# CloudWatch cross-account observability
With Amazon CloudWatch cross-account observability, you can monitor and troubleshoot applications that span multiple accounts within a Region. Seamlessly search, visualize, and analyze your metrics, logs, traces, Application Signals services and service level objectives (SLOs), Application Insights applications, and internet monitors in any of the linked accounts without account boundaries.
Set up one or more AWS accounts as *monitoring accounts* and link them with multiple *source accounts*. A monitoring account is a central AWS account that can view and interact with observability data generated from source accounts. A source account is an individual AWS account that generates observability data for the resources that reside in it. Source accounts share their observability data with the monitoring account. The shared observability data can include the following types of telemetry:
+ Metrics in Amazon CloudWatch. You can choose to share the metrics from all namespaces with the monitoring account, or filter to a subset of namespaces.
+ Log groups in Amazon CloudWatch Logs. You can choose to share all log groups with the monitoring account, or filter to a subset of log groups.
+ Traces in AWS X-Ray
+ Services and Service level objectives (SLOs) in Application Signals
+ Applications in Amazon CloudWatch Application Insights
+ Monitors in CloudWatch Internet Monitor
To create links between monitoring accounts and source accounts, you can use the CloudWatch console. Alternatively, use the *Observability Access Manager* commands in the AWS CLI and API. For more information, see [Observability Access Manager API Reference](https://docs.aws.amazon.com/OAM/latest/APIReference/Welcome.html).
A *sink* is a resource that represents an attachment point in a monitoring account. Source accounts can link to the sink to share observability data. Each account can have one sink per Region. Each sink is managed by the monitoring account where it is located. An *observability link* is a resource that represents the link established between a source account and a monitoring account. Links are managed by the source account.
For a video demonstration of setting up CloudWatch cross-account observability, see the following video.
[](http://www.youtube.com/watch?v=https://www.youtube.com/embed/lUaDO9dqISc)
The next topic explains how to set up CloudWatch cross-account observability in both monitoring accounts and source accounts. For information about the cross-account cross-Region CloudWatch dashboard, see [Cross-account cross-Region CloudWatch console](Cross-Account-Cross-Region.md).
**Use Organizations for source accounts**
There are two options for linking source accounts to your monitoring account. You can use one or both options.
+ Use AWS Organizations to link accounts in an organization or organizational unit to the monitoring account.
+ Connect individual AWS accounts to the monitoring account.
We recommend that you use Organizations so that new AWS accounts created later in the organization are automatically onboarded to cross-account observability as source accounts.
**Details about linking monitoring accounts and source accounts**
+ Each monitoring account can be linked to as many as 100,000 source accounts.
+ Each source account can share data with as many as five monitoring accounts.
+ You can set up a single account as both a monitoring account and a source account. If you do, this account sends only the observability data from itself to its linked monitoring account. It does not relay the data from its source accounts.
+ A monitoring account specifies which telemetry types can be shared with it. A source account specifies which telemetry types it wants to share.
+ If there are more telemetry types selected in the *monitoring account* than in the source account, the accounts are linked. Only the data types that are selected in both accounts are shared.
+ If there are more telemetry types selected in the *source account* than in the monitoring account, the link creation fails and nothing is shared.
+ A metric name doesn't appear in the monitoring account console until that metric emits new data points after the link is created.
+ To remove a link between accounts, do so from the source account.
+ To delete a sink in a monitoring account, you must first remove all links to that sink the monitoring account.
**Pricing**
Cross-account observability in CloudWatch comes with no extra cost for logs and metrics, Application Signals, and the first trace copy is free. For more information about pricing, see [Amazon CloudWatch Pricing](http://aws.amazon.com/cloudwatch/pricing).
