

# Telemetry discovery and enablement
<a name="telemetry-config-cloudwatch"></a>

Amazon CloudWatch telemetry configuration provides a centralized experience to discover and audit the state of telemetry across your Amazon resources, and to create rules that automatically enable telemetry for popular Amazon resource types. You can use telemetry configuration within a single account or across multiple accounts in Amazon Organizations using the management account or a CloudWatch delegated administrator account.

**Topics**
+ [What is telemetry discovery and enablement?](telemetry-config-what-is.md)
+ [Setting up telemetry configuration](telemetry-config-turn-on.md)
+ [Discovering resource telemetry](telemetry-config-view-resources.md)
+ [Telemetry enablement rules](telemetry-config-rules.md)
+ [Troubleshooting telemetry configuration](telemetry-config-troubleshoot.md)
+ [Disabling telemetry configuration](telemetry-config-turn-off.md)

# What is telemetry discovery and enablement?
<a name="telemetry-config-what-is"></a>

CloudWatch telemetry configuration gives you two core capabilities:
+ **Discovery and auditing** – Discover Amazon resources across your account or organization and audit which resources have telemetry enabled. The experience shows the configuration status at the resource-type level and at more granular telemetry-detail levels.
+ **Enablement rules** – Create rules that automatically configure telemetry collection for Amazon resources that match your criteria. Rules help you standardize telemetry collection across your organization or accounts and ensure consistent monitoring coverage.

Telemetry configuration supports the following data sources:
+ Amazon VPC Flow Logs
+ Amazon EKS Control Plane Logs
+ Amazon WAF Logs
+ Amazon Route 53 Resolver Query Logs
+ NLB Access Logs
+ Amazon CloudTrail Data Events and Management Events
+ Amazon Bedrock AgentCore Logs
+ Amazon EC2 Detailed Metrics
+ Amazon Security Hub
+ Amazon Bedrock AgentCore Gateway
+ Amazon Bedrock AgentCore Memory
+ Amazon CloudFront Distribution

When you enable telemetry configuration, CloudWatch creates Amazon Config service-linked configuration recorders that discover resources and their associated telemetry configuration metadata. For more information, see [Configuration Recorder](https://docs.amazonaws.cn/config/latest/developerguide/config-concepts.html#config-recorder) in the Amazon Config Developer Guide.

**Note**  
Amazon Config periodically takes inventory of, or discovers, all the resources in your account as an anti-entropy behavior, regardless of the resource types in scope for your configuration recorders. The inventory includes deleted resources and resources that Amazon Config is not currently recording. This behavior helps maintain data consistency.  
This means that although the service-linked configuration recorder for the CloudWatch telemetry configuration feature is configured to record specific resource types, you might see describe calls from `ConfigResourceCompositionSession` and `AWSConfig-Describe` in Amazon CloudTrail. For more information, see [Non-recorded Resources](https://docs.amazonaws.cn/config/latest/developerguide/select-resources.html#select-resources-non-recorded) in the Amazon Config Developer Guide.

Amazon CloudWatch uses an Amazon Config internal service-linked recorder. You are not charged for the configuration items (CIs) that CloudWatch uses as part of the internal service-linked recorder.

You can manage telemetry configuration across multiple Amazon Regions from a single Region. When you enable multi-Region support, the current Region becomes your home Region and telemetry configuration is replicated to the Regions you select. For more information, see [Setting up telemetry configuration](telemetry-config-turn-on.md).

# Setting up telemetry configuration
<a name="telemetry-config-turn-on"></a>

Use the CloudWatch console to set up telemetry configuration for your Amazon Web Services account or organization. For an organization, as a management account or a CloudWatch delegated administrator account, CloudWatch discovers Amazon resources and provides visibility into the telemetry configurations across all the member accounts in the organization.

Telemetry config remains active until you turn it off. For more information, see [Disabling telemetry configuration](telemetry-config-turn-off.md).

**Topics**
+ [Prerequisites and permissions](#telemetry-config-prerequisites)
+ [Enable telemetry configuration for your account](#telemetry-config-turn-on-account)
+ [Enable telemetry configuration for your organization](telemetry-config-organization.md)
+ [Registering a delegated administrator account for your organization](#telemetry-config-register-administrator)

## Prerequisites and permissions
<a name="telemetry-config-prerequisites"></a>

Before you can configure telemetry for your organization, you need to enable trusted access between Amazon Organizations and CloudWatch. When you enable trusted access, CloudWatch creates a service-linked role named **AWSServiceRoleForObservabilityAdmin** to support resource and telemetry configuration discovery for the organization. The role is created in all member accounts of the organization.

For more information about the service-linked role, see [Service-linked role permissions for CloudWatch telemetry config](using-service-linked-roles.md#service-linked-role-telemetry-config). For more information about Amazon Organizations, see [Amazon CloudWatch and Amazon Organizations](https://docs.amazonaws.cn/organizations/latest/userguide/services-that-can-integrate-cloudwatch.html) in the Amazon Organizations User Guide.

## Enable telemetry configuration for your account
<a name="telemetry-config-turn-on-account"></a>

Configure telemetry for your Amazon Web Services account to monitor telemetry for the Amazon resources in that account. If you have an organization in Amazon Organizations, configure telemetry for your organization instead. For more information, see [Configuring telemetry for your organization](telemetry-config-organization.md#telemetry-config-turn-on-organization).

**To configure telemetry for your Amazon Web Services account**

1. Open the CloudWatch console at [https://console.amazonaws.cn/cloudwatch/](https://console.amazonaws.cn/cloudwatch/).

1. In the navigation pane, choose **Telemetry config**.

1. Choose the **Data Source** tab, and then select **Enable Resource Discovery**. CloudWatch begins discovering Amazon resources in your account. As CloudWatch discovers resources, it updates information on the **Overview** page.
**Note**  
The delay before resources appear on the **Overview** page depends on the number of resources in your account.

### Enabling across Regions
<a name="telemetry-config-account-multi-region"></a>

You can extend telemetry configuration to multiple Amazon Regions from a single Region. When you enable multi-Region support, the current Region becomes your *home Region*. Telemetry configuration is replicated to the Regions you select.

**To enable telemetry configuration across Regions for your account (initial setup)**

1. Open the CloudWatch console at [https://console.amazonaws.cn/cloudwatch/](https://console.amazonaws.cn/cloudwatch/).

1. In the navigation pane, choose **Settings**, and then choose the **Account** tab.

1. In the **CloudWatch telemetry config** section on the **Global** tab, the status shows **Off**. When multi-Region is enabled, a **Target regions** selector appears inline below the status.

1. Use the **All regions** toggle to include all Regions, or use the multiselect dropdown to choose individual Regions. The current Region is always included automatically and is not shown in the selector.

1. Choose **Turn on**.

1. After telemetry configuration is turned on, a **Region status** table appears showing the per-Region evaluation status.

**To reconfigure Regions (telemetry already running)**

1. Open the CloudWatch console at [https://console.amazonaws.cn/cloudwatch/](https://console.amazonaws.cn/cloudwatch/).

1. In the navigation pane, choose **Settings**, and then choose the **Account** tab.

1. In the **CloudWatch telemetry config** section, choose **Configure regions**. The **Target regions** selector appears inline, pre-populated with the currently configured Regions.

1. Modify the Region selection as needed, and then choose **Save**.

If you select **All regions**, new Regions are automatically included when you opt in to them. The system periodically reconciles configuration across Regions to correct any drift.

# Enable telemetry configuration for your organization
<a name="telemetry-config-organization"></a>

To turn on telemetry configuration for your organization, you must use an Amazon Organizations management account or a delegated administrator account. CloudWatch uses this account to discover your organization's Amazon resources and configure their telemetry.

Before you can configure telemetry for your organization, you need to enable trusted access between Amazon Organizations and CloudWatch. For more information, see [Prerequisites and permissions](telemetry-config-turn-on.md#telemetry-config-prerequisites).

**To turn on telemetry auditing for your organization**

1. Open the CloudWatch console at [https://console.amazonaws.cn/cloudwatch/](https://console.amazonaws.cn/cloudwatch/).

1. In the navigation pane, choose **Settings**.

1. Choose the **Organizations** tab.

1. On the **CloudWatch** settings page, in the **Organizational settings management** pane, choose **Turn on trusted access**. The **Turn on trusted access** page appears.

   To review the role policy, choose **View permission details** and the role policy appears in a window. Confirm that you want to provide these permissions to the management account by choosing **Turn on trusted access**.

1. Under **Manage Settings**, on the **Organizations** tab, in the **CloudWatch Telemetry Config** block, choose **Turn on**.

1. After Telemetry config is turned on for the organization, a notification appears. On the notification, choose **Go to Telemetry config**. The Telemetry Configuration experience can be accessed on the **Ingestion** page, and CloudWatch begins discovering Amazon resources in the organization. As CloudWatch discovers resources, it updates information on the **Telemetry config** page.
**Note**  
The time delay before resources appear on the **Telemetry config** page depends on the number of member accounts and resources in your organization or account.

## Configuring telemetry for your organization
<a name="telemetry-config-turn-on-organization"></a>

Configure telemetry for Amazon Organizations to monitor the telemetry for the Amazon resources across all your member accounts. This also configures the telemetry for individual accounts. You can also configure telemetry for only your account. For more information, see [Enable telemetry configuration for your account](telemetry-config-turn-on.md#telemetry-config-turn-on-account).

You can disable trusted access across all your member accounts. For more information, see [Turning off trusted access for Amazon Organizations](telemetry-config-turn-on.md#telemetry-config-turn-off-trusted-access).

**To configure telemetry auditing for your organization**

1. Open the CloudWatch console at [https://console.amazonaws.cn/cloudwatch/](https://console.amazonaws.cn/cloudwatch/).

1. In the navigation pane, choose **Ingestion**.

1. Choose **Data sources**, and then choose the **Enable Resource Discovery** button. CloudWatch begins discovering Amazon resources in your organization. As CloudWatch discovers resources, it updates information on the **Overview** page.
**Note**  
The delay before resources appear on the **Overview** page depends on the number of member accounts and resources in your organization.

## Enabling across Regions
<a name="telemetry-config-org-multi-region"></a>

You can extend telemetry configuration to multiple Amazon Regions from a single Region for your entire organization. When you enable multi-Region support, the current Region becomes your *home Region*. Telemetry configuration is replicated to the Regions you select for all member accounts.

**To enable telemetry configuration across Regions for your organization (initial setup)**

1. Open the CloudWatch console at [https://console.amazonaws.cn/cloudwatch/](https://console.amazonaws.cn/cloudwatch/).

1. In the navigation pane, choose **Settings**, and then choose the **Organizations** tab.

1. In the **CloudWatch telemetry config** section on the **Global** tab, the status shows **Off**. When multi-Region is enabled, a **Target regions** selector appears inline below the status.

1. Use the **All regions** toggle to include all Regions, or use the multiselect dropdown to choose individual Regions. The current Region is always included automatically and is not shown in the selector.

1. Choose **Turn on**.

1. After telemetry configuration is turned on, a **Region status** table appears showing the per-Region evaluation status.

**To reconfigure Regions for your organization (telemetry already running)**

1. Open the CloudWatch console at [https://console.amazonaws.cn/cloudwatch/](https://console.amazonaws.cn/cloudwatch/).

1. In the navigation pane, choose **Settings**, and then choose the **Organizations** tab.

1. In the **CloudWatch telemetry config** section, choose **Configure regions**. The **Target regions** selector appears inline, pre-populated with the currently configured Regions.

1. Modify the Region selection as needed, and then choose **Save**.

If you select **All regions**, new Regions are automatically included when you opt in to them. The system periodically reconciles configuration across Regions to correct any drift.

## Registering a delegated administrator account for your organization
<a name="telemetry-config-register-administrator"></a>

A delegated administrator account is a member account that shares administrator access for service-managed permissions. The account that you register as a delegated administrator must be in your organization. A delegated administrator account for your organization can be used outside of CloudWatch, so make sure that you understand this account type before you follow this procedure. For more information, see [Amazon CloudWatch and Amazon Organizations](https://docs.amazonaws.cn/organizations/latest/userguide/services-that-can-integrate-cloudwatch.html) in the Amazon Organizations User Guide.

To remove or change the delegated administrator account, deregister the account first. For more information, see [Deregistering a delegated administrator account](#telemetry-config-deregister-administrator).

**To register a delegated administrator account**

1. Open the CloudWatch console at [https://console.amazonaws.cn/cloudwatch/](https://console.amazonaws.cn/cloudwatch/).

1. In the navigation pane, choose **Settings**.

1. Choose the **Organization** tab.

1. In the **Organizational settings management** pane, choose **Register delegated administrator**.

1. In the **Register delegated administrator** dialog, for **Delegated administrator account ID**, enter the 12-digit account ID for an organization member account.

1. Choose **Register delegated administrator**. At the top of the **CloudWatch settings** page, a message appears indicating the account was registered successfully. To see information about the delegated administrator account, select the number below **Delegated administrators**.

### Deregistering a delegated administrator account
<a name="telemetry-config-deregister-administrator"></a>

Deregister the delegated administrator account before turning off trusted access for Amazon Organizations. You can also deregister a delegated administrator account if it no longer has access to the appropriate Amazon resources for telemetry configuration, or to choose a different member account to be the delegated administrator. After deregistration, the account can no longer perform account management tasks for Amazon Organizations. For more information, see [Amazon CloudWatch and Amazon Organizations](https://docs.amazonaws.cn/organizations/latest/userguide/services-that-can-integrate-cloudwatch.html) in the Amazon Organizations User Guide.

**To deregister the delegated administrator account**

1. Open the CloudWatch console at [https://console.amazonaws.cn/cloudwatch/](https://console.amazonaws.cn/cloudwatch/).

1. In the navigation pane, choose **Settings**.

1. On the **Organization** tab, choose **Deregister**.

1. On the **Deregister delegated administrator** page, choose **Deregister**.

To register an account as a delegated administrator, see [Registering a delegated administrator account for your organization](#telemetry-config-register-administrator).

### Turning off trusted access for Amazon Organizations
<a name="telemetry-config-turn-off-trusted-access"></a>

Trusted access extends the functionality of the management account in Amazon Organizations to other Amazon services. When you turn off trusted access, trusted access between your organization and all Amazon services—not just CloudWatch—will stop.

If you no longer want trusted access turned on for your organization, you can turn it off. For more information, see [Amazon CloudWatch and Amazon Organizations](https://docs.amazonaws.cn/organizations/latest/userguide/services-that-can-integrate-cloudwatch.html) in the Amazon Organizations User Guide.

**Note**  
Before turning off trusted access for an organization, deregister the delegated administrator account. For more information, see [Deregistering a delegated administrator account](#telemetry-config-deregister-administrator).

**To turn off trusted access for Amazon Organizations**

1. Open the CloudWatch console at [https://console.amazonaws.cn/cloudwatch/](https://console.amazonaws.cn/cloudwatch/).

1. In the navigation pane, choose **Settings**.

1. Choose the **Organization** tab.

1. In the **Organizational Management Settings** section, select **Turn off**.

# Discovering resource telemetry
<a name="telemetry-config-view-resources"></a>

The telemetry configuration experience displays Amazon resources in two places: as an overview on the **Ingestion – Data sources** page and in detail on the **Discovered resources** page.

**Topics**
+ [Viewing data sources](#telemetry-config-view-data-sources)
+ [Viewing discovered resources](#telemetry-config-view-discovered)
+ [Filtering and preferences](#telemetry-config-filter-resource-view)

## Viewing data sources
<a name="telemetry-config-view-data-sources"></a>

The **Ingestion – Data sources** page shows the Amazon resources that you can send to CloudWatch. For specific resource types, it shows the percentage of resources with telemetry configured and the total number of resources detected. You can filter the display of resources on the **Data source** tab by account ID or by the tags applied to your resources.

**To view resources on the Ingestion page**

1. Open the CloudWatch console at [https://console.amazonaws.cn/cloudwatch/](https://console.amazonaws.cn/cloudwatch/).

1. In the navigation pane, choose **Ingestion**.

1. The **Ingestion** page shows the total number of each resource that was discovered by CloudWatch, the number of resources providing telemetry, and the percentage of discovered resources that are providing telemetry.

1. To see recent changes to resources, choose **Refresh**.

## Viewing discovered resources
<a name="telemetry-config-view-discovered"></a>

The **Discovered resources** page shows details about each Amazon resource that has been discovered by telemetry configuration, including the resource ID, the type of telemetry each resource is providing, and the time when information about the resource was last refreshed.

For each Amazon resource tracked by CloudWatch, the **Discovered resources** page shows the status of its telemetry by providing the following information:
+ For telemetry types that CloudWatch detects that the resource is sending to CloudWatch, the **Discovered resources** page shows **On**.
+ For telemetry types that CloudWatch detects the resource is not providing, the **Discovered resources** page shows **Off**.
+ For telemetry types that are not supported for a resource, the **Discovered resources** page shows **NS**, that is, not supported.

**To view resources on the Discovered resources page**

1. Open the CloudWatch console at [https://console.amazonaws.cn/cloudwatch/](https://console.amazonaws.cn/cloudwatch/).

1. In the navigation pane, choose **Ingestion**.

1. Do one of the following to view all resource types discovered by telemetry configuration or to view one resource type:

   1. To view all resources that have been discovered by CloudWatch, click **View data sources**. The **Discovered resources** page appears and shows all resources discovered.

   1. To view one resource type, click the name of the Amazon resource type on the **Ingestion > Data sources** page. The **Discovered resources** page appears with a filter applied for that data source, and it displays all discovered resources of that resource type.

1. On the **Discovered resources** page, to view information about the resource or to change its telemetry settings, click the resource ID. The console page for the Amazon resource opens. Navigate to the configuration setting there and turn the configuration on or off.
**Note**  
You can only view a resource on its console page if the resource belongs to your account. To determine if the resource belongs to your account, check the **Amazon Web Services account** column. If the **Amazon Web Services account** column does not appear, change your **Discovered resources** page preferences. For more information, see [Changing preferences for the Discovered resources page](#telemetry-config-resource-view-prefs).

### Viewing resources across Regions
<a name="telemetry-config-view-multi-region"></a>

When multi-Region support is active, the **Discovered resources** page includes a **Region** column. You can filter resources by Region to focus on specific Regions.

CloudWatch uses an Amazon Config aggregator to collect resource data across Regions. Because of this, there may be a short delay before resources from spoke Regions appear in the home Region view.

## Filtering and preferences
<a name="telemetry-config-filter-resource-view"></a>

You can use one or more filters on the **Ingestion > Data Sources** page and the **Discovered resources** page to change your view of the resources. Your filter settings persist across both pages.

**To filter resources on the Data Sources page**

1. Open the CloudWatch console at [https://console.amazonaws.cn/cloudwatch/](https://console.amazonaws.cn/cloudwatch/).

1. In the navigation pane, choose **Ingestion**, and then choose **Data sources**.

1. You can filter the discovered resources that are displayed on the page by specifying an account ID or tag value.

   1. Choose **Find resource**.

   1. Choose **Account ID** or **Tag value**, and then choose additional options for the filter. Statistics about telemetry coverage for each resource change based on your filter options.

1. To remove a filter, in the filter text box, choose **X**.

**To filter resources on the Discovered resources page**

1. Open the CloudWatch console at [https://console.amazonaws.cn/cloudwatch/](https://console.amazonaws.cn/cloudwatch/).

1. In the navigation pane, choose **Ingestion**.

1. To view all resource types discovered by telemetry configuration or to view one resource type, do one of the following:

   1. To view all resources discovered by CloudWatch, choose **View data sources**. The **Discovered resources** page appears and shows all resources discovered.

   1. To view one resource type, at the bottom of the page, choose a type of Amazon resource. The **Discovered resources** page appears. The **Discovered resources** page filters all discovered resources for that resource type.

1. You can filter the resources displayed in the page based on any of the columns in the page. You can change the columns in the page by changing your preferences for the **Discovered resources** page. For more information, see the preferences procedure below.

   1. Choose **Find resource**. Filters for each column in the page appear. Choose one, then choose additional options to define the filter. Resources appear in the page that match the filter settings.

   1. To further filter the resources displayed in the page, choose **Find resources** again, choose another filter, and choose additional options. Resources appear in the page that match all of the filter settings.

1. To remove one of the filters, in the filter text box, choose **X**.

1. To remove all of the filters and see all resource types discovered, choose **Clear filters**.

### Changing preferences for the Discovered resources page
<a name="telemetry-config-resource-view-prefs"></a>

You can change your preferences for the **Discovered resources** page to control how many resources appear per page and which detailed metrics appear in the page. Only detailed metrics in view can be used to filter the resources displayed in the discovered resources page. For more information, see [Filtering and preferences](#telemetry-config-filter-resource-view).

1. Open the CloudWatch console at [https://console.amazonaws.cn/cloudwatch/](https://console.amazonaws.cn/cloudwatch/).

1. In the navigation pane, choose **Ingestion**, and then choose the **Data sources** tab.

1. Choose **Discovered resources**. The **Discovered resources** page appears.

1. Choose the gear icon.

1. In the **Preferences** dialog box, choose the number of resources per page and the visible content to show as columns.

1. Choose **Confirm**.

# Telemetry enablement rules
<a name="telemetry-config-rules"></a>

You can create telemetry enablement rules to automatically configure telemetry collection for your Amazon resources. Rules help you standardize telemetry collection across your organization or accounts and ensure consistent monitoring coverage.

**Topics**
+ [How rules work](#telemetry-config-rules-behavior)
+ [Creating a telemetry enablement rule](#telemetry-config-rules-create)
+ [Managing telemetry rules](#telemetry-config-rules-manage)
+ [Supported data sources](#telemetry-config-troubleshoot-service)

## How rules work
<a name="telemetry-config-rules-behavior"></a>

Telemetry configuration follows specific patterns when evaluating and applying rules.

### Rule evaluation hierarchy
<a name="telemetry-config-rules-hierarchy"></a>

Enablement rules are evaluated according to a hierarchical pattern. Organizational rules are evaluated first, then rules that apply to organizational units (OUs), and finally rules that apply to individual accounts. Rules at the organizational level provide the baseline required telemetry for your organization. Rules at the OU and account level can collect additional telemetry data, but they cannot collect less telemetry data. If such a rule is created, it will create a rule conflict.

Within each scope (organization, OU, or account), rules must maintain uniqueness based on their resource type, telemetry type, and destination configuration. Duplicate rules trigger a conflict exception. If the same rule exists in different scopes, such as an organization level rule for Amazon VPC Flow logs to CloudWatch and an OU level rule for Amazon VPC Flow logs, the rule higher in the hierarchy is applied. However, if there are multiple conflicting rules, none of the rules are applied.

When multiple rules apply to the same resource, telemetry configuration resolves conflicts using these priorities:

1. Organizational-level rules take precedence over account-level rules

1. More specific tag matches take precedence over general rules

1. If there are multiple conflicting rules, none of the rules are applied. You must resolve the conflicts first.
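To check a planned rule set against the uniqueness and hierarchy behavior described above before creating any rules, the following added example (not code from this documentation or from the service) models that behavior: within one scope a rule is unique by resource type, telemetry type and destination, a duplicate within a scope is a conflict for which nothing is applied, and the same rule in several scopes resolves to the one highest in the hierarchy. The rule dictionaries, scope identifiers and resource type strings are assumed shapes and constructed values, and the model does not cover the separate "cannot collect less than the organization baseline" constraint.

```python
"""Pre-flight conflict check for a planned set of telemetry enablement rules.

Model of the behaviour described in this section, assumed rather than the
service's own logic.
"""
from collections import defaultdict

# Evaluation order: organization first, then organizational units, then accounts.
SCOPE_RANK = {"organization": 0, "ou": 1, "account": 2}


def rule_key(rule):
    """Uniqueness key of a rule within a scope."""
    return (rule["resource_type"], rule["telemetry_type"], rule["destination"])


def evaluate_rules(rules):
    """Return (effective, conflicts).

    effective maps a rule key to the name of the rule that would be applied.
    conflicts maps a rule key to the names of rules that collide within one
    scope; nothing is applied for that key until the conflict is resolved.
    """
    by_key = defaultdict(list)
    for rule in rules:
        if rule["scope"] not in SCOPE_RANK:
            raise ValueError(f"unknown scope {rule['scope']!r} in rule {rule['name']!r}")
        by_key[rule_key(rule)].append(rule)

    effective, conflicts = {}, {}
    for key, candidates in by_key.items():
        # Group the candidates by concrete scope (level plus the OU or account id).
        per_scope = defaultdict(list)
        for rule in candidates:
            per_scope[(rule["scope"], rule.get("scope_id"))].append(rule["name"])
        duplicates = [names for names in per_scope.values() if len(names) > 1]
        if duplicates:
            conflicts[key] = sorted(name for names in duplicates for name in names)
            continue
        # Same rule in different scopes: the highest level in the hierarchy wins.
        winner = min(candidates, key=lambda r: SCOPE_RANK[r["scope"]])
        effective[key] = winner["name"]
    return effective, conflicts


# Constructed planned rule set (hypothetical names, OU and account ids).
PLANNED_RULES = [
    {"name": "org-vpc-flow-logs", "scope": "organization", "scope_id": "o-example",
     "resource_type": "AWS::EC2::VPC", "telemetry_type": "Logs",
     "destination": "cloudwatch-logs"},
    # Same rule as the organization baseline, one level down: the org rule applies.
    {"name": "ou-prod-vpc-flow-logs", "scope": "ou", "scope_id": "ou-prod",
     "resource_type": "AWS::EC2::VPC", "telemetry_type": "Logs",
     "destination": "cloudwatch-logs"},
    # Two identical rules in the same account scope: a conflict, nothing applied.
    {"name": "acct-eks-control-plane", "scope": "account", "scope_id": "111111111111",
     "resource_type": "AWS::EKS::Cluster", "telemetry_type": "Logs",
     "destination": "cloudwatch-logs"},
    {"name": "acct-eks-control-plane-dup", "scope": "account", "scope_id": "111111111111",
     "resource_type": "AWS::EKS::Cluster", "telemetry_type": "Logs",
     "destination": "cloudwatch-logs"},
]

if __name__ == "__main__":
    effective, conflicts = evaluate_rules(PLANNED_RULES)
    for key, name in effective.items():
        print("apply   ", key, "->", name)
    for key, names in conflicts.items():
        print("conflict", key, "->", ", ".join(names))
```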

### Rule behavior on updates
<a name="telemetry-config-rules-updates"></a>

If you update an enablement rule, only new resources that match the rule adopt the updated configuration. The existing telemetry settings remain unchanged for existing resources. If a resource becomes non-compliant with an existing rule due to manual deletion of telemetry data, the new enablement rule is adopted once the resource is brought back into compliance.

For Amazon VPC Flow logs, telemetry config only creates new flow logs for resources that match the rule scope. It does not delete or impact previously established Amazon VPC Flow logs, even if they differ from current rule parameters. For CloudWatch Logs, existing log groups are maintained provided they match the resource pattern.

### Integration with Amazon Config
<a name="telemetry-config-automated"></a>

CloudWatch telemetry auditing and configuration integrates with Amazon Config to automatically discover resources that match your enablement rule and apply it to your telemetry data collection. When you create an enablement rule, the telemetry configuration creates a corresponding Amazon Config recorder. This recorder includes configuration items for the specific resource types you define in the enablement rule.

Amazon CloudWatch uses an Amazon Config internal service-linked recorder. You are not charged for the configuration items (CIs) that CloudWatch uses as part of the internal service-linked recorder.

**Note**  
When you create an enablement rule, we discover non-compliant resources (those without telemetry enabled) through Amazon Config Configuration Items (CIs) before turning them on based on your enablement rule scope. The initial discovery of the resources may take up to 24 hours to complete in some cases.

Telemetry config uses Amazon Config to:
+ Discover resources across your organization or accounts
+ Track telemetry configuration changes

### Rules across Regions
<a name="telemetry-config-rules-multi-region"></a>

When you create a rule with target Regions, the current Region becomes the *home Region* for that rule. The rule is automatically replicated to the spoke Regions you select.

Key concepts for multi-Region rules:
+ Replicated rules cannot be edited or deleted in spoke Regions. You must navigate to the home Region to modify or remove them.
+ If you select **All regions**, new Regions are automatically included when you opt in to them.
+ The system periodically reconciles rules across Regions to correct any drift between the home Region and spoke Regions.
+ Tags applied to rules in the home Region are replicated to spoke Regions.

When a replicated rule is created, updated, or deleted in a spoke Region, Amazon CloudTrail records an `AwsServiceEvent` in the spoke Region. These events are logged with `observabilityadmin.amazonaws.com` as the invoking service and include the rule ARN in the spoke Region. You can use these events to audit multi-Region rule replication activity.

The following is an example Amazon CloudTrail event recorded when a replicated rule is created in a spoke Region:

```json
{
    "eventVersion": "1.11",
    "userIdentity": {
        "accountId": "123456789012",
        "invokedBy": "observabilityadmin.amazonaws.com"
    },
    "eventTime": "2026-04-06T19:50:37Z",
    "eventSource": "observabilityadmin.amazonaws.com",
    "eventName": "CreateTelemetryRule",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "observabilityadmin.amazonaws.com",
    "userAgent": "observabilityadmin.amazonaws.com",
    "requestParameters": null,
    "responseElements": null,
    "eventID": "435d6da2-d099-4775-8944-1e039418de6f",
    "readOnly": false,
    "resources": [
        {
            "accountId": "123456789012",
            "type": "AWS::ObservabilityAdmin::TelemetryRule",
            "ARN": "arn:aws:observabilityadmin:us-east-1:123456789012:telemetry-rule/my-multi-region-rule"
        }
    ],
    "eventType": "AwsServiceEvent",
    "managementEvent": true,
    "recipientAccountId": "123456789012",
    "eventCategory": "Management"
}
```

The `eventName` field reflects the operation performed on the replicated rule: `CreateTelemetryRule`, `UpdateTelemetryRule`, or `DeleteTelemetryRule`. The `eventType` is always `AwsServiceEvent` because the operation is performed by the ObservabilityAdmin service on behalf of the customer, not by a direct customer API call.
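The following is an added example, not code from the CloudWatch documentation, that audits a batch of CloudTrail records for telemetry-rule replication activity. It separates replicated changes (an `AwsServiceEvent` with `userIdentity.invokedBy` set to `observabilityadmin.amazonaws.com`) from direct API calls made in the home Region, reports the latest replication operation per rule and spoke Region, and flags deletions because they reduce coverage in that Region. The records are constructed from the event shape shown above; the `sourceIPAddress` and `readOnly` values on the direct-call records are illustrative.

```python
"""Audit CloudTrail records for multi-Region telemetry-rule replication activity.

Added example, not code from the CloudWatch documentation. The sample records are
constructed from the AwsServiceEvent shape shown in the documentation.
"""
import json
from collections import defaultdict

OBSERVABILITY_ADMIN = "observabilityadmin.amazonaws.com"
RULE_MUTATIONS = {"CreateTelemetryRule", "UpdateTelemetryRule", "DeleteTelemetryRule"}
RULE_ARN = "arn:aws:observabilityadmin:{region}:123456789012:telemetry-rule/my-multi-region-rule"


def _record(event_name, region, event_type, time, invoked_by=None, **extra):
    """Build one constructed CloudTrail record (helper for the sample data only)."""
    identity = {"accountId": "123456789012"}
    if invoked_by:
        identity["invokedBy"] = invoked_by
    rec = {
        "eventVersion": "1.11", "userIdentity": identity, "eventTime": time,
        "eventSource": OBSERVABILITY_ADMIN, "eventName": event_name, "awsRegion": region,
        "eventType": event_type, "managementEvent": True, "recipientAccountId": "123456789012",
        "resources": [{"accountId": "123456789012", "type": "AWS::ObservabilityAdmin::TelemetryRule",
                       "ARN": RULE_ARN.format(region=region)}],
    }
    rec.update(extra)
    return rec


# Constructed sample batch: two spoke-Region creates, a direct update in the home
# Region (us-west-2), a spoke-Region delete, and two records that must be ignored.
SAMPLE_BATCH = json.dumps({"Records": [
    _record("CreateTelemetryRule", "us-east-1", "AwsServiceEvent", "2026-04-06T19:50:37Z", OBSERVABILITY_ADMIN),
    _record("CreateTelemetryRule", "eu-west-1", "AwsServiceEvent", "2026-04-06T19:50:41Z", OBSERVABILITY_ADMIN),
    _record("UpdateTelemetryRule", "us-west-2", "AwsApiCall", "2026-04-06T20:10:02Z",
            sourceIPAddress="203.0.113.7"),
    _record("ListTelemetryRules", "us-west-2", "AwsApiCall", "2026-04-06T20:11:00Z", readOnly=True),
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeVpcs", "awsRegion": "us-west-2",
     "eventType": "AwsApiCall", "eventTime": "2026-04-06T20:12:00Z"},
    _record("DeleteTelemetryRule", "us-east-1", "AwsServiceEvent", "2026-04-06T20:30:15Z", OBSERVABILITY_ADMIN),
]})


def classify(record):
    """Return 'replicated', 'direct', or None when the record is not a rule mutation."""
    if record.get("eventSource") != OBSERVABILITY_ADMIN or record.get("eventName") not in RULE_MUTATIONS:
        return None
    invoked_by = record.get("userIdentity", {}).get("invokedBy")
    if record.get("eventType") == "AwsServiceEvent" and invoked_by == OBSERVABILITY_ADMIN:
        return "replicated"
    return "direct"


def rule_name(record):
    """Rule name is the last path segment of the telemetry-rule ARN."""
    return record["resources"][0]["ARN"].rsplit("telemetry-rule/", 1)[1]


def extract_events(batch_json):
    """Parse a CloudTrail batch and keep only telemetry-rule mutations, oldest first."""
    events = []
    for rec in json.loads(batch_json)["Records"]:
        kind = classify(rec)
        if kind is None:
            continue
        events.append({"kind": kind, "op": rec["eventName"], "region": rec["awsRegion"],
                       "rule": rule_name(rec), "time": rec["eventTime"]})
    return sorted(events, key=lambda e: e["time"])


def replication_state(events):
    """Latest replication operation seen per rule and spoke Region."""
    state = defaultdict(dict)
    for e in events:
        if e["kind"] == "replicated":
            state[e["rule"]][e["region"]] = e["op"]
    return {rule: dict(regions) for rule, regions in state.items()}


def home_regions(events):
    """(rule, Region) pairs changed by a direct API call; replication never originates there."""
    return {(e["rule"], e["region"]) for e in events if e["kind"] == "direct"}


def coverage_losses(events):
    """Deletes remove telemetry coverage in that Region and deserve review."""
    return [e for e in events if e["op"] == "DeleteTelemetryRule"]


if __name__ == "__main__":
    evs = extract_events(SAMPLE_BATCH)
    print("replication state:", replication_state(evs))
    print("home Regions:", home_regions(evs))
    for loss in coverage_losses(evs):
        print(f"review: {loss['rule']} deleted in {loss['region']} at {loss['time']}")
```

Run against real trail output by replacing `SAMPLE_BATCH` with the contents of a CloudTrail log file. The `classify` check deliberately requires both `eventType == "AwsServiceEvent"` and the `invokedBy` value, so a direct `DeleteTelemetryRule` call by a principal is reported as a home-Region change rather than mistaken for replication.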

## Creating a telemetry enablement rule
<a name="telemetry-config-rules-create"></a>

When you create a telemetry enablement rule, you specify:
+ The scope of the rule (organization, organizational unit, or account)
+ The resource types the rule applies to
+ The telemetry types to enable (metrics, logs, or traces)
+ Optional tags to filter which resources the rule affects
+ Optional target Regions to replicate the rule across multiple Regions

**To create a telemetry enablement rule**

1. Open the CloudWatch console at [https://console.amazonaws.cn/cloudwatch/](https://console.amazonaws.cn/cloudwatch/).

1. In the navigation pane, choose **Telemetry config**.

1. Choose the **Enablement rules** tab.

1. Choose **Add rule**.

1. For **Rule name**, enter a name for your rule.

1. For **Rule scope**, choose one of the following:
   + **Organization** – Rule applies across your entire organization in Amazon Organizations
   + **Organizational unit** – Rule applies to a specific OU
   + **Account** – Rule applies to a single account

1. For **Data source**, select the Amazon service to configure.

1. For **Telemetry type**, select the types of telemetry to enable.

1. (Optional) Add tags to filter which resources the rule affects.

1. (Optional) For **Target regions**, select the Regions where you want this rule to apply. The current Region is automatically designated as the home Region for the rule. If you select **All regions**, new Regions are automatically included when you opt in to them.

1. Choose **Create rule**.

## Managing telemetry rules
<a name="telemetry-config-rules-manage"></a>

After creating rules, you can edit or delete them. You can also view which resources each rule affects and monitor rule compliance.

**To manage an existing rule**

1. Open the CloudWatch console at [https://console.amazonaws.cn/cloudwatch/](https://console.amazonaws.cn/cloudwatch/).

1. In the navigation pane, choose **Telemetry config**.

1. Choose the **Enablement rules** tab.

1. Select a rule to view its details or choose one of these actions:
   + **Edit rule** – Modify rule settings
   + **Delete** – Remove the rule

### Managing replicated rules
<a name="telemetry-config-rules-manage-replicated"></a>

When you view a replicated rule in a spoke Region, the console displays an informational alert indicating that the rule was replicated from another Region. The **Edit rule** and **Delete** actions are disabled for replicated rules in spoke Regions.

To edit or delete a replicated rule, navigate to the home Region where the rule was originally created. The home Region is displayed in the informational alert.

You can add or modify tags on replicated rules in spoke Regions. Tag changes made in spoke Regions apply only to the local copy of the rule and are not replicated back to the home Region.

## Supported data sources
<a name="telemetry-config-troubleshoot-service"></a>

The following data sources are supported by telemetry enablement rules. Each data source has specific behavior and configuration considerations.

**Amazon VPC Flow Logs**  
When creating flow logs:  
+ Uses the default log group pattern `/aws/vpc/<vpc-id>` if none is specified
+ Existing customer-created flow logs are preserved
+ Rule updates only affect new flow logs
+ You can use the `<vpc-id>` and `<account-id>` macros in the pattern to split log groups by VPC or by account
+ CloudWatch does not create flow logs for VPCs that are already ingesting logs to CloudWatch Logs

**Amazon EKS Control Plane Logs**  
When enabling control plane logging:  
+ Uses the default CloudWatch log group pattern `/aws/eks/<cluster-name>/cluster`. Amazon EKS creates one log group per cluster automatically.
+ Rule updates only affect new clusters and existing clusters that do not yet have the scoped log types enabled
+ Can enable specific log types: `api`, `audit`, `authenticator`, `controllerManager`, `scheduler`

**Amazon WAF Web ACL Logs**  
When creating WAF logs:  
+ Uses the default CloudWatch log group pattern and always prefixes the log group name with `aws-waf-logs-`
+ Rule updates only affect new web ACLs and existing web ACLs that do not have logging to CloudWatch Logs enabled
+ CloudWatch does not enable logs for web ACLs that are already ingesting logs to CloudWatch Logs

**Amazon Route 53 Resolver Logs**  
When enabling resolver query logging:  
+ Uses the default CloudWatch log group pattern `/aws/route53resolver` if none is specified
+ You can use the `<account-id>` macro in the pattern to split log groups by account
+ CloudWatch does not create resolver query logs for VPCs that are already ingesting logs to CloudWatch Logs
+ Enablement rules configure Route 53 query logging for your VPCs based on the rule scope. CloudWatch does not discover Route 53 Profiles and related configurations.
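The following added example, not code from the CloudWatch documentation, is a dry-run planner for the two VPC-scoped data sources above (Amazon VPC Flow Logs and Route 53 Resolver query logs). It expands the `<vpc-id>` and `<account-id>` macros in a destination pattern, rejects macros the service does not define, falls back to the default pattern when none is given, and skips VPCs that already deliver that data source to CloudWatch Logs so their customer-created configuration is preserved. The VPC inventory and existing-delivery records are constructed; the exact form `/aws/vpc/<vpc-id>` for the flow log default is an assumption that matches the page's macro syntax.

```python
"""Dry-run planner for log-destination patterns used by VPC-scoped enablement rules.

Added example, not code from the CloudWatch documentation. Models the documented
behaviour: macro expansion, default pattern fallback, and skipping VPCs that already
deliver the data source to CloudWatch Logs.
"""
import re

DEFAULT_PATTERNS = {
    "vpc-flow-logs": "/aws/vpc/<vpc-id>",                   # assumed exact form
    "route53-resolver-query-logs": "/aws/route53resolver",  # as stated in the text
}
MACRO_RE = re.compile(r"<([a-z-]+)>")
SUPPORTED_MACROS = {"vpc-id", "account-id"}


def expand_pattern(pattern, vpc_id, account_id):
    """Substitute macros; reject any macro the service does not define (e.g. <cluster-name>)."""
    unknown = set(MACRO_RE.findall(pattern)) - SUPPORTED_MACROS
    if unknown:
        raise ValueError(f"unsupported macro(s) in pattern: {sorted(unknown)}")
    values = {"vpc-id": vpc_id, "account-id": account_id}
    return MACRO_RE.sub(lambda m: values[m.group(1)], pattern)


def plan(data_source, vpcs, existing, pattern=None):
    """Return one action per VPC: create a delivery, or skip a VPC that is already covered.

    Only an existing delivery to CloudWatch Logs counts as coverage; a VPC whose flow
    log goes to S3 alone is still a candidate for a new CloudWatch Logs delivery.
    """
    pattern = pattern or DEFAULT_PATTERNS[data_source]
    covered = {e["vpc_id"] for e in existing
               if e["data_source"] == data_source and e["destination"] == "cloud-watch-logs"}
    actions = []
    for vpc in vpcs:
        if vpc["vpc_id"] in covered:
            actions.append({"vpc_id": vpc["vpc_id"], "action": "skip",
                            "reason": "already delivering to CloudWatch Logs; existing config preserved"})
        else:
            actions.append({"vpc_id": vpc["vpc_id"], "action": "create",
                            "log_group": expand_pattern(pattern, vpc["vpc_id"], vpc["account_id"])})
    return actions


# Constructed inventory: three VPCs across two accounts.
VPCS = [
    {"vpc_id": "vpc-0a1b2c3d4e5f60001", "account_id": "111111111111"},
    {"vpc_id": "vpc-0a1b2c3d4e5f60002", "account_id": "111111111111"},
    {"vpc_id": "vpc-0a1b2c3d4e5f60003", "account_id": "222222222222"},
]
# Constructed existing deliveries: one flow log to S3 only, one flow log to CloudWatch Logs.
EXISTING = [
    {"vpc_id": "vpc-0a1b2c3d4e5f60002", "data_source": "vpc-flow-logs", "destination": "s3"},
    {"vpc_id": "vpc-0a1b2c3d4e5f60003", "data_source": "vpc-flow-logs", "destination": "cloud-watch-logs"},
]

if __name__ == "__main__":
    for action in plan("vpc-flow-logs", VPCS, EXISTING):
        print("flow logs:", action)
    # Per-account resolver log groups: the same VPCs, split by the <account-id> macro.
    for action in plan("route53-resolver-query-logs", VPCS, EXISTING, "/aws/route53resolver/<account-id>"):
        print("resolver logs:", action)
```

The dry run shows the point a practitioner should check before a wide rollout: the VPC whose only flow log goes to S3 is planned for a second, CloudWatch Logs delivery, because the text exempts only VPCs already ingesting to CloudWatch Logs. Confirm that against the rule's actual behaviour on a single VPC before scoping it to an OU or organization.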

**NLB Access Logs**  
When enabling access logs:  
+ Uses the default CloudWatch log group pattern with the prefix `/aws/nlb/access-logs` if none is specified
+ CloudWatch does not enable log deliveries for NLBs that are already ingesting logs to CloudWatch Logs

**CloudTrail Logs using service-linked channel**  
When enabling CloudTrail logs using the service-linked channel (SLC) path:  
+ Uses the managed CloudWatch log groups `aws/cloudtrail/<event-types>`
+ Existing customer-created CloudTrail trail forwarding configurations are preserved
+ CloudWatch enablement rules use only the service-linked channel to ingest logs
+ Events use the retention period configured for the log group
+ As part of the enablement wizard, you must choose at least one CloudTrail event type (management events, data events, or both) to ingest into CloudWatch Logs
+ If events are delivered with delay (indicated by the addendum reason `DELIVERY_DELAY`) and you previously configured a shorter retention period, delayed events might only be available for the duration of the shorter retention period

To configure CloudTrail logs across multiple Regions, use the **Target regions** selector when creating your enablement rule. This replicates the rule to your selected Regions automatically from the home Region.

**Amazon EC2 Detailed Metrics**  
When enabling detailed monitoring:  
+ Instance state changes may affect metric collection

**Amazon Security Hub**  
When enabling Security Hub logging:  
+ Uses the managed CloudWatch log group pattern `/aws/securityhub_cspm/findings`
+ CloudWatch does not enable log deliveries for Security Hub if findings are already being ingested into the managed CloudWatch log group

**Amazon Bedrock AgentCore**  
When enabling AgentCore logs and traces:  
+ You can enable both logs and traces emitted by all available Bedrock AgentCore primitives, such as Runtime, Browser Tools, and Code Interpreter Tools. In the Telemetry config console, create a logs delivery rule first, and then create a traces delivery rule.
+ When you create a traces delivery rule, Transaction Search is enabled and an additional permission policy is created to allow CloudWatch X-Ray to send correlated traces to the managed log group in your account. An X-Ray resource policy is also created to allow current and new Bedrock AgentCore primitives to deliver traces to your account. Include both policies when you review cross-service access to the account.

**Amazon Bedrock AgentCore Gateway**  
When enabling Bedrock AgentCore Gateway logging:  
+ Uses the default CloudWatch log group pattern `/aws/bedrock/agentcore` if none is specified
+ CloudWatch does not enable log deliveries for Bedrock AgentCore Gateway resources that are already ingesting logs to CloudWatch Logs

**Amazon Bedrock AgentCore Memory**  
When enabling Bedrock AgentCore Memory logging:  
+ Uses the default CloudWatch log group pattern `/aws/bedrock/agentcore` if none is specified
+ CloudWatch does not enable log deliveries for Bedrock AgentCore Memory resources that are already ingesting logs to CloudWatch Logs

**Amazon CloudFront Distribution**  
When enabling CloudFront distribution logging:  
+ CloudWatch does not enable log deliveries for CloudFront distributions that are already ingesting logs to CloudWatch Logs

# Troubleshooting telemetry configuration
<a name="telemetry-config-troubleshoot"></a>

This section describes common issues you might encounter when using telemetry configuration and how to resolve them.

## Resources not appearing
<a name="telemetry-config-troubleshoot-common"></a>

If resources are not appearing in discovery, verify the following:
+ The resource type is supported by telemetry configuration. For a list of supported data sources, see [Supported data sources](telemetry-config-rules.md#telemetry-config-troubleshoot-service).
+ The Amazon Config recorder is enabled in your account. Telemetry configuration requires Amazon Config service-linked recorders to discover resources.
+ You have appropriate IAM permissions to view the resources.
+ Sufficient time has elapsed since enabling telemetry configuration. The initial discovery of resources may take up to 24 hours to complete in some cases.

## Rules not applying
<a name="telemetry-config-troubleshoot-rules"></a>

If enablement rules are not applying to your resources, check the following:
+ Verify the rule scope configuration. Ensure the rule targets the correct organization, OU, or account.
+ Check tag filters. If the rule uses tag-based filtering, verify that the target resources have the expected tags.
+ Check for rule conflicts. If multiple conflicting rules exist, none of the conflicting rules are applied. For more information, see [Rule evaluation hierarchy](telemetry-config-rules.md#telemetry-config-rules-hierarchy).

**Note**  
When you create an enablement rule, we discover non-compliant resources (those without telemetry enabled) through Amazon Config Configuration Items (CIs) before turning them on based on your enablement rule scope. The initial discovery of the resources may take up to 24 hours to complete in some cases.

## Multi-Region issues
<a name="telemetry-config-troubleshoot-multi-region"></a>

When using multi-Region telemetry configuration, you might encounter the following issues:
+ **Spoke Region failures** – If a rule fails to replicate to a spoke Region, the failure is visible in the rule status dashboard. The system automatically retries failed replications. Check the per-Region status in the console or by using the API to identify which Regions are affected.
+ **Delayed resource discovery** – Resources from spoke Regions may take longer to appear in the home Region view because CloudWatch uses an Amazon Config aggregator to collect resource data across Regions.
+ **Reconciliation drift** – The system periodically reconciles rules across Regions to correct drift. If you notice inconsistencies between the home Region and spoke Regions, allow time for the reconciliation process to complete.

## Home Region conflicts
<a name="telemetry-config-troubleshoot-home-region"></a>

You might encounter errors when attempting to edit or delete a rule from a Region that is not the home Region for that rule. Replicated rules can only be modified in the home Region where they were originally created.

To resolve home Region conflicts:
+ Check the informational alert displayed on the rule in the console. The alert identifies the home Region for the rule.
+ Navigate to the home Region in the CloudWatch console to edit or delete the rule.
+ If you need to create a different rule in the spoke Region, create a new rule with a different name and scope that does not conflict with the replicated rule.

# Disabling telemetry configuration
<a name="telemetry-config-turn-off"></a>

When you no longer need telemetry configuration, you can turn it off. When telemetry configuration is turned off, it no longer shows the status of telemetry for resources in your account or organization. You can turn on telemetry configuration again at any time. For more information, see [Setting up telemetry configuration](telemetry-config-turn-on.md).

**To turn off telemetry configuration**

1. [Open the CloudWatch console](https://console.aws.amazon.com/cloudwatch/home#telemetry-config:account-settings).

1. In the navigation pane, choose **Telemetry config**.

1. Choose **Turn off**.

**Note**  
Turning off telemetry configuration does not delete or modify any existing telemetry settings for your resources. It only stops the centralized management and visibility of these settings.