AWS::Oam::Link
Creates a link between a source account and a sink that you have created in a monitoring account.
Before you create a link, you must create a sink in the monitoring account. The sink must have a sink policy that permits the source account to link to it. You can grant permission to source accounts by granting permission to an entire organization, an organizational unit, or to individual accounts.
For more information, see CreateSink and PutSinkPolicy.
Each monitoring account can be linked to as many as 100,000 source accounts.
Each source account can be linked to as many as five monitoring accounts.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{
  "Type" : "AWS::Oam::Link",
  "Properties" : {
      "LabelTemplate" : String,
      "LinkConfiguration" : LinkConfiguration,
      "ResourceTypes" : [ String, ... ],
      "SinkIdentifier" : String,
      "Tags" : {Key: Value, ...}
    }
}
YAML
Type: AWS::Oam::Link
Properties:
  LabelTemplate: String
  LinkConfiguration:
    LinkConfiguration
  ResourceTypes:
    - String
  SinkIdentifier: String
  Tags:
    Key: Value
Properties
LabelTemplate
Specify a friendly human-readable name to use to identify this source account when you are viewing data from it in the monitoring account.
You can include the following variables in your template:
- $AccountName is the name of the account
- $AccountEmail is a globally-unique email address, which includes the email domain, such as mariagarcia@example.com
- $AccountEmailNoDomain is an email address without the domain name, such as mariagarcia
Required: No
Type: String
Minimum: 1
Maximum: 64
Update requires: Replacement
LinkConfiguration
Use this structure to optionally create filters that specify that only some metric namespaces or log groups are to be shared from the source account to the monitoring account.
Required: No
Type: LinkConfiguration
Update requires: No interruption
ResourceTypes
An array of strings that defines which types of data the source account shares with the monitoring account. Valid values are AWS::CloudWatch::Metric | AWS::Logs::LogGroup | AWS::XRay::Trace | AWS::ApplicationInsights::Application | AWS::InternetMonitor::Monitor.
Required: Yes
Type: Array of String
Minimum: 1
Maximum: 50
Update requires: No interruption
SinkIdentifier
The ARN of the sink in the monitoring account that you want to link to. You can use ListSinks to find the ARNs of sinks.
Required: Yes
Type: String
Minimum: 1
Maximum: 2048
Update requires: Replacement
Tags
An array of key-value pairs to apply to the link.
For more information, see Tag.
Required: No
Type: Object of String
Pattern: ^(?!aws:.*).{1,128}$
Minimum: 0
Maximum: 256
Update requires: No interruption
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the ARN of the link. For example, arn:aws:oam:us-west-1:111111111111:link:abcd1234-a123-456a-a12b-a123b456c789.
For more information about using the Ref function, see Ref.
Fn::GetAtt
The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.
For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.
Arn
The ARN of the link. For example, arn:aws:oam:us-west-1:111111111111:link:abcd1234-a123-456a-a12b-a123b456c789
Label
The friendly human-readable name used to identify this source account when it is viewed from the monitoring account. For example, my-account1.
Examples
Sample CloudWatch cross-account observability link
This example creates a link from the current source account to the sink created in the 111111111111 account. Over this link, logs and traces are shared but metrics are not.
JSON
{
  "LabelTemplate": "$AccountEmail",
  "ResourceTypes": [
    "AWS::Logs::LogGroup",
    "AWS::XRay::Trace"
  ],
  "SinkIdentifier": "arn:aws:oam:eu-north-1:111111111111:sink/EXAMPLE-206d-4daf-9b42-1e17d5f145ef"
}
YAML
LabelTemplate: "$AccountEmail"
ResourceTypes:
  - "AWS::Logs::LogGroup"
  - "AWS::XRay::Trace"
SinkIdentifier: "arn:aws:oam:eu-north-1:111111111111:sink/EXAMPLE-206d-4daf-9b42-1e17d5f145ef"
Sample link for CloudWatch Application Insights applications support
This example creates a link from the current source account to the sink created in the 111111111111 account.
To properly view Application Insights applications with dashboards, logs, metrics, traces, and Application Insights applications must be shared.
JSON
{
  "LabelTemplate": "$AccountEmail",
  "ResourceTypes": [
    "AWS::Logs::LogGroup",
    "AWS::CloudWatch::Metric",
    "AWS::XRay::Trace",
    "AWS::ApplicationInsights::Application"
  ],
  "SinkIdentifier": "arn:aws:oam:eu-north-1:111111111111:sink/EXAMPLE-206d-4daf-9b42-1e17d5f145ef"
}
YAML
LabelTemplate: "$AccountEmail"
ResourceTypes:
  - "AWS::Logs::LogGroup"
  - "AWS::CloudWatch::Metric"
  - "AWS::XRay::Trace"
  - "AWS::ApplicationInsights::Application"
SinkIdentifier: "arn:aws:oam:eu-north-1:111111111111:sink/EXAMPLE-206d-4daf-9b42-1e17d5f145ef"
Cross-account observability link with resource filtering.
This example creates a link that shares only one metric namespace and one log group from the source account to the monitoring account.
JSON
{
  "TestLink": {
    "Type": "AWS::Oam::Link",
    "Properties": {
      "LabelTemplate": "$AccountEmail",
      "ResourceTypes": [
        "AWS::CloudWatch::Metric",
        "AWS::Logs::LogGroup"
      ],
      "SinkIdentifier": { "Fn::ImportValue": "export-canary-sinkarn" },
      "LinkConfiguration": {
        "MetricConfiguration": {
          "Filter": "Namespace = 'TestNamespace'"
        },
        "LogGroupConfiguration": {
          "Filter": "LogGroupName = 'TestLogGroupName'"
        }
      }
    }
  }
}
YAML
TestLink:
  DependsOn: WaiterCustomResource
  Type: AWS::Oam::Link
  Properties:
    LabelTemplate: "$AccountEmail"
    ResourceTypes:
      - "AWS::CloudWatch::Metric"
      - "AWS::Logs::LogGroup"
    SinkIdentifier: !ImportValue export-canary-sinkarn
    LinkConfiguration:
      MetricConfiguration:
        Filter: "Namespace = 'TestNamespace'"
      LogGroupConfiguration:
        Filter: "LogGroupName = 'TestLogGroupName'"
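Pre-deployment review of link resources
The following Python function is an added example, not AWS code: it audits the AWS::Oam::Link resources of a parsed template against the property limits listed on this page and flags metrics or log groups shared without a LinkConfiguration filter. The names audit_links and SAMPLE, the finding messages, and the filter requirement itself (a review policy, not a CloudFormation rule) are assumptions of the example, as is applying the Tags pattern to tag keys.

```python
import re

# Constraints copied from the property reference on this page.
VALID_TYPES = {
    "AWS::CloudWatch::Metric", "AWS::Logs::LogGroup", "AWS::XRay::Trace",
    "AWS::ApplicationInsights::Application", "AWS::InternetMonitor::Monitor",
}
TAG_KEY = re.compile(r"^(?!aws:.*).{1,128}$")  # assumption: the Tags pattern applies to keys
FILTERABLE = {"AWS::CloudWatch::Metric": "MetricConfiguration",  # type -> its filter block
              "AWS::Logs::LogGroup": "LogGroupConfiguration"}

def audit_links(template):
    """Return (logical_id, finding) pairs for each AWS::Oam::Link in a template dict."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::Oam::Link":
            continue
        props = res.get("Properties", {})
        types = props.get("ResourceTypes")
        if not isinstance(types, list) or not 1 <= len(types) <= 50:
            findings.append((name, "ResourceTypes must list 1 to 50 values"))
            types = []
        for t in types:
            if isinstance(t, str) and t not in VALID_TYPES:
                findings.append((name, f"invalid resource type: {t}"))
        sink = props.get("SinkIdentifier")  # a string, or an intrinsic such as Fn::ImportValue
        if not sink or (isinstance(sink, str) and len(sink) > 2048):
            findings.append((name, "SinkIdentifier is required (1 to 2048 characters)"))
        label = props.get("LabelTemplate")
        if isinstance(label, str) and not 1 <= len(label) <= 64:
            findings.append((name, "LabelTemplate must be 1 to 64 characters"))
        for key in props.get("Tags", {}):
            if not TAG_KEY.match(key):
                findings.append((name, f"invalid tag key: {key}"))
        # Least-privilege check: a review policy assumed for this example, not a CloudFormation rule.
        cfg = props.get("LinkConfiguration", {})
        for t, block in FILTERABLE.items():
            if t in types and not cfg.get(block, {}).get("Filter"):
                findings.append((name, f"{t} shared without a {block} filter"))
    return findings

# Constructed sample: "Filtered" follows the filtering example above, "Broad" does not.
SAMPLE = {"Resources": {
    "Filtered": {"Type": "AWS::Oam::Link", "Properties": {
        "ResourceTypes": ["AWS::Logs::LogGroup"],
        "SinkIdentifier": {"Fn::ImportValue": "export-canary-sinkarn"},
        "LinkConfiguration": {"LogGroupConfiguration": {"Filter": "LogGroupName = 'TestLogGroupName'"}}}},
    "Broad": {"Type": "AWS::Oam::Link", "Properties": {
        "ResourceTypes": ["AWS::CloudWatch::Metric", "AWS::EC2::Instance"], "Tags": {"aws:owner": "x"}}}}}
```

Calling audit_links(SAMPLE) reports four findings for Broad and none for Filtered; a YAML template needs a loader that understands CloudFormation short-form tags such as !ImportValue before it can be passed in.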