How To Set up a Multi-Account Dashboard
This article describes how to set up a multi-account dashboard for your AWS Organization using CloudWatch cross-account observability, configured through the AWS Console.
Disclaimer: All the views and opinions expressed in the blog belong solely to the author and not necessarily to the author's employer or any other group or individual. This is not a promotion of any service, feature, or platform.
Amazon Web Services (AWS Cloud) released a new feature for multi-account observability using CloudWatch in November 2022. This article provides a step-by-step guide for configuring CloudWatch (CW) cross-account observability for an AWS Organization. The configuration is done once; after that, metric data from the source accounts is available in the monitoring account automatically. With the metric data from all the AWS accounts in the monitoring account, you can create CW alarms or dashboards for your AWS Organization and monitor all your resources from a single account.
Step 1: Identify and Configure Monitoring Account(s) For AWS Organization
The first step is identifying an account in the AWS Organization to act as the monitoring account. Ideally, organizations should have a centralized logging and monitoring account (AWS recommends avoiding the root/management account for such activity). After the AWS account is identified, make sure the user has the required permissions to perform the configuration. Please refer to the AWS documentation for setting up the user permissions.
- Log in and navigate to the CloudWatch console in the monitoring account.
- Configure the monitoring account as per the screenshot below. Feel free to customize as per your need.
- Choose the appropriate data that the monitoring account will receive. I chose only Metrics as I want the monitoring account to only receive Metrics data from source accounts.
- Put the AWS Organization path in the source account box. I have constructed the path to allow any OU or AWS accounts under the OU (ou-0abc-0xyzdsdasd) to send Metric data to this monitoring account. If you don't want to include sub-OUs, then remove "/*" from the end.
- Choosing the Account Name in the label will help you to identify the Metric from a specific source account, as the account name will be appended to the metric name in CloudWatch.
Step 2: Configure Source Account(s) For CloudWatch Cross-Account Observability Monitoring Account
The second step is to create a link between the source and the monitoring accounts so that the monitoring account can receive the metrics from the source accounts.
1. Create an AWS CloudFormation template as below. You can also download the template from the monitoring account CloudWatch Console by navigating to Settings -> Resources to link accounts. Be sure to replace the AccountId in Ref and the SinkIdentifier value.
2. Log in to your CloudFormation Delegated Administrator account (your organization's management account has the permissions by default) and navigate to CloudFormation Console.
3. Create a StackSet using the template from step 1. Make sure the StackSet is deployed to the OU, using the same OU ID from the organization path that you set during the monitoring account configuration. Also, choose the region and other parameters as per your requirement. Refer to the AWS documentation for creating a StackSet.
4. After the StackSet deployment is successful, you should see the source accounts listed in the monitoring account if you navigate to CloudWatch Console -> Settings -> Manage source accounts.
5. Now, you should see the metric data coming from source accounts in the monitoring account if you navigate to CloudWatch Metrics in the monitoring account.
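A source-account link template of the kind step 1 refers to, written here as an added example; it is not the author's template or the one the console generates. The parameter names, condition name and logical IDs are assumptions, and the account ID and sink ARN are supplied as StackSet parameters rather than hard-coded. It shares only metrics, matching the choice made in Step 1.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: "Link a source account to the CloudWatch monitoring account sink (metrics only)."

Parameters:
  # Hypothetical parameter names; supply your own values at StackSet creation.
  MonitoringAccountId:
    Type: String
    AllowedPattern: '^\d{12}$'
    Description: "12-digit ID of the monitoring account."
  SinkArn:
    Type: String
    AllowedPattern: '^arn:aws[a-z-]*:oam:[a-z0-9-]+:\d{12}:sink/.+$'
    Description: "ARN of the sink created in the monitoring account."

Conditions:
  # Do not create a link in the monitoring account itself if it sits
  # inside the OU that the StackSet targets.
  IsSourceAccount: !Not [!Equals [!Ref "AWS::AccountId", !Ref MonitoringAccountId]]

Resources:
  MetricsLink:
    Type: AWS::Oam::Link
    Condition: IsSourceAccount
    Properties:
      # The source account name is used as the label on shared metrics.
      LabelTemplate: "$AccountName"
      # Share metrics only; add other resource types only if the
      # monitoring account was configured to receive them.
      ResourceTypes:
        - AWS::CloudWatch::Metric
      SinkIdentifier: !Ref SinkArn

Outputs:
  LinkArn:
    Condition: IsSourceAccount
    Description: "ARN of the link created in this source account."
    Value: !GetAtt MetricsLink.Arn
```

Limiting `ResourceTypes` to metrics means logs and traces in the source accounts stay out of reach of the monitoring account even if its sink policy would accept them.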
Step 3: Create the CloudWatch Dashboard Using the Metric Data Available in the Monitoring Account
- Once the metric data is available in the monitoring account, you can create dashboards and widgets using metric data from different accounts, giving you a single place to look at your infrastructure and services across your AWS Organization. For more information on how to create a CloudWatch dashboard using metric data, refer to the AWS documentation.