**Contents**
+ [Link monitoring accounts with source accounts](CloudWatch-Unified-Cross-Account-Setup.md)
+ [Necessary permissions](CloudWatch-Unified-Cross-Account-Setup.md#CloudWatch-Unified-Cross-Account-Setup-permissions)
+ [Permissions needed to create links](CloudWatch-Unified-Cross-Account-Setup.md#Unified-Cross-Account-permissions-setup)
+ [Permissions needed to monitor across accounts](CloudWatch-Unified-Cross-Account-Setup.md#Unified-Cross-Account-permissions-monitor)
+ [Setup overview](CloudWatch-Unified-Cross-Account-Setup.md#CloudWatch-Unified-Cross-Account-Setup-overview)
+ [Step 1: Set up a monitoring account](CloudWatch-Unified-Cross-Account-Setup.md#Unified-Cross-Account-Setup-ConfigureMonitoringAccount)
+ [Step 2: (Optional) Download an CloudFormation template or URL](CloudWatch-Unified-Cross-Account-Setup.md#Unified-Cross-Account-Setup-TemplateOrURL)
+ [Step 3: Link the source accounts](CloudWatch-Unified-Cross-Account-Setup.md#Unified-Cross-Account-Setup-ConfigureSourceAccount)
+ [Use an CloudFormation template to set up all accounts in an organization or an organizational unit as source accounts](CloudWatch-Unified-Cross-Account-Setup.md#Unified-Cross-Account-SetupSource-OrgTemplate)
+ [Use an CloudFormation template to set up individual source accounts](CloudWatch-Unified-Cross-Account-Setup.md#Unified-Cross-Account-SetupSource-SingleTemplate)
+ [Use a URL to set up individual source accounts](CloudWatch-Unified-Cross-Account-Setup.md#Unified-Cross-Account-SetupSource-SingleURL)
+ [Manage monitoring accounts and source accounts](Unified-Cross-Account-Manage.md)
+ [Link more source accounts to an existing monitoring account](Unified-Cross-Account-Manage.md#Unified-Cross-Account-Setup-AddSourceAccounts)
+ [Remove the link between a monitoring account and source account](Unified-Cross-Account-Manage.md#Unified-Cross-Account-Setup-UnlinkAccount)
+ [View information about a monitoring account](Unified-Cross-Account-Manage.md#Unified-Cross-Account-Setup-ManageMonitoringAccount)
# Link monitoring accounts with source accounts
The topics in this section explain how to set up links between monitoring accounts and source accounts.
We recommend that you create a new AWS account to serve as the monitoring account for your organization.
**Contents**
+ [Necessary permissions](#CloudWatch-Unified-Cross-Account-Setup-permissions)
+ [Permissions needed to create links](#Unified-Cross-Account-permissions-setup)
+ [Permissions needed to monitor across accounts](#Unified-Cross-Account-permissions-monitor)
+ [Setup overview](#CloudWatch-Unified-Cross-Account-Setup-overview)
+ [Step 1: Set up a monitoring account](#Unified-Cross-Account-Setup-ConfigureMonitoringAccount)
+ [Step 2: (Optional) Download an CloudFormation template or URL](#Unified-Cross-Account-Setup-TemplateOrURL)
+ [Step 3: Link the source accounts](#Unified-Cross-Account-Setup-ConfigureSourceAccount)
+ [Use an CloudFormation template to set up all accounts in an organization or an organizational unit as source accounts](#Unified-Cross-Account-SetupSource-OrgTemplate)
+ [Use an CloudFormation template to set up individual source accounts](#Unified-Cross-Account-SetupSource-SingleTemplate)
+ [Use a URL to set up individual source accounts](#Unified-Cross-Account-SetupSource-SingleURL)
## Necessary permissions
### Permissions needed to create links
To create links between a monitoring account and a source account, you must be signed in with certain permissions.
+ **To set up a monitoring account** – You must have either full administrator access in the monitoring account, or you must sign in to that account with the following permissions:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowSinkModification",
"Effect": "Allow",
"Action": [
"oam:CreateSink",
"oam:DeleteSink",
"oam:PutSinkPolicy",
"oam:TagResource"
],
"Resource": "*"
},
{
"Sid": "AllowReadOnly",
"Effect": "Allow",
"Action": ["oam:Get*", "oam:List*"],
"Resource": "*"
}
]
}
```
------
+ **Source account, scoped to a specific monitoring account** – To create, update, and manage links for just one specified monitoring account, you must sign in to account with at least the following permissions. In this example, the monitoring account is `999999999999`.
