Creating the CloudWatch Logs IAM role (AWS CLI, API) - Amazon Cognito

Creating the CloudWatch Logs IAM role (AWS CLI, API)

If you're using the Amazon Cognito CLI or API, then you need to create a CloudWatch IAM role. The following procedure describes how to enable Amazon Cognito to record information in CloudWatch Logs about your user pool import job.


You don't need to use this procedure if you are using the Amazon Cognito console, because the console creates the role for you.

To create the CloudWatch Logs IAM Role for user pool import (AWS CLI, API)

  1. Sign in to the AWS Management Console and open the IAM console at

  2. In the navigation pane of the IAM console, choose Roles.

  3. For a new role, choose Create role.

  4. For Select type of trusted entity, choose AWS service.

  5. In Common use cases, choose EC2.

  6. Choose Next: Permissions.

  7. In Attach permissions policy, choose Create policy to open a new browser tab and create a new policy from scratch.

  8. On the Create policy page, choose the JSON tab.

  9. In the JSON tab, copy and paste the following text as your role access policy, replacing any existing text:

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:DescribeLogStreams", "logs:PutLogEvents" ], "Resource": [ "arn:aws:logs:REGION:ACCOUNT:log-group:/aws/cognito/*" ] } ] }
  10. Choose Review policy. Add a name and optional description and choose Create policy.

    After you create the policy, close that browser tab and return to your original tab.

  11. In Attach Policy, choose Next: Tags.

  12. (Optional) In Tags, add metadata to the role by entering tags as key–value pairs.

  13. Choose Next: Review.

  14. In Review, enter a Role Name.

  15. (Optional) Enter a Role Description.

  16. Choose Create role.

  17. In the navigation pane of the IAM console, choose Roles.

  18. In Roles, choose the role you created.

  19. In Summary, choose the Trust relationships tab.

  20. In the Trust relationships tab, choose Edit trust relationship.

  21. Copy and paste the following trust relationship text into the Policy Document text box, replacing any existing text:

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "" }, "Action": "sts:AssumeRole" } ] }
  22. Choose Update Trust Policy. You are now finished creating the role.

  23. Note the role ARN. You need this later when you're creating an import job.