AWS Notes
Cloudwatch Cross-Account Cross-Region
Enabling this feature creates a Master-Member relationship for sharing Cloudwatch data: the Master (monitoring) account can view the member accounts' Cloudwatch data from its own console. Any account can be set up as a Master. If the accounts belong to an AWS Organization, you can also allow the Master account to list the accounts in your Org, so the console offers an account selector. With this enabled, you can switch the console to another account's Cloudwatch data, and you can create a Dashboard that combines data from any of the member accounts.
References:
Setup Cloudwatch's Master account(s)
To let the Master account(s) obtain the list of all accounts in the Org, create this policy and role in the AWS Org's management (Master) account. The names must be exactly as shown, because the Cloudwatch console looks the role up by name. Put the account number of your selected Cloudwatch Master account in the role's trust policy (999999999999 below is a placeholder).
Policy
Name: CloudWatch-CrossAccountSharing-ListAccounts-Policy
Body:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "organizations:ListAccountsForParent",
        "organizations:ListAccounts"
      ],
      "Resource": "*"
    }
  ]
}
Role
Name: CloudWatch-CrossAccountSharing-ListAccountsRole
Trust policy (attach the policy above to this role as well):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::999999999999:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
Setup Member account(s)
To expose an account's data, create this role in every member account. Put the account number of your selected Cloudwatch Master account in the trust policy (999999999999 below is a placeholder); a member can trust more than one Master by listing several account principals.
Role
Name: CloudWatch-CrossAccountSharingRole
Trust policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::999999999999:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
Then attach one of these sets of AWS managed policies to the role, depending on what the Master account should be able to view:
1) Full Read Only:
- arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess
- arn:aws:iam::aws:policy/CloudWatchAutomaticDashboardsAccess
- arn:aws:iam::aws:policy/job-function/ViewOnlyAccess
- arn:aws:iam::aws:policy/AWSXrayReadOnlyAccess
2) Both Dashboard and X-Ray
- arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess
- arn:aws:iam::aws:policy/CloudWatchAutomaticDashboardsAccess
- arn:aws:iam::aws:policy/AWSXrayReadOnlyAccess
3) Dashboard only
- arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess
- arn:aws:iam::aws:policy/CloudWatchAutomaticDashboardsAccess
4) X-ray only
- arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess
- arn:aws:iam::aws:policy/AWSXrayReadOnlyAccess
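As an added example (not code from the original post), the script below builds the trust and permission documents from the two sections above, refuses a mistyped account number before any API call is made (IAM principals need exactly 12 digits, and a dropped digit is an easy mistake to make in a trust policy), and applies them with boto3's create_role, put_role_policy and attach_role_policy. The ListAccounts policy is attached inline under the policy name from the page; the option names (full-read-only, dashboard-and-xray, dashboard-only, xray-only) and the placeholder account numbers are assumptions of this example. The IAM client is passed in, so the same functions can be dry-run against a fake client that only records calls.

```python
"""Build, sanity-check and apply the IAM objects for Cloudwatch cross-account sharing.

Stdlib only. apply_*() take any object with boto3's IAM client method names,
so they can be exercised offline with a fake client. Example code, not AWS's.
"""
import json
import re

POLICY_VERSION = "2012-10-17"

# Names are fixed: the Cloudwatch console assumes these roles by name.
LIST_ACCOUNTS_ROLE = "CloudWatch-CrossAccountSharing-ListAccountsRole"
LIST_ACCOUNTS_POLICY = "CloudWatch-CrossAccountSharing-ListAccounts-Policy"
SHARING_ROLE = "CloudWatch-CrossAccountSharingRole"

# Managed-policy sets for the member role; option names are this example's own.
SHARING_POLICY_SETS = {
    "full-read-only": [
        "arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess",
        "arn:aws:iam::aws:policy/CloudWatchAutomaticDashboardsAccess",
        "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess",
        "arn:aws:iam::aws:policy/AWSXrayReadOnlyAccess",
    ],
    "dashboard-and-xray": [
        "arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess",
        "arn:aws:iam::aws:policy/CloudWatchAutomaticDashboardsAccess",
        "arn:aws:iam::aws:policy/AWSXrayReadOnlyAccess",
    ],
    "dashboard-only": [
        "arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess",
        "arn:aws:iam::aws:policy/CloudWatchAutomaticDashboardsAccess",
    ],
    "xray-only": [
        "arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess",
        "arn:aws:iam::aws:policy/AWSXrayReadOnlyAccess",
    ],
}

_ACCOUNT_ID = re.compile(r"^\d{12}$")


def principal_arn(account_id: str) -> str:
    """Root principal ARN for an account; rejects anything but 12 digits."""
    if not _ACCOUNT_ID.match(account_id):
        raise ValueError(f"account id must be exactly 12 digits: {account_id!r}")
    return f"arn:aws:iam::{account_id}:root"


def trust_policy(monitoring_account_ids) -> dict:
    """Trust policy letting the Cloudwatch Master account(s) assume the role."""
    principals = [principal_arn(a) for a in monitoring_account_ids]
    if not principals:
        raise ValueError("at least one monitoring account is required")
    # A single principal is emitted as a string, several as a list, as IAM accepts both.
    return {
        "Version": POLICY_VERSION,
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principals[0] if len(principals) == 1 else principals},
            "Action": "sts:AssumeRole",
        }],
    }


def list_accounts_policy() -> dict:
    """Permission policy for the role in the Org management account."""
    return {
        "Version": POLICY_VERSION,
        "Statement": [{
            "Effect": "Allow",
            "Action": ["organizations:ListAccounts", "organizations:ListAccountsForParent"],
            "Resource": "*",
        }],
    }


def apply_management_account(iam, monitoring_account_ids) -> list:
    """Run with credentials for the Org management account. Returns the role names created."""
    iam.create_role(
        RoleName=LIST_ACCOUNTS_ROLE,
        AssumeRolePolicyDocument=json.dumps(trust_policy(monitoring_account_ids)),
    )
    iam.put_role_policy(  # inline policy under the page's policy name
        RoleName=LIST_ACCOUNTS_ROLE,
        PolicyName=LIST_ACCOUNTS_POLICY,
        PolicyDocument=json.dumps(list_accounts_policy()),
    )
    return [LIST_ACCOUNTS_ROLE]


def apply_member_account(iam, monitoring_account_ids, option: str) -> list:
    """Run with credentials for each member account. Returns the managed-policy ARNs attached."""
    arns = SHARING_POLICY_SETS[option]  # KeyError on an unknown option is intended
    iam.create_role(
        RoleName=SHARING_ROLE,
        AssumeRolePolicyDocument=json.dumps(trust_policy(monitoring_account_ids)),
    )
    for arn in arns:
        iam.attach_role_policy(RoleName=SHARING_ROLE, PolicyArn=arn)
    return list(arns)


if __name__ == "__main__":
    # Real use: apply_member_account(boto3.client("iam"), ["999999999999"], "dashboard-only")
    # with a profile for the target account. Here only the documents are printed,
    # so the script runs without AWS access. 999999999999 is a placeholder.
    print(json.dumps(trust_policy(["999999999999"]), indent=2))
    print(json.dumps(list_accounts_policy(), indent=2))
```

Run it once per account with that account's credentials (for example boto3.client("iam") under a profile per account). Trusting ":root" lets any principal in the Master account that is itself allowed sts:AssumeRole on that ARN assume the role, which is what the console expects; limit who in the Master account has that permission rather than widening the member role.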
Finally, do this once in every Cloudwatch Master account, in the console. I could not figure out a way to do this programmatically.
- Cloudwatch
- Settings
- Configure Cross-account cross-region
- Edit cross-account cross-region
- Select the AWS Organization account selector and Save