AWS CloudWatch Centralized Monitoring

Centralize your CloudWatch metrics, alarms and dashboards

Introduction

Building on cross-account, cross-region CloudWatch data sharing, AWS has recently introduced cross-account alarms [1].

AWS Organizations can also delegate to a member account the permission to list the organization's accounts, so that the account tree can be browsed from that member account rather than only from the master (management) account.

With these features, operations teams, DevOps engineers and service owners can monitor, troubleshoot and analyze applications running in multiple regions and many accounts from a single central monitoring account.

When an alarm fires, the on-call engineer can log in to the central account and view the dashboards of every monitored account to diagnose the issue, without logging in to each account separately to look at the dashboards of the other application components or dependencies.

Design

The solution uses AWS Organizations to retrieve the account list from the master (management) account, and a cross-account sharing role in each monitored account that the monitoring account assumes to read that account's metrics, alarms and dashboards.

Configuration

First create a central monitoring account; you can also use the log archive account created by the AWS Landing Zone solution or AWS Control Tower. Whichever account you choose, treat it as a privileged account: every principal in it that is allowed to call sts:AssumeRole on the sharing role will be able to read the shared CloudWatch data of all monitored accounts.

The following are the high-level steps we are going to follow.

  1. Create the CloudWatch-CrossAccountSharing-ListAccountsRole IAM role in the AWS master account, with the monitoring account ID as the trusted principal. You can use the CloudFormation template linked in reference [3].
  2. Create the CloudWatch-CrossAccountSharingRole IAM role in each monitored account, with the monitoring account ID as the trusted principal. You can use the CloudFormation template linked in reference [4].
  3. Configure the monitoring account to view cross-account, cross-region CloudWatch data.
  4. Configure each monitored account to share its CloudWatch data with the monitoring account.

AWS Master Account

In the AWS master account, go to CloudWatch -> Settings and click Configure.

On the next page, under Grant permission to view the list of accounts in the organization, click Share organization account list.

On the next page, add your monitoring account ID.

You can then launch the CloudFormation template to create the cross-account role, if you have not already created it. This role only needs permission to list the organization's accounts; it grants no access to any CloudWatch data.

AWS Monitoring Account

In the AWS monitoring account, go to CloudWatch -> Settings and click Enable.

On the next page, select AWS Organization account selector so that you can switch between monitored accounts from the account list while viewing metrics, alarms and dashboards.

AWS Monitored Account

In each monitored account, go to CloudWatch -> Settings and click Share data.

On the next page, add the monitoring account ID to share CloudWatch data with. Share with specific account IDs rather than with the whole organization unless every current and future member account really needs to read this data.

Leave the default read-only permission for the monitoring account (read-only access to your CloudWatch data, optionally including the automatic dashboards). Do not select full read-only access to everything in your account unless the monitoring account genuinely needs it: that option attaches the AWS managed ReadOnlyAccess policy, which can read the configuration of every service in the account, not just CloudWatch.

You can then launch the CloudFormation template to create the cross-account sharing role, if you have not already created it. Whether you use the template or the console, verify afterwards that the trust policy of CloudWatch-CrossAccountSharingRole names only the monitoring account and that only read-only CloudWatch policies are attached.
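After the data-sharing step, a practitioner wants to confirm what the monitored account has actually exposed. The following is an added example (not part of the original post, and not AWS's own CloudFormation code): a small Python audit of the CloudWatch-CrossAccountSharingRole that checks its trust policy trusts only the intended monitoring account and that only CloudWatch read-only managed policies are attached. The account IDs, the organization ID and both role documents are constructed samples; in practice you would feed it the output of boto3's iam.get_role and iam.list_attached_role_policies.

```python
"""Audit the CloudWatch-CrossAccountSharingRole a monitored account exposes.

Added example, not part of the original post and not AWS's template code.
Two things decide how much the monitoring account can do with this role:
  1. the trust policy: who may call sts:AssumeRole on it, and
  2. the attached managed policies: what an assumed session may read.
All account IDs, the organization ID and the role documents are made up.
"""

MONITORING_ACCOUNT = "111111111111"   # assumed central monitoring account
ROLE_NAME = "CloudWatch-CrossAccountSharingRole"

# What the default "read-only access to your CloudWatch data" choice attaches.
# "Full read-only access to everything" attaches ReadOnlyAccess instead,
# which reaches far beyond CloudWatch, so it is flagged below.
ALLOWED_POLICY_ARNS = {
    "arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess",
    "arn:aws:iam::aws:policy/CloudWatchAutomaticDashboardsAccess",
}
BROAD_POLICY_ARN = "arn:aws:iam::aws:policy/ReadOnlyAccess"


def _as_list(value):
    """IAM lets a single value stand in for a one-element list."""
    return value if isinstance(value, list) else [value]


def _root_arn(principal):
    """Normalise a bare 12-digit account ID to its account-root ARN."""
    if principal.isdigit() and len(principal) == 12:
        return f"arn:aws:iam::{principal}:root"
    return principal


def audit_trust_policy(trust_doc, expected_accounts):
    """Return findings; an empty list means only the expected accounts are trusted."""
    findings, trusted = [], set()
    expected_roots = {f"arn:aws:iam::{a}:root" for a in expected_accounts}
    for stmt in _as_list(trust_doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not set(_as_list(stmt.get("Action", []))) & {"sts:AssumeRole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            principal = {"AWS": "*"}
        for kind in principal:
            if kind != "AWS":  # Service / Federated principals do not belong on this role
                findings.append(f"unexpected principal type {kind!r}")
        for p in map(_root_arn, _as_list(principal.get("AWS", []))):
            if p == "*":
                org = stmt.get("Condition", {}).get("StringEquals", {}).get("aws:PrincipalOrgID")
                if org:
                    findings.append(f"wildcard principal scoped to organization {org}: "
                                    "every member account can assume the role")
                else:
                    findings.append("wildcard principal with no aws:PrincipalOrgID condition: "
                                    "any AWS account can assume the role")
                trusted |= expected_roots  # the wildcard covers the expected accounts too
            elif p in expected_roots:
                trusted.add(p)
            else:
                findings.append(f"unexpected principal trusted: {p}")
    for missing in sorted(expected_roots - trusted):
        findings.append(f"monitoring account not trusted: {missing}")
    return findings


def audit_attached_policies(policy_arns, allowed=ALLOWED_POLICY_ARNS):
    """Flag any attached managed policy outside the CloudWatch read-only set."""
    findings = []
    for arn in policy_arns:
        if arn in allowed:
            continue
        if arn == BROAD_POLICY_ARN:
            findings.append("ReadOnlyAccess attached: monitoring account can read every service, not only CloudWatch")
        else:
            findings.append(f"unexpected policy attached: {arn}")
    return findings


def audit_role(role, expected_accounts=(MONITORING_ACCOUNT,)):
    """role mirrors iam.get_role()['Role'] merged with list_attached_role_policies()."""
    return (audit_trust_policy(role["AssumeRolePolicyDocument"], set(expected_accounts))
            + audit_attached_policies(p["PolicyArn"] for p in role["AttachedPolicies"]))


# Constructed sample: what the default console choice produces.
GOOD_ROLE = {
    "RoleName": ROLE_NAME,
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": f"arn:aws:iam::{MONITORING_ACCOUNT}:root"}}]},
    "AttachedPolicies": [{"PolicyName": arn.rsplit("/", 1)[1], "PolicyArn": arn}
                         for arn in sorted(ALLOWED_POLICY_ARNS)],
}

# Constructed sample: shared with the whole organization and "full read-only
# access to everything" selected.
BROAD_ROLE = {
    "RoleName": ROLE_NAME,
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "*"},
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}}]},
    "AttachedPolicies": [{"PolicyName": "ReadOnlyAccess", "PolicyArn": BROAD_POLICY_ARN}],
}

if __name__ == "__main__":
    for role in (GOOD_ROLE, BROAD_ROLE):
        findings = audit_role(role)
        print(role["RoleName"], "OK" if not findings else "\n  - " + "\n  - ".join(findings))
```

Run it as-is to see the constructed good role pass and the organization-wide, ReadOnlyAccess variant produce two findings. To audit a real account, build the role dict from iam.get_role(RoleName=ROLE_NAME)["Role"] and iam.list_attached_role_policies(RoleName=ROLE_NAME)["AttachedPolicies"]; the same check can be applied to the CloudWatch-CrossAccountSharing-ListAccountsRole in the master account with its own expected policy set.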

Verification

You can now go to the monitoring account and view the monitored accounts' metrics, alarms and dashboards by selecting the account name from the drop-down list. If an account is missing from the list, check that its CloudWatch-CrossAccountSharingRole exists and trusts the monitoring account ID.

Dashboard

You can now also create cross-account, cross-region dashboards. Please follow the instructions given in reference [2].

References

  1. Announcing Amazon CloudWatch cross-account alarms: https://aws.amazon.com/about-aws/whats-new/2021/08/announcing-amazon-cloudwatch-cross-account-alarms/
  2. Cross-account, cross-region dashboards with Amazon CloudWatch: https://aws.amazon.com/blogs/aws/cross-account-cross-region-dashboards-with-amazon-cloudwatch/
  3. CloudFormation template for the cross-account ListAccounts role: https://cloudwatch-console-static-content-prod-syd.s3.ap-southeast-2.amazonaws.com/2392d3b157338c0faed7496717502c8e2c12e15a/cross-account/CloudWatch-CrossAccountListAccountsRole-AccountList-aws.yaml
  4. CloudFormation template for the cross-account sharing role: https://cloudwatch-console-static-content-prod-syd.s3.ap-southeast-2.amazonaws.com/2392d3b157338c0faed7496717502c8e2c12e15a/cross-account/CloudWatch-CrossAccountSharingRole-AccountList-aws.yaml

Everything is Code