Amazon CloudWatch logging for AWS Transfer Family

Amazon CloudWatch monitors your AWS Transfer Family resources and the applications you run on AWS in real time. You can use CloudWatch to collect and track metrics, which are variables you can measure for your resources and applications.

The CloudWatch home page automatically displays metrics about Transfer Family and every other AWS service you use. You can additionally create custom dashboards to display metrics about your custom applications, and display custom collections of metrics that you choose.

You can create alarms that watch metrics and send notifications or automatically make changes to the resources you are monitoring when a threshold is breached. For example, you can monitor the files being transferred into a Transfer Family server and use that data to determine whether you need to deploy additional servers to handle increased load. You can also use this data to stop or delete under-used instances to save money.

Types of CloudWatch logging for Transfer Family

Transfer Family provides two ways to log events to CloudWatch:

  • JSON structured logging

  • Logging via a logging role

For Transfer Family servers, you can choose the logging mechanism that you prefer. For connectors and workflows, only logging roles are supported.

JSON structured logging

For logging server events, we recommend using JSON structured logging. This provides a more comprehensive logging format that enables CloudWatch log querying. For this type of logging, the IAM policy for the user that creates the server (or edits the server's logging configuration) must contain the following permissions:

  • logs:CreateLogDelivery

  • logs:DeleteLogDelivery

  • logs:DescribeLogGroups

  • logs:DescribeResourcePolicies

  • logs:GetLogDelivery

  • logs:ListLogDeliveries

  • logs:PutResourcePolicy

  • logs:UpdateLogDelivery

The following is an example policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogDelivery",
                "logs:GetLogDelivery",
                "logs:UpdateLogDelivery",
                "logs:DeleteLogDelivery",
                "logs:ListLogDeliveries",
                "logs:PutResourcePolicy",
                "logs:DescribeResourcePolicies",
                "logs:DescribeLogGroups"
            ],
            "Resource": "arn:aws:logs:region-id:AWS account:log-group:/aws/transfer/*"
        }
    ]
}

For details on setting up JSON structured logging, see Creating, updating, and viewing logging for servers.

Logging role

To log events for a managed workflow that is attached to a server, and for connectors, you must specify a logging role. To set up this access, you create a resource-based IAM policy and an IAM role that provides that access. The following is an example policy for an AWS account that can log server events.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:DescribeLogStreams",
                "logs:CreateLogGroup",
                "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:*:*:log-group:/aws/transfer/*"
        }
    ]
}

For details on configuring a logging role to log workflow events, see Managing logging for workflows.

Creating Amazon CloudWatch alarms

The following examples show how to create an Amazon CloudWatch alarm on the AWS Transfer Family metric FilesIn, first with the AWS CDK and then with AWS CloudFormation.

AWS CDK
new cloudwatch.Metric({
  namespace: "AWS/Transfer",
  metricName: "FilesIn",
  dimensionsMap: {
    ServerId: "s-00000000000000000",
  },
  statistic: "Average",
  period: cdk.Duration.minutes(1),
}).createAlarm(this, "AWS/Transfer FilesIn", {
  threshold: 1000,
  evaluationPeriods: 10,
  datapointsToAlarm: 5,
  comparisonOperator: cloudwatch.ComparisonOperator.GREATER_THAN_OR_EQUAL_TO_THRESHOLD,
});

AWS CloudFormation
Type: AWS::CloudWatch::Alarm
Properties:
  Namespace: AWS/Transfer
  MetricName: FilesIn
  Dimensions:
    - Name: ServerId
      Value: s-00000000000000000
  Statistic: Average
  Period: 60
  Threshold: 1000
  EvaluationPeriods: 10
  DatapointsToAlarm: 5
  ComparisonOperator: GreaterThanOrEqualToThreshold

Logging Amazon S3 API calls to S3 access logs

If you use Amazon S3 access logs to identify S3 requests made on behalf of your file transfer users, the RoleSessionName shows which IAM role was assumed to service the file transfers, together with the user name, session ID, and server ID used for the transfers. The format is [AWS:Role Unique Identifier]/username.sessionid@server-id, and it appears in the Requester field. For example, the following is a sample Requester field from an S3 access log for a file that was copied to the S3 bucket.


The Requester field above shows the IAM role named IamRoleName. For more information about IAM role unique identifiers, see Unique identifiers in the AWS Identity and Access Management User Guide.
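As an added example that is not part of the AWS documentation, the following Python reads the Requester field out of S3 server access log lines and splits Transfer Family requesters into the role identifier, user name, session ID and server ID from the format above, so each S3 operation can be attributed to a Transfer Family user and server, and requests that reached the bucket outside Transfer Family are listed separately. The log lines, the role identifier AROAEXAMPLEROLEID and the session IDs are constructed, and the parser assumes a session ID contains no dots and that a server ID is s- followed by 17 hex characters.

```python
import re
from collections import Counter

# S3 server access log fields are space separated, but the timestamp is bracketed
# (and contains a space) and several fields are quoted, so split() is not enough.
_TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

# Transfer Family writes the Requester field as
#   [role unique identifier]/username.sessionid@server-id
# Assumptions (not stated in the docs): the session ID contains no '.', and a
# server ID is 's-' followed by 17 hex characters.
_REQUESTER = re.compile(
    r"^(?P<role>.+)/(?P<user>.+)\.(?P<session>[^.@]+)@(?P<server>s-[0-9a-f]{17})$"
)

# Constructed sample lines (bucket owner shortened). The last one is a direct IAM
# user request, not a Transfer Family session, and must not be attributed to a user.
SAMPLE_LOG = [
    '79a59df900b949e5 examplebucket [10/Mar/2024:12:34:56 +0000] 198.51.100.23 AROAEXAMPLEROLEID/alice.f3a1c9e0@s-0123456789abcdef0 3E57427F33A59F07 REST.PUT.OBJECT uploads/a.csv "PUT /uploads/a.csv HTTP/1.1" 200 - - 2048 38 37 "-" "aws-transfer" -',
    '79a59df900b949e5 examplebucket [10/Mar/2024:12:35:10 +0000] 198.51.100.23 AROAEXAMPLEROLEID/alice.f3a1c9e0@s-0123456789abcdef0 7B6D1C4E2A9F0E11 REST.PUT.OBJECT uploads/b.csv "PUT /uploads/b.csv HTTP/1.1" 200 - - 4096 41 40 "-" "aws-transfer" -',
    '79a59df900b949e5 examplebucket [10/Mar/2024:12:40:02 +0000] 203.0.113.9 AROAEXAMPLEROLEID/bob.smith.9d2e7b14@s-0123456789abcdef0 0C2A7F9E55D1B3A4 REST.GET.OBJECT uploads/a.csv "GET /uploads/a.csv HTTP/1.1" 200 - 2048 2048 12 11 "-" "aws-transfer" -',
    '79a59df900b949e5 examplebucket [10/Mar/2024:12:41:30 +0000] 192.0.2.44 arn:aws:iam::111122223333:user/admin 5D9E1B2C3F4A6E77 REST.DELETE.OBJECT uploads/a.csv "DELETE /uploads/a.csv HTTP/1.1" 204 - - - 9 8 "-" "aws-cli/2.15" -',
]

def parse_requester(requester):
    """Split a Transfer Family Requester value into role, user, session and server;
    return None for requesters that did not come through Transfer Family."""
    m = _REQUESTER.match(requester)
    return m.groupdict() if m else None

def parse_access_log_line(line):
    """Return (requester, operation, key): the 5th, 7th and 8th access log fields."""
    fields = _TOKEN.findall(line)
    if len(fields) < 8:
        raise ValueError("truncated S3 access log line")
    return fields[4], fields[6], fields[7]

def attribute_transfers(lines):
    """Count operations per (server-id, username) for Transfer Family traffic and
    collect every other request, which reached the bucket outside Transfer Family."""
    per_user, outside = Counter(), []
    for line in lines:
        requester, op, key = parse_access_log_line(line)
        parts = parse_requester(requester)
        if parts is None:
            outside.append((requester, op, key))
        else:
            per_user[(parts["server"], parts["user"])] += 1
    return per_user, outside
```

Calling attribute_transfers(SAMPLE_LOG) returns two operations for alice and one for bob.smith on s-0123456789abcdef0, plus the single DELETE by the IAM user in the outside list.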

Using AWS User Notifications with AWS Transfer Family

To get notified about AWS Transfer Family events, you can use AWS User Notifications to set up various delivery channels. When an event matches a rule that you specify, you receive a notification.

You can receive notifications for events through multiple channels, including email, AWS Chatbot chat notifications, or AWS Console Mobile Application push notifications. You can also see notifications in the Console Notifications Center. User Notifications supports aggregation, which can reduce the number of notifications that you receive during specific events.

For more information, see the Customize file delivery notifications using AWS Transfer Family managed workflows blog post, and What is AWS User Notifications? in the AWS User Notifications User Guide.