CloudWatch Cross-Account Observability
Monitoring applications deployed across multiple AWS accounts within a single AWS Region can be challenging. Amazon CloudWatch's cross-account observability simplifies this by enabling monitoring and troubleshooting of applications that span multiple accounts within an AWS Region. This tutorial provides a step-by-step guide, complete with screenshots, to configuring cross-account observability between two AWS accounts. Note that the same setup can also be rolled out through AWS Organizations for broader scalability.
Terminology
For effective cross-account observability with Amazon CloudWatch, you must understand the following key terms:
| Term | Description |
|---|---|
| Monitoring Account | A central AWS account that can view and interact with observability data generated from multiple source accounts |
| Source Account | An individual AWS account that generates observability data for the resources that reside in it |
| Sink | A resource in a monitoring account that serves as an attachment point for source accounts to link and share their observability data. Each account can have one Sink per AWS Region |
| Observability Link | A resource that represents the connection established between a source account and a monitoring account, facilitating the sharing of observability data. Links are managed by the source account. |
Understand these definitions to successfully configure and manage cross-account observability in Amazon CloudWatch.
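The sink is the trust boundary of this setup: its resource policy decides which source accounts may create a link and which data types they may share. The following is an added example, not part of this tutorial, that builds a least-privilege sink policy for named source accounts and audits an existing policy for over-broad grants. The account IDs are constructed placeholders; the policy shape (oam:CreateLink/oam:UpdateLink, the oam:ResourceTypes condition key and the resource type names) follows the documented sink policy format.

```python
import json
import re

# Data types that oam:ResourceTypes can restrict a link to (documented values).
ALLOWED_RESOURCE_TYPES = {"AWS::CloudWatch::Metric", "AWS::Logs::LogGroup", "AWS::XRay::Trace"}
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def build_sink_policy(source_accounts, resource_types):
    """Least-privilege sink policy: only the named source accounts may create or
    update a link, and only for the listed resource types."""
    bad = [a for a in source_accounts if not ACCOUNT_ID_RE.match(a)]
    if bad:
        raise ValueError(f"not 12-digit AWS account IDs: {bad}")
    unknown = set(resource_types) - ALLOWED_RESOURCE_TYPES
    if unknown:
        raise ValueError(f"unsupported resource types: {sorted(unknown)}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": sorted(source_accounts)},
            "Resource": "*",
            "Action": ["oam:CreateLink", "oam:UpdateLink"],
            "Condition": {"ForAllValues:StringEquals": {"oam:ResourceTypes": sorted(resource_types)}},
        }],
    }


def audit_sink_policy(policy):
    """Flag Allow statements that let any account link (wildcard principal with
    no aws:PrincipalOrgID condition) or that omit the oam:ResourceTypes condition."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        cond = stmt.get("Condition", {})
        org_scoped = "aws:PrincipalOrgID" in cond.get("StringEquals", {})
        if (aws == "*" or (isinstance(aws, list) and "*" in aws)) and not org_scoped:
            findings.append(f"statement {i}: wildcard principal without aws:PrincipalOrgID")
        if not cond.get("ForAllValues:StringEquals", {}).get("oam:ResourceTypes"):
            findings.append(f"statement {i}: no oam:ResourceTypes condition, all data types shareable")
    return findings


if __name__ == "__main__":
    # Constructed source account ID; in the monitoring account the result would be
    # applied with boto3.client("oam").put_sink_policy(SinkIdentifier=..., Policy=json.dumps(policy))
    policy = build_sink_policy(["111111111111"], ["AWS::CloudWatch::Metric", "AWS::Logs::LogGroup"])
    print(json.dumps(policy, indent=2), audit_sink_policy(policy))
```

Run the audit against the policy returned by `get_sink_policy` in the monitoring account to confirm no statement accepts links from arbitrary accounts.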
Things to consider
- Account Limits: You can link up to 100,000 source accounts to a single monitoring account, accommodating even the largest enterprise setups.
- Cross Region: Cross-Region functionality is built into this feature automatically. You do not need to take any extra steps to be able to display metrics from different Regions in a single account on the same graph or the same dashboard.
- Data Retention: All data retention is handled at the source account level. The monitoring account does not store or duplicate data. The monitoring account has read-only access to the source accounts' data. There's no actual data transfer or synchronization involved.
- Cost Implications: Surprisingly, there are no additional costs associated with Cross-Account Observability. Since data remains in the source accounts and is only read by the monitoring account, there are no extra data transfer or storage charges.
- When using cross-account observability to share traces from a source account (X) with a monitoring account (Y), the traces are duplicated and stored in the monitoring account (Y). This process does not incur additional costs for the source account (X), ensuring that monitoring capabilities can be extended across accounts without impacting the original billing.
- According to CloudWatch Service Quotas, each dashboard can have up to 500 widgets. A unique widget can have up to 500 metrics, and a unique dashboard can have up to 2500 metrics across all widgets. These quotas include all metrics retrieved for use in metric math functions, even if those metrics are not displayed on the graph. These quotas are hard quotas and they cannot be changed.
- In Amazon CloudWatch Logs Insights, you can query a maximum of 50 log groups per query if you specify them individually. This limit is fixed and cannot be increased. However, if you use log group criteria—such as selecting log groups based on name prefixes or opting to query "all log groups"