Sharing CloudWatch Dashboards - Amazon CloudWatch

Sharing CloudWatch Dashboards

You can share your CloudWatch dashboards with people who do not have direct access to your AWS account. This enables you to share dashboards across teams, with stakeholders, and with people external to your organization. You can even display dashboards on big screens in team areas, or embed them in Wikis and other webpages.

When you share dashboards, you can designate who can view the dashboard in three ways:

  • Share a single dashboard and designate specific email addresses of the people who can view the dashboard. Each of these users creates their own password that they must enter to view the dashboard.

  • Share a single dashboard publicly, so that anyone who has the link can view the dashboard.

  • Share all the CloudWatch dashboards in your account and specify a third-party single sign-on (SSO) provider for dashboard access. All users who are members of this SSO provider's list can access all the dashboards in the account. To enable this, you integrate the SSO provider with Amazon Cognito. The SSO provider must support Security Assertion Markup Language (SAML). For more information about Amazon Cognito, see What is Amazon Cognito?

Permissions required for dashboard sharing

To share dashboards using any of the following methods, and to see which dashboards have already been shared, you must be signed in as an IAM user or IAM role that has certain permissions.

To be able to share dashboards, your IAM user or IAM role must have the permissions granted by the following policy statements:

    {
        "Effect": "Allow",
        "Action": [
            "iam:CreateRole",
            "iam:CreatePolicy",
            "iam:AttachRolePolicy",
            "iam:PassRole"
        ],
        "Resource": [
            "arn:aws:iam::*:role/service-role/CloudWatchDashboard*",
            "arn:aws:iam::*:policy/*"
        ]
    },
    {
        "Effect": "Allow",
        "Action": [
            "cognito-idp:*",
            "cognito-identity:*"
        ],
        "Resource": [ "*" ]
    }

To be able to see which dashboards are shared, but not be able to share dashboards, your IAM user or IAM role can include a policy statement similar to the following:

    {
        "Effect": "Allow",
        "Action": [
            "cognito-idp:*",
            "cognito-identity:*"
        ],
        "Resource": [ "*" ]
    }

Share a single dashboard with specific users

Use the steps in this section to share a dashboard with specific email addresses that you choose.

To share a dashboard with specific users

  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  2. In the navigation pane, choose Dashboards.

  3. Choose the name of your dashboard.

  4. Choose Actions, Share dashboard.

  5. Next to Share your dashboard and require a username and password, choose Start sharing.

  6. Under Add email addresses, enter the email addresses that you want to share the dashboard with.

  7. To include CloudWatch Logs Insights widgets as part of the shared dashboard, choose Enable sharing log widgets. If you don't choose this, any CloudWatch Logs widgets on the dashboard are not visible to people who access the dashboard by sharing. For more information, see Sharing dashboards with logs table widgets.

  8. When you have all the email addresses entered, read the agreement and select the confirmation box. Then choose Save and generate shareable link.

  9. On the next page, choose Copy link to clipboard. You can then paste this link into email and send it to the invited users. They automatically receive a separate email with their username and a temporary password to use to connect to the dashboard.

Share a single dashboard publicly

Use the steps in this section to share a dashboard publicly. This can be useful to put the dashboard on a big screen in a team room, or embed it in a Wiki page.

Important

Sharing a dashboard publicly makes it accessible to anyone who has the link, with no authentication. Do this only for dashboards that do not contain sensitive information.

To share a dashboard publicly

  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  2. In the navigation pane, choose Dashboards.

  3. Choose the name of your dashboard.

  4. Choose Actions, Share dashboard.

  5. Next to Share your dashboard publicly, choose Start sharing.

  6. Enter Confirm in the text box.

  7. To include CloudWatch Logs Insights widgets as part of the shared dashboard, choose Enable sharing log widgets. If you don't choose this, any CloudWatch Logs widgets on the dashboard are not visible to people who access the dashboard by sharing. For more information, see Sharing dashboards with logs table widgets.

  8. Read the agreement and select the confirmation box. Then choose Save and generate shareable link.

  9. On the next page, choose Copy link to clipboard. You can then share this link. Anyone you share the link with can access the dashboard, without providing credentials.

Share all CloudWatch dashboards in the account by using SSO

Use the steps in this section to share all the dashboards in your account with users by using single sign-on (SSO).

To share your CloudWatch dashboards with users who are in an SSO provider's list

  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  2. In the navigation pane, choose Dashboards.

  3. Choose the name of your dashboard.

  4. Choose Actions, Share dashboard.

  5. Choose Go to CloudWatch Settings.

  6. If the SSO provider that you want isn't listed in Available SSO providers, choose Manage SSO providers and follow the instructions in Set up SSO for CloudWatch dashboard Sharing.

    Then return to the CloudWatch console and refresh the browser. The SSO provider that you enabled should now appear in the list.

  7. Choose the SSO provider that you want in the Available SSO providers list.

  8. To include CloudWatch Logs Insights widgets as part of the shared dashboard, choose Enable sharing log widgets. If you don't choose this, any CloudWatch Logs widgets on the dashboard are not visible to people who access the dashboard by sharing. For more information, see Sharing dashboards with logs table widgets.

  9. Choose Save changes.

Set up SSO for CloudWatch dashboard Sharing

To set up dashboard sharing through a third-party single sign-on provider that supports SAML, follow these steps.

Important

We strongly recommend that you do not share dashboards using a non-SAML SSO provider. Doing so risks inadvertently allowing third parties to access your account's dashboards.

To set up an SSO provider to enable dashboard sharing

  1. Integrate the SSO provider with Amazon Cognito. For more information, see Integrating Third-Party SAML Identity Providers with Amazon Cognito User Pools.

  2. Download the metadata XML file from your SSO provider.

  3. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  4. In the navigation pane, choose Settings.

  5. In the Dashboard sharing section, choose Configure.

  6. Choose Manage SSO providers.

  7. Choose the CloudWatchDashboardSharing pool.

  8. In the navigation pane, choose Identity providers.

  9. Choose SAML.

  10. Enter a name for your SSO provider in Provider name.

  11. Choose Select file, and select the metadata XML file that you downloaded in step 1.

  12. Choose Create provider.
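The following is an added example, not AWS's or Amazon Cognito's code: a sanity check to run on the metadata XML file from your SSO provider before you upload it in the procedure above. It confirms that the file is SAML 2.0 identity-provider metadata (an EntityDescriptor carrying an IDPSSODescriptor that advertises the SAML 2.0 protocol), and extracts the entityID, the single sign-on endpoints and the signing certificate(s) that the user pool will rely on to verify assertions. The metadata documents in the block are constructed for the example; the entityID, URLs and certificate value are placeholders.

```python
"""Added example (not AWS's or Cognito's code): check that a metadata XML file is
SAML 2.0 IdP metadata before uploading it to the CloudWatchDashboardSharing pool.
The documents below are constructed; entityID, URLs and the certificate value
are placeholders."""
import xml.etree.ElementTree as ET  # fine for a file fetched from your own IdP;
                                    # prefer defusedxml for metadata from untrusted sources

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed identity-provider metadata, the shape Cognito expects here.
CONSTRUCTED_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIBplaceholderSigningCertBase64==</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed service-provider metadata: valid SAML, but not IdP metadata.
CONSTRUCTED_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.com/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>
"""


def inspect_idp_metadata(xml_text):
    """Return the identity-provider details from SAML 2.0 metadata, or raise
    ValueError describing why the document is not usable IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != MD + "EntityDescriptor":
        raise ValueError(f"root element is {root.tag}, not a SAML 2.0 EntityDescriptor")
    idp = root.find(MD + "IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this describes a service provider, not an IdP")
    if SAML2_PROTOCOL not in idp.get("protocolSupportEnumeration", "").split():
        raise ValueError("IdP does not advertise SAML 2.0 protocol support")
    endpoints = [(e.get("Binding"), e.get("Location"))
                 for e in idp.findall(MD + "SingleSignOnService")]
    if not endpoints:
        raise ValueError("no SingleSignOnService endpoint")
    certs = []
    for kd in idp.findall(MD + "KeyDescriptor"):
        # A KeyDescriptor without 'use' is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iter(DS + "X509Certificate"):
            certs.append("".join((cert.text or "").split()))  # drop PEM line wrapping
    if not certs:
        raise ValueError("no signing certificate: assertions from this IdP could not be verified")
    warnings = [f"non-TLS SSO endpoint: {loc}"
                for _, loc in endpoints if not (loc or "").startswith("https://")]
    return {"entity_id": root.get("entityID"), "sso_endpoints": endpoints,
            "signing_certs": certs, "warnings": warnings}


def is_saml_idp_metadata(text):
    """Boolean form of the check: False for non-XML input (for example an OIDC
    discovery JSON document) and for any metadata that fails the checks above."""
    try:
        inspect_idp_metadata(text)
        return True
    except (ET.ParseError, ValueError):
        return False


if __name__ == "__main__":
    print(inspect_idp_metadata(CONSTRUCTED_IDP_METADATA))
    print(is_saml_idp_metadata(CONSTRUCTED_SP_METADATA))                   # False
    print(is_saml_idp_metadata('{"issuer": "https://idp.example.com"}'))  # False
```

Run it against the real file with `inspect_idp_metadata(open("idp-metadata.xml").read())`; a ValueError tells you the file is not IdP metadata (a common mix-up is uploading the service-provider side's metadata, or an OIDC discovery document from a provider that does not speak SAML), which is exactly the case the Important note above warns against.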

Sharing dashboards with logs table widgets

When you share a dashboard, you choose whether to make any CloudWatch Logs Insights widgets on the dashboard visible to people who access the dashboard by the share. This choice affects both CloudWatch Logs Insights widgets that exist now and any that are added to the dashboard after you share it.

If you choose to allow the sharing of CloudWatch Logs widgets, CloudWatch grants the following additional permissions to the IAM role for dashboard sharing. By default, these permissions apply to all log groups in the account.

  • logs:FilterLogEvents

  • logs:StartQuery

  • logs:StopQuery

  • logs:GetLogRecord

For additional security, you can choose not to include CloudWatch Logs widgets in dashboard sharing, or you can modify the IAM role used for dashboard sharing to lock down sensitive log groups while allowing other log groups to be visible in the shared dashboard. To modify this IAM role, do the following after the dashboard is shared:

To modify the IAM role for a shared dashboard to lock down specified log groups

  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  2. In the navigation pane, choose Dashboards.

  3. Choose the name of the shared dashboard.

  4. Choose Actions, Share dashboard.

  5. Under Resources, choose IAM Role.

  6. In the IAM console, choose the displayed policy.

  7. Choose Edit policy and then add a statement with a Deny effect that lists the ARNs of the log groups to be locked down. See the following example.

    {
        "Effect": "Deny",
        "Action": "*",
        "Resource": [
            "LogGroup1ARN",
            "LogGroup2ARN"
        ]
    },

  8. Choose Save Changes.
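The following is an added example, not AWS's own code, that serves two sections of this page: "Permissions required for dashboard sharing" (which of the two policies lets a principal share dashboards, and which only lets it see what is shared) and "Sharing dashboards with logs table widgets" (how the Deny statement above locks sensitive log groups out of the dashboard-sharing role while other log groups stay readable). It is a small offline evaluator that applies the IAM rules the page relies on: default deny, `*` wildcards in actions and resources, and an explicit Deny overriding any Allow. The account id 111122223333 and the log group ARNs are constructed placeholders, and the evaluator ignores Condition blocks, NotAction and cross-account trust.

```python
"""Added example (not AWS's own code): an offline evaluator for the policies on
this page. Models default deny, '*' wildcards and Deny-beats-Allow only; the
account id and log group ARNs are constructed placeholders."""
import fnmatch
import json


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """True if `action` on `resource` is allowed: default deny, and any matching
    Deny statement wins over every Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        # IAM treats '*' as any run of characters and '?' as one character;
        # fnmatch has the same semantics for the strings used here.
        action_hit = any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# The two statements the page lists for principals who may share dashboards.
SHARE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["iam:CreateRole", "iam:CreatePolicy", "iam:AttachRolePolicy", "iam:PassRole"],
         "Resource": ["arn:aws:iam::*:role/service-role/CloudWatchDashboard*",
                      "arn:aws:iam::*:policy/*"]},
        {"Effect": "Allow", "Action": ["cognito-idp:*", "cognito-identity:*"], "Resource": ["*"]},
    ],
}

# The narrower statement for principals who may only see which dashboards are shared.
VIEW_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["cognito-idp:*", "cognito-identity:*"], "Resource": ["*"]},
    ],
}

# Constructed: the logs permissions the page says the sharing role receives when
# log widgets are shared, applying to all log groups by default.
SHARING_ROLE_LOG_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["logs:FilterLogEvents", "logs:StartQuery", "logs:StopQuery", "logs:GetLogRecord"],
         "Resource": ["*"]},
    ],
}

ACCOUNT = "111122223333"  # placeholder account id
PAYMENTS_LOGS = f"arn:aws:logs:us-east-1:{ACCOUNT}:log-group:/app/payments:*"  # constructed, sensitive
WEB_LOGS = f"arn:aws:logs:us-east-1:{ACCOUNT}:log-group:/app/web:*"            # constructed, shareable


def lock_down(role_policy, log_group_arns):
    """Return a copy of the role policy with the page's Deny statement appended
    for the given log group ARNs (step 7 of the lock-down procedure)."""
    locked = json.loads(json.dumps(role_policy))  # deep copy; the original is untouched
    locked["Statement"].append({"Effect": "Deny", "Action": "*", "Resource": list(log_group_arns)})
    return locked


def can_share(policy):
    """Does the policy grant every IAM action the page requires for sharing, on the
    dashboard-sharing service role and its policy? (Role and policy names are assumed.)"""
    role = f"arn:aws:iam::{ACCOUNT}:role/service-role/CloudWatchDashboardSharingRole"
    managed_policy = f"arn:aws:iam::{ACCOUNT}:policy/CloudWatchDashboardSharingPolicy"
    return (all(is_allowed(policy, a, role) for a in ("iam:CreateRole", "iam:AttachRolePolicy", "iam:PassRole"))
            and is_allowed(policy, "iam:CreatePolicy", managed_policy))


if __name__ == "__main__":
    print("share policy can share:", can_share(SHARE_POLICY))          # True
    print("view-only policy can share:", can_share(VIEW_ONLY_POLICY))  # False
    # The role pattern is scoped: the sharing policy cannot pass arbitrary roles.
    print(is_allowed(SHARE_POLICY, "iam:PassRole", f"arn:aws:iam::{ACCOUNT}:role/AdminRole"))  # False
    locked = lock_down(SHARING_ROLE_LOG_POLICY, [PAYMENTS_LOGS])
    for arn in (PAYMENTS_LOGS, WEB_LOGS):
        print(arn.rsplit(":", 2)[1], "readable:", is_allowed(locked, "logs:FilterLogEvents", arn))
```

Two points the run makes visible: the view-only policy really cannot create or pass the sharing role, and the sharing policy's role pattern is scoped to `service-role/CloudWatchDashboard*`, so it does not let the principal pass unrelated roles; after `lock_down`, the payments log group is unreadable through the shared dashboard even though the Allow on `*` is still present, because the explicit Deny wins.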