Monitor across accounts and Regions

To enable unified monitoring across accounts, CloudWatch offers the following features:

CloudWatch cross-account observability– facilitate observability within a single Region with the Observability Access Manager (OAM) service. You can link accounts and easily view metrics, logs, traces, and other telemetry between accounts. This helps you to unify observability in central monitoring accounts that view telemetry shared from source accounts, and operate on this shared telemetry as if it were native to the monitoring account.
Cross-account cross-Region CloudWatch console– delivers a console experience that allows you to view dashboards, metrics, and alarms consoles of other accounts across Regions by toggling between accounts. After you set up the necessary permissions, you use an account selector integrated into the alarms, dashboards, and metrics consoles to view metrics, dashboards, and alarms in other accounts without having to log in and out of the accounts. By enabling this feature, you can also set up dashboards that contain cross-account cross-Region metrics for centralized visibility within an account.

These two features are complementary to each other and can be used independently or together. See the following table for a comparison of the two features. We recommend that you use CloudWatch cross-account observability for the richest cross-account observability and discovery experience within a Region for your metrics, logs, and traces.

	CloudWatch cross-account observability	Cross-account cross-Region CloudWatch console
What is it?	Unified access to underlying telemetry and other observability resources across multiple accounts. After this is configured, observability resources are seamlessly viewable between accounts, eliminating the need for role assumptions. The central monitoring account gains direct access to the telemetry data and resources from source accounts, streamlining the monitoring and observability process.	A designated monitoring account assume a CrossAccountSharingRole defined in source accounts from the CloudWatch console. By assuming this role, the monitoring account can invoke operations such as dashboard viewing on behalf of source accounts, directly from its console.
How does it work?	A monitoring account, using the Observability Access Monitoring service, creates a sink and attaches a sink policy to it. The sink policy defines which resources they would like to view and which source accounts should share them. Then source accounts can create a link to the monitoring account sink, establishing what they actually want to share. After the link is created, the specified resources are visible in the monitoring account.	A source account initiates the configuration by setting up a CrossAccountSharingRole, allowing a monitoring account to run operations in the source account. Then, a monitoring account enables the cross-account cross-Region selector in the console by specifying the source account ID. This enables the monitoring account to be able to switch into the source account. When switching, the CloudWatch console checks for the existence of a service-linked role that allows CloudWatch to assume the CrossAccountSharingRole that was created in the source account.
What telemetry is supported?	Metrics Traces Logs .	Metrics Traces
What functionality is supported?	Dashboarding Alarms Metrics Insights Anomaly Detection CloudWatch Logs insights Application Insights Other functionalities. For more details see CloudWatch cross-account observability. .	Console switching between accounts and Regions in metrics, alarms, and traces consoles. Custom dashboards with metrics and alarms from other accounts and Regions For more details, see Cross-account cross-Region CloudWatch console.
How many accounts can I use it with?	A monitoring account can see resources from as many as 100,000 source accounts at the same time. A source account can share their resources with as many as five different monitoring accounts.	By using the cross-account cross-Region selector in the console, a monitoring account can switch to one other account at a time but there is no limit on the number of accounts that can be linked. When defining cross-account dashboards and alarms, many source accounts can be referenced.
Does it move telemetry data?	No. Resources are shared between accounts with the exception of copied traces.	No. An IAM policy is configured to allow embedded account switching for cross-account cross-Region resource visibilty.
How much does it cost?	No extra charges for shared logs and metrics, and the first trace copy is free. For more information about pricing, see Amazon CloudWatch pricing.	No additional charges for cross-account or cross-Region actions.
Does it support observability across Regions?	No	Yes
Does it support programmatic access?	Yes. the Amazon CLI, Amazon Cloud Development Kit (Amazon CDK), and APIs are supported.	No.
Does it support programmatic setup?	Yes	Yes
Does it support Amazon Organizations?	Yes	Yes

Topics

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

EC2 health

CloudWatch cross-account observability