CloudWatch Logs - AWS IoT Core

CloudWatch Logs

The CloudWatch Logs (cloudwatchLogs) action sends data to Amazon CloudWatch Logs. You can specify the log group to which the action sends data.


This rule action has the following requirements:

  • An IAM role that AWS IoT can assume to perform the logs:CreateLogStream, logs:DescribeLogStreams, and logs:PutLogEvents operations. For more information, see Granting AWS IoT the required access.

    In the AWS IoT console, you can choose or create a role to allow AWS IoT to perform this rule action.

  • If you use a customer-managed AWS Key Management Service (AWS KMS) customer master key (CMK) to encrypt log data in CloudWatch Logs, the service must have permission to use the CMK on the caller's behalf. For more information, see Encrypt log data in CloudWatch Logs using AWS KMS in the Amazon CloudWatch Logs User Guide.


When you create an AWS IoT rule with this action, you must specify the following information:


The CloudWatch log group to which the action sends data.

Supports substitution templates: API and AWS CLI only


The IAM role that allows access to the CloudWatch log group. For more information, see Requirements.

Supports substitution templates: No


The following JSON example defines a CloudWatch Logs action in an AWS IoT rule.

{ "topicRulePayload": { "sql": "SELECT * FROM 'some/topic'", "ruleDisabled": false, "awsIotSqlVersion": "2016-03-23", "actions": [ { "cloudwatchLogs": { "logGroupName": "IotLogs", "roleArn": "arn:aws:iam::123456789012:role/aws_iot_cw" } } ] } }

See also