1 Answer
If you have a look at what the console is doing, it just deploys a single CloudFormation template into the account, creating one IAM role: CloudWatch-CrossAccountSharingRole. Repeating the same with CDK or CloudFormation is how you can automate. For AWS Organizations integration, have a look at CloudFormation StackSets which can auto-deploy the IAM role to new accounts as they are onboarded.
Here is the YAML for a typical CloudFormation stack that creates the needed role (same as what you'll see deployed in the AWS Console):
```yaml
---
Parameters:
  MonitoringAccountIds:
    Description: Allows one or more monitoring accounts to view your data. Enter AWS account ids, 12 numeric digits in comma-separated list
    Type: CommaDelimitedList
    Default: 012345678901
Conditions:
  CWCrossAccountSupported: {"Fn::Equals": [{"Ref": "AWS::Partition"}, "aws"]}
Resources:
  CWCrossAccountSharingRole:
    Condition: "CWCrossAccountSupported"
    Type: AWS::IAM::Role
    Properties:
      RoleName: CloudWatch-CrossAccountSharingRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Split
                - ','
                - !Sub
                  - 'arn:${AWS::Partition}:iam::${inner}:root'
                  - inner: !Join
                      - ':root,arn:${AWS::Partition}:iam::'
                      - Ref: MonitoringAccountIds
            Action:
              - sts:AssumeRole
      Path: "/"
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess
        - arn:aws:iam::aws:policy/CloudWatchAutomaticDashboardsAccess
```
answered 2 years ago
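The trust policy above is built with a Join/Sub/Split chain that is easy to misread, so before rolling it out through StackSets it is worth seeing exactly which principals end up trusted. The following is an added example (not from the answer or from AWS) that evaluates that chain by hand for a given `MonitoringAccountIds` value and flags any trusted account that is not on an allow-list; it assumes the `aws` partition and that `${AWS::Partition}` inside the Join separator resolves to the same partition.

```python
import re

# Assumption: the stack is deployed in the "aws" partition, which is the only
# partition the template's CWCrossAccountSupported condition allows.
PARTITION = "aws"


def render_trust_policy(monitoring_account_ids, partition=PARTITION):
    """Reproduce what CloudFormation produces for AssumeRolePolicyDocument.

    monitoring_account_ids is the raw CommaDelimitedList parameter value.
    Whitespace around each id is stripped here (an assumption about input).
    """
    ids = [i.strip() for i in monitoring_account_ids.split(",")]
    for acct in ids:
        if not re.fullmatch(r"\d{12}", acct):
            raise ValueError(f"not a 12-digit AWS account id: {acct!r}")
    # !Join [':root,arn:${AWS::Partition}:iam::', ids]
    inner = f":root,arn:{partition}:iam::".join(ids)
    # !Sub 'arn:${AWS::Partition}:iam::${inner}:root'
    joined = f"arn:{partition}:iam::{inner}:root"
    # !Split [',', ...] turns the single string into a list of root ARNs
    principals = joined.split(",")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principals},
            "Action": ["sts:AssumeRole"],
        }],
    }


def unexpected_principals(policy, allowed_account_ids):
    """Return trusted principal ARNs whose account is not in the allow-list.

    A non-empty result means the sharing role would let an account outside
    your monitoring account set read CloudWatch data.
    """
    allowed = set(allowed_account_ids)
    bad = []
    for stmt in policy["Statement"]:
        for arn in stmt["Principal"]["AWS"]:
            account = arn.split(":")[4]  # arn:partition:service:region:account:resource
            if account not in allowed:
                bad.append(arn)
    return bad


if __name__ == "__main__":
    # Constructed sample: two monitoring accounts, only one of them approved.
    policy = render_trust_policy("111111111111,222222222222")
    print(unexpected_principals(policy, ["111111111111"]))
```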
Do you need to create OAM::Link?