CloudWatch cross-account observability - Amazon CloudWatch

CloudWatch cross-account observability

With Amazon CloudWatch cross-account observability, you can monitor and troubleshoot applications that span multiple accounts within a Region. Seamlessly search, visualize, and analyze your metrics, logs, and traces in any of the linked accounts without account boundaries.

Set up one or more AWS accounts as monitoring accounts and link them with multiple source accounts. A monitoring account is a central AWS account that can view and interact with observability data generated from source accounts. A source account is an individual AWS account that generates observability data for the resources that reside in it. Source accounts share their observability data with the monitoring account. The shared observability data can include the following types of telemetry:

  • Metrics in Amazon CloudWatch

  • Log groups in Amazon CloudWatch Logs

  • Traces in AWS X-Ray

To create links between monitoring accounts and source accounts, you can use the CloudWatch console. Alternatively, use the Observability Access Manager commands in the AWS CLI and API. For more information, see Observability Access Manager API Reference.

A sink is a resource that represents an attachment point in a monitoring account. Source accounts can link to the sink to share observability data. Each sink is managed by the monitoring account where it is located. An observability link is a resource that represents the link established between a source account and a monitoring account. Links are managed by the source account.

For a video demonstration of setting up CloudWatch cross-account observability, see the following video.

The next topic explains how to set up CloudWatch cross-account observability in both monitoring accounts and source accounts. For information about the legacy cross-account cross-Region CloudWatch dashboard, see Cross-account cross-Region CloudWatch console.

Use Organizations for source accounts

There are two options for linking source accounts to your monitoring account. You can use one or both options.

  • Use AWS Organizations to link accounts in an organization or organizational unit to the monitoring account.

  • Connect individual AWS accounts to the monitoring account.

We recommend that you use Organizations so that new AWS accounts created later in the organization are automatically onboarded to cross-account observability as source accounts.

Details about linking monitoring accounts and source accounts

  • Each monitoring account can be linked to as many as 100,000 source accounts.

  • Each source account can share data with as many as five monitoring accounts.

  • You can set up a single account as both a monitoring account and a source account. If you do, this account sends only the observability data from itself to the its linked monitoring account. It does not relay the data from its source accounts.

  • A monitoring account specifies which telemetry types can be shared with it. A source account specifies which telemetry types it wants to share.

    • If there are more telemetry types selected in the monitoring account than in the source account, the accounts are linked. Only the data types that are selected in both accounts are shared.

    • If there are more telemetry types selected in the source account than in the monitoring account, the link creation fails and nothing is shared.

  • To remove a link between accounts, do so from the source account.

  • To delete the sink in a monitoring account, you must first remove all links to the monitoring account.

Pricing

Cross-account observability in CloudWatch comes with no extra cost for logs and metrics, and the first trace copy is free. For more information about pricing, see Amazon CloudWatch Pricing.