AWS::Oam::Sink - AWS CloudFormation


Creates or updates a sink in the current account, so that it can be used as a monitoring account in CloudWatch cross-account observability. A sink is a resource that represents an attachment point in a monitoring account, which source accounts can link to to be able to send observability data.

After you create a sink, you must create a sink policy that allows source accounts to attach to it. For more information, see PutSinkPolicy.

An account can have one sink.


To declare this entity in your AWS CloudFormation template, use the following syntax:


{ "Type" : "AWS::Oam::Sink", "Properties" : { "Name" : String, "Policy" : Json, "Tags" : {Key: Value, ...} } }


Type: AWS::Oam::Sink Properties: Name: String Policy: Json Tags: Key: Value



A name for the sink.

Required: Yes

Type: String

Update requires: Replacement


The IAM policy that grants permissions to source accounts to link to this sink. The policy can grant permission in the following ways:

  • Include organization IDs or organization paths to permit all accounts in an organization

  • Include account IDs to permit the specified accounts

Required: No

Type: Json

Update requires: No interruption


An array of key-value pairs to apply to the sink.

For more information, see Tag.

Required: No

Type: Map of String

Update requires: No interruption

Return values


When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the ARN of the link. For example, arn:aws:oam:us-west-1:111111111111:link:abcd1234-a123-456a-a12b-a123b456c789.

For more information about using the Ref function, see Ref.


The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.


The ARN of the sink. For example, arn:aws:oam:us-west-1:111111111111:sink:abcd1234-a123-456a-a12b-a123b456c789


This example creates a sink that allows all accounts in a specified organization to create links to share metric and log data.

"Name": "SampleSink", "Policy": { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": "*", "Resource": "*", "Action": [ "oam:CreateLink", "oam:UpdateLink" ], "Condition": { "StringEquals": {"aws:PrincipalOrgID":"o-xxxxxxxxxxx"}, "ForAllValues:StringEquals": { "oam:ResourceTypes": [ "AWS::CloudWatch::Metric", "AWS::Logs::LogGroup" ] } } }] }
Name: "SampleSink" Policy: Version: '2012-10-17' Statement: - Effect: Allow Principal: "*" Resource: "*" Action: - "oam:CreateLink" - "oam:UpdateLink" Condition: StringEquals: aws:PrincipalOrgID: o-xxxxxxxxxxx ForAllValues:StringEquals: oam:ResourceTypes: - "AWS::CloudWatch::Metric" - "AWS::Logs::LogGroup"

This example creates a sink that allows the account with the ID 111111111111 to create a link to share metrics, logs, and traces.

"Name": "SampleSink", "Policy": { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Resource": "*", "Action": "oam:*", "Principal": { "AWS": [ "1111111111111" ] }, "Condition": { "ForAllValues:StringEquals": { "oam:ResourceTypes": [ "AWS::CloudWatch::Metric", "AWS::Logs::LogGroup", "AWS::XRay::Trace" ] } } }] }
Name: "SampleSink" Policy: Version: '2012-10-17' Statement: - Effect: Allow Resource: "*" Action: "oam:*" Principal: AWS: - '1111111111111' Condition: ForAllValues:StringEquals: oam:ResourceTypes: - "AWS::CloudWatch::Metric" - "AWS::Logs::LogGroup" - "AWS::XRay::Trace"