AWS CloudWatch Log Centralization: Simplified Cross-Account Logging
AWS recommends having a central logging account for security and compliance. Until recently, achieving this required complex setups involving Subscription Filters, Kinesis, or the Observability Access Manager (OAM). In 2025, AWS launched a native Log Centralization feature that simplifies this process significantly using Organization-wide rules.
Why Centralize Logs?
Centralizing logs provides a single pane of glass for monitoring, security auditing (SOC2, ISO27001), and troubleshooting across your entire AWS Organization. It eliminates the need to switch between accounts to find logs.
Prerequisites
- AWS Organization: You must have an AWS Organization set up (Control Tower is recommended).
- Delegated Administrator: It is best practice to delegate a member account (e.g., your Security or Logging account) as the CloudWatch administrator.
Step-by-Step Setup Guide
1. Delegate an Administrator
From your Management Account, delegate your logging account as the CloudWatch administrator. This allows the logging account to create rules that apply to the entire organization.
2. Create a Log Replication Rule
In your Logging Account, navigate to CloudWatch > Settings > Log Replication.
- Click Create rule.
- Source: Select 'Entire Organization', specific 'Organizational Units (OUs)', or a list of accounts.
- Log Groups: Choose to replicate all log groups or filter by prefix.
- Destination: Select 'Current account' (this is your central logging account).
- Region: Choose the target region (Cross-region replication is supported).

Automatic Field Enrichment: @aws.account and @aws.region
A major advantage of this new feature is that CloudWatch automatically adds @aws.account and @aws.region fields to every replicated log event. You no longer need to parse log group names to identify the source.
Example Query
You can use CloudWatch Logs Insights to query logs from specific accounts:
fields @timestamp, @aws.account, @aws.region, @message
| filter @aws.account = "123456789012"
| sort @timestamp desc
| limