How do I troubleshoot cross account observability when data from the source account doesn’t show in Amazon CloudWatch?

I want to troubleshoot cross account observability when data from the source account doesn’t show in Amazon CloudWatch.

Short description

CloudWatch cross-account observability allows you to configure a source and monitoring account with the appropriate permissions to search, analyze, and correlate cross-account telemetry data.

Resolution

To allow the monitoring account to view and interact with observability data that's shared by the source account, complete the following steps:

Check that the source and monitoring accounts have the necessary permissions to share and view data

To allow the source account to share data and the monitoring account to view it, the source and monitoring accounts must have the necessary permissions. Make sure that the correct permissions policy is granted to the user or role that creates the account link.

Check that the source and monitoring accounts are linked

To check the source account setup, complete the following steps:

  1. Open the CloudWatch console, and then navigate to Settings.
  2. Under Use a centralized monitoring account to monitor and troubleshoot applications seamlessly across multiple accounts, select the View monitoring accounts button. If only the Configure button appears, then you must link the source account to the monitoring account.
  3. Under the Monitoring accounts tab, the monitoring account number appears. This indicates that the source and monitoring accounts are linked. If you can't find the monitoring account listed, then link the source accounts.

To check the monitoring account setup, complete the following steps:

  1. Open the CloudWatch console, and then navigate to Settings.
  2. Under Use a centralized monitoring account to monitor and troubleshoot applications seamlessly across multiple accounts, select the Manage source accounts button. If only the Configure button appears, then you must set up a monitoring account.
  3. Under the Linked source accounts tab, the source account number appears. This indicates that the monitoring account is set up. If you can't find the source account number listed, then link more source accounts to an existing monitoring account.

Check that the data is shared

To check that the data is shared when you link accounts, use either the CloudWatch console or the AWS Command Line Interface (AWS CLI).

Use the CloudWatch console

To check the data that's shared from the source account, complete the following steps:

  1. Open the CloudWatch console, and then navigate to Settings.
  2. Under Use a centralized monitoring account to monitor and troubleshoot applications seamlessly across multiple accounts, select the View monitoring accounts button.
  3. In the list under Monitoring accounts, the resources that are shared for each account appear.

To check the data that's shared in the monitoring account, complete the following steps:

  1. Open the CloudWatch console, and then navigate to Settings.
  2. Under Use a centralized monitoring account to monitor and troubleshoot applications seamlessly across multiple accounts, select the Resources to link accounts button.
  3. Under Determine how to link your source accounts, select the Configuration details dropdown list, and then check the following:
    Monitoring account sink ARN: This ARN can be used to link the source account.
    Data shared: data shared by the source account.
    Defined account label: the label on the shared data.

Use the AWS CLI

Note: If you receive errors when you run AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

To check the link and data sharing between a source and monitoring account, use list-links for source accounts and list-attached-links for monitoring accounts. The list-attached-links command needs a sink-identifier listed on the list-sinks command page.

For the source account:

aws oam list-links

For the monitoring account:

aws oam list-sinks

Note: Use the sink-identifier from the preceding list-links command output in the following command.

aws oam list-attached-links --sink-identifier example-sink-identifier

Note: The link ARN and the sink ARN have the account numbers for the source and monitoring accounts. ResourceTypes lists the resources that share data from the source to monitoring account.
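The comparison described in the preceding note can be scripted over saved command output. The following is an added example, not AWS-provided code: it reads the account numbers from the link and sink ARNs and reports resource types that a link doesn't share. The sample JSON, account numbers, label, and function names are constructed for illustration, and the field names (Items, Arn, SinkArn, LinkArn, Label, ResourceTypes) are assumed to match the AWS CLI output.

```python
import json

# Constructed sample output in the shape the AWS CLI returns; the account IDs,
# link/sink IDs and label are made up.
# Source account 111122223333: aws oam list-links
LIST_LINKS = json.loads("""{"Items": [{
  "Arn": "arn:aws:oam:us-east-1:111122223333:link/example-link-id",
  "Label": "prod-app",
  "ResourceTypes": ["AWS::CloudWatch::Metric"],
  "SinkArn": "arn:aws:oam:us-east-1:999999999999:sink/example-sink-id"}]}""")
# Monitoring account 999999999999: aws oam list-attached-links
LIST_ATTACHED = json.loads("""{"Items": [{
  "Label": "prod-app",
  "LinkArn": "arn:aws:oam:us-east-1:111122223333:link/example-link-id",
  "ResourceTypes": ["AWS::CloudWatch::Metric"]}]}""")


def arn_account(arn):
    """Return the account ID, the fifth colon-separated field of an OAM ARN."""
    parts = arn.split(":")
    if len(parts) < 6 or parts[0] != "arn" or parts[2] != "oam":
        raise ValueError(f"not an OAM ARN: {arn!r}")
    return parts[4]


def check_sharing(links, attached, monitoring_acct, expected_types):
    """Explain why telemetry might be missing; an empty list means no finding."""
    findings = []
    # Links in the source account that point at a sink in the monitoring account.
    to_monitor = [l for l in links["Items"]
                  if arn_account(l["SinkArn"]) == monitoring_acct]
    if not to_monitor:
        return [f"no link to a sink in account {monitoring_acct}"]
    attached_by_arn = {a["LinkArn"]: a for a in attached["Items"]}
    for link in to_monitor:
        seen = attached_by_arn.get(link["Arn"])
        if seen is None:
            findings.append(f"{link['Arn']} is not attached to the sink")
            continue
        # Resource types you expect to see but that the link doesn't share.
        missing = sorted(set(expected_types) - set(seen["ResourceTypes"]))
        if missing:
            findings.append(f"{link['Label']} does not share: {', '.join(missing)}")
    return findings


if __name__ == "__main__":
    wanted = ["AWS::CloudWatch::Metric", "AWS::Logs::LogGroup"]
    for finding in check_sharing(LIST_LINKS, LIST_ATTACHED, "999999999999", wanted):
        print(finding)
```

To use it with real output, save each command's output with --output json and load those files in place of the constructed samples.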

AWS OFFICIAL Updated 2 months ago