If the link isn't going to share all seven resource types (metrics, logs, traces, Application Insights applications, Application Signals services and service level objectives (SLOs), and Internet Monitor monitors), you can omit `cloudwatch:Link`, `logs:Link`, `xray:Link`, `applicationinsights:Link`, `application-signals:Link`, or `internetmonitor:Link` as needed.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Action": [
"oam:CreateLink",
"oam:UpdateLink",
"oam:DeleteLink",
"oam:GetLink",
"oam:TagResource"
],
"Effect": "Allow",
"Resource": "arn:*:oam:*:*:link/*"
},
{
"Action": [
"oam:CreateLink",
"oam:UpdateLink"
],
"Effect": "Allow",
"Resource": "arn:*:oam:*:*:sink/*",
"Condition": {
"StringEquals": {
"aws:ResourceAccount": [
"999999999999"
]
}
}
},
{
"Action": "oam:ListLinks",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "cloudwatch:Link",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "logs:Link",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "xray:Link",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "applicationinsights:Link",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "internetmonitor:Link",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "application-signals:Link",
"Effect": "Allow",
"Resource": "*"
}
]
}
```
------
+ **Source account, with permissions to link to any monitoring account** – To create a link to any existing monitoring account sink and share metrics, log groups, traces, Application Insights applications, and Internet Monitor monitors, you must sign in to the source account with full administrator permissions or sign in there with the following permissions
If the link isn't going to share all seven resource types (metrics, logs, traces, Application Insights applications, Application Signals services and service level objectives (SLOs), and Internet Monitor monitors), you can omit `cloudwatch:Link`, `logs:Link`, `xray:Link`, `applicationinsights:Link`, `application-signals:Link`, or `internetmonitor:Link` as needed.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"oam:CreateLink",
"oam:UpdateLink"
],
"Resource": [
"arn:aws:oam:*:*:link/*",
"arn:aws:oam:*:*:sink/*"
]
},
{
"Effect": "Allow",
"Action": [
"oam:List*",
"oam:Get*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"oam:DeleteLink",
"oam:GetLink",
"oam:TagResource"
],
"Resource": "arn:aws:oam:*:*:link/*"
},
{
"Action": "cloudwatch:Link",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "xray:Link",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "logs:Link",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "applicationinsights:Link",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "internetmonitor:Link",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "application-signals:Link",
"Effect": "Allow",
"Resource": "*"
}
]
}
```
------
### Permissions needed to monitor across accounts
After a link has been created, to view source account information from a monitoring account, you must be signed in to an account with one of the following:
+ Full administrator access in the monitoring account
+ The following cross-account permissions, in addition to permissions to view the specific types of resources that you will be monitoring
```
{
"Sid": "AllowReadOnly",
"Effect": "Allow",
"Action": [
"oam:Get*",
"oam:List*"
],
"Resource": "*"
}
```
## Setup overview
The following high-level steps show you how to set up CloudWatch cross-account observability.
**Note**
We recommend creating a new AWS account to use as your organization's monitoring account.
1. Set up a dedicated monitoring account.
1. (Optional) Download an CloudFormation template or copy a URL to link source accounts.
1. Link source accounts to the monitoring account.
After completing these steps, you can use the monitoring account to view the observability data of the source accounts.
## Step 1: Set up a monitoring account
Follow the steps in this section to set up an AWS account as a monitoring account for CloudWatch cross-account observability.
**Prerequisites**
+ **If you're setting up accounts in an AWS Organizations organization as the source accounts** – Get the organization path or organization ID.
+ **If you're not using Organizations for the source accounts** – Get the account IDs of the source accounts.
To set up an account as a monitoring account, you must have certain permissions. For more information, see [Necessary permissions](#CloudWatch-Unified-Cross-Account-Setup-permissions).
**To set up a monitoring account**
1. Sign in to the account that you want to use as a monitoring account.
1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).
1. In the left navigation pane, choose **Settings**.
1. By **Monitoring account configuration**, choose **Configure**.
1. For **Select data**, choose whether this monitoring account will be able to view **Logs**, **Metrics**, **Traces**, **Application Insights - Applications**, **Internet Monitor - Monitors**, and **Application Signals - Services, Service Level Objectives (SLOs)** data from the source accounts it is linked to.
1. For **List source accounts**, enter the source accounts that this monitoring account will view. To identify the source accounts, enter individual account IDs, organization paths, or organization IDs. If you enter an organization path or organization ID, this monitoring account is allowed to view observability data from all linked accounts in that organization.
Separate the entries in this list with commas.
