CloudWatch Cross-account Observability Using the Account Switching Feature
February 28, 2024
Cross-account cross-Region CloudWatch console
Enabling cross-account functionality in CloudWatch
To set up cross-account functionality in your CloudWatch console, use the CloudWatch console to set up your sharing accounts and monitoring accounts.
Set up a sharing account
You must enable sharing in each account that will make data available to the monitoring account.
This grants the read-only permissions that you choose in the Permissions step below to all users who view a cross-account dashboard in the account that you share with, provided the user has corresponding permissions in that account.
To enable your account to share CloudWatch data with other accounts:
1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/. In the navigation pane, choose Settings. For Share your CloudWatch data, choose Configure.
2. For Sharing, choose Specific accounts and enter the IDs of the accounts that you want to share data with. Any accounts that you specify here can view your account's CloudWatch data. Specify the IDs only of accounts that you know and trust.
3. For Permissions, specify how to share your data with one of the following options. Here I chose:
- full read-only access to everything in your account. This option enables the accounts that you use for sharing to create cross-account dashboards that include widgets that contain CloudWatch data from your account. It also enables those accounts to look deeper into your account and view your account's data in the consoles of other AWS services.
4. Choose Launch CloudFormation template. In the confirmation screen, type Confirm, and choose Launch template. Select the I acknowledge... check box, and choose Create stack.
Result:
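As an added example (not part of this post or of the AWS documentation it quotes), the following Python audits the trust policy of the IAM role the sharing stack creates against the monitoring account IDs you entered in step 2, flagging any account you did not list and any wildcard principal. The role name is an assumption to be checked against your own stack, and the policy document is constructed inline rather than fetched from an account.

```python
import re
from typing import Iterable

# Assumption: the sharing stack creates a role with this name for monitoring
# accounts to assume; verify the name in your own CloudFormation stack output.
SHARING_ROLE_NAME = "CloudWatch-CrossAccountSharingRole"

# Matches a bare 12-digit account ID or an account root ARN.
_ACCOUNT_RE = re.compile(r"^(?:arn:aws:iam::)?(\d{12})(?::root)?$")


def _principals(statement: dict) -> list:
    """Flatten the Principal element of one statement into a list of strings."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return [aws] if isinstance(aws, str) else list(aws)


def audit_trust_policy(trust_policy: dict, known_accounts: Iterable[str]) -> dict:
    """Classify every principal allowed to assume the role: allowlisted account,
    unknown account or principal, or a wildcard that trusts every AWS account."""
    known = set(known_accounts)
    allowed, unknown, wildcard = set(), set(), False
    for stmt in trust_policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        for principal in _principals(stmt):
            if principal == "*":
                wildcard = True
                continue
            match = _ACCOUNT_RE.match(principal)
            account = match.group(1) if match else principal
            (allowed if account in known else unknown).add(account)
    return {"allowed": sorted(allowed), "unknown": sorted(unknown), "wildcard": wildcard}


# Constructed sample: the trust policy shape the sharing stack grants, with one
# monitoring account entered in step 2 and one that nobody on the team listed.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::111111111111:root",
                              "arn:aws:iam::222222222222:root"]},
        "Action": "sts:AssumeRole",
    }],
}
KNOWN_MONITORING_ACCOUNTS = ["111111111111"]

if __name__ == "__main__":
    report = audit_trust_policy(SAMPLE_TRUST_POLICY, KNOWN_MONITORING_ACCOUNTS)
    print(f"{SHARING_ROLE_NAME}: {report}")
```

Any entry under "unknown" or a "wildcard" of True means the sharing step trusts an account beyond the ones you chose and the stack should be reviewed.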
Set up a monitoring account
Enable each monitoring account if you want to view cross-account CloudWatch data.
When you complete the following procedure, CloudWatch creates a service-linked role that CloudWatch uses in the monitoring account to access data shared from your other accounts. This service-linked role is called AWSServiceRoleForCloudWatchCrossAccount. For more information, see Using service-linked roles for CloudWatch.
To enable your account to view cross-account CloudWatch data:
1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/. In the navigation pane, choose Settings, and then, in the Cross-account cross-region section, choose Configure.
2. Under the View cross-account cross-region section, choose Enable, and then select the Show selector in the console checkbox to enable an account selector to appear in the CloudWatch console when you're graphing a metric or creating an alarm.
Under View cross-account cross-region, I chose the following option:
- Custom account selector. This option prompts you to enter a list of account IDs. When you next use the console, CloudWatch displays a dropdown list of these accounts for you to select from when you are viewing cross-account data. You can also enter a label for each of these accounts to help you identify them when choosing accounts to view. The account selector settings that a user makes here are retained only for that user, not for all other users in the monitoring account.
Result:
After you complete this setup, you can create cross-account dashboards. For more information, see Cross-account cross-Region dashboards.
References
Cross-account cross-Region CloudWatch console