CloudWatch Logs - AWS IoT Core

CloudWatch Logs

The CloudWatch Logs (cloudwatchLogs) action sends data to Amazon CloudWatch Logs. You can specify the log group to which the action sends data.


This rule action has the following requirements:

  • An IAM role that AWS IoT can assume to perform the logs:CreateLogStream, logs:DescribeLogStreams, and logs:PutLogEvents operations. For more information, see Granting an AWS IoT rule the access it requires.

    In the AWS IoT console, you can choose or create a role to allow AWS IoT to perform this rule action.

  • If you use a customer-managed AWS KMS key (KMS key) to encrypt log data in CloudWatch Logs, the service must have permission to use the KMS key on the caller's behalf. For more information, see Encrypt log data in CloudWatch Logs using AWS KMS in the Amazon CloudWatch Logs User Guide.


When you create an AWS IoT rule with this action, you must specify the following information:


The CloudWatch log group to which the action sends data.

Supports substitution templates: API and AWS CLI only


The IAM role that allows access to the CloudWatch log group. For more information, see Requirements.

Supports substitution templates: No


The following JSON example defines a CloudWatch Logs action in an AWS IoT rule.

{ "topicRulePayload": { "sql": "SELECT * FROM 'some/topic'", "ruleDisabled": false, "awsIotSqlVersion": "2016-03-23", "actions": [ { "cloudwatchLogs": { "logGroupName": "IotLogs", "roleArn": "arn:aws:iam::123456789012:role/aws_iot_cw" } } ] } }

See also