Monitoring Usage - AWS Transfer for SFTP

Monitoring Usage

You can monitor activity in your SFTP server using Amazon CloudWatch and AWS CloudTrail. For further analysis, you can also record SFTP server activity as readable, near real-time metrics.

Enabling AWS CloudTrail Logging

You can monitor AWS SFTP API calls using AWS CloudTrail. By monitoring API calls, you can get useful security and operational information. For more information on how to work with CloudTrail and AWS SFTP, see Logging and Monitoring in AWS Transfer for SFTP.

Logging Activity with CloudWatch

To set access, you create a resource-based IAM policy and an IAM role that provides that access information.

To enable Amazon CloudWatch logging, you start by creating an IAM policy that enables CloudWatch logging. You then create an IAM role and attach the policy to it. You can do this when you are creating an SFTP server or by editing an existing SFTP server. For more information about CloudWatch, see What Is Amazon CloudWatch? and What is Amazon CloudWatch Logs? in the Amazon CloudWatch User Guide.

To create an IAM policy

  • Use the following example policy to create your own IAM policy that allows CloudWatch logging. For information about how to create a policy for AWS SFTP, see Create IAM Policies and Roles for SFTP.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "logs:CreateLogStream",
                    "logs:DescribeLogStreams",
                    "logs:CreateLogGroup",
                    "logs:PutLogEvents"
                ],
                "Resource": "*"
            }
        ]
    }
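An added example, not part of the AWS documentation: a Python check that reviews the example policy above for missing logging actions and wildcard grants, and returns a copy with `Resource` narrowed. The function names and the `/aws/transfer/` log group prefix in `SCOPED_RESOURCE` are assumptions; substitute the ARN pattern that your server's log groups use.

```python
import copy
import json

# Actions granted by the example policy on this page.
REQUIRED_ACTIONS = {"logs:CreateLogStream", "logs:DescribeLogStreams",
                    "logs:CreateLogGroup", "logs:PutLogEvents"}

# The page's example policy, embedded so the check runs offline.
PAGE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{"Sid": "VisualEditor0",
 "Effect": "Allow", "Action": ["logs:CreateLogStream",
 "logs:DescribeLogStreams", "logs:CreateLogGroup", "logs:PutLogEvents"],
 "Resource": "*"}]}
""")

# Assumption: the server's log groups sit under this prefix. Replace it
# with the log group ARN pattern used in your account.
SCOPED_RESOURCE = "arn:aws:logs:*:*:log-group:/aws/transfer/*"


def _as_list(value):
    """IAM accepts a single value or a list for Statement/Action/Resource."""
    return list(value) if isinstance(value, list) else [value]


def review_logging_policy(policy):
    """Return sorted findings for a CloudWatch logging policy document."""
    findings, granted = [], set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        granted.update(actions)
        findings += [f"wildcard action: {a}" for a in actions
                     if a in ("*", "logs:*")]
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append("wildcard resource: *")
    if not granted & {"*", "logs:*"}:
        findings += [f"missing action: {a}" for a in REQUIRED_ACTIONS - granted]
    return sorted(findings)


def scope_policy(policy, resource=SCOPED_RESOURCE):
    """Copy the policy, narrowing each Allow statement's "*" resource."""
    scoped = copy.deepcopy(policy)
    for stmt in _as_list(scoped.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource", [])):
            stmt["Resource"] = resource
    return scoped
```

Run `review_logging_policy` on the policy document before attaching it to the role; an empty list means all four logging actions are present and nothing is granted by wildcard.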

You then create a role and attach the CloudWatch Logs policy you created.

To create an IAM role and attach a policy

  1. In the navigation pane, choose Roles, and then choose Create role.

    On the Create role page, make sure that AWS service is chosen.

  2. Choose Transfer from the service list, and then choose Next: Permissions. This establishes a trust relationship between AWS Transfer for SFTP and AWS.

  3. In the Attach permissions policies section, locate and choose the CloudWatch Logs policy that you just created and choose Next: Tags.

  4. (Optional) Enter a key and value for a tag, and choose Next: Review.

  5. On the Review page, enter a name and description for your new role, and then choose Create role.

  6. To view the logs, choose the Server ID to open the Server configuration page and choose View logs. You are redirected to the CloudWatch console where you can see your log streams.

On the CloudWatch page for your server, you can see records of user authentication (success and failure), data uploads (PUT operations), and data downloads (GET operations).

AWS SFTP CloudWatch Metrics

The AWS/Transfer namespace includes the following metrics.

The following table describes the AWS SFTP metrics that you can use to get information about your SFTP server. Specify the server id dimension for each metric to view the data for a server. Note that these metrics are measured in 5-minute intervals.

Metric Description


The total number of bytes transferred into the SFTP server.

Unit: Bytes


The total number of bytes transferred out of the SFTP server.

Unit: Bytes

AWS SFTP Dimensions

AWS SFTP metrics use the AWS/Transfer namespace and provide metrics for the following dimensions:

  • server-id—the unique ID of the SFTP server.