Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Enabling cross-account functionality in CloudWatch without AWS console

0

I would like to automate the process of Enabling cross-account functionality in CloudWatch for each new account so that there is no need to go through this link tutorial on each new account.

I have an account dedicated to monitoring that should have CloudWatch access by default in every new and existing account in the organisation.

Ideally, it would be possible to set something like this up via CDK, but any alternative would be welcome.

Topics
Management & GovernanceNetworking & Content Delivery
Tags
Amazon CloudWatchSupport API
Language
English
asked 4 years ago5.2K views
2 Answers
1
Accepted Answer

If you have a look at what the console is doing, it just deploys a single CloudFormation template into the account, creating one IAM role: CloudWatch-CrossAccountSharingRole. Repeating the same with CDK or CloudFormation is how you can automate. For AWS Organizations integration, have a look at CloudFormation StackSets which can auto-deploy the IAM role to new accounts as they are onboarded.

Here is the YAML for a typical CloudFormation stack that creates the needed role (same as what you'll see deployed in the AWS Console):

---
Parameters:
  MonitoringAccountIds:
    Description: Allows one or more monitoring accounts to view your data. Enter AWS account ids, 12 numeric digits in comma-separated list
    Type: CommaDelimitedList
    Default: 012345678901

Conditions:
  CWCrossAccountSupported: {"Fn::Equals": [{"Ref": "AWS::Partition"}, "aws"]}

Resources:
  CWCrossAccountSharingRole:
    Condition: "CWCrossAccountSupported"
    Type: AWS::IAM::Role
    Properties:
      RoleName: CloudWatch-CrossAccountSharingRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Split
                - ','
                - !Sub
                  - 'arn:${AWS::Partition}:iam::${inner}:root'
                  - inner: !Join
                      - ':root,arn:${AWS::Partition}:iam::'
                      - Ref: MonitoringAccountIds
            Action:
              - sts:AssumeRole
      Path: "/"
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess
        - arn:aws:iam::aws:policy/CloudWatchAutomaticDashboardsAccess
AWS
answered 4 years ago
0

Thank you for submitting your question, AWS-User-0821016! We answered this on an episode of AWS re:Post Live. You can click this link and jump to 48:53 in the time code to listen to us discuss - https://www.twitch.tv/videos/2204463289

AWS
EXPERT
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content