The Cross-Account Cross-Region feature of CloudWatch which you are referring to is usually preferable for sharing metrics/logs from a whole account to a monitoring account.
If you want just specific log groups (or a specific log group) to be shared with another account, I would recommend considering sharing the logs using a CloudWatch Logs subscription and Amazon Kinesis or Amazon Kinesis Data Firehose, as per the following documentation: Cross-account log data sharing with subscriptions - https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CrossAccountSubscriptions.html
As per the quick research I've done, sharing log groups (any) cross-account is not supported, unfortunately: https://stackoverflow.com/questions/62270980/logs-can-only-be-viewed-for-the-account-logged-in-in-aws-cloudwatch-logs-conso
It's possible. Cross-Account Cross-Region sharing in CloudWatch is enabled by creating an IAM role called CloudWatch-CrossAccountSharingRole. You can let the console create that role for you and then modify it to allow a specific log group to be read. Or else you can create the prebuilt role using CloudFormation/CDK/Terraform, or via the CLI/API directly.
See Example 3 in resource-based access to CloudWatch Logs. Something like this would be what you need inside the policy for CloudWatch-CrossAccountSharingRole:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:FilterLogEvents",
        "logs:StartQuery",
        "logs:StopQuery"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:logs:us-west-2:123456789012:log-group:SampleLogGroupName:*"
    }
  ]
}
```
That will allow you to put a log widget in a central dashboard that runs a Logs Insights query on a log in a different account/region.
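To make the least-privilege point of the answer above concrete, here is an added example (not code from the answer or from AWS) that builds the two policy documents behind CloudWatch-CrossAccountSharingRole in the account that owns the logs: the trust policy that lets the monitoring account assume the role, and a permissions policy that grants the three read/query actions only on named log groups. It also includes a small pre-deploy check that flags any `logs:` grant not pinned to a specific log group ARN, which is how you catch the account-wide read the console-generated role hands out. Account IDs (123456789012 as the sharing account, 210987654321 as the monitoring account), the region and the log group name are placeholders.

```python
"""Build and sanity-check the policies for CloudWatch-CrossAccountSharingRole.

Added example, not code from the original answer or from AWS. Account IDs,
region and log group name are placeholders. The role is created in the
account that owns the log group; the monitoring account assumes it.
"""
from __future__ import annotations

import json

SHARING_ACCOUNT = "123456789012"     # placeholder: account that owns the log group
MONITORING_ACCOUNT = "210987654321"  # placeholder: account running the dashboard
REGION = "us-west-2"
ROLE_NAME = "CloudWatch-CrossAccountSharingRole"

# The read set a Logs Insights widget needs, as listed in the answer above.
LOG_READ_ACTIONS = ["logs:FilterLogEvents", "logs:StartQuery", "logs:StopQuery"]


def log_group_arn(account: str, region: str, name: str) -> str:
    """ARN for one log group; the trailing ':*' covers its log streams."""
    return f"arn:aws:logs:{region}:{account}:log-group:{name}:*"


def trust_policy(monitoring_account: str) -> dict:
    """Trust policy: principals in the monitoring account may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{monitoring_account}:root"},
            "Action": "sts:AssumeRole",
        }],
    }


def permissions_policy(log_groups: list[str],
                       account: str = SHARING_ACCOUNT,
                       region: str = REGION) -> dict:
    """Permissions policy: read/query only the named log groups, nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": LOG_READ_ACTIONS,
            "Resource": [log_group_arn(account, region, g) for g in log_groups],
        }],
    }


def is_pinned_log_group_arn(arn: str) -> bool:
    """True only for arn:aws:logs:<region>:<account>:log-group:<name>[:*]
    with a concrete region, account and group name (no wildcards)."""
    parts = arn.split(":")
    if len(parts) < 7 or parts[:3] != ["arn", "aws", "logs"] or parts[5] != "log-group":
        return False
    region, account, name = parts[3], parts[4], parts[6]
    return bool(name) and all("*" not in p for p in (region, account, name))


def unscoped_log_grants(policy: dict) -> list[str]:
    """Resources of Allow statements carrying logs: actions that are not pinned
    to a single log group. Empty list means the policy is scoped as intended."""
    bad = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(a.startswith("logs:") for a in actions):
            continue
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        bad.extend(r for r in resources if not is_pinned_log_group_arn(r))
    return bad


if __name__ == "__main__":
    perms = permissions_policy(["SampleLogGroupName"])
    if unscoped_log_grants(perms):
        raise SystemExit("refusing to emit an account-wide log read grant")
    with open("trust.json", "w") as f:
        json.dump(trust_policy(MONITORING_ACCOUNT), f, indent=2)
    with open("permissions.json", "w") as f:
        json.dump(perms, f, indent=2)
    # Run these in the sharing account (CLI commands are standard aws iam subcommands).
    print(f"aws iam create-role --role-name {ROLE_NAME} "
          f"--assume-role-policy-document file://trust.json")
    print(f"aws iam put-role-policy --role-name {ROLE_NAME} "
          f"--policy-name ReadSpecificLogGroups --policy-document file://permissions.json")
```

Run the script, review the two JSON files, then execute the printed commands with credentials in the sharing account. The check in `unscoped_log_grants` is deliberately strict: a `Resource` of `*`, of `log-group:*`, or with a wildcard region/account all fail it, so a role that was edited by hand in the console can be re-validated before the monitoring account is given the dashboard.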
I agree with Jasper_R: the ideal way is to use S3 to share, because S3 has a resource policy through which you can grant the source account access. However, to post to CloudWatch the Flow Logs service must assume a role in the target account, which it is not allowed to do. Also, the API requires that the log group be in the same account as the VPC/subnet. If you have to post to a log group in another account, then a subscription model using Amazon Kinesis or AWS Lambda is a good approach, i.e. log to CloudWatch, subscribe to the log, and use Kinesis or Lambda to post to a log group in another account.
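Both the Kinesis/Firehose subscription answer earlier on the page and the Lambda forwarding approach in the answer above rely on the same delivery format: CloudWatch Logs hands the subscriber a gzip-compressed, base64-encoded JSON document containing the source account, log group, log stream and a batch of events. The following is an added example (not code from either answer or from AWS) of the decode-and-reshape step such a forwarder performs before calling PutLogEvents in the destination account. It skips CONTROL_MESSAGE pings, puts events in the ascending timestamp order PutLogEvents requires, and keeps the source account and group visible in the destination stream name. The sample payload is constructed here (flow-log-style lines with placeholder account and interface IDs); the actual boto3 call and any cross-account role assumption are left to the caller.

```python
"""Decode a CloudWatch Logs subscription-filter delivery and shape it for
PutLogEvents in another account.

Added example, not code from the answers above or from AWS. The sample
payload is constructed; account, group, stream and interface IDs are
placeholders. Nothing here calls AWS.
"""
from __future__ import annotations

import base64
import gzip
import json


def decode_awslogs(data_b64: str) -> dict:
    """Reverse the delivery encoding: base64 -> gzip -> JSON document."""
    return json.loads(gzip.decompress(base64.b64decode(data_b64)))


def encode_awslogs(payload: dict) -> str:
    """Inverse of decode_awslogs; used only to build the constructed sample."""
    return base64.b64encode(gzip.compress(json.dumps(payload).encode())).decode()


def forwardable_events(payload: dict) -> list[dict]:
    """PutLogEvents-ready events. CONTROL_MESSAGE deliveries (the test ping
    sent when a subscription is created) carry nothing worth forwarding, and
    PutLogEvents rejects batches whose timestamps are not ascending."""
    if payload.get("messageType") != "DATA_MESSAGE":
        return []
    events = [{"timestamp": e["timestamp"], "message": e["message"]}
              for e in payload["logEvents"]]
    return sorted(events, key=lambda e: e["timestamp"])


def put_log_events_kwargs(payload: dict, dest_log_group: str) -> dict | None:
    """Keyword arguments for logs.put_log_events in the destination account.

    The stream name encodes source account, group and stream so the origin
    of each line stays attributable in the central account. Returns None
    when the delivery contains nothing to send."""
    events = forwardable_events(payload)
    if not events:
        return None
    stream = f"{payload['owner']}/{payload['logGroup'].strip('/')}/{payload['logStream']}"
    return {"logGroupName": dest_log_group, "logStreamName": stream, "logEvents": events}


def handler(event: dict, dest_log_group: str = "/central/vpc-flow-logs") -> dict | None:
    """Lambda-style entry point for a subscription-filter event: decode,
    filter, reshape. The caller performs the PutLogEvents call."""
    return put_log_events_kwargs(decode_awslogs(event["awslogs"]["data"]), dest_log_group)


# Constructed sample, shaped like event["awslogs"]["data"] after decoding.
# Events are intentionally out of order to exercise the sort.
SAMPLE_PAYLOAD = {
    "messageType": "DATA_MESSAGE",
    "owner": "123456789012",              # placeholder source account
    "logGroup": "/aws/vpc/flow-logs",
    "logStream": "eni-0abc123-all",
    "subscriptionFilters": ["forward-to-central"],
    "logEvents": [
        {"id": "2", "timestamp": 1700000001000,
         "message": "2 123456789012 eni-0abc123 10.0.0.5 10.0.1.9 443 51234 6 10 840 "
                    "1700000000 1700000060 ACCEPT OK"},
        {"id": "1", "timestamp": 1700000000000,
         "message": "2 123456789012 eni-0abc123 10.0.1.9 10.0.0.5 51234 443 6 12 960 "
                    "1700000000 1700000060 ACCEPT OK"},
    ],
}
SAMPLE_EVENT = {"awslogs": {"data": encode_awslogs(SAMPLE_PAYLOAD)}}

if __name__ == "__main__":
    print(json.dumps(handler(SAMPLE_EVENT), indent=2))
```

In a real forwarder the destination log stream must exist before the first PutLogEvents call (create it with `create_log_stream` and ignore the already-exists error), and the Lambda's execution role, or the role it assumes in the destination account, needs `logs:PutLogEvents` and `logs:CreateLogStream` on that one destination log group only; the same scoping discipline as the dashboard role above applies.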