

# Monitor across accounts and Regions
<a name="CloudWatch-Cross-Account-Methods"></a>

To enable unified monitoring across accounts, CloudWatch offers the following features:
+ **[CloudWatch cross-account observability](CloudWatch-Unified-Cross-Account.md)** – facilitates observability within a single Region with the Observability Access Manager (OAM) service. You can link accounts and easily view metrics, logs, traces, and other telemetry between accounts. This helps you unify observability in central monitoring accounts that view telemetry shared from source accounts, and operate on this shared telemetry as if it were native to the monitoring account.
+ **[Cross-account cross-Region CloudWatch console](Cross-Account-Cross-Region.md)** – delivers a console experience that lets you view the dashboards, metrics, and alarms consoles of other accounts across Regions by toggling between accounts. After you set up the necessary permissions, you use an account selector integrated into the alarms, dashboards, and metrics consoles to view metrics, dashboards, and alarms in other accounts without having to log in and out of those accounts. With this feature enabled, you can also build dashboards that contain cross-account cross-Region metrics for centralized visibility within one account.
+ **[Cross-account cross-Region log centralization](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatchLogs_Centralization.html)** – collects copies of log data from multiple member accounts into one data repository using cross-account and cross-Region centralization rules. You define the rules that automatically replicate log data from multiple accounts and AWS Regions into a centralized account within your organization. This streamlines log consolidation for centralized monitoring, analysis, and compliance across your entire AWS infrastructure.

These three features are complementary to each other and can be used independently or together. See the following table for a comparison of the features. We recommend that you use CloudWatch cross-account observability for the richest cross-account observability and discovery experience within a Region for your metrics, logs, and traces. 


|  | **[CloudWatch cross-account observability](CloudWatch-Unified-Cross-Account.md)** | **[Cross-account cross-Region CloudWatch console](Cross-Account-Cross-Region.md)** | **[Cross-account cross-Region log centralization](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatchLogs_Centralization.html)** | 
| --- | --- | --- | --- | 
| **What is it?** | Unified access to underlying telemetry and other observability resources across multiple accounts. After this is configured, observability resources are seamlessly viewable between accounts, eliminating the need for role assumptions. The central monitoring account gains direct access to the telemetry data and resources from source accounts, streamlining the monitoring and observability process.  | A designated monitoring account assumes a **CrossAccountSharingRole** defined in source accounts from the CloudWatch console. By assuming this role, the monitoring account can invoke operations such as dashboard viewing on behalf of source accounts, directly from its console.  | The Amazon CloudWatch Logs data centralization capability streamlines log consolidation for improved centralized monitoring, analysis, and compliance across your entire AWS infrastructure.  | 
| **How does it work?** | A monitoring account, using the Observability Access Manager (OAM) service, creates a *sink* and attaches a sink policy to it. The sink policy defines which resource types the monitoring account wants to view and which source accounts may share them. Source accounts then create a link to the monitoring account's sink, specifying what they actually want to share. After the link is created, the specified resources are visible in the monitoring account. | A source account initiates the configuration by setting up a **CrossAccountSharingRole**, allowing a monitoring account to run operations in the source account. Then, a monitoring account enables the cross-account cross-Region selector in the console by specifying the source account ID. This enables the monitoring account to switch into the source account. When switching, the CloudWatch console checks for the existence of a service-linked role that allows CloudWatch to assume the **CrossAccountSharingRole** that was created in the source account. | Amazon CloudWatch Logs data centralization works with AWS Organizations to copy log data from multiple member accounts into one data repository using cross-account and cross-Region centralization rules. You define the rules that automatically replicate log data from multiple accounts and AWS Regions into a centralized account within your organization.  | 
| **What telemetry is supported?** | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Cross-Account-Methods.html) | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Cross-Account-Methods.html) |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Cross-Account-Methods.html) | 
| **What functionality is supported?** | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Cross-Account-Methods.html)  | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Cross-Account-Methods.html) For more details, see [Cross-account cross-Region CloudWatch console](Cross-Account-Cross-Region.md).  | CloudWatch Logs Insights, subscription filters, and metric filters | 
| **How many accounts can I use it with?** | A monitoring account can see resources from as many as 100,000 source accounts at the same time. A source account can share its resources with as many as five different monitoring accounts. | By using the cross-account cross-Region selector in the console, a monitoring account can switch to one other account at a time, but there is no limit on the number of accounts that can be linked. When defining cross-account dashboards and alarms, many source accounts can be referenced. | Up to the number of accounts supported by AWS Organizations. | 
| **Does it move telemetry data?** | No. Resources are shared between accounts with the exception of copied traces. | No. An IAM policy is configured to allow embedded account switching for cross-account cross-Region resource visibility. | Yes | 
| **How much does it cost?** | No extra charges for shared logs and metrics, and the first trace copy is free. For more information about pricing, see [Amazon CloudWatch pricing](http://aws.amazon.com/cloudwatch/pricing). | No additional charges for cross-account or cross-Region actions. | You can centralize one copy of logs for free. Additional copies are charged at \$10.05/GB of logs centralized (the backup region feature is considered an additional copy). For information about storage cost pricing in the destination account and other value-added experiences see [Amazon CloudWatch Pricing](https://aws.amazon.com/cloudwatch/pricing/). | 
| **Does it support observability across Regions?** | No | Yes | Yes, you can centralize data across Regions. | 
| **Does it support programmatic access?** | Yes. The AWS CLI, AWS Cloud Development Kit (AWS CDK), and APIs are supported. | No | Yes | 
| **Does it support programmatic setup?** | Yes | Yes | Yes | 
| **Does it support AWS Organizations?** | Yes | Yes | Yes. AWS Organizations is required to use this feature. | 

**Topics**
+ [CloudWatch cross-account observability](CloudWatch-Unified-Cross-Account.md)
+ [Cross-account cross-Region CloudWatch console](Cross-Account-Cross-Region.md)

# CloudWatch cross-account observability
<a name="CloudWatch-Unified-Cross-Account"></a>

With Amazon CloudWatch cross-account observability, you can monitor and troubleshoot applications that span multiple accounts within a Region. Seamlessly search, visualize, and analyze your metrics, logs, traces, Application Signals services and service level objectives (SLOs), Application Insights applications, and internet monitors in any of the linked accounts without account boundaries.

Set up one or more AWS accounts as *monitoring accounts* and link them with multiple *source accounts*. A monitoring account is a central AWS account that can view and interact with observability data generated from source accounts. A source account is an individual AWS account that generates observability data for the resources that reside in it. Source accounts share their observability data with the monitoring account. The shared observability data can include the following types of telemetry:
+ Metrics in Amazon CloudWatch. You can choose to share the metrics from all namespaces with the monitoring account, or filter to a subset of namespaces.
+ Log groups in Amazon CloudWatch Logs. You can choose to share all log groups with the monitoring account, or filter to a subset of log groups.
+ Traces in AWS X-Ray
+ Services and Service level objectives (SLOs) in Application Signals
+ Applications in Amazon CloudWatch Application Insights
+ Monitors in CloudWatch Internet Monitor

To create links between monitoring accounts and source accounts, you can use the CloudWatch console. Alternatively, use the *Observability Access Manager* commands in the AWS CLI and API. For more information, see [Observability Access Manager API Reference](https://docs.aws.amazon.com/OAM/latest/APIReference/Welcome.html).

A *sink* is a resource that represents an attachment point in a monitoring account. Source accounts can link to the sink to share observability data. Each account can have one sink per Region. Each sink is managed by the monitoring account where it is located. An *observability link* is a resource that represents the link established between a source account and a monitoring account. Links are managed by the source account.

For a video demonstration of setting up CloudWatch cross-account observability, see the following video.

[AWS Videos](https://www.youtube.com/watch?v=lUaDO9dqISc)


The next topic explains how to set up CloudWatch cross-account observability in both monitoring accounts and source accounts. For information about the cross-account cross-Region CloudWatch dashboard, see [Cross-account cross-Region CloudWatch console](Cross-Account-Cross-Region.md).

**Use Organizations for source accounts**

There are two options for linking source accounts to your monitoring account. You can use one or both options.
+ Use AWS Organizations to link accounts in an organization or organizational unit to the monitoring account. 
+ Connect individual AWS accounts to the monitoring account.

We recommend that you use Organizations so that new AWS accounts created later in the organization are automatically onboarded to cross-account observability as source accounts. 

**Details about linking monitoring accounts and source accounts**
+ Each monitoring account can be linked to as many as 100,000 source accounts.
+ Each source account can share data with as many as five monitoring accounts.
+ You can set up a single account as both a monitoring account and a source account. If you do, this account sends only the observability data from itself to its linked monitoring account. It does not relay the data from its source accounts.
+ A monitoring account specifies which telemetry types can be shared with it. A source account specifies which telemetry types it wants to share.
  + If there are more telemetry types selected in the *monitoring account* than in the source account, the accounts are linked. Only the data types that are selected in both accounts are shared.
  + If there are more telemetry types selected in the *source account* than in the monitoring account, the link creation fails and nothing is shared.
  + A metric name doesn't appear in the monitoring account console until that metric emits new data points after the link is created.
+ To remove a link between accounts, do so from the source account.
+ To delete a sink in a monitoring account, you must first remove all links to that sink.

**Pricing**

Cross-account observability in CloudWatch comes with no extra cost for logs, metrics, and Application Signals, and the first trace copy is free. For more information about pricing, see [Amazon CloudWatch Pricing](http://aws.amazon.com/cloudwatch/pricing).

**Contents**
+ [Link monitoring accounts with source accounts](CloudWatch-Unified-Cross-Account-Setup.md)
  + [Necessary permissions](CloudWatch-Unified-Cross-Account-Setup.md#CloudWatch-Unified-Cross-Account-Setup-permissions)
    + [Permissions needed to create links](CloudWatch-Unified-Cross-Account-Setup.md#Unified-Cross-Account-permissions-setup)
    + [Permissions needed to monitor across accounts](CloudWatch-Unified-Cross-Account-Setup.md#Unified-Cross-Account-permissions-monitor)
  + [Setup overview](CloudWatch-Unified-Cross-Account-Setup.md#CloudWatch-Unified-Cross-Account-Setup-overview)
  + [Step 1: Set up a monitoring account](CloudWatch-Unified-Cross-Account-Setup.md#Unified-Cross-Account-Setup-ConfigureMonitoringAccount)
  + [Step 2: (Optional) Download a CloudFormation template or URL](CloudWatch-Unified-Cross-Account-Setup.md#Unified-Cross-Account-Setup-TemplateOrURL)
  + [Step 3: Link the source accounts](CloudWatch-Unified-Cross-Account-Setup.md#Unified-Cross-Account-Setup-ConfigureSourceAccount)
    + [Use a CloudFormation template to set up all accounts in an organization or an organizational unit as source accounts](CloudWatch-Unified-Cross-Account-Setup.md#Unified-Cross-Account-SetupSource-OrgTemplate)
    + [Use a CloudFormation template to set up individual source accounts](CloudWatch-Unified-Cross-Account-Setup.md#Unified-Cross-Account-SetupSource-SingleTemplate)
    + [Use a URL to set up individual source accounts](CloudWatch-Unified-Cross-Account-Setup.md#Unified-Cross-Account-SetupSource-SingleURL)
+ [Manage monitoring accounts and source accounts](Unified-Cross-Account-Manage.md)
  + [Link more source accounts to an existing monitoring account](Unified-Cross-Account-Manage.md#Unified-Cross-Account-Setup-AddSourceAccounts)
  + [Remove the link between a monitoring account and source account](Unified-Cross-Account-Manage.md#Unified-Cross-Account-Setup-UnlinkAccount)
  + [View information about a monitoring account](Unified-Cross-Account-Manage.md#Unified-Cross-Account-Setup-ManageMonitoringAccount)

# Link monitoring accounts with source accounts
<a name="CloudWatch-Unified-Cross-Account-Setup"></a>

The topics in this section explain how to set up links between monitoring accounts and source accounts.

We recommend that you create a new AWS account to serve as the monitoring account for your organization.

**Contents**
+ [Necessary permissions](#CloudWatch-Unified-Cross-Account-Setup-permissions)
  + [Permissions needed to create links](#Unified-Cross-Account-permissions-setup)
  + [Permissions needed to monitor across accounts](#Unified-Cross-Account-permissions-monitor)
+ [Setup overview](#CloudWatch-Unified-Cross-Account-Setup-overview)
+ [Step 1: Set up a monitoring account](#Unified-Cross-Account-Setup-ConfigureMonitoringAccount)
+ [Step 2: (Optional) Download a CloudFormation template or URL](#Unified-Cross-Account-Setup-TemplateOrURL)
+ [Step 3: Link the source accounts](#Unified-Cross-Account-Setup-ConfigureSourceAccount)
  + [Use a CloudFormation template to set up all accounts in an organization or an organizational unit as source accounts](#Unified-Cross-Account-SetupSource-OrgTemplate)
  + [Use a CloudFormation template to set up individual source accounts](#Unified-Cross-Account-SetupSource-SingleTemplate)
  + [Use a URL to set up individual source accounts](#Unified-Cross-Account-SetupSource-SingleURL)

## Necessary permissions
<a name="CloudWatch-Unified-Cross-Account-Setup-permissions"></a>

### Permissions needed to create links
<a name="Unified-Cross-Account-permissions-setup"></a>

To create links between a monitoring account and a source account, you must be signed in with certain permissions. 
+ **To set up a monitoring account** – You must have either full administrator access in the monitoring account, or you must sign in to that account with the following permissions:

  ```
  {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Sid": "AllowSinkModification",
              "Effect": "Allow",
              "Action": [
                  "oam:CreateSink",
                  "oam:DeleteSink",
                  "oam:PutSinkPolicy",
                  "oam:TagResource"
              ],
              "Resource": "*"
          },
          {
              "Sid": "AllowReadOnly",
              "Effect": "Allow",
              "Action": ["oam:Get*", "oam:List*"],
              "Resource": "*"
          }
      ]
  }
  ```

+ **Source account, scoped to a specific monitoring account** – To create, update, and manage links for just one specified monitoring account, you must sign in to the source account with at least the following permissions. In this example, the monitoring account is `999999999999`.

  If the link isn't going to share all of the resource types (metrics, logs, traces, Application Insights applications, Application Signals services and service level objectives (SLOs), and Internet Monitor monitors), you can omit `cloudwatch:Link`, `logs:Link`, `xray:Link`, `applicationinsights:Link`, `application-signals:Link`, or `internetmonitor:Link` as needed.

  ```
  {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Action": [
                  "oam:CreateLink",
                  "oam:UpdateLink",
                  "oam:DeleteLink",
                  "oam:GetLink",
                  "oam:TagResource"
              ],
              "Effect": "Allow",
              "Resource": "arn:*:oam:*:*:link/*"
          },
          {
              "Action": [
                  "oam:CreateLink",
                  "oam:UpdateLink"
              ],
              "Effect": "Allow",
              "Resource": "arn:*:oam:*:*:sink/*",
              "Condition": {
                  "StringEquals": {
                      "aws:ResourceAccount": [
                          "999999999999"
                      ]
                  }
              }
          },
          {
              "Action": "oam:ListLinks",
              "Effect": "Allow",
              "Resource": "*"
          },
          {
              "Action": "cloudwatch:Link",
              "Effect": "Allow",
              "Resource": "*"
          },
          {
              "Action": "logs:Link",
              "Effect": "Allow",
              "Resource": "*"
          },
          {
              "Action": "xray:Link",
              "Effect": "Allow",
              "Resource": "*"
          },
          {
               "Action": "applicationinsights:Link",
               "Effect": "Allow",
               "Resource": "*"
           },
          {
               "Action": "internetmonitor:Link",
               "Effect": "Allow",
               "Resource": "*"
          },
          {
               "Action": "application-signals:Link",
               "Effect": "Allow",
               "Resource": "*"
          }
      ]
  }
  ```

+ **Source account, with permissions to link to any monitoring account** – To create a link to any existing monitoring account sink and share metrics, log groups, traces, Application Insights applications, Application Signals services and SLOs, and Internet Monitor monitors, you must sign in to the source account with full administrator permissions or sign in there with the following permissions.

  If the link isn't going to share all of the resource types (metrics, logs, traces, Application Insights applications, Application Signals services and service level objectives (SLOs), and Internet Monitor monitors), you can omit `cloudwatch:Link`, `logs:Link`, `xray:Link`, `applicationinsights:Link`, `application-signals:Link`, or `internetmonitor:Link` as needed.

  ```
  {
      "Version": "2012-10-17",
      "Statement": [{
              "Effect": "Allow",
              "Action": [
                  "oam:CreateLink",
                  "oam:UpdateLink"
              ],
              "Resource": [
                  "arn:aws:oam:*:*:link/*",
                  "arn:aws:oam:*:*:sink/*"
              ]
          },
          {
              "Effect": "Allow",
              "Action": [
                  "oam:List*",
                  "oam:Get*"
              ],
              "Resource": "*"
          },
          {
              "Effect": "Allow",
              "Action": [
                  "oam:DeleteLink",
                  "oam:GetLink",
                  "oam:TagResource"
              ],
              "Resource": "arn:aws:oam:*:*:link/*"
          },
          {
              "Action": "cloudwatch:Link",
              "Effect": "Allow",
              "Resource": "*"
          },
          {
              "Action": "xray:Link",
              "Effect": "Allow",
              "Resource": "*"
          },
          {
              "Action": "logs:Link",
              "Effect": "Allow",
              "Resource": "*"
          },
          {
               "Action": "applicationinsights:Link",
               "Effect": "Allow",
               "Resource": "*"
          },
          {
               "Action": "internetmonitor:Link",
               "Effect": "Allow",
               "Resource": "*"
          },
          {
               "Action": "application-signals:Link",
               "Effect": "Allow",
               "Resource": "*"
          }
      ]
  }
  ```


### Permissions needed to monitor across accounts
<a name="Unified-Cross-Account-permissions-monitor"></a>

After a link has been created, to view source account information from a monitoring account, you must be signed in to an account with one of the following:
+ Full administrator access in the monitoring account
+ The following cross-account permissions, in addition to permissions to view the specific types of resources that you will be monitoring

  ```
  {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Sid": "AllowReadOnly",
              "Effect": "Allow",
              "Action": [
                  "oam:Get*",
                  "oam:List*"
              ],
              "Resource": "*"
          }
      ]
  }
  ```

## Setup overview
<a name="CloudWatch-Unified-Cross-Account-Setup-overview"></a>

The following high-level steps show you how to set up CloudWatch cross-account observability.

**Note**  
We recommend creating a new AWS account to use as your organization's monitoring account.

1. Set up a dedicated monitoring account.

1. (Optional) Download a CloudFormation template or copy a URL to link source accounts.

1. Link source accounts to the monitoring account.

After completing these steps, you can use the monitoring account to view the observability data of the source accounts.

## Step 1: Set up a monitoring account
<a name="Unified-Cross-Account-Setup-ConfigureMonitoringAccount"></a>

Follow the steps in this section to set up an AWS account as a monitoring account for CloudWatch cross-account observability.

**Prerequisites**
+ **If you're setting up accounts in an AWS Organizations organization as the source accounts** – Get the organization path or organization ID.
+ **If you're not using Organizations for the source accounts** – Get the account IDs of the source accounts.

To set up an account as a monitoring account, you must have certain permissions. For more information, see [Necessary permissions](#CloudWatch-Unified-Cross-Account-Setup-permissions).

**To set up a monitoring account**

1. Sign in to the account that you want to use as a monitoring account.

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. In the left navigation pane, choose **Settings**.

1. By **Monitoring account configuration**, choose **Configure**.

1. For **Select data**, choose whether this monitoring account will be able to view **Logs**, **Metrics**, **Traces**, **Application Insights - Applications**, **Internet Monitor - Monitors**, and **Application Signals - Services, Service Level Objectives (SLOs)** data from the source accounts it is linked to.

1. For **List source accounts**, enter the source accounts that this monitoring account will view. To identify the source accounts, enter individual account IDs, organization paths, or organization IDs. If you enter an organization path or organization ID, this monitoring account is allowed to view observability data from all linked accounts in that organization.

   Separate the entries in this list with commas.
**Important**  
When you enter an organization path, follow the exact format. The ou-id must end with a `/` (a slash character). For example: `o-a1b2c3d4e5/r-f6g7h8i9j0example/ou-def0-awsbbbb/`

1. For **Define a label to use to identify your source account**, you can define a label that is used to create a CloudFormation template. The label is then applied to source accounts when that template is used to link the source accounts to this monitoring account.

   You can specify whether to use account names or email addresses in this label, and also use variables such as `$AccountName`, `$AcccountEmail`, and `$AcccountEmailNoDomain`.
**Note**  
In the AWS GovCloud (US-East) and AWS GovCloud (US-West) Regions, the only supported option is to use custom labels, and the `$AccountName`, `$AcccountEmail`, and `$AcccountEmailNoDomain` variables all resolve as *account-id* instead of the specified variable.

1. Choose **Configure**.

**Important**  
The link between the monitoring and source accounts is not complete until you configure the source accounts. For more information, see the following sections.
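The choices you make in this step are written into the monitoring account as an OAM sink policy, and that policy is what decides, later, whether a given source account's link request succeeds. The following Python is an example added to this page (not AWS code): it models the sink policy that the **Select data** and **List source accounts** choices produce and applies the link-acceptance rule from **Details about linking monitoring accounts and source accounts**. The `oam:ResourceTypes` identifiers, the condition-key layout, and the regexes for the accepted input formats are assumptions and are marked as such in the code; the evaluator is a local model rather than a call to the service.

```python
"""Model of what Step 1 records in the monitoring account: the OAM sink policy
built from the "Select data" and "List source accounts" choices, plus the rule
under which a source account's link request is accepted. Example code added to
this page, not AWS code; it never calls the OAM API. Assumptions (labelled):
the policy shape follows the documented sink-policy format and the evaluator
is a local model of IAM's ForAllValues / ForAnyValue condition semantics."""
import re
from fnmatch import fnmatchcase

# "Select data" choice -> oam:ResourceTypes identifier. Assumption: these are
# the identifiers the OAM API uses; verify against the OAM API reference.
RESOURCE_TYPES = {
    "Logs": "AWS::Logs::LogGroup",
    "Metrics": "AWS::CloudWatch::Metric",
    "Traces": "AWS::XRay::Trace",
    "Application Insights - Applications": "AWS::ApplicationInsights::Application",
    "Internet Monitor - Monitors": "AWS::InternetMonitor::Monitor",
    "Application Signals - Services": "AWS::ApplicationSignals::Service",
    "Application Signals - SLOs": "AWS::ApplicationSignals::ServiceLevelObjective",
}
# Shapes accepted in "List source accounts" (regexes are an assumption). An
# organization path must end with "/", as the Important note above requires.
ACCOUNT_ID = re.compile(r"^\d{12}$")
ORG_ID = re.compile(r"^o-[a-z0-9]{10,32}$")
ORG_PATH = re.compile(r"^o-[a-z0-9]{10,32}/r-[a-z0-9]{4,32}/(ou-[a-z0-9]+-[a-z0-9]+/)*$")
LINK_ACTIONS = ["oam:CreateLink", "oam:UpdateLink"]


def classify_entry(entry):
    """'account', 'org-id' or 'org-path' for a source-list entry; None if it is
    malformed (for example an organization path without its final '/')."""
    entry = entry.strip()
    if ACCOUNT_ID.match(entry):
        return "account"
    if ORG_ID.match(entry):
        return "org-id"
    if ORG_PATH.match(entry):
        return "org-path"
    return None


def build_sink_policy(selected_data, source_entries):
    """Sink policy (dict) for the Step 1 choices: one Allow statement per kind
    of principal, every statement limited to the selected resource types."""
    types = [RESOURCE_TYPES[d] for d in selected_data]
    type_cond = {"ForAllValues:StringEquals": {"oam:ResourceTypes": types}}
    accounts, org_ids, org_paths = [], [], []
    for entry in (e.strip() for e in source_entries):
        kind = classify_entry(entry)
        if kind == "account":
            accounts.append(entry)
        elif kind == "org-id":
            org_ids.append(entry)
        elif kind == "org-path":
            org_paths.append(entry + "*")   # StringLike: the OU and everything below it
        else:
            raise ValueError(f"not an account ID, org ID or org path ending in '/': {entry!r}")

    def allow(principal, extra_cond):
        return {"Effect": "Allow", "Principal": principal, "Action": LINK_ACTIONS,
                "Resource": "*", "Condition": {**type_cond, **extra_cond}}

    statements = []
    if accounts:
        statements.append(allow({"AWS": accounts}, {}))
    if org_ids:
        statements.append(allow("*", {"ForAnyValue:StringEquals": {"aws:PrincipalOrgID": org_ids}}))
    if org_paths:
        statements.append(allow("*", {"ForAnyValue:StringLike": {"aws:PrincipalOrgPaths": org_paths}}))
    if not statements:
        raise ValueError("at least one source account, org ID or org path is required")
    return {"Version": "2012-10-17", "Statement": statements}


def link_is_allowed(policy, source_account, source_org_path, requested_types):
    """Local model of the check the sink applies to CreateLink / UpdateLink. A
    statement matches only if the caller is one of its principals AND every
    requested type is in its oam:ResourceTypes list (ForAllValues). That is the
    rule from "Details about linking": a source account may share fewer types
    than the sink allows, but asking for more fails the whole link."""
    requested = set(requested_types)
    for st in policy["Statement"]:
        cond = st["Condition"]
        if not requested <= set(cond["ForAllValues:StringEquals"]["oam:ResourceTypes"]):
            continue
        if st["Principal"] != "*":
            if source_account in st["Principal"]["AWS"]:
                return True
            continue
        org_ids = cond.get("ForAnyValue:StringEquals", {}).get("aws:PrincipalOrgID", [])
        if source_org_path.split("/")[0] in org_ids:
            return True
        paths = cond.get("ForAnyValue:StringLike", {}).get("aws:PrincipalOrgPaths", [])
        if any(fnmatchcase(source_org_path, p) for p in paths):
            return True
    return False
```

`build_sink_policy(["Logs", "Metrics", "Traces"], ["111111111111", "o-a1b2c3d4e5/r-f6g7h8i9j0example/ou-def0-awsbbbb/"])` returns the document you would pass to the PutSinkPolicy API. Checking `link_is_allowed` against that document before a source account applies the template catches the two common failures up front: an organization path entered without its trailing slash (rejected by `classify_entry`) and a source account requesting a telemetry type the sink does not permit (the link creation fails rather than partially sharing).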

## Step 2: (Optional) Download a CloudFormation template or URL
<a name="Unified-Cross-Account-Setup-TemplateOrURL"></a>

To link source accounts to a monitoring account, we recommend using an AWS CloudFormation template or a URL. 
+ **If you are linking an entire organization** – CloudWatch provides a CloudFormation template.
+ **If you are linking individual accounts** – Use either a CloudFormation template or a URL that CloudWatch provides.

To use a CloudFormation template, you must download it during these steps. After you link the monitoring account with at least one source account, the CloudFormation template is no longer available to download.

**To download a CloudFormation template or copy a URL for linking source accounts to the monitoring account**

1. Sign in to the account that you want to use as a monitoring account.

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. In the left navigation pane, choose **Settings**.

1. By **Monitoring account configuration**, choose **Resources to link accounts**.

1. Do one of the following:
   + Choose **AWS organization** to get a template to use to link accounts in an organization to this monitoring account.
   + Choose **Any account** to get a template or URL for setting up individual accounts as source accounts.

1. Do one of the following:
   + If you chose **AWS organization**, choose **Download CloudFormation template**. 
   + If you chose **Any account**, choose either **Download CloudFormation template** or **Copy URL**.

1. (Optional) Repeat steps 5-6 to download both the CloudFormation template and the URL.

## Step 3: Link the source accounts
<a name="Unified-Cross-Account-Setup-ConfigureSourceAccount"></a>

Use the steps in these sections to link source accounts to a monitoring account.

To link monitoring accounts with source accounts, you must have certain permissions. For more information, see [Necessary permissions](#CloudWatch-Unified-Cross-Account-Setup-permissions).

### Use a CloudFormation template to set up all accounts in an organization or an organizational unit as source accounts
<a name="Unified-Cross-Account-SetupSource-OrgTemplate"></a>

These steps assume that you already downloaded the necessary CloudFormation template by performing the steps in [Step 2: (Optional) Download a CloudFormation template or URL](#Unified-Cross-Account-Setup-TemplateOrURL).

**To use a CloudFormation template to link accounts in an organization or organizational unit to the monitoring account**

1. Sign in to the organization's management account.

1. Open the CloudFormation console at [https://console.aws.amazon.com/cloudformation](https://console.aws.amazon.com/cloudformation/).

1. In the left navigation bar, choose **StackSets**.

1. Check that you are signed in to the Region that you want, then choose **Create StackSet**.

1. Choose **Next**.

1. Choose **Template is ready** and choose **Upload a template file**.

1. Choose **Choose file**, choose the template that you downloaded from the monitoring account, and choose **Open**.

1. Choose **Next**.

1. For **Specify StackSet details**, enter a name for the StackSet and choose **Next**.

1. For **Add stacks to stack set**, choose **Deploy new stacks**. 

1. For **Deployment targets**, choose whether to deploy to the entire organization or to specified organizational units.

1. For **Specify regions**, choose which Regions to deploy CloudWatch cross-account observability to.

1. Choose **Next**.

1. On the **Review** page, confirm your selected options and choose **Submit**.

1. In the **Stack instances** tab, refresh the screen until you see that your stack instances have the status **CREATE_COMPLETE**.

### Use a CloudFormation template to set up individual source accounts
<a name="Unified-Cross-Account-SetupSource-SingleTemplate"></a>

These steps assume that you already downloaded the necessary CloudFormation template by performing the steps in [Step 2: (Optional) Download a CloudFormation template or URL](#Unified-Cross-Account-Setup-TemplateOrURL).

**To use a CloudFormation template to set up individual source accounts for CloudWatch cross-account observability**

1. Sign in to the source account.

1. Open the CloudFormation console at [https://console.aws.amazon.com/cloudformation](https://console.aws.amazon.com/cloudformation/).

1. In the left navigation bar, choose **Stacks**.

1. Check that you are signed in to the Region that you want, then choose **Create stack**, **With new resources (standard)**.

1. Choose **Next**.

1. Choose **Upload a template file**.

1. Choose **Choose file**, choose the template that you downloaded from the monitoring account, and choose **Open**.

1. Choose **Next**.

1. For **Specify stack details**, enter a name for the stack and choose **Next**.

1. On the **Configure stack options** page, choose **Next**.

1. On the **Review** page, choose **Submit**.

1. On the status page for your stack, refresh the screen until you see that your stack has the status **CREATE_COMPLETE**.

1. To use this same template to link more source accounts to this monitoring account, sign out of this account and sign in to the next source account. Then repeat steps 2-12.

### Use a URL to set up individual source accounts
<a name="Unified-Cross-Account-SetupSource-SingleURL"></a>

These steps assume that you already copied the necessary URL by performing the steps in [Step 2: (Optional) Download a CloudFormation template or URL](#Unified-Cross-Account-Setup-TemplateOrURL).

**To use a URL to link individual source accounts to the monitoring account**

1. Sign in to the account that you want to use as a source account.

1. Enter the URL that you copied from the monitoring account.

   You see the CloudWatch settings page, with some information filled in.

1. For **Select data**, choose whether this source account will share **Logs**, **Metrics**, **Traces**, **Application Insights - Applications**, and **Internet Monitor - Monitors** data to this monitoring account.

   For both **Logs** and **Metrics**, you can choose whether to share all resources or a subset with the monitoring account.

   1. (Optional) To share a subset of this account's log groups with the monitoring account, select **Logs** and choose **Filter Logs**. Then use the **Filter Logs** box to construct a query that selects the log groups that you want to share. The query uses the term `LogGroupName` and one or more of the following operators.
      + `=` and `!=`
      + `AND`
      + `OR`
      + `^` indicates LIKE and `!^` indicates NOT LIKE. These can be used only as prefix searches. Include a `%` at the end of the prefix string that you want to match.
      + `IN` and `NOT IN`, using parentheses (`( )`)

      The complete query must be no more than 2000 characters and is limited to five conditional operators. Conditional operators are `AND` and `OR`. There isn't a limit on the number of other operators.
**Tip**  
Choose **View sample queries** to see the correct syntax for common query formats.

   1. (Optional) To share a subset of this account's metric namespaces with the monitoring account, select **Metrics** and choose **Filter Metrics**. Then use the **Filter Metrics** box to construct a query that selects the metric namespaces that you want to share. Use the term `Namespace` and one or more of the following operators.
      + `=` and `!=`
      + `AND`
      + `OR`
      + `LIKE` and `NOT LIKE`. These can be used only as prefix searches. Include a `%` at the end of the prefix string that you want to match.
      + `IN` and `NOT IN`, using parentheses (`( )`)

      The complete query must be no more than 2000 characters and is limited to five conditional operators. Conditional operators are `AND` and `OR`. There isn't a limit on the number of other operators.
**Tip**  
Choose **View sample queries** to see the correct syntax for common query formats.

1. Do not change the ARN in **Enter monitoring account configuration ARN**.

1. The **Define a label to identify your source account** section is pre-filled with the label choice from the monitoring account, if there is one. Optionally, choose **Edit** to change it.
**Note**  
In the AWS GovCloud (US-East) and AWS GovCloud (US-West) Regions, the only supported option is to use custom labels, and the `$AccountName`, `$AccountEmail`, and `$AccountEmailNoDomain` variables all resolve as *account-id* instead of the specified variable.

1. Choose **Link**.

1. Enter **Confirm** in the box and choose **Confirm**.

1. To use this same URL to link more source accounts to this monitoring account, sign out of this account and sign in to the next source account. Then repeat steps 2-7.
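
The documented limits on the **Filter Logs** and **Filter Metrics** queries (2000 characters, at most five `AND`/`OR`, prefix searches ending in `%`) can be checked before you submit the form. The following Python is an added example, not AWS's own parser or part of the console: it assumes values are single-quoted and `IN` lists use parentheses, and the queries in the test are constructed for illustration.

```python
import re
from typing import List

MAX_QUERY_LEN = 2000      # documented limit on the whole query
MAX_CONDITIONALS = 5      # documented limit on AND / OR

# Quoted values are matched first, so an AND or OR inside a quoted name
# (for example 'BRAND-api') is never counted as a conditional operator.
# Single-quoted values are an assumption of this example.
_SEP_RE = re.compile(r"'[^']*'|\b(AND|OR)\b", re.IGNORECASE)

# One condition: <field> <op> 'value'   or   <field> [NOT] IN ('v1', 'v2', ...)
_COND_RE = re.compile(
    r"^(?P<field>[A-Za-z]+)\s*(?:"
    r"(?P<op>!=|!\^|=|\^)\s*(?P<val>'[^']*')"                        # =, !=, ^ (LIKE), !^
    r"|(?P<inop>NOT\s+IN|IN)\s*\(\s*'[^']*'(?:\s*,\s*'[^']*')*\s*\)"  # IN / NOT IN list
    r")$",
    re.IGNORECASE,
)


def split_conditions(query: str) -> List[str]:
    """Split on AND/OR that sit outside quoted values; returns the condition texts."""
    parts, last = [], 0
    for m in _SEP_RE.finditer(query):
        if m.group(1) is not None:          # a real AND/OR, not a quoted value
            parts.append(query[last:m.start()])
            last = m.end()
    parts.append(query[last:])
    return [p.strip() for p in parts]


def validate_filter(query: str, field: str) -> List[str]:
    """field is 'LogGroupName' for the Logs filter or 'Namespace' for the Metrics filter.
    Returns the problems found; an empty list means every check passed."""
    problems: List[str] = []
    if len(query) > MAX_QUERY_LEN:
        problems.append(f"query is {len(query)} characters, limit is {MAX_QUERY_LEN}")
    conds = split_conditions(query)
    if len(conds) - 1 > MAX_CONDITIONALS:
        problems.append(f"{len(conds) - 1} AND/OR operators, limit is {MAX_CONDITIONALS}")
    for cond in conds:
        m = _COND_RE.match(cond)
        if not m:
            problems.append(f"malformed condition: {cond!r}")
            continue
        if m.group("field") != field:
            problems.append(f"condition uses {m.group('field')!r}, expected {field!r}")
        # LIKE / NOT LIKE are prefix searches only, so the value must end in %
        if m.group("op") in ("^", "!^") and not m.group("val").endswith("%'"):
            problems.append(f"prefix search needs a trailing %: {cond!r}")
    return problems


if __name__ == "__main__":
    sample = "LogGroupName ^ '/aws/lambda/%' AND LogGroupName != '/aws/lambda/debug'"
    print(validate_filter(sample, "LogGroupName") or "query passes all checks")
```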

# Manage monitoring accounts and source accounts
<a name="Unified-Cross-Account-Manage"></a>

After you set up your monitoring accounts and source accounts, you can use the steps in these sections to manage them.

**Contents**
+ [Link more source accounts to an existing monitoring account](#Unified-Cross-Account-Setup-AddSourceAccounts)
+ [Remove the link between a monitoring account and source account](#Unified-Cross-Account-Setup-UnlinkAccount)
+ [View information about a monitoring account](#Unified-Cross-Account-Setup-ManageMonitoringAccount)

## Link more source accounts to an existing monitoring account
<a name="Unified-Cross-Account-Setup-AddSourceAccounts"></a>

Follow the steps in this section to add links from additional source accounts to an existing monitoring account. 

Each source account can be linked to as many as five monitoring accounts. Each monitoring account can be linked to as many as 100,000 source accounts.

To manage a source account, you must have certain permissions. For more information, see [Necessary permissions](CloudWatch-Unified-Cross-Account-Setup.md#CloudWatch-Unified-Cross-Account-Setup-permissions).

**To add more source accounts to a monitoring account**

1. Sign in to the monitoring account.

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. In the left navigation pane, choose **Settings**.

1. By **Monitoring account configuration**, choose **Manage source accounts**.

1. Choose the **Configuration policy** tab.

1. In the **Configuration policy** box, add the new source account ID in the **Principal** line.

   For example, suppose the **Principal** line is currently the following:

   ```
   "Principal": {"AWS": ["111111111111", "222222222222"]}
   ```

   To add `999999999999` as a third source account, edit the line to the following:

   ```
   "Principal": {"AWS": ["111111111111", "222222222222", "999999999999"]}
   ```

1. Choose **Update**.

1. Choose the **Configuration details** tab.

1. Choose the copy icon that is next to the monitoring account's sink ARN.

1. Sign in to the account that you want to use as a new source account.

1. Paste the monitoring account's sink ARN that you copied in Step 9.

   You see the CloudWatch settings page, with some information filled in.

1. For **Select data**, choose whether this source account will send **Logs**, **Metrics**, **Traces**, **Application Insights - Applications**, **Internet Monitor - Monitors**, and **Application Signals - Services, Service Level Objectives (SLOs)** data to the monitoring accounts it is linked to.

1. Do not change the ARN in **Enter monitoring account configuration ARN**.

1. The **Define a label to identify your source account** section is pre-filled with the label choice from the monitoring account, if there is one. Optionally, choose **Edit** to change it.
**Note**  
In the AWS GovCloud (US-East) and AWS GovCloud (US-West) Regions, the only supported option is to use custom labels, and the `$AccountName`, `$AccountEmail`, and `$AccountEmailNoDomain` variables all resolve as *account-id* instead of the specified variable.

1. Choose **Link**.

1. Enter **Confirm** in the box and choose **Confirm**.

## Remove the link between a monitoring account and source account
<a name="Unified-Cross-Account-Setup-UnlinkAccount"></a>

Follow the steps in this section to stop sending data from one source account to a monitoring account. 

**Note**  
After the source account stops sharing metrics with the monitoring account, the source account's metric data is no longer accessible to the monitoring account. Source metric names can remain visible to the monitoring account for up to 14 days.

You must have the permissions required to manage a source account to complete this task. For more information, see [Necessary permissions](CloudWatch-Unified-Cross-Account-Setup.md#CloudWatch-Unified-Cross-Account-Setup-permissions).

**To remove the link between a source account and a monitoring account**

1. Sign in to the source account.

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. In the left navigation pane, choose **Settings**.

1. By **Source account configuration**, choose **View linked monitoring accounts**.

1. Select the check box next to the monitoring account that you want to stop sharing data with.

1. Choose **Remove monitoring account**, **Confirm**.

1. Sign in to the monitoring account.

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. Choose **Settings**.

1. By **Monitoring account configuration**, choose **Manage monitoring account**.

1. In the **Configuration policy** box, delete the source account ID from the **Principal** line and choose **Update**.
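
The edit to the **Principal** line in step 6 of the procedure for adding source accounts, and the reverse edit in the unlink procedure above, can also be done programmatically before the policy is pasted back into the **Configuration policy** box. The following Python is an added example, not AWS's own code or tooling: it loads a sink policy document, appends or removes a source account ID, and flags a wildcard principal; the sample policy, its `oam:` actions, and the account IDs are constructed for illustration.

```python
import json
from typing import Dict, List

# Constructed sample of a monitoring account's configuration (sink) policy; the
# Principal line has the same shape the console shows. Not the page's own data.
SAMPLE_SINK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ["111111111111", "222222222222"]},
        "Action": ["oam:CreateLink", "oam:UpdateLink"],
        "Resource": "*",
    }],
})


def _link_statements(policy: Dict) -> List[Dict]:
    """Allow statements that carry an AWS principal (the ones that admit source accounts)."""
    return [s for s in policy.get("Statement", [])
            if s.get("Effect") == "Allow" and "AWS" in s.get("Principal", {})]


def _principals(stmt: Dict) -> List[str]:
    """Principal.AWS as a list, whether it was written as a string or a list."""
    aws = stmt["Principal"]["AWS"]
    return [aws] if isinstance(aws, str) else list(aws)


def source_accounts(policy_json: str) -> List[str]:
    """Every account ID the policy currently lets link to this sink, in policy order."""
    ids: List[str] = []
    for stmt in _link_statements(json.loads(policy_json)):
        ids.extend(p for p in _principals(stmt) if p not in ids)
    return ids


def has_wildcard_principal(policy_json: str) -> bool:
    """True if the Principal line contains '*'. That is acceptable only when a
    Condition narrows who can link; otherwise any AWS account could link to the sink."""
    return "*" in source_accounts(policy_json)


def add_source_account(policy_json: str, account_id: str) -> str:
    """Return the policy with account_id appended to the Principal line (idempotent)."""
    if not (len(account_id) == 12 and account_id.isdigit()):
        raise ValueError(f"not a 12-digit account ID: {account_id!r}")
    policy = json.loads(policy_json)
    stmts = _link_statements(policy)
    if not stmts:
        raise ValueError("policy has no Allow statement with an AWS principal")
    ids = _principals(stmts[0])
    if account_id not in ids:
        ids.append(account_id)
    stmts[0]["Principal"]["AWS"] = ids
    return json.dumps(policy, indent=2)


def remove_source_account(policy_json: str, account_id: str) -> str:
    """Return the policy with account_id removed from every Principal line."""
    policy = json.loads(policy_json)
    for stmt in _link_statements(policy):
        remaining = [p for p in _principals(stmt) if p != account_id]
        if not remaining:
            raise ValueError("removing this ID would leave an empty Principal; "
                             "delete the whole statement instead")
        stmt["Principal"]["AWS"] = remaining
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    # Mirrors the page's example: add 999999999999 as a third source account.
    print(add_source_account(SAMPLE_SINK_POLICY, "999999999999"))
```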

## View information about a monitoring account
<a name="Unified-Cross-Account-Setup-ManageMonitoringAccount"></a>

Follow the steps in this section to view the cross-account settings for a monitoring account. 

To manage a monitoring account, you must have certain permissions. For more information, see [Necessary permissions](CloudWatch-Unified-Cross-Account-Setup.md#CloudWatch-Unified-Cross-Account-Setup-permissions).

**To manage a monitoring account**

1. Sign in to the monitoring account.

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. In the left navigation pane, choose **Settings**.

1. By **Monitoring account configuration**, choose **Manage monitoring accounts**.

1. To view the Observability Access Manager policy that enables this account to be a monitoring account, choose the **Configuration policy** tab.

1. To view the source accounts that are linked to this monitoring account, choose the **Linked source accounts** tab.

1. To view the monitoring account sink ARN, and the types of data that this monitoring account can view in linked source accounts, choose the **Linked source accounts** tab.

# Cross-account cross-Region CloudWatch console
<a name="Cross-Account-Cross-Region"></a>

**Note**  
We recommend that you use CloudWatch cross-account observability to get the richest cross-account observability and discovery experience for your metrics, logs, and traces within a Region. For more information, see [CloudWatch cross-account observability](CloudWatch-Unified-Cross-Account.md).

The cross-account, cross-Region CloudWatch console allows you to easily switch between different accounts and Regions by using selectors in the console to view the dashboards, alarms, and metrics in other accounts and Regions. This feature also allows you to create cross-account, cross-Region dashboards which summarize your CloudWatch metrics from multiple AWS accounts and multiple Regions into a single dashboard, making them accessible without having to switch accounts or Regions. 

Many organizations have their AWS resources deployed in multiple accounts, to provide billing and security boundaries. In this case, we recommend that you designate one or more of your accounts as your *monitoring accounts*, and build your cross-account cross-Region dashboards in these accounts. Cross-account cross-Region console functionality is integrated with AWS Organizations, to help you efficiently build your cross-account cross-Region dashboards.

The cross-account, cross-Region CloudWatch console experience does not provide cross-account cross-Region visibility for logs. Additionally, it does not support the creation of alarms on metrics in other accounts or Regions from within a monitoring account.

**Topics**
+ [Enabling cross-account cross-Region functionality in CloudWatch](#enable-cross-account-cross-Region)
+ [(Optional) Integrate with AWS Organizations](#cross-account-and-AWS-organizations)
+ [Troubleshooting your CloudWatch cross-account setup](#troubleshooting-cross-account-cross-Region)
+ [Monitoring account permissions for cross-account access](#cross-account-cross-region-limitations)
+ [Disabling and cleaning up after using cross-account](#cleanup-cross-account-cross-Region)

## Enabling cross-account cross-Region functionality in CloudWatch
<a name="enable-cross-account-cross-Region"></a>

To set up cross-account cross-Region functionality in your CloudWatch console, use the CloudWatch console to set up your sharing accounts and monitoring accounts.

**Set up a sharing account**

You must enable sharing in each account that will make data available to the monitoring account. 

This grants the read-only permissions that you choose in step 5 to all users who view a cross-account dashboard in the account that you share with, provided that the user has the corresponding permissions in that account.

**To enable your account to share CloudWatch data with other accounts**

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. In the navigation pane, choose **Settings**.

1. For **Share your CloudWatch data**, choose **Configure**.

1. For **Sharing**, choose **Specific accounts** and enter the IDs of the accounts that you want to share data with.

   Any accounts that you specify here can view your account's CloudWatch data. Specify the IDs only of accounts that you know and trust.

1. For **Permissions**, specify how to share your data with one of the following options:
   + **Provide read-only access to your CloudWatch metrics, dashboards, and alarms**. This option enables the monitoring accounts to create cross-account dashboards that include widgets that contain CloudWatch data from your account.
   + **Include CloudWatch automatic dashboards**. If you select this option, users in the monitoring account can also view the information in this account's automatic dashboards. For more information, see [Getting started with CloudWatch automatic dashboards](GettingStarted.md).
   + **Include X-Ray read-only access for the X-Ray Trace Map**. If you select this option, users in the monitoring account can also view the X-Ray trace map and X-Ray trace information in this account. For more information, see [Using the X-Ray Trace Map](https://docs.aws.amazon.com/xray/latest/devguide/xray-console-servicemap.html).
   + **Include read-only access for Database Insights**. If you select this option, users in the monitoring account can also view Database Insights telemetry in this account. For more information, see [Set up cross-account cross-region monitoring for CloudWatch Database Insights](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Database-Insights-Cross-Account-Cross-Region.html).
   + **Full read-only access to everything in your account**. This option enables the accounts that you use for sharing to create cross-account dashboards that include widgets that contain CloudWatch data from your account. It also enables those accounts to look deeper into your account and view your account's data in the consoles of other AWS services.

1. Choose **Launch CloudFormation template**.

   In the confirmation screen, type **Confirm**, and choose **Launch template**.

1. Select the **I acknowledge...** check box, and choose **Create stack**.

**Sharing with an entire organization**

Completing the preceding procedure creates an IAM role which enables your account to share data with one account. You can create or edit an IAM role that shares your data with all accounts in an organization. Do this only if you know and trust all accounts in the organization.

This will grant the read-only permissions listed in the policies shown in step 5 of the previous procedure to all users that view a cross-account dashboard in the account that you share with, if the user has corresponding permissions in the account that you share with.

**To share your CloudWatch account data with all accounts in an organization**

1. If you haven't already, complete the preceding procedure to share your data with one AWS account.

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, choose **Roles**.

1. In the list of roles, choose **CloudWatch-CrossAccountSharingRole**.

1. Choose **Trust relationships**, **Edit trust relationship**.

   You see a policy like this:

   ```
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Principal": {
           "AWS": "arn:aws:iam::123456789012:root"
         },
         "Action": "sts:AssumeRole"
       }
     ]
   }
   ```

1. Change the policy to the following, replacing *org-id* with the ID of your organization.

   ```
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Principal": {
           "AWS": "*"
         },
         "Action": "sts:AssumeRole",
         "Condition": {
           "StringEquals": {
             "aws:PrincipalOrgID": "org-id"
           }
         }
       }
     ]
   }
   ```

1. Choose **Update Trust Policy**.

**Set up a monitoring account**

Enable each monitoring account if you want to view cross-account CloudWatch data. 

When you complete the following procedure, CloudWatch creates a service-linked role that CloudWatch uses in the monitoring account to access data shared from your other accounts. This service-linked role is called **AWSServiceRoleForCloudWatchCrossAccount**. For more information, see [Using service-linked roles for CloudWatch](using-service-linked-roles.md).

**To enable your account to view cross-account CloudWatch data**

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. In the navigation pane, choose **Settings**, and then, in the **Cross-account cross-region** section, choose **Configure**.

1. Under the **View cross-account cross-region** section, choose **Enable**, and then select the **Show selector in the console** checkbox to enable an account selector to appear in the CloudWatch console when you're graphing a metric or creating an alarm.

1. Under **View cross-account cross-region**, choose one of the following options:
   + **Account Id Input**. This option prompts you to manually input an account ID each time that you want to switch accounts when you view cross-account data.
   + **AWS Organization account selector**. This option causes the accounts that you specified when you completed your cross-account integration with Organizations to appear. When you next use the console, CloudWatch displays a dropdown list of these accounts for you to select from when you are viewing cross-account data.

     To do this, you must have first used your organization management account to allow CloudWatch to see a list of accounts in your organization. For more information, see [(Optional) Integrate with AWS Organizations](#cross-account-and-AWS-organizations).
   + **Custom account selector**. This option prompts you to enter a list of account IDs. When you next use the console, CloudWatch displays a dropdown list of these accounts for you to select from when you are viewing cross-account data.

     You can also enter a label for each of these accounts to help you identify them when choosing accounts to view.

     The account selector settings that a user makes here are retained only for that user, not for all other users in the monitoring account. 

1. Choose **Enable**.

After you complete this setup, you can create cross-account dashboards. For more information, see [Creating a customized CloudWatch dashboard](create_dashboard.md).

**Cross-Region functionality** 

Cross-Region functionality is built into this feature automatically. You do not need to take any extra steps to be able to display metrics from different Regions in a single account on the same graph or the same dashboard. Cross-Region functionality is not supported for alarms, so you can't create an alarm in one Region that watches a metric in a different Region.

## (Optional) Integrate with AWS Organizations
<a name="cross-account-and-AWS-organizations"></a>

If you want to integrate cross-account functionality with AWS Organizations, you must make a list of all accounts in the organization available to the monitoring accounts.

**To enable cross-account CloudWatch functionality to access a list of all accounts in your organization**

1. Sign in to your organization's management account.

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. In the navigation pane, choose **Settings**, then choose **Configure**.

1. For **Grant permission to view the list of accounts in the organization**, choose **Specific accounts** to be prompted to enter a list of account IDs. The list of accounts in your organization is shared with only the accounts that you specify here.

1. Choose **Share organization account list**.

1. Choose **Launch CloudFormation template**.

   In the confirmation screen, type **Confirm**, and choose **Launch template**.

## Troubleshooting your CloudWatch cross-account setup
<a name="troubleshooting-cross-account-cross-Region"></a>

This section contains troubleshooting tips for the cross-account console deployment in CloudWatch.

**I am getting access denied errors displaying cross-account data**  
Check the following:  
+ Your monitoring account should have a role named **AWSServiceRoleForCloudWatchCrossAccount**. If it does not, you need to create this role. For more information, see [Set Up a Monitoring Account](#setup_monitoring_account).
+ Each sharing account should have a role named **CloudWatch-CrossAccountSharingRole**. If it does not, you need to create this role. For more information, see [Set Up A Sharing Account](#setup_sharing_account).
+ The sharing role must trust the monitoring account.

**To confirm that your roles are set up properly for the CloudWatch cross-account console**

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, choose **Roles**.

1. In the list of roles, make sure the needed role exists. In a sharing account, look for **CloudWatch-CrossAccountSharingRole**. In a monitoring account, look for **AWSServiceRoleForCloudWatchCrossAccount**.

1. If you are in a sharing account and **CloudWatch-CrossAccountSharingRole** already exists, choose **CloudWatch-CrossAccountSharingRole**.

1. Choose **Trust relationships**, **Edit trust relationship**.

1. Confirm that the policy lists either the account ID of the monitoring account, or the organization ID of an organization that contains the monitoring account.
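
The check in the last step (the trust policy names either the monitoring account or the organization that contains it), together with the organization-wide trust policy shown earlier, is easy to automate for every sharing account. The following Python is an added example, not AWS's own code or tooling: it reports a `*` principal that has no `aws:PrincipalOrgID` condition, an `org-id` placeholder that was never replaced, and any account or organization the role trusts beyond the one you expect. The account and organization IDs in the samples are constructed placeholders.

```python
import json
import re
from typing import List, Optional

# Shape of an AWS Organizations ID: "o-" followed by 10 to 32 lowercase letters or digits.
ORG_ID_RE = re.compile(r"^o-[a-z0-9]{10,32}$")


def _trust_policy(principal: str, condition: Optional[dict] = None) -> str:
    """Build a one-statement sts:AssumeRole trust policy (constructed sample data)."""
    stmt = {"Effect": "Allow", "Principal": {"AWS": principal}, "Action": "sts:AssumeRole"}
    if condition:
        stmt["Condition"] = condition
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})


# Constructed samples, not the page's own data.
ACCOUNT_SCOPED = _trust_policy("arn:aws:iam::123456789012:root")
ORG_SCOPED = _trust_policy("*", {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}})
OPEN_TRUST = _trust_policy("*")                                   # wildcard, no condition
PLACEHOLDER_LEFT = _trust_policy("*", {"StringEquals": {"aws:PrincipalOrgID": "org-id"}})


def _as_list(value) -> list:
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _account_of(principal: str) -> str:
    """'arn:aws:iam::123456789012:root' -> '123456789012'; bare account IDs pass through."""
    return principal.split(":")[4] if principal.startswith("arn:") else principal


def check_sharing_role_trust(policy_json: str, monitoring_account_id: str,
                             org_id: Optional[str] = None) -> List[str]:
    """Findings for a CloudWatch-CrossAccountSharingRole trust policy. An empty list
    means the role trusts exactly the monitoring account, or exactly the given org."""
    findings: List[str] = []
    trusted = False
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        org_ids = _as_list(stmt.get("Condition", {}).get("StringEquals", {})
                           .get("aws:PrincipalOrgID"))
        for p in aws_principals:
            if p != "*":
                acct = _account_of(p)
                if acct == monitoring_account_id:
                    trusted = True
                else:
                    findings.append(f"trusts unexpected account {acct}")
                continue
            if not org_ids:
                findings.append('Principal "*" without an aws:PrincipalOrgID condition: '
                                "any AWS account could assume this role")
                continue
            for oid in org_ids:
                if not ORG_ID_RE.match(oid):
                    findings.append(f"aws:PrincipalOrgID {oid!r} is not a valid organization ID "
                                    "(was the org-id placeholder replaced?)")
                elif oid == org_id:
                    trusted = True
                else:
                    findings.append(f"trusts unexpected organization {oid}")
    if not trusted:
        findings.append(f"monitoring account {monitoring_account_id} is not trusted")
    return findings


if __name__ == "__main__":
    for name, doc in [("account", ACCOUNT_SCOPED), ("org", ORG_SCOPED), ("open", OPEN_TRUST)]:
        print(name, check_sharing_role_trust(doc, "123456789012", org_id="o-exampleorgid"))
```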

**I don't see an account dropdown in the console**  
First, check that you have created the correct IAM roles, as discussed in the preceding troubleshooting section. If those are set up correctly, make sure that you have enabled this account to view cross-account data, as described in [Enable Your Account to View Cross-Account Data](#view_cross_account).

## Monitoring account permissions for cross-account access
<a name="cross-account-cross-region-limitations"></a>

To access an action in source accounts successfully, the user in the monitoring account must have the equivalent permission for all resources (\*) for that action in the monitoring account. This is a local permission requirement in the monitoring account and is unrelated to permissions in the cross-account sharing role in source accounts.

### Example
<a name="policy-configuration-examples"></a>

To start a Logs query in a source account, you must have wildcard (\*) access to StartQuery in the monitoring account. The source account's cross-account role can still restrict access to specific log groups.

**Supported - wildcard resource:**

```
{
  "Effect": "Allow",
  "Action": "logs:StartQuery",
  "Resource": "*"
}
```

**Not supported - specific ARN:**

```
{
  "Effect": "Allow",
  "Action": "logs:StartQuery",
  "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/my-function:*"
}
```

## Disabling and cleaning up after using cross-account
<a name="cleanup-cross-account-cross-Region"></a>

To disable cross-account functionality for CloudWatch, follow these steps.

**Step 1: Remove the cross-account stacks or roles**

The best method is to remove the CloudFormation stacks that were used to enable cross-account functionality.
+ In each of the sharing accounts, remove the **CloudWatch-CrossAccountSharingRole** stack.
+ If you used AWS Organizations to enable cross-account functionality with all accounts in an organization, remove the **CloudWatch-CrossAccountListAccountsRole** stack in the organization's management account.

If you didn't use the CloudFormation stacks to enable cross-account functionality, do the following:
+ In each of the sharing accounts, delete the **CloudWatch-CrossAccountSharingRole** IAM role.
+ If you used AWS Organizations to enable cross-account functionality with all accounts in an organization, delete the **CloudWatch-CrossAccountSharing-ListAccountsRole** IAM role in the organization's management account.

**Step 2: Remove the service-linked role**

In the monitoring account, delete the **AWSServiceRoleForCloudWatchCrossAccount** service-linked IAM role.