json. Use a text editor to create this policy file; do not use the IAM console.

    {
      "Statement": {
        "Effect": "Allow",
        "Principal": { "Service": "logs.amazonaws.com" },
        "Action": "sts:AssumeRole"
      }
    }
  2. Create the IAM role that uses this policy. Take note of the Arn value that the command returns; you will need it later in this procedure. In this example, we use CWLtoSubscriptionFilterRole as the name of the role we're creating.

    aws iam create-role \
        --role-name CWLtoSubscriptionFilterRole \
        --assume-role-policy-document file://~/TrustPolicyForCWLSubscriptionFilter.json
  3. Create a permissions policy to define the actions that CloudWatch Logs can perform on your account.

    1. First, use a text editor to create the following permissions policy in a file named ~/PermissionsForCWLSubscriptionFilter.json.

      {
        "Statement": [
          {
            "Effect": "Allow",
            "Action": "logs:PutLogEvents",
            "Resource": "arn:aws:logs:region:111111111111:log-group:LogGroupOnWhichSubscriptionFilterIsCreated:*"
          }
        ]
      }
    2. Enter the following command to associate the permissions policy you just created with the role that you created in step 2.

      aws iam put-role-policy \
          --role-name CWLtoSubscriptionFilterRole \
          --policy-name Permissions-Policy-For-CWL-Subscription-filter \
          --policy-document file://~/PermissionsForCWLSubscriptionFilter.json
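As an added example (not code from the AWS documentation), the following Python builds the two policy documents from this section for a given region, account and log group, and checks an existing pair for the two things a reviewer looks for before deploying the role: that only logs.amazonaws.com can assume it, and that the permissions policy grants logs:PutLogEvents on the intended log group and nothing wider. The function names and the us-east-1 sample region are assumptions.

```python
"""Build and sanity-check the policy documents for CWLtoSubscriptionFilterRole.
Added example, not AWS code; the function names are assumptions."""
import json

SERVICE_PRINCIPAL = "logs.amazonaws.com"
PUT_LOG_EVENTS = "logs:PutLogEvents"


def trust_policy() -> dict:
    # Step 1: only the CloudWatch Logs service principal may assume the role.
    return {"Statement": {"Effect": "Allow",
                          "Principal": {"Service": SERVICE_PRINCIPAL},
                          "Action": "sts:AssumeRole"}}


def log_group_arn(region: str, account: str, log_group: str) -> str:
    return f"arn:aws:logs:{region}:{account}:log-group:{log_group}:*"


def permissions_policy(region: str, account: str, log_group: str) -> dict:
    # Step 3: PutLogEvents on exactly one log group, no wildcard resource.
    return {"Statement": [{"Effect": "Allow", "Action": PUT_LOG_EVENTS,
                           "Resource": log_group_arn(region, account, log_group)}]}


def _as_list(value):
    # IAM accepts a single string/object or a list in most fields; normalise.
    return value if isinstance(value, list) else [value]


def check_role_policies(trust: dict, perms: dict, expected_arn: str) -> list:
    """Return findings (empty list = matches the procedure above)."""
    findings = []
    for st in _as_list(trust.get("Statement", [])):
        if st.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(st.get("Action")):
            principal = st.get("Principal")
            if principal != {"Service": SERVICE_PRINCIPAL}:
                findings.append(f"trust policy lets {principal!r} assume the role")
    for st in _as_list(perms.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action")):
            if action != PUT_LOG_EVENTS:
                findings.append(f"unexpected action {action}")
        for resource in _as_list(st.get("Resource")):
            if resource != expected_arn:
                findings.append(f"resource {resource} is not {expected_arn}")
    return findings


if __name__ == "__main__":
    # Print the documents as they would be saved to the two JSON files.
    print(json.dumps(trust_policy(), indent=2))
    print(json.dumps(permissions_policy("us-east-1", "111111111111",
                                        "LogGroupOnWhichSubscriptionFilterIsCreated"), indent=2))
```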

When you have finished, you can proceed to Step 4: Create a subscription filter.

© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.