**Important**
When you enter an organization path, follow the exact format. The ou-id must end with a `/` (a slash character). For example: `o-a1b2c3d4e5/r-f6g7h8i9j0example/ou-def0-awsbbbb/`
1. For **Define a label to use to identify your source account**, you can define alabel that is used to create a CloudFormation template. The label is then applied to source accounts when that template is used to link the source accounts to this monitoring account.
You can specify whether to use account names or email addresses in this label, and also use variables such as `$AccountName`, `$AcccountEmail`, and `$AcccountEmailNoDomain`.
**Note**
In the AWS GovCloud (US-East) and AWS GovCloud (US-West) Regions, the only supported option is to use custom labels, and the `$AccountName`, `$AcccountEmail`, and `$AcccountEmailNoDomain` variables all resolve as *account-id* instead of the specified variable.
1. Choose **Configure**.
**Important**
The link between the monitoring and source accounts is not complete until you configure the source accounts. For more information, see the following sections.
## Step 2: (Optional) Download an CloudFormation template or URL
To link source accounts to a monitoring account, we recommend using an AWS CloudFormation template or a URL.
+ **If you are linking an entire organization** – CloudWatch provides an CloudFormation template.
+ **If you are linking individual accounts** – Use either an CloudFormation template or a URL that CloudWatch provides.
To use an CloudFormation template, you must download it during these steps. After you link the monitoring account with at least one source account, the CloudFormation template is no longer available to download.
**To download an CloudFormation template or copy a URL for linking source accounts to the monitoring account**
1. Sign in to the account that you want to use as a monitoring account.
1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).
1. In the left navigation pane, choose **Settings**.
1. By **Monitoring account configuration**, choose **Resources to link accounts**.
1. Do one of the following:
+ Choose **AWS organization** to get a template to use to link accounts in an organization to this monitoring account.
+ Choose **Any account** to get a template or URL for setting up individual accounts as source accounts.
1. Do one of the following:
+ If you chose **AWS organization**, choose **Download CloudFormation template**.
+ If you chose **Any account**, choose either **Download CloudFormation template** or **Copy URL**.
1. (Optional) Repeat steps 5-6 to download both the CloudFormation template and the URL.
## Step 3: Link the source accounts
Use the steps in these sections to link source accounts to a monitoring account.
To link monitoring accounts with source accounts, you must have certain permissions. For more information, see [Necessary permissions](#CloudWatch-Unified-Cross-Account-Setup-permissions).
### Use an CloudFormation template to set up all accounts in an organization or an organizational unit as source accounts
These steps assume that you already downloaded the necessary CloudFormation template by performing the steps in [Step 2: (Optional) Download an CloudFormation template or URL](#Unified-Cross-Account-Setup-TemplateOrURL).
**To use an CloudFormation template to link accounts in an organization or organizational unit to the monitoring account**
1. Sign in to the organization's management account.
1. Open the CloudFormation console at [https://console.aws.amazon.com/cloudformation](https://console.aws.amazon.com/cloudformation/).
1. In the left navigation bar, choose **StackSets**.
1. Check that you are signed in to the Region that you want, then choose **Create StackSet**.
1. Choose **Next**.
1. Choose **Template is ready** and choose **Upload a template file**.
1. Choose **Choose file**, choose the template that you downloaded from the monitoring account, and choose **Open**.
1. Choose **Next**.
1. For **Specify StackSet details**, enter a name for the StackSet and choose **Next**.
1. For **Add stacks to stack set**, choose **Deploy new stacks**.
1. For **Deployment targets**, choose whether to deploy to the entire organization or to specified organizational units.
1. For **Specify regions**, choose which Regions to deploy CloudWatch cross-account observability to.
1. Choose **Next**.
1. On the **Review** page, confirm your selected options and choose **Submit**.
1. In the **Stack instances** tab, refresh the screen until you see that your stack instances have the status **CREATE\$1COMPLETE**.
### Use an CloudFormation template to set up individual source accounts
These steps assume that you already downloaded the necessary CloudFormation template by performing the steps in [Step 2: (Optional) Download an CloudFormation template or URL](#Unified-Cross-Account-Setup-TemplateOrURL).
