Create logging role and policy for AWS IoT Wireless - AWS IoT Wireless

Create logging role and policy for AWS IoT Wireless

The following shows how to create a logging role for only AWS IoT Wireless resources. If you want to also create a logging role for AWS IoT Core, see

Create a logging role for AWS IoT Wireless

Before you can enable logging, you must create an IAM role and a policy that gives AWS permission to monitor AWS IoT Wireless activity on your behalf.

Create IAM role for logging

To create a logging role for AWS IoT Wireless, open the Roles hub of the IAM console and choose Create role.

  1. Under Select type of trusted entity, choose Another AWS account.

  2. In Account ID, enter your AWS account ID, and then choose Next: Permissions.

  3. In the search box, enter AWSIoTWirelessLogging.

  4. Select the box next to the policy named AWSIoTWirelessLogging, and then choose Next: Tags.

  5. Choose Next: Review.

  6. In Role name, enter IoTWirelessLogsRole, and then choose Create role.

Edit trust relationship of the IAM role

In the confirmation message displayed after you ran the previous step, choose the name of the role you created, IoTWirelessLogsRole. Next, you'll edit the role to add the following trust relationship.

  1. In the Summary section of the role IoTWirelessLogsRole, choose the Trust relationships tab, and then choose Edit trust relationship.

  2. In Policy Document, change the Principal property to look like this example.

    "Principal": { "Service": "" },

    After you change the Principal property, the complete policy document should look like this example.

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "" }, "Action": "sts:AssumeRole", "Condition": {} } ] }
  3. To save your changes and exit, choose Update Trust Policy.

Logging policy for AWS IoT Wireless

The following policy document provides the role policy and trust policy that allows AWS IoT Wireless to submit log entries to CloudWatch on your behalf.


This AWS managed policy document was automatically created for you when you created the logging role, IoTWirelessLogsRole.

Role policy

The following shows the role policy document.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:DescribeLogGroups", "logs:DescribeLogStreams", "logs:PutLogEvents" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/iotwireless*" } ] }
Trust policy to log only AWS IoT Wireless activity

The following shows the trust policy for logging only AWS IoT Wireless activity.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": [ "" ] }, "Action": "sts:AssumeRole" } ] }

If you created the IAM role to also log AWS IoT Core activity, then the policy documents allow you to log both activities. For information about creating a logging role for AWS IoT Core, see

Next steps

You've learned how to create a logging role to log your AWS IoT Wireless resources. By default, logs have a log level of ERROR, so if you want to see only error information, go to View CloudWatch AWS IoT Wireless log entries to monitor your wireless resources by viewing the log entries.

If you want more information in the log entries, you can configure the default log level for your resources or for different event types, such as setting the log level to INFO. For information about configuring logging for your resources, see Configure logging for AWS IoT Wireless resources.