Description:  

CloudWatch is a monitoring and management service that provides data and actionable insights for AWS, hybrid, and on-premises applications and infrastructure resources. CloudWatch can add cross-account functionality to the CloudWatch console. This functionality provides you with cross-account visibility into your dashboards, alarms, metrics, and automatic dashboards without having to log in and out of different accounts.


Rationale:

Amazon CloudWatch dashboards are customizable home pages in the CloudWatch console that you can use to monitor your resources in a single view, even those resources that are spread across different Regions. You can use CloudWatch dashboards to create customized views of the metrics and alarms for your AWS resources.


Impact:

Enabling cross-account sharing gives the monitoring account access to your sharing accounts' data.


Default Value:

By default, AWS doesn't allow access to AWS service data between AWS accounts, even when they belong to the same organization.


Pre-Requisite:

  • You must know the Account ID of each of your AWS accounts.


Remediation:

Test Plan:

  1. Sign in to the AWS Management Console.

  2. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch.

  3. Go to CloudWatch and check the left side panel for Settings. Click on Settings.

  4. On the CloudWatch Settings page, you can see whether cross-account sharing is enabled or not.

  5. In this example, the page shows that cross-account sharing is not configured.



Implementation: 

To enable your account to view cross-account cross-Region CloudWatch data:

  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  2. In the navigation pane, choose Settings.

  3. On the CloudWatch Settings page, you can see whether cross-account sharing is enabled or not. To enable it, choose Configure.

  4. After choosing Configure, scroll down to View cross-account cross-region and select Enable.

  5. Under View cross-account cross-region, choose one of the following options:

    • Account ID input. This option prompts you to manually input an account ID each time that you want to switch accounts when you view cross-account data.

    • AWS Organization account selector. This option causes the accounts that you specified when you completed your cross-account cross-Region integration with Organizations to appear. When you next use the console, CloudWatch displays a dropdown list of these accounts for you to select from when you are viewing cross-account data.

      You must first have used your organization's master account to allow CloudWatch to see a list of the accounts in your organization. For more information, see (Optional) Integrate With AWS Organizations.

    • Custom account selector. This option prompts you to enter a list of account IDs. When you next use the console, CloudWatch displays a dropdown list of these accounts for you to select from when you are viewing cross-account data.

      You can also enter a label for each of these accounts to help you identify them when choosing accounts to view.

  6. Choose Enable.



Backout Plan:

  1. Log in to your monitoring account and navigate to the IAM console.

  2. Click Roles under the Access management section, then look through the list of roles.

  3. Find the CloudWatchCrossAccountSharingRole role, select it, and click Delete role.

  4. At the next prompt, confirm the deletion by clicking the Yes, delete button.
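An added audit script for the Test Plan and the Backout Plan above (example code, not part of this guide): it fetches the sharing role named in the Backout Plan with boto3's IAM `get_role` and reports which account IDs are allowed to assume it, flagging a wildcard principal. The role name is the one this guide uses, and the trust policy and account IDs embedded in the block are constructed samples.

```python
import re

# Role name as given in the Backout Plan above; confirm it against your own account,
# since the name AWS uses for this role can differ from the one in this guide.
SHARING_ROLE_NAME = "CloudWatchCrossAccountSharingRole"
_ACCOUNT_RE = re.compile(r"\b(\d{12})\b")

# Constructed sample trust policy (not from a real account): two monitoring accounts.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::111122223333:root", "123456789012"]},
        "Action": "sts:AssumeRole",
    }],
}

def _as_list(value):
    # IAM policy fields may be a single value or a list; normalise to a list
    return [] if value is None else value if isinstance(value, list) else [value]

def trusted_accounts(trust_policy):
    """Account IDs allowed to assume the role, plus a flag for a wildcard principal."""
    accounts, wildcard = set(), False
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        for value in ["*"] if principal == "*" else _as_list(principal.get("AWS")):
            if value == "*":
                wildcard = True  # any principal could assume the role: treat as a finding
            else:
                accounts.update(_ACCOUNT_RE.findall(value))
    return {"accounts": sorted(accounts), "wildcard": wildcard}

def audit_sharing_role(iam, role_name=SHARING_ROLE_NAME):
    """`iam` is a boto3 IAM client (or any object exposing its get_role signature)."""
    try:
        role = iam.get_role(RoleName=role_name)["Role"]
    except Exception as exc:  # boto3 raises iam.exceptions.NoSuchEntityException
        if type(exc).__name__ == "NoSuchEntityException":
            return {"present": False, "accounts": [], "wildcard": False}
        raise
    # boto3 returns AssumeRolePolicyDocument already decoded into a dict
    return {"present": True, **trusted_accounts(role["AssumeRolePolicyDocument"])}

if __name__ == "__main__":  # live run: audit_sharing_role(boto3.client("iam"))
    print(trusted_accounts(SAMPLE_TRUST_POLICY))
```

A result with `present` set to False means the sharing role is absent, which matches the "not configured" state the Test Plan looks for; any account ID you do not recognise as a monitoring account, or a `wildcard` of True, warrants review.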


Reference:

Cross-account cross-Region CloudWatch console - Amazon CloudWatch