Cross-account cross-region in cloudwatch for specific log group


We would like to read events from an EC2 machine in one account and region and to read events from a log group in another account and another region. We saw the Cross-account cross-region option, but we did not find any option to allow the other account to access only a specific log group. Is there such an option? Or is there any other solution we can use to solve that problem? Thanks

3 Answers

The Cross-Account Cross-Region feature of CloudWatch which you are referring to is usually preferable for sharing metrics/logs from a whole account to a monitoring account.

If you want just specific log groups (or a specific log group) to be shared with another account, I would recommend considering sharing the logs using a CloudWatch Logs subscription and Amazon Kinesis or Amazon Kinesis Data Firehose, as per the following documentation: Cross-account log data sharing with subscriptions.

answered 2 years ago
  • I agree with Jasper_R the ideal way is to use S3 to share, because S3 has a resource policy you can grant to the source account access. However to post to CloudWatch the FlowLog service must assume a role in the target account which it is not allowed to do. Also the API requires that the log-group be in the same account as the vpc/subnet. If you have to post to a log-group in another account then a subscription model using Amazon Kinesis or Amazon Lambda is a good approach. i.e. log to CloudWatch, subscribe to the log, use Kinesis or Lambda to post to a log group in another account.


As per quick research I've made, sharing the log groups (any) cross-account is not supported, unfortunately.

answered 2 years ago

It's possible. Cross Account Cross Region sharing in CloudWatch is enabled by creating an IAM role called CloudWatch-CrossAccountSharingRole. You can let the console create that role for you and then modify it to allow a specific log group to be read. Or else you can create the prebuilt role using CloudFormation/CDK/Terraform or via CLI/API directly.

See Example 3 in resource-based access to CloudWatch Logs. Something like this would be what you need inside the policy for CloudWatch-CrossAccountSharingRole (the action list was not preserved on the page, so a labelled placeholder stands in for it):

    {
      "Effect": "Allow",
      "Action": [
        "logs:<read-only actions your dashboard needs>"
      ],
      "Resource": "arn:aws:logs:us-west-2:123456789012:log-group:SampleLogGroupName:*"
    }

That will allow you to put a log widget in a central dashboard that runs a Logs Insights query on a log in a different account/region.

answered 2 years ago
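The answer above leaves out the action list and does not show the trust side of the role. The following is an added example, not code from the question or any answer: it builds a trust policy that lets only the monitoring account assume CloudWatch-CrossAccountSharingRole, a permissions policy scoped to the single log group ARN from the answer, and a small check that flags any Allow statement reaching beyond that log group or beyond read-only actions. The monitoring account ID and the exact set of read-only actions a dashboard widget needs are assumptions.

```python
import json

# Constructed sample values, not from the page (the log group ARN mirrors the answer's example).
MONITORING_ACCOUNT = "111111111111"  # account whose dashboard will read the logs
LOG_GROUP_ARN = "arn:aws:logs:us-west-2:123456789012:log-group:SampleLogGroupName:*"

# Read-only CloudWatch Logs actions. Which ones a given widget needs is an assumption;
# adjust the list to the query types you actually use, but keep it free of write actions.
READ_ACTIONS = [
    "logs:DescribeLogStreams",
    "logs:FilterLogEvents",
    "logs:GetLogEvents",
    "logs:StartQuery",
    "logs:StopQuery",
    "logs:GetQueryResults",
]


def trust_policy(monitoring_account: str) -> dict:
    """Trust policy: only the monitoring account may assume the sharing role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{monitoring_account}:root"},
            "Action": "sts:AssumeRole",
        }],
    }


def permissions_policy(log_group_arn: str) -> dict:
    """Permissions policy limited to one log group instead of the whole account."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": READ_ACTIONS, "Resource": log_group_arn}],
    }


def overbroad_grants(policy: dict, allowed_arn: str) -> list:
    """Return a reason per Allow action/resource that exceeds read-only access to allowed_arn."""
    problems = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        problems += [f"wildcard or non-read action: {a}" for a in actions if a not in READ_ACTIONS]
        problems += [f"resource not limited to the log group: {r}" for r in resources if r != allowed_arn]
    return problems


if __name__ == "__main__":
    print(json.dumps(permissions_policy(LOG_GROUP_ARN), indent=2))
    print(overbroad_grants(permissions_policy(LOG_GROUP_ARN), LOG_GROUP_ARN))  # []
```

Attach the two documents to the role in the account that owns the log group; the check is what you would run against a console-generated role after editing it down, since the console default grants account-wide read access.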
