Create logging role and policy for AWS IoT Wireless

The following shows how to create a logging role for only AWS IoT Wireless resources. If you want to also create a logging role for AWS IoT Core, see https://docs.aws.amazon.com/iot/latest/developerguide/create-logging-role.html.

Create a logging role for AWS IoT Wireless

Before you can enable logging, you must create an IAM role and a policy that gives AWS permission to monitor AWS IoT Wireless activity on your behalf.

Create IAM role for logging

To create a logging role for AWS IoT Wireless, open the Roles hub of the IAM console and choose Create role.

  1. Under Select type of trusted entity, choose Another AWS account.

  2. In Account ID, enter your AWS account ID, and then choose Next: Permissions.

  3. In the search box, enter AWSIoTWirelessLogging.

  4. Select the box next to the policy named AWSIoTWirelessLogging, and then choose Next: Tags.

  5. Choose Next: Review.

  6. In Role name, enter IoTWirelessLogsRole, and then choose Create role.

Edit trust relationship of the IAM role

In the confirmation message displayed after you complete the previous step, choose the name of the role you created, IoTWirelessLogsRole. Next, you'll edit the role to add the following trust relationship.

  1. In the Summary section of the role IoTWirelessLogsRole, choose the Trust relationships tab, and then choose Edit trust relationship.

  2. In Policy Document, change the Principal property to look like this example.

    "Principal": { "Service": "iotwireless.amazonaws.com" },

    After you change the Principal property, the complete policy document should look like this example.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": { "Service": "iotwireless.amazonaws.com" },
          "Action": "sts:AssumeRole",
          "Condition": {}
        }
      ]
    }

  3. To save your changes and exit, choose Update Trust Policy.

Logging policy for AWS IoT Wireless

The following policy documents are the role policy and the trust policy that allow AWS IoT Wireless to submit log entries to CloudWatch on your behalf.

Note

This AWS managed policy document was automatically created for you when you created the logging role, IoTWirelessLogsRole.

Role policy

The following shows the role policy document.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/iotwireless*"
    }
  ]
}

Trust policy to log only AWS IoT Wireless activity

The following shows the trust policy for logging only AWS IoT Wireless activity.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": { "Service": [ "iotwireless.amazonaws.com" ] },
      "Action": "sts:AssumeRole"
    }
  ]
}

If you created the IAM role to also log AWS IoT Core activity, then the policy documents allow you to log both activities. For information about creating a logging role for AWS IoT Core, see https://docs.aws.amazon.com/iot/latest/developerguide/create-logging-role.html.
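The two policy documents above are the whole security boundary of the logging role: the trust policy decides who may assume IoTWirelessLogsRole, and the role policy decides what the assumed role may touch. The following script is an added example (not AWS documentation code) that checks both documents against what this page prescribes, so you can verify a role before enabling logging or detect later drift. It embeds the page's own policy documents, plus two constructed, deliberately over-broad variants (a wildcard principal and a resource of "*") to show what a finding looks like; the function names and finding messages are this example's own.

```python
import json

# Trust policy and role policy exactly as shown on this page, embedded so the
# check runs offline. In practice you would load the live documents, e.g. from
# `aws iam get-role` / `aws iam get-role-policy` output (JSON text), with
# json.loads() and pass the resulting dicts to the check functions.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {"Service": ["iotwireless.amazonaws.com"]},
            "Action": "sts:AssumeRole",
        }
    ],
}

ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams",
                "logs:PutLogEvents",
            ],
            "Resource": "arn:aws:logs:*:*:log-group:/aws/iotwireless*",
        }
    ],
}

# Constructed drift examples (NOT from the page): a trust policy that lets any
# AWS principal assume the role, and a role policy granting all logs actions
# on every resource.
DRIFTED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}
    ],
}
DRIFTED_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["logs:*"], "Resource": "*"}],
}

EXPECTED_SERVICES = {"iotwireless.amazonaws.com"}
ALLOWED_ACTIONS = set(ROLE_POLICY["Statement"][0]["Action"])
LOG_GROUP_PREFIX = "arn:aws:logs:*:*:log-group:/aws/iotwireless"


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource/Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(doc, allowed_services=EXPECTED_SERVICES):
    """Return findings; an empty list means only the expected service
    principal(s) can assume the role via sts:AssumeRole."""
    findings = []
    for i, st in enumerate(doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if set(_as_list(st.get("Action"))) - {"sts:AssumeRole"}:
            findings.append(f"statement {i}: action other than sts:AssumeRole")
        principal = st.get("Principal")
        if not isinstance(principal, dict):
            findings.append(f"statement {i}: wildcard or malformed principal")
            continue
        for ptype, values in principal.items():
            if ptype != "Service":
                findings.append(f"statement {i}: principal type '{ptype}' is not a service principal")
                continue
            for svc in _as_list(values):
                if svc not in allowed_services:
                    findings.append(f"statement {i}: unexpected service principal {svc}")
    return findings


def check_role_policy(doc):
    """Return findings; empty means the role can only write to
    /aws/iotwireless* log groups using the five logging actions."""
    findings = []
    for i, st in enumerate(doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action")):
            if action not in ALLOWED_ACTIONS:  # catches "*", "logs:*", extras
                findings.append(f"statement {i}: action {action} is not needed for logging")
        for res in _as_list(st.get("Resource")):
            if not res.startswith(LOG_GROUP_PREFIX):
                findings.append(f"statement {i}: resource {res} is not scoped to /aws/iotwireless log groups")
    return findings


if __name__ == "__main__":
    for name, doc, check in [
        ("page trust policy", TRUST_POLICY, check_trust_policy),
        ("page role policy", ROLE_POLICY, check_role_policy),
        ("drifted trust policy", DRIFTED_TRUST_POLICY, check_trust_policy),
        ("drifted role policy", DRIFTED_ROLE_POLICY, check_role_policy),
    ]:
        print(name, "->", check(doc) or "OK")
```

The page's documents pass both checks; the drifted variants produce one finding for the non-service principal and two for the role policy (an action outside the five logging actions, and a resource outside the /aws/iotwireless log groups). If you also configured the role to log AWS IoT Core activity, extend allowed_services and the resource prefix accordingly rather than loosening the checks.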

Next steps

You've learned how to create a logging role to log your AWS IoT Wireless resources. By default, logs have a log level of ERROR, so if you want to see only error information, go to View CloudWatch AWS IoT Wireless log entries to monitor your wireless resources by viewing the log entries.

If you want more information in the log entries, you can configure the default log level for your resources or for different event types, such as setting the log level to INFO. For information about configuring logging for your resources, see Configure logging for AWS IoT Wireless resources.