Amazon Cognito
Developer Guide

Creating the CloudWatch Logs IAM Role

If you're using the Amazon Cognito CLI or API, then you need to create a CloudWatch IAM role. The following procedure describes how to enable Amazon Cognito to record information in CloudWatch Logs about your user pool import job.


You don't need to use this procedure if you are using the Amazon Cognito console, because the console creates the role for you.

To create the CloudWatch Logs IAM Role for user pool import

  1. Sign in to the AWS Management Console and open the IAM console at

  2. Choose Roles.

  3. Choose Create New Role.

  4. Type a role name and choose Next Step.

  5. In Select Role Type, choose Amazon EC2. You can choose any role type; you’ll change this setting in a later step. This is because you can't create an IAM role from scratch; you can only use an existing IAM role as a template and overwrite it to make the role you need.

  6. In Attach Policy, choose Next Step.

  7. In Review, choose Create Role.

  8. In Roles, choose the role you just created.

  9. In Summary, choose Permissions.

  10. On the Permissions tab, choose Inline Policies, and then choose click here.

  11. In Set Permissions, choose custom policy, and then choose select.

  12. In Review Policy, type a policy name (no spaces) and copy/paste the following text as your role access policy, replacing any existing text:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:DescribeLogStreams",
            "logs:PutLogEvents"
          ],
          "Resource": [
            "arn:aws:logs:REGION:ACCOUNT:log-group:/aws/cognito/*"
          ]
        }
      ]
    }

  13. Choose Apply Policy.

  14. In Summary, choose the Trust Relationships tab.

  15. Choose Edit Trust Relationship.

  16. Copy/paste the following trust relationship text into the Policy Document text box, replacing any existing text:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": ""
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }

  17. Choose Update Trust Policy. You are now finished creating the role.

  18. Note the role ARN. You need this later when you're creating an import job.
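
The following check is an added example, not part of the original guide or AWS tooling. It lints the two policy documents from steps 12 and 16 before you paste them, flagging unreplaced REGION/ACCOUNT placeholders, actions or resources broader than the ones shown above, and an empty or wildcard service principal in the trust relationship. The function names are hypothetical.

```python
import json
import re

# Actions and ARN shape come from the role access policy in step 12.
ALLOWED_ACTIONS = {"logs:CreateLogGroup", "logs:CreateLogStream",
                   "logs:DescribeLogStreams", "logs:PutLogEvents"}
RESOURCE_RE = re.compile(
    r"^arn:aws:logs:[a-z0-9-]+:\d{12}:log-group:/aws/cognito/\*$")

def _as_list(value):
    """IAM accepts either one string or a list in these fields."""
    return value if isinstance(value, list) else [value]

def check_access_policy(doc):
    """Return findings for the role access policy (step 12)."""
    findings = []
    for stmt in _as_list(json.loads(doc)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action not in ALLOWED_ACTIONS:
                findings.append(f"unexpected action: {action}")
        for arn in _as_list(stmt.get("Resource", [])):
            if "REGION" in arn or "ACCOUNT" in arn:
                findings.append(f"placeholder not replaced: {arn}")
            elif not RESOURCE_RE.match(arn):
                findings.append(f"resource is not a /aws/cognito/* log group: {arn}")
    return findings

def check_trust_policy(doc):
    """Return findings for the trust relationship document (step 16)."""
    findings = []
    for stmt in _as_list(json.loads(doc)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or set(principal) != {"Service"}:
            findings.append("principal must be a single Service entry")
            continue
        for svc in _as_list(principal["Service"]):
            if not svc or "*" in svc:
                findings.append(f"empty or wildcard service principal: {svc!r}")
        if _as_list(stmt.get("Action", [])) != ["sts:AssumeRole"]:
            findings.append("trust action is not exactly sts:AssumeRole")
    return findings

if __name__ == "__main__":
    # Constructed input: the step 16 document with its Service value left empty.
    trust = '{"Statement": [{"Effect": "Allow", "Principal": {"Service": ""}, "Action": "sts:AssumeRole"}]}'
    print(check_trust_policy(trust))
```

An empty list from both functions means the documents match the scope shown in this procedure; any finding should be resolved before the role is used for an import job.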