Cross-account cross-region in CloudWatch for specific log group

1

We would like to read events in an EC2 machine in one account in one region and to read events in a log group in another account and in another region. We saw the option of Cross-account cross-region, but we did not find any option to allow the other account to access only a specific log group. Is there such an option? Or is there any other solution we can use to solve that problem? Thanks

3 Answers
0

The Cross-Account Cross-Region feature of CloudWatch which you are referring to is usually preferable for sharing metrics/logs from a whole account to a monitoring account.

If you want just specific log groups (or a specific log group) to be shared with another account I would recommend considering sharing the logs using a CloudWatch Logs subscription and Amazon Kinesis or Amazon Kinesis Data Firehose as per the following documentation: Cross-account log data sharing with subscriptions - https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CrossAccountSubscriptions.html

AWS
SUPPORT ENGINEER
answered 2 years ago
  • I agree with Jasper_R the ideal way is to use S3 to share, because S3 has a resource policy you can grant to the source account access. However to post to CloudWatch the FlowLog service must assume a role in the target account which it is not allowed to do. Also the API requires that the log-group be in the same account as the vpc/subnet. If you have to post to a log-group in another account then a subscription model using Amazon Kinesis or Amazon Lambda is a good approach. i.e. log to CloudWatch, subscribe to the log, use Kinesis or Lambda to post to a log group in another account.

0

As per quick research I've made, sharing the log groups (any) cross account is not supported, unfortunately: https://stackoverflow.com/questions/62270980/logs-can-only-be-viewed-for-the-account-logged-in-in-aws-cloudwatch-logs-conso

answered 2 years ago
-1

It's possible. Cross Account Cross Region sharing in CloudWatch is enabled by creating an IAM role called CloudWatch-CrossAccountSharingRole. You can let the console create that role for you and then modify it to allow a specific log group to be read. Or else you can create the prebuilt role using CloudFormation/CDK/Terraform or via CLI/API directly.

See Example 3 in resource-based access to CloudWatch Logs. Something like this would be what you need inside the policy for CloudWatch-CrossAccountSharingRole:

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Action": [
            "logs:FilterLogEvents",
            "logs:StartQuery",
            "logs:StopQuery"
         ],
         "Effect": "Allow",
         "Resource": "arn:aws:logs:us-west-2:123456789012:log-group:SampleLogGroupName:*"
      }
   ]
}

That will allow you to put a log widget in a central dashboard that runs a Logs Insights query on a log in a different account/region.

AWS
answered 2 years ago
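
A check for the scoping the last answer describes, as an added example that is not part of the original answers or of any AWS tooling: it audits a policy document for the sharing role and reports every Allow statement whose CloudWatch Logs access is not pinned to an allow-listed log group. The function name `audit_log_policy`, the `ALLOWED` set and `BROAD_POLICY` are hypothetical and constructed for illustration; `SCOPED_POLICY` repeats the policy from the answer.

```python
# Added example: audit a role policy for log access beyond an allow-list.
# audit_log_policy, ALLOWED and BROAD_POLICY are hypothetical / constructed.

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_log_policy(policy, allowed):
    """Return (statement index, resource, reason) for each Allow statement whose
    CloudWatch Logs access is not pinned to a (region, account, group) in allowed."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((i, None, "grants by exclusion, cannot be pinned"))
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a == "*" or a.lower().startswith("logs:") for a in actions):
            continue  # statement grants no CloudWatch Logs actions
        for res in _as_list(stmt.get("Resource", [])):
            # Expected shape: arn:aws:logs:REGION:ACCOUNT:log-group:NAME[:*]
            parts = res.split(":", 6)
            if len(parts) < 7 or parts[2] != "logs" or parts[5] != "log-group":
                findings.append((i, res, "not a single log-group ARN"))
                continue
            region, account = parts[3], parts[4]
            name = parts[6].split(":")[0]  # drop the trailing ":*" stream part
            if any(ch in "*?" for ch in region + account + name):
                findings.append((i, res, "wildcard in region, account or name"))
            elif (region, account, name) not in allowed:
                findings.append((i, res, "log group not on the allow-list"))
    return findings

ALLOWED = {("us-west-2", "123456789012", "SampleLogGroupName")}

SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Action": ["logs:FilterLogEvents", "logs:StartQuery", "logs:StopQuery"],
    "Effect": "Allow",
    "Resource": "arn:aws:logs:us-west-2:123456789012:log-group:SampleLogGroupName:*"}]}

# Constructed counter-example: the kind of account-wide grant to look for.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["logs:StartQuery"], "Resource": "*"},
    {"Effect": "Allow", "Action": "logs:FilterLogEvents",
     "Resource": "arn:aws:logs:*:123456789012:log-group:*"},
    {"Effect": "Allow", "Action": "cloudwatch:GetMetricData", "Resource": "*"}]}

if __name__ == "__main__":
    for name, doc in (("scoped", SCOPED_POLICY), ("broad", BROAD_POLICY)):
        print(name, audit_log_policy(doc, ALLOWED))
```

Run it against the JSON of the role's attached policies after editing the role, so a later console change that widens the Resource back to the whole account shows up as a finding.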
