Enabling CloudTrail logging Logging S3 API calls to S3 access logs Logging activity with CloudWatch Using CloudWatch metrics

Monitoring server usage

You can monitor activity in your server using Amazon CloudWatch and AWS CloudTrail. For further analysis, you can also record server activity as readable, near real-time metrics.

Topics

Enable AWS CloudTrail logging
Logging Amazon S3 API calls to S3 access logs
Log activity with CloudWatch
Using CloudWatch metrics for Transfer Family

Enable AWS CloudTrail logging

You can monitor AWS Transfer Family API calls using AWS CloudTrail. By monitoring API calls, you can get useful security and operational information. For more information about how to work with CloudTrail and AWS Transfer Family, see Logging and monitoring in AWS Transfer Family.

If you have Amazon S3 object level logging enabled, RoleSessionName is contained in the Requester field as [AWS:Role Unique Identifier]/username.sessionid@server-id. For more information about AWS Identity and Access Management (IAM) role unique identifiers, see Unique identifiers in the AWS Identity and Access Management User Guide.

Important

The maximum length of the RoleSessionName is 64 characters. If the RoleSessionName is longer, the server-id will be truncated.

Logging Amazon S3 API calls to S3 access logs

If you are using Amazon S3 access logs to identify S3 requests made on behalf of your file transfer users, RoleSessionName is used to display which IAM role was assumed to service the file transfers. It also displays additional information such as the user name, session id, and server-id used for the transfers. The format is [AWS:Role Unique Identifier]/username.sessionid@server-id and is contained in the Requester field. For example, the following are the contents for a sample Requester field from an S3 access log for a file that was copied to the S3 bucket.

arn:aws:sts::AWS-Account-ID:assumed-role/IamRoleName/username.sessionid@server-id

In the Requester field above, it shows the IAM Role called IamRoleName. For more information about IAM role unique identifiers, see Unique identifiers in the AWS Identity and Access Management User Guide.

Log activity with CloudWatch

To set access, you create a resource-based IAM policy and an IAM role that provides that access information.

To enable Amazon CloudWatch logging, you start by creating an IAM policy that enables CloudWatch logging. You then create an IAM role and attach the policy to it. You can do this when you are creating a server or by editing an existing server. For more information about CloudWatch, see What Is Amazon CloudWatch? and What is Amazon CloudWatch Logs? in the Amazon CloudWatch User Guide.

To create an IAM policy

Use the following example policy to create your own IAM policy that allows CloudWatch logging. For information about how to create a policy for AWS Transfer Family, see Create an IAM role and policy.


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:DescribeLogStreams",
                "logs:CreateLogGroup",
                "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:*:*:log-group:/aws/transfer/*"
        }
    ]
}

You then create a role and attach the CloudWatch Logs policy that you created.

To create an IAM role and attach a policy

In the navigation pane, choose Roles, and then choose Create role.

On the Create role page, make sure that AWS service is chosen.
Choose Transfer from the service list, and then choose Next: Permissions. This establishes a trust relationship between AWS Transfer Family and the IAM role.
In the Attach permissions policies section, locate and choose the CloudWatch Logs policy that you just created, and choose Next: Tags.
(Optional) Enter a key and value for a tag, and choose Next: Review.
On the Review page, enter a name and description for your new role, and then choose Create role.
To view the logs, choose the Server ID to open the server configuration page, and choose View logs. You are redirected to the CloudWatch console where you can see your log streams.

On the CloudWatch page for your server, you can see records of user authentication (success and failure), data uploads (PUT operations), and data downloads (GET operations).

Using CloudWatch metrics for Transfer Family

You can get information about your server using CloudWatch metrics. A metric represents a time-ordered set of data points that are published to CloudWatch. When using metrics, you must specify the Transfer Family namespace, metric name, and dimension. For more information about metrics, see Metrics in the Amazon CloudWatch User Guide.

The following table describes the CloudWatch metrics for Transfer Family. These metrics are measured in 5-minute intervals.

Namespace Metric Description

Namespace	Metric	Description
`AWS/Transfer`	`BytesIn`	The total number of bytes transferred into the server. Units: Bytes
`BytesOut`	The total number of bytes transferred out of the server. Unit: Bytes

AWS/Transfer

BytesIn

The total number of bytes transferred into the server.

Units: Bytes

BytesOut

The total number of bytes transferred out of the server.

Unit: Bytes

Transfer Family dimensions

A dimension is a name/value pair that is part of the identity of a metric. For more information about dimensions, see Dimensions in the Amazon CloudWatch User Guide.

The following table describes the CloudWatch dimension for Transfer Family.

Dimension	Description
`ServerId`	The unique ID of the server.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Managing access controls

Security