Cross-account investigations
Cross-account CloudWatch investigations enables you to investigate application issues that span multiple Amazon Web Services accounts from a centralized monitoring account. This feature allows you to correlate telemetry data, metrics, and logs across up to 25 accounts, in addition to the monitoring account, to gain comprehensive visibility into distributed applications and troubleshoot complex multi-account scenarios.
Prerequisites
- Multi-account investigation requires you to already have cross-account observability set up in order to view cross-account telemetry. To complete the prerequisite, set up either cross-account observability or the cross-account dashboard.
- Set up an investigation group. For cross-account observability, this should be in the monitoring account. You can also set up investigation groups in the source accounts and run single-account investigations there.
Set up your monitoring account for cross-account access
- Open the CloudWatch console at https://console.amazonaws.cn/cloudwatch/.
- In the left navigation pane, choose AI Operations, Configuration.
- Under Configure Cross-account access, select Configure.
- Add the Account ID for up to 25 accounts under the List source accounts section.
- Update your IAM role, either automatically or manually.
  Automatically
  - If you choose Automatically update the assistant role (recommended), this creates a customer managed policy named AIOpsAssistantCrossAccountPolicy-${guid} with the sts:AssumeRole statements needed to assume the provided source account roles. Choosing the automatic update option defaults the IAM role name in the source accounts to AIOps-CrossAccountInvestigationRole.
    {
      "Version": "2012-10-17",
      "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": [
          "arn:aws:iam::777777777777:role/AIOps-CrossAccountInvestigationRole",
          "arn:aws:iam::555555555555:role/AIOps-CrossAccountInvestigationRole",
          "arn:aws:iam::666666666666:role/AIOps-CrossAccountInvestigationRole"
        ]
      }
    }
  - If the monitoring account owner removes a source account from the cross-account configuration, the IAM policy is not updated automatically. You must manually update the IAM role and policy so that it always holds the minimum permissions necessary.
  - You may reach the limit of managed policies per role if the permissions are not manually updated when a source account is removed. Delete any unused managed policies attached to your investigation role.
  Manually
  - Below is an example of what the trust policy of the assistant role should look like. For more information, see Getting started.
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": { "Service": "aiops.amazonaws.com" },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": { "aws:SourceAccount": "123456789012" },
            "ArnLike": { "aws:SourceArn": "arn:aws:aiops:us-east-1:123456789012:investigation-group/*" }
          }
        }
      ]
    }
  - To grant cross-account access, the permission policy of the investigation role in the monitoring account must contain the following. If you are configuring the monitoring account manually, the role name can be whatever you choose; it does not default to AIOps-CrossAccountInvestigationRole.
    {
      "Version": "2012-10-17",
      "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": [
          "arn:aws:iam::777777777777:role/source_role_name_1",
          "arn:aws:iam::555555555555:role/source_role_name_2",
          "arn:aws:iam::666666666666:role/source_role_name_3"
        ]
      }
    }
Set up your source account(s) for cross-account access
- Provision an IAM role with the name AIOps-CrossAccountInvestigationRole if you selected the Automatically update the assistant role option to set up the monitoring account. If you used the manual setup option, provision the IAM role with your customized source account role name.
- Attach the Amazon managed policy AIOpsAssistantPolicy to the role in the IAM console.
- The trust policy of the role on the source account looks like this. ExternalId must be specified in the policy; use the monitoring account investigation group ARN as its value.
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": { "AWS": "arn:aws:iam::123456789012:role/investigation-role-name" },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": { "sts:ExternalId": "investigation-group-arn" }
          }
        }
      ]
    }
- This must be done in each of the source accounts.
- If you set up the monitoring account role through the console, the role name of the source account defaults to AIOps-CrossAccountInvestigationRole.
- Confirm access by logging into the monitoring account, navigating to Investigation Group, then Configuration, and then choosing Cross-account setup. Make sure the source account shows up in the cross-account configuration and the status is Linked to monitoring account.
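The two policy shapes used in the monitoring and source account setup above (the monitoring role's sts:AssumeRole permission policy and the source role's trust policy with its ExternalId condition), as an added Python example that is not part of the AWS documentation: it generates both documents for a list of source accounts and checks a deployed policy for the two pitfalls the setup notes call out, source accounts that were removed but still appear in the permission policy, and a source trust policy that is not pinned to the investigation group ARN. Account IDs, role names and ARNs passed in are constructed sample values.

```python
def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]

def monitoring_assume_role_policy(source_accounts, role_name="AIOps-CrossAccountInvestigationRole"):
    """Permission policy for the monitoring-account investigation role:
    sts:AssumeRole on exactly the currently configured source-account roles."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": [f"arn:aws:iam::{a}:role/{role_name}" for a in sorted(source_accounts)],
        }],
    }

def source_trust_policy(monitoring_role_arn, investigation_group_arn):
    """Trust policy for the role in a source account; the ExternalId condition
    pins the trust to one investigation group in the monitoring account."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": monitoring_role_arn},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": investigation_group_arn}},
        }],
    }

def stale_source_accounts(policy, current_accounts):
    """Accounts a deployed permission policy still allows assuming into but that
    are no longer configured as sources (the policy does not shrink on its own)."""
    allowed = set()
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(stmt.get("Action", [])):
            for arn in _as_list(stmt.get("Resource", [])):
                allowed.add(arn.split(":")[4])  # the account-ID field of an IAM ARN
    return sorted(allowed - set(current_accounts))

def trust_pinned_to_group(policy, investigation_group_arn):
    """True only if every Allow statement of a source trust policy requires
    sts:ExternalId equal to the investigation group ARN."""
    for stmt in _as_list(policy["Statement"]):
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if stmt.get("Effect") == "Allow" and cond.get("sts:ExternalId") != investigation_group_arn:
            return False
    return True
```

Run stale_source_accounts against the policy currently attached to the investigation role whenever a source account is removed from the console configuration, since that removal does not rewrite the policy for you.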
Investigating multi-account issues
After you set up OAM or the cross-account dashboard, you can view cross-account telemetry in your monitoring account and start an investigation from it. You must add telemetry from the source account to the investigation in order to investigate that source account.
For detailed information about how to create an investigation, see Investigate operational issues in your environment.