Developer Guide

Monitoring AWS IoT

Monitoring is an important part of maintaining the reliability, availability, and performance of AWS IoT and your AWS solutions. You should collect monitoring data from all parts of your AWS solution so that you can more easily debug a multi-point failure if one occurs. Before you start monitoring AWS IoT, you should create a monitoring plan that includes answers to the following questions:

  • What are your monitoring goals?

  • Which resources will you monitor?

  • How often will you monitor these resources?

  • Which monitoring tools will you use?

  • Who will perform the monitoring tasks?

  • Who should be notified when something goes wrong?

The next step is to establish a baseline for normal AWS IoT performance in your environment, by measuring performance at various times and under different load conditions. As you monitor AWS IoT, store historical monitoring data so that you can compare it with current performance data, identify normal performance patterns and performance anomalies, and devise methods to address issues.

For example, if you're using Amazon EC2, you can monitor CPU utilization, disk I/O, and network utilization for your instances. When performance falls outside your established baseline, you might need to reconfigure or optimize the instance to reduce CPU utilization, improve disk I/O, or reduce network traffic.

To establish a baseline you should, at a minimum, monitor the following items:

  • PublishIn.Success

  • PublishOut.Success

  • Subscribe.Success

  • Ping.Success

  • Connect.Success

  • GetThingShadow.Accepted

  • UpdateThingShadow.Accepted

  • DeleteThingShadow.Accepted

  • RulesExecuted

Logging AWS IoT API Calls with AWS CloudTrail

AWS IoT is integrated with CloudTrail, a service that captures all of the AWS IoT API calls and delivers the log files to an Amazon S3 bucket that you specify. CloudTrail captures API calls from the AWS IoT console or from your code to the AWS IoT APIs. Using the information collected by CloudTrail, you can determine the request that was made to AWS IoT, the source IP address from which the request was made, who made the request, when it was made, and so on.

To learn more about CloudTrail, including how to configure and enable it, see the AWS CloudTrail User Guide.

AWS IoT Information in CloudTrail

When CloudTrail logging is enabled in your AWS account, most API calls made to AWS IoT actions are tracked in CloudTrail log files where they are written with other AWS service records. CloudTrail determines when to create and write to a new file based on a time period and file size.


AWS IoT data plane actions (device side) are not logged by CloudTrail. Use CloudWatch to monitor these.

AWS IoT control plane actions are logged by CloudTrail. For example, calls to the CreateThing, ListThings, and ListTopicRules sections generate entries in the CloudTrail log files.

Every log entry contains information about who generated the request. The user identity information in the log entry helps you determine the following:

  • Whether the request was made with root or IAM user credentials.

  • Whether the request was made with temporary security credentials for a role or federated user.

  • Whether the request was made by another AWS service.

For more information, see the CloudTrail userIdentity Element. AWS IoT actions are documented in the AWS IoT API Reference.

You can store your log files in your Amazon S3 bucket for as long as you want, but you can also define Amazon S3 lifecycle rules to archive or delete log files automatically. By default, your log files are encrypted with Amazon S3 server-side encryption (SSE).

If you want to be notified upon log file delivery, you can configure CloudTrail to publish Amazon SNS notifications when new log files are delivered. For more information, see Configuring Amazon SNS Notifications for CloudTrail.

You can also aggregate AWS IoT log files from multiple AWS regions and multiple AWS accounts into a single Amazon S3 bucket.

For more information, see Receiving CloudTrail Log Files from Multiple Regions and Receiving CloudTrail Log Files from Multiple Accounts.

Understanding AWS IoT Log File Entries

CloudTrail log files can contain one or more log entries. Each entry lists multiple JSON-formatted events. A log entry represents a single request from any source and includes information about the requested action, the date and time of the action, request parameters, and so on. Log entries are not an ordered stack trace of the public API calls, so they do not appear in any specific order.

The following example shows a CloudTrail log entry that demonstrates the AttachPolicy action.

{ "timestamp":"1460159496", "AdditionalEventData":"", "Annotation":"", "ApiVersion":"", "ErrorCode":"", "ErrorMessage":"", "EventID":"8bff4fed-c229-4d2d-8264-4ab28a487505", "EventName":"AttachPolicy", "EventTime":"2016-04-08T23:51:36Z", "EventType":"AwsApiCall", "ReadOnly":"", "RecipientAccountList":"", "RequestID":"d4875df2-fde4-11e5-b829-23bf9b56cbcd", "RequestParamters":{ "principal":"arn:aws:iot:us-east-1:123456789012:cert/528ce36e8047f6a75ee51ab7beddb4eb268ad41d2ea881a10b67e8e76924d894", "policyName":"ExamplePolicyForIoT" }, "Resources":"", "ResponseElements":"", "SourceIpAddress":"", "UserAgent":"aws-internal/3", "UserIdentity":{ "type":"AssumedRole", "principalId":"AKIAI44QH8DHBEXAMPLE", "arn":"arn:aws:sts::12345678912:assumed-role/iotmonitor-us-east-1-beta-InstanceRole-1C5T1YCYMHPYT/i-35d0a4b6", "accountId":"222222222222", "accessKeyId":"access-key-id", "sessionContext":{ "attributes":{ "mfaAuthenticated":"false", "creationDate":"Fri Apr 08 23:51:10 UTC 2016" }, "sessionIssuer":{ "type":"Role", "principalId":"AKIAI44QH8DHBEXAMPLE", "arn":"arn:aws:iam::123456789012:role/executionServiceEC2Role/iotmonitor-us-east-1-beta-InstanceRole-1C5T1YCYMHPYT", "accountId":"222222222222", "userName":"iotmonitor-us-east-1-InstanceRole-1C5T1YCYMHPYT" } }, "invokedBy":{ "serviceAccountId":"111111111111" } }, "VpcEndpointId":"" }