**To use an CloudFormation template to set up individual source accounts for CloudWatch cross-account observability**
1. Sign in to the source account.
1. Open the CloudFormation console at [https://console.aws.amazon.com/cloudformation](https://console.aws.amazon.com/cloudformation/).
1. In the left navigation bar, choose **Stacks**.
1. Check that you are signed in to the Region that you want, then choose **Create stack**, **With new resources (standard)**.
1. Choose **Next**.
1. Choose **Upload a template file**.
1. Choose **Choose file**, choose the template that you downloaded from the monitoring account, and choose **Open**.
1. Choose **Next**.
1. For **Specify stack details**, enter a name for the stack and choose **Next**.
1. On the **Configure stack options** page, choose **Next**.
1. On the **Review** page, choose **Submit**.
1. On the status page for your stack, refresh the screen until you see that your stack has the status **CREATE\$1COMPLETE**.
1. To use this same template to link more source accounts to this monitoring account, sign out of this account and sign in to the next source account. Then repeat steps 2-12.
### Use a URL to set up individual source accounts
These steps assume that you already copied the necessary URL by performing the steps in [Step 2: (Optional) Download an CloudFormation template or URL](#Unified-Cross-Account-Setup-TemplateOrURL).
**To use a URL to link individual source accounts to the monitoring account**
1. Sign in to the account that you want to use as a source account.
1. Enter the URL that you copied from the monitoring account.
You see the CloudWatch settings page, with some information filled in.
1. For **Select data**, choose whether this source account will share **Logs**, **Metrics**, **Traces**, **Application Insights - Applications**, and **Internet Monitor - Monitors** data to this monitoring account.
For both **Logs** and **Metrics**, you can choose whether to share all resources or a subset with the monitoring account.
1. (Optional) To share a subset of this account's log groups with the monitoring account, select **Logs** and choose **Filter Logs**. Then use the **Filter Logs** box to construct a query to find the log groups that you want to share. The query will use the term `LogGroupName` and one or more of the following operands.
+ `=` and `!=`
+ `AND`
+ `OR`
+ `^` indicates LIKE and `!^` indicates NOT LIKE. These can be used only as prefix searches. Include a `%` at the end of the string that you want to search for and include.
+ `IN` and `NOT IN`, using parentheses (`( )`)
The complete query must be no more than 2000 characters and is limited to five conditional operands. Conditional operands are `AND` and `OR`. There isn't a limit on the number of other operands.
**Tip**
Choose **View sample queries** to see the correct syntax for common query formats.
1. (Optional) To share a subset of this account's metric namespaces with the monitoring account, select **Metrics** and choose **Filter Metrics**. Then use the **Filter Metrics** box to construct a query to find the metric namespaces that you want to share. Use the term `Namespace` and one or more of the following operands.
+ `=` and `!=`
+ `AND`
+ `OR`
+ `LIKE` and `NOT LIKE`. These can be used only as prefix searches. Include a `%` at the end of the string that you want to search for and include.
+ `IN` and `NOT IN`, using parentheses (`( )`)
The complete query must be no more than 2000 characters and is limited to five conditional operands. Conditional operands are `AND` and `OR`. There isn't a limit on the number of other operands.
**Tip**
Choose **View sample queries** to see the correct syntax for common query formats.
1. Do not change the ARN in **Enter monitoring account configuration ARN**.
1. The **Define a label to identify your source account** section is pre-filled with the label choice from the monitoring account, if there is one. Optionally, choose **Edit** to change it.
**Note**
In the AWS GovCloud (US-East) and AWS GovCloud (US-West) Regions, the only supported option is to use custom labels, and the `$AccountName`, `$AcccountEmail`, and `$AcccountEmailNoDomain` variables all resolve as *account-id* instead of the specified variable.
1. Choose **Link**.
1. Enter **Confirm** in the box and choose **Confirm**.
1. To use this same URL to link more source accounts to this monitoring account, sign out of this account and sign in to the next source account. Then repeat steps 2-7.
# Manage monitoring accounts and source accounts
After you set up your monitoring accounts and source accounts, you can use the steps in these sections to manage them.
**Contents**
+ [Link more source accounts to an existing monitoring account](#Unified-Cross-Account-Setup-AddSourceAccounts)
+ [Remove the link between a monitoring account and source account](#Unified-Cross-Account-Setup-UnlinkAccount)
+ [View information about a monitoring account](#Unified-Cross-Account-Setup-ManageMonitoringAccount)
## Link more source accounts to an existing monitoring account
Follow the steps in this section to add links from additional source accounts to an existing monitoring account.
