Monitoring server usage - AWS Transfer Family

Monitoring server usage

You can monitor activity in your server using Amazon CloudWatch and AWS CloudTrail. For further analysis, you can also record server activity as readable, near real-time metrics.

Enable AWS CloudTrail logging

You can monitor AWS Transfer Family API calls using AWS CloudTrail. By monitoring API calls, you can get useful security and operational information. For more information about how to work with CloudTrail and AWS Transfer Family, see Logging and monitoring in AWS Transfer Family.

Log activity with CloudWatch

To set access, you create a resource-based AWS Identity and Access Management (IAM) policy and an IAM role that provides that access information.

To enable Amazon CloudWatch logging, you start by creating a IAM policy that enables an CloudWatch logging. You then create an IAM role and attach the policy to it. You can do this when you are creating a server or by editing an existing server. For more information about CloudWatch, see What Is Amazon CloudWatch? and What is Amazon CloudWatch Logs? in the Amazon CloudWatch User Guide.

To create an IAM policy

  • Use the following example policy to create your own IAM policy that allows CloudWatch logging. For information about how to create a policy for AWS Transfer Family, see Create an IAM role and policy.

    { "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "logs:CreateLogStream", "logs:DescribeLogStreams", "logs:CreateLogGroup", "logs:PutLogEvents" ], "Resource": "*" } ] }

You then create a role and attach the CloudWatch Logs policy that you created.

To create an IAM role and attach a policy

  1. In the navigation pane, choose Roles, and then choose Create role.

    On the Create role page, make sure that AWS service is chosen.

  2. Choose Transfer from the service list, and then choose Next: Permissions. This establishes a trust relationship between AWS Transfer Family and AWS.

  3. In the Attach permissions policies section, locate and choose the CloudWatch Logs policy that you just created, and choose Next: Tags.

  4. (Optional) Enter a key and value for a tag, and choose Next: Review.

  5. On the Review page, enter a name and description for your new role, and then choose Create role.

  6. To view the logs, choose the Server ID to open the server configuration page, and choose View logs. You are redirected to the CloudWatch console where you can see your log streams.

On the CloudWatch page for your server, you can see records of user authentication (success and failure), data uploads (PUT operations), and data downloads (GET operations).

AWS Transfer Family CloudWatch metrics

The AWS Transfer Family namespace includes the following metrics.

The following table describes the AWS Transfer Family metrics that you can use to get information about your server. Specify the server ID dimension for each metric to view the data for a server. Note that these metrics are measured in 5-minute intervals.

Metric Description


The total number of bytes transferred into the server.

units: Bytes


The total number of bytes transferred out of the server.

Unit: Bytes

AWS Transfer Family dimensions

AWS Transfer Family metrics use the AWS Transfer Family namespace and provide metrics for the following dimensions:

  • server-id—the unique ID of the server.