AWS Transfer for SFTP
User Guide

Monitoring Usage

You can monitor activity in your SFTP server using CloudWatch and CloudTrail and record SFTP server activity as readable, near real-time metrics

Enabling CloudTrail Logging

You can monitor AWS SFTP API calls using CloudTrail. Monitoring API calls provides useful security and operational information. See Logging AWS Transfer for SFTP API Calls with AWS CloudTrail.

Logging Activity with CloudWatch

This section covers how you can enable CloudWatch logging your SFTP server and view the logs in CloudWatch.

To enable CloudWatch logging you will need to provide an IAM role when you create an SFTP server (see Create an SFTP Server), or edit an existing server (see Server Configuration). For more information about CloudWatch, see What Is Amazon CloudWatch? and What is Amazon CloudWatch Logs? in the Amazon CloudWatch User Guide.

Here is a recommended role and associated trust policy that is required for the service to record user activity in your Amazon CloudWatch logs.

To enable CloudWatch logging for your SFTP server:

  1. You create a policy that allows CloudWatch logging (shown below).

  2. You create an IAM role and attach the policy to it. The SFTP server assumes this role and uses it to call AWS services on your behalf.

  3. You establish a trust relationship between AWS SFTP and AWS.


AWS Transfer for SFTP is not listed in the services so choose Storage Gateway as a work-around to create a role. Edit the trust relationship to replace storagegateway with transfer as the Service Principal

For instructions on how to create a policy, a role, and a trust relationship see IAM Policies and a Roles Requirements. Use the contents below to create your policy.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "logs:CreateLogStream", "logs:DescribeLogStreams", "logs:CreateLogGroup", "logs:PutLogEvents" ], "Resource": "*" } ] }

The policy also requires a Trust relationship:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "" }, "Action": "sts:AssumeRole", "Condition": {} } ] }

To view the logs, choose View logs in the Server configuration page.

This will direct you to the CloudWatch page for your server where you can see records of user authentication (success and failure), data uploads (PUTs) and data downloads (GETs).