Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

CloudWatch cross-account observability

With Amazon CloudWatch cross-account observability, you can monitor and troubleshoot applications that span multiple accounts within a Region. Seamlessly search, visualize, and analyze your metrics, logs, traces, and Application Insights applications in any of the linked accounts without account boundaries.

Set up one or more Amazon accounts as monitoring accounts and link them with multiple source accounts. A monitoring account is a central Amazon account that can view and interact with observability data generated from source accounts. A source account is an individual Amazon account that generates observability data for the resources that reside in it. Source accounts share their observability data with the monitoring account. The shared observability data can include the following types of telemetry:

  • Metrics in Amazon CloudWatch

  • Log groups in Amazon CloudWatch Logs

  • Traces in Amazon X-Ray

  • Applications in Amazon CloudWatch Application Insights

To create links between monitoring accounts and source accounts, you can use the CloudWatch console. Alternatively, use the Observability Access Manager commands in the Amazon CLI and API. For more information, see Observability Access Manager API Reference.

A sink is a resource that represents an attachment point in a monitoring account. Source accounts can link to the sink to share observability data. Each sink is managed by the monitoring account where it is located. An observability link is a resource that represents the link established between a source account and a monitoring account. Links are managed by the source account.

The next topic explains how to set up CloudWatch cross-account observability in both monitoring accounts and source accounts. For information about the cross-account cross-Region CloudWatch dashboard, see Cross-account cross-Region CloudWatch console.

Use Organizations for source accounts

There are two options for linking source accounts to your monitoring account. You can use one or both options.

  • Use Amazon Organizations to link accounts in an organization or organizational unit to the monitoring account.

  • Connect individual Amazon accounts to the monitoring account.

We recommend that you use Organizations so that new Amazon accounts created later in the organization are automatically onboarded to cross-account observability as source accounts.

Details about linking monitoring accounts and source accounts

  • Each monitoring account can be linked to as many as 100,000 source accounts.

  • Each source account can share data with as many as five monitoring accounts.

  • You can set up a single account as both a monitoring account and a source account. If you do, this account sends only its own observability data to its linked monitoring account. It does not relay the data from its source accounts.

  • A monitoring account specifies which telemetry types can be shared with it. A source account specifies which telemetry types it wants to share.

    • If there are more telemetry types selected in the monitoring account than in the source account, the accounts are linked. Only the data types that are selected in both accounts are shared.

    • If there are more telemetry types selected in the source account than in the monitoring account, the link creation fails and nothing is shared.

  • To remove a link between accounts, do so from the source account.

  • To delete the sink in a monitoring account, you must first remove all links to the monitoring account.
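The telemetry-type rule above can be checked before a link is attempted. The following Python sketch is an added example, not code from this documentation: it audits a sink policy and predicts whether a link request succeeds. It assumes the sink policy is an IAM-style JSON document that uses the `oam:ResourceTypes` and `aws:PrincipalOrgID` / `aws:PrincipalOrgPaths` condition keys; the sample policy and its organization ID are constructed placeholders, and the function names are hypothetical.

```python
ALL_TYPES = {"AWS::CloudWatch::Metric", "AWS::Logs::LogGroup",
             "AWS::XRay::Trace", "AWS::ApplicationInsights::Application"}
ORG_KEYS = {"aws:PrincipalOrgID", "aws:PrincipalOrgPaths"}

# Constructed sample sink policy; "o-exampleorgid" is a placeholder.
SINK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow", "Principal": "*", "Resource": "*",
        "Action": ["oam:CreateLink", "oam:UpdateLink"],
        "Condition": {
            "StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"},
            "ForAllValues:StringEquals": {"oam:ResourceTypes": [
                "AWS::CloudWatch::Metric", "AWS::Logs::LogGroup", "AWS::XRay::Trace"]},
        },
    }],
}

def _conditions(statement):
    """Flatten {operator: {key: value}} into {key: value}."""
    return {k: v for block in statement.get("Condition", {}).values()
            for k, v in block.items()}

def allowed_types(policy):
    """Telemetry types the monitoring account accepts.
    Simplification: takes the union over Allow statements and ignores principals."""
    types = set()
    for st in policy["Statement"]:
        if st.get("Effect") == "Allow":
            value = _conditions(st).get("oam:ResourceTypes", ALL_TYPES)
            types.update([value] if isinstance(value, str) else value)
    return types

def audit_sink_policy(policy):
    """Flag Allow statements open to every principal without Organizations scoping."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow" or st.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        keys = set(_conditions(st))
        if not keys & ORG_KEYS:
            findings.append(f"Statement {i}: any account may link to this sink")
        if "oam:ResourceTypes" not in keys:
            findings.append(f"Statement {i}: telemetry types are not restricted")
    return findings

def evaluate_link(policy, requested):
    """Return (linked, shared_types) for the types a source account wants to share."""
    if set(requested) - allowed_types(policy):
        return False, set()      # source selected a type the sink does not accept
    return True, set(requested)  # only types selected in both accounts are shared
```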

Pricing

Cross-account observability in CloudWatch comes with no extra cost for logs and metrics, and the first trace copy is free. For more information about pricing, see Amazon CloudWatch Pricing.