2026-02-18

Easy Cross-Account Aggregation with CloudWatch OAM

<div class="toc">
<h3>Table of Contents</h3>
<ul>
<li><a href="#introduction">Introduction</a></li>
<li><a href="#what-is-oam">What is Observability Access Manager (OAM)?</a></li>
<li><a href="#setting-up-oam">Setting Up OAM: Sinks and Links</a></li>
<li><a href="#step-by-step-guide">Step-by-Step Implementation</a></li>
<li><a href="#verification">Verifying the Setup</a></li>
<li><a href="#conclusion">Conclusion</a></li>
<li><a href="#faq">Frequently Asked Questions</a></li>
</ul>
</div>
<h2 id="introduction">Introduction</h2>
<p>Managing observability data across multiple AWS accounts can be challenging. Without a centralized view, debugging distributed systems often requires switching between accounts, which is slow and error-prone. AWS CloudWatch Observability Access Manager (OAM) solves this problem by letting you aggregate logs, metrics, and traces from multiple source accounts into a single monitoring account.</p>
<h2 id="what-is-oam">What is Observability Access Manager (OAM)?</h2>
<p>OAM simplifies cross-account observability by introducing two key concepts: <strong>Sinks</strong> and <strong>Links</strong>.</p>
<ul>
<li><strong>Sink:</strong> Created in the centralized monitoring account. It is the destination for observability data, and its resource policy decides which accounts may link to it and which data types they may share.</li>
<li><strong>Link:</strong> Created in each source account. It defines which data types (logs, metrics, traces) that account shares with the Sink.</li>
</ul>
<h2 id="setting-up-oam">Setting Up OAM: Sinks and Links</h2>
<p>The setup involves configuring a Sink in your monitoring account and creating Links in your source accounts that send data to that Sink. This architecture eliminates the need for complex manual forwarding solutions such as subscription filters or cross-account Kinesis pipelines.</p>
<h2 id="step-by-step-guide">Step-by-Step Implementation</h2>
<p>Here is how you can set up OAM using Terraform. This example assumes you have an AWS Organization set up.</p>
<h3 id="1-configure-the-sink">1. Configure the Sink (Monitoring Account)</h3>
<p>First, create the Sink in your centralized monitoring account and attach a policy that allows the source accounts to create links to it. Keep the principal list to the accounts you actually intend to monitor, and keep the <code>oam:ResourceTypes</code> condition, since it is what prevents a source account from sharing more data types than you approved.</p>
<pre><code class="language-hcl">resource "aws_oam_sink" "monitoring_sink" {
  name = "CentralMonitoringSink"
}

resource "aws_oam_sink_policy" "monitoring_sink_policy" {
  sink_identifier = aws_oam_sink.monitoring_sink.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        # Replace with your Source Account IDs (or scope the statement by Org ID instead)
        Principal = {
          AWS = ["arn:aws:iam::123456789012:root", "arn:aws:iam::987654321098:root"]
        }
        Action   = ["oam:CreateLink", "oam:UpdateLink"]
        Resource = "*"
        # Only these data types may be linked; remove any type you do not want shared
        Condition = {
          "ForAllValues:StringEquals" = {
            "oam:ResourceTypes" = ["AWS::CloudWatch::Metric", "AWS::Logs::LogGroup", "AWS::XRay::Trace"]
          }
        }
      }
    ]
  })
}
</code></pre>
<h3 id="2-create-links">2. Create Links (Source Accounts)</h3>
<p>In each source account, create a Link that points to the Sink's ARN. The Link's <code>resource_types</code> must be a subset of what the Sink policy's <code>oam:ResourceTypes</code> condition allows; otherwise the link request is denied.</p>
<pre><code class="language-hcl">resource "aws_oam_link" "source_link" {
  # label_template is required and must not be empty; "$AccountName" shows the
  # source account's name next to its data in the monitoring account
  label_template  = "$AccountName"
  resource_types  = ["AWS::CloudWatch::Metric", "AWS::Logs::LogGroup", "AWS::XRay::Trace"]
  sink_identifier = "arn:aws:oam:us-east-1:111111111111:sink/example-sink-id" # Replace with your Sink ARN
}
</code></pre>
<h2 id="verification">Verifying the Setup</h2>
<p>Once deployed, verify the configuration in the AWS Console:</p>
<ol>
<li>Go to the <strong>CloudWatch Console</strong> in your Monitoring Account.</li>
<li>Navigate to <strong>Settings</strong> &gt; <strong>Manage Cross-Account Observability</strong>.</li>
<li>You should see "Monitoring account enabled".</li>
<li>In the Source Accounts, the status should show as "Linked".</li>
</ol>
<h2 id="conclusion">Conclusion</h2>
<p>AWS CloudWatch OAM significantly reduces the operational overhead of monitoring multi-account environments. By centralizing your logs, metrics, and traces, you gain a unified view of your infrastructure, enabling faster troubleshooting and better insights.</p>
<h2 id="faq">Frequently Asked Questions</h2>
<div class="faq-item">
<h3>Does OAM support all AWS regions?</h3>
<p>OAM is supported in most commercial AWS regions. Check the official documentation for the latest availability.</p>
</div>
<div class="faq-item">
<h3>Is there a cost for using OAM?</h3>
<p>OAM itself doesn't have a direct cost, but standard CloudWatch charges for cross-account data transfer and ingestion apply.</p>
</div>
<div class="faq-item">
<h3>Can I link multiple source accounts to one sink?</h3>
<p>Yes, OAM is designed for many-to-one aggregation, allowing multiple source accounts to send data to a single monitoring account.</p>
</div>
<p><em>This part could not be verified: Some sources suggest limits on the number of Sinks per region might be flexible, but official docs state strict quotas.</em></p>
<p>For more details on cloud strategies, check our guides on <a href="/en/tech/aws-consultancy">AWS Consultancy</a> and <a href="/en/tech/kubernetes-consultancy">Kubernetes Consultancy</a>.</p>
<p>Source: <a href="https://awsfundamentals.com/blog/easy-cross-account-aggregation-of-logs-metrics-and-traces-on-cloudwatch-with-observability-access-manager">https://awsfundamentals.com/blog/easy-cross-account-aggregation-of-logs-metrics-and-traces-on-cloudwatch-with-observability-access-manager</a></p>
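As a pre-apply check for the Sink policy from step 1 of the implementation section above (an added example, not code from the original post or from AWS), the following Python audits a sink policy document and flags sharing that is wider than intended: a wildcard principal not scoped by <code>aws:PrincipalOrgID</code>, principals outside the expected account list, actions beyond <code>oam:CreateLink</code>/<code>oam:UpdateLink</code>, and a missing or over-broad <code>oam:ResourceTypes</code> condition. The account IDs are the post's placeholders, the policies are constructed inline, and <code>audit_sink_policy</code> and its helper are this example's own names.

```python
# Added example (not from the original post): audit an OAM sink policy before applying it.
EXPECTED_ACTIONS = {"oam:CreateLink", "oam:UpdateLink"}
PAGE_TYPES = {"AWS::CloudWatch::Metric", "AWS::Logs::LogGroup", "AWS::XRay::Trace"}

def _principals(stmt):
    # Normalise Principal to a list of strings ("*" or IAM ARNs)
    p = stmt.get("Principal", {})
    if p == "*":
        return ["*"]
    aws = p.get("AWS", []) if isinstance(p, dict) else []
    return [aws] if isinstance(aws, str) else list(aws)

def audit_sink_policy(policy, allowed_accounts, allowed_types, org_id=None):
    """Return findings as strings; an empty list means the policy is as tight as intended."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        # Flatten Condition {operator: {key: value}} into key -> [values]
        cond = {}
        for kv in stmt.get("Condition", {}).values():
            for k, v in kv.items():
                cond[k] = [v] if isinstance(v, str) else list(v)
        for p in _principals(stmt):
            if p == "*":
                if org_id and cond.get("aws:PrincipalOrgID") == [org_id]:
                    continue  # org-scoped wildcard is the documented org-wide pattern
                findings.append(f"stmt {i}: wildcard principal not scoped by aws:PrincipalOrgID")
            elif (p.split(":")[4] if p.count(":") >= 5 else p) not in allowed_accounts:
                findings.append(f"stmt {i}: unexpected principal {p}")
        actions = stmt.get("Action", [])
        actions = {actions} if isinstance(actions, str) else set(actions)
        if not actions <= EXPECTED_ACTIONS:
            findings.append(f"stmt {i}: unexpected actions {sorted(actions - EXPECTED_ACTIONS)}")
        types = cond.get("oam:ResourceTypes")
        if types is None:
            findings.append(f"stmt {i}: no oam:ResourceTypes condition, every data type can be linked")
        elif not set(types) <= allowed_types:
            findings.append(f"stmt {i}: unexpected resource types {sorted(set(types) - allowed_types)}")
    return findings

# Constructed: the policy from the post, and a weak variant that trusts any account for any data type
GOOD_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam::123456789012:root", "arn:aws:iam::987654321098:root"]},
    "Action": ["oam:CreateLink", "oam:UpdateLink"], "Resource": "*",
    "Condition": {"ForAllValues:StringEquals": {"oam:ResourceTypes": sorted(PAGE_TYPES)}}}]}
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": "*",
    "Action": ["oam:CreateLink", "oam:UpdateLink"], "Resource": "*"}]}
print(audit_sink_policy(WEAK_POLICY, {"123456789012"}, PAGE_TYPES))
```

Run it against the JSON you are about to put into <code>aws_oam_sink_policy</code>; the weak variant reports both a wildcard principal and a missing <code>oam:ResourceTypes</code> condition, while the post's policy reports nothing.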