
Cross-Account Observability with CloudWatch: Logs can only be viewed for the account logged in


I am having an issue that I just cannot seem to identify why it is happening.

I have CloudWatch set up for Cross-Account Observability. I did this with CloudFormation using Stacks and StackSets.

  • Each member account was updated via Stacksets to deploy the CloudWatch-CrossAccountSharingRole and this role has the expected 4 attached policies (I confirmed that log group permissions are in the attached policies). The trust relationship for this policy has the correct account ids for the monitoring accounts (I have 3).
  • The managed account (default AWS account that controls the organization) has a Stack that deploys the CloudWatch-CrossAccountSharing-ListAccounts role. The trust relationship for this policy has the correct account ids.

When I am in the monitoring accounts, I am able to see everything (dashboards, alarms, metrics, X-Ray, events) but not log groups. When I try to look at log groups for the member accounts, I get the error:

Logs can only be viewed for the account logged in - CURRENTACCOUNTALIAS. You are viewing data for MEMBERACCOUNTALIAS. Go back to CURRENTACCOUNTALIAS in CURRENTACCOUNTREGION

I provided the templates below.

I confirmed the monitoring accounts have the role AWSServiceRoleForCloudWatchCrossAccount. It has this policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": [
                "arn:aws-us-gov:iam::*:role/CloudWatch-CrossAccountSharing*"
            ],
            "Effect": "Allow"
        }
    ]
}

with this trust:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudwatch-crossaccount.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

What can I do to allow me to see the log groups? What am I missing?

Note: I am in GovCloud; I wanted to make note of that in case it matters. It should also be noted that I am using SSO to access the accounts.

Thank you for your time.


Templates:

Stackset for member accounts:

---
AWSTemplateFormatVersion: "2010-09-09"
Description: Enables CloudWatch in central monitoring accounts to assume permissions to view CloudWatch data in the current account

Parameters:
  MonitoringAccountIds:
    Description: Allows one or more monitoring accounts to view your data. Enter AWS account ids, 12 numeric digits in comma-separated list
    Type: CommaDelimitedList

  Policy:
    Description: The level of access to give to the Monitoring accounts
    Type: String
    Default: View-Access-for-all-services
    AllowedValues:
      - CloudWatch-and-AutomaticDashboards
      - CloudWatch-and-ServiceLens
      - CloudWatch-AutomaticDashboards-and-ServiceLens
      - CloudWatch-core-permissions
      - View-Access-for-all-services

Conditions:
  DoFullReadOnly: !Equals [!Ref Policy, View-Access-for-all-services]
  DoAutomaticDashboards:
    !Equals [!Ref Policy, CloudWatch-and-AutomaticDashboards]
  DoServiceLens: !Equals [!Ref Policy, CloudWatch-and-ServiceLens]
  DoServiceLensAndAutomaticDashboards:
    !Equals [!Ref Policy, CloudWatch-AutomaticDashboards-and-ServiceLens]

Resources:
  CWCrossAccountSharingRole:
    Type: AWS::IAM::Role
    Metadata:
      cfn-lint:
        config:
          ignore_checks:
            - I3042
    Properties:
      RoleName: CloudWatch-CrossAccountSharingRole
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Split
                - ","
                - !Sub
                  - "arn:${AWS::Partition}:iam::${inner}:root"
                  - inner: !Join
                      - ":root,arn:aws-us-gov:iam::"
                      - Ref: MonitoringAccountIds
            Action:
              - sts:AssumeRole
      Path: "/"
      ManagedPolicyArns: !If
        - DoFullReadOnly
        - - !Sub arn:${AWS::Partition}:iam::aws:policy/CloudWatchReadOnlyAccess
          - !Sub arn:${AWS::Partition}:iam::aws:policy/CloudWatchAutomaticDashboardsAccess
          - !Sub arn:${AWS::Partition}:iam::aws:policy/job-function/ViewOnlyAccess
          - !Sub arn:${AWS::Partition}:iam::aws:policy/AWSXrayReadOnlyAccess
        - !If
          - DoAutomaticDashboards
          - - !Sub arn:${AWS::Partition}:iam::aws:policy/CloudWatchReadOnlyAccess
            - !Sub arn:${AWS::Partition}:iam::aws:policy/CloudWatchAutomaticDashboardsAccess
          - !If
            - DoServiceLens
            - - !Sub arn:${AWS::Partition}:iam::aws:policy/CloudWatchReadOnlyAccess
              - !Sub arn:${AWS::Partition}:iam::aws:policy/AWSXrayReadOnlyAccess
            - !If
              - DoServiceLensAndAutomaticDashboards
              - - !Sub arn:${AWS::Partition}:iam::aws:policy/CloudWatchReadOnlyAccess
                - !Sub arn:${AWS::Partition}:iam::aws:policy/CloudWatchAutomaticDashboardsAccess
                - !Sub arn:${AWS::Partition}:iam::aws:policy/AWSXrayReadOnlyAccess
              - - !Sub arn:${AWS::Partition}:iam::aws:policy/CloudWatchReadOnlyAccess

Managed account Stack:

---
AWSTemplateFormatVersion: "2010-09-09"
Description: Enables monitoring accounts to list the accounts information in an AWS Organization

Parameters:
  MonitoringAccountIds:
    Description: Allows one or more monitoring accounts to view AWS Organization account list. Enter AWS account ids, 12 numeric digits in comma-separated list
    Type: CommaDelimitedList

Resources:
  CWCrossAccountListAccountsRole:
    Type: AWS::IAM::Role
    Metadata:
      cfn-lint:
        config:
          ignore_checks:
            - I3042
    Properties:
      RoleName: CloudWatch-CrossAccountSharing-ListAccountsRole
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Split
                - ","
                - !Sub
                  - "arn:aws-us-gov:iam::${inner}:root"
                  - inner: !Join
                      - ":root,arn:aws-us-gov:iam::"
                      - Ref: MonitoringAccountIds
            Action:
              - sts:AssumeRole
      Path: "/"
      Policies:
        - PolicyName: CloudWatch-CrossAccountSharing-ListAccounts-Policy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Action:
                  - organizations:ListAccounts
                  - organizations:ListAccountsForParent
                Resource: "*"
                Effect: Allow
asked 2 years ago · 798 views
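An added offline check (example code, not the asker's templates or anything from AWS): it resolves the nested !Join / !Sub / !Split from the StackSet template into the principals the CloudWatch-CrossAccountSharingRole trust policy actually contains, and tests whether the monitoring account's service-linked-role policy pattern (arn:aws-us-gov:iam::*:role/CloudWatch-CrossAccountSharing*) matches the member role ARN in the same partition. The account ids are constructed sample values; the partition is assumed to be aws-us-gov, as in the question.

```python
import fnmatch

PARTITION = "aws-us-gov"  # assumption: GovCloud partition, as in the question
ROLE_NAME = "CloudWatch-CrossAccountSharingRole"


def trust_principals(monitoring_account_ids, partition=PARTITION):
    """Emulate the template's intrinsic functions:
    !Split [",", !Sub ["arn:${P}:iam::${inner}:root",
                       {inner: !Join [":root,arn:${P}:iam::", ids]}]]
    and return the list of root-principal ARNs the trust policy ends up with."""
    inner = f":root,arn:{partition}:iam::".join(monitoring_account_ids)
    joined = f"arn:{partition}:iam::{inner}:root"
    return joined.split(",")


def arn_matches(pattern, arn):
    """IAM resource patterns use * and ? wildcards, which fnmatch reproduces here;
    ARNs contain no [ ] characters, so no other glob syntax is triggered."""
    return fnmatch.fnmatchcase(arn, pattern)


def check_chain(monitoring_account_ids, member_account_id, slr_resource_pattern,
                partition=PARTITION, role_name=ROLE_NAME):
    """Return a list of findings (empty means the two IAM ends line up).
    Checks: every monitoring account is a trusted principal, every principal is in
    the expected partition, and the service-linked role's sts:AssumeRole resource
    pattern covers the member account's sharing role ARN."""
    findings = []
    principals = trust_principals(monitoring_account_ids, partition)
    for acct in monitoring_account_ids:
        if f"arn:{partition}:iam::{acct}:root" not in principals:
            findings.append(f"monitoring account {acct} is not a trusted principal")
    for p in principals:
        if not p.startswith(f"arn:{partition}:iam::"):
            findings.append(f"principal {p} is in the wrong partition")
    member_role_arn = f"arn:{partition}:iam::{member_account_id}:role/{role_name}"
    if not arn_matches(slr_resource_pattern, member_role_arn):
        findings.append(f"SLR pattern {slr_resource_pattern} does not cover {member_role_arn}")
    return findings


if __name__ == "__main__":
    # Constructed sample ids: three monitoring accounts, one member account.
    monitors = ["111111111111", "222222222222", "333333333333"]
    for line in trust_principals(monitors):
        print(line)
    print(check_chain(monitors, "444444444444",
                      "arn:aws-us-gov:iam::*:role/CloudWatch-CrossAccountSharing*"))
```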
1 Answer

Accepted Answer (2 votes)

I'm not a GovCloud user, but documentation says cross-account observability shouldn't be working in GovCloud at all: "Amazon CloudWatch cross-account observability is not available in AWS GovCloud (US)." (https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-cw.html) It sounds plausible that log sharing might simply not be available, as you were thinking.

Since you are in GovCloud, you probably have Enterprise level support too. Opening a support case is probably the quickest way to confirm the actual current restrictions and whether there's anything missing from your configuration.

EXPERT · answered 2 years ago · reviewed 2 years ago