Each source account can be linked to as many as five monitoring accounts. Each monitoring account can be linked to as many as 100,000 source accounts.
To manage a source account, you must have certain permissions. For more information, see [Necessary permissions](CloudWatch-Unified-Cross-Account-Setup.md#CloudWatch-Unified-Cross-Account-Setup-permissions).
**To add more source accounts to a monitoring account**
1. Sign in to the monitoring account.
1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).
1. In the left navigation pane, choose **Settings**.
1. By **Monitoring account configuration**, choose **Manage source accounts**.
1. Choose the **Configuration policy** tab.
1. In the **Configuration policy** box, add the new source account ID in the **Principal** line.
For example, suppose the **Principal** line is currently the following:
```
"Principal": {"AWS": ["111111111111", "222222222222"]}
```
To add `999999999999` as a third source account, edit the line to the following:
```
"Principal": {"AWS": ["111111111111", "222222222222", "999999999999"]}
```
1. Choose **Update**.
1. Choose the **Configuration details** tab.
1. Choose the copy icon that is next to the monitoring account's sink ARN.
1. Sign in to the account that you want to use as a new source account.
1. Paste the monitoring account's sink ARN that you copied in Step 9.
You see the CloudWatch settings page, with some information filled in.
1. For **Select data**, choose whether this source account will send **Logs**, **Metrics**, **Traces**, and **Application Insights - Applications**, **Internet Monitor - Monitors**, and **Application Signals -Services, Service Level Objectives (SLOs)** data to the monitoring accounts it is linked to.
1. Do not change the ARN in **Enter monitoring account configuration ARN**.
1. The **Define a label to identify your source account** section is pre-filled with the label choice from the monitoring account, if there is one. Optionally, choose **Edit** to change it.
**Note**
In the AWS GovCloud (US-East) and AWS GovCloud (US-West) Regions, the only supported option is to use custom labels, and the `$AccountName`, `$AcccountEmail`, and `$AcccountEmailNoDomain` variables all resolve as *account-id* instead of the specified variable.
1. Choose **Link**.
1. Enter **Confirm** in the box and choose **Confirm**.
## Remove the link between a monitoring account and source account
Follow the steps in this section to stop sending data from one source account to a monitoring account.
**Note**
After the source account stops sharing the metrics with the *Monitoring* account, the *Source* account metrics data is not accessible to the monitoring account. Source metric names can be visible to the monitoring account for upto 14 days.
You must have the permissions required to manage a source account to complete this task. For more information, see [Necessary permissions](CloudWatch-Unified-Cross-Account-Setup.md#CloudWatch-Unified-Cross-Account-Setup-permissions).
**To remove the link between a source account and a monitoring account**
1. Sign in to the source account.
1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).
1. In the left navigation pane, choose **Settings**.
1. By **Source account configuration**, choose **View linked monitoring accounts**.
1. Select the check box next to the monitoring account that you want to stop sharing data with.
1. Choose **Remove monitoring account**, **Confirm**.
1. Sign in to the monitoring account.
1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).
1. Choose **Settings**.
1. By **Monitoring account configuration**, choose **Manage monitoring account**.
1. In the **Configuration policy** box, delete the source account ID from the **Principal** line and choose **Update**.
## View information about a monitoring account
Follow the steps in this section to view the cross-account settings for a monitoring account.
To manage a monitoring account, you must have certain permissions. For more information, see [Necessary permissions](CloudWatch-Unified-Cross-Account-Setup.md#CloudWatch-Unified-Cross-Account-Setup-permissions).
**To manage a monitoring account**
1. Sign in to the monitoring account.
1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).
1. In the left navigation pane, choose **Settings**.
1. By **Monitoring account configuration**, choose **Manage monitoring accounts**.
1. To view the Observability Access Manager policy that enables this account to be a monitoring account, choose the **Configuration policy** tab.
1. To view the source accounts that are linked to this monitoring account, choose the **Linked source accounts** tab.
1. To view the monitoring account sink ARN, and the types of data that this monitoring account can view in linked source accounts, choose the **Linked source accounts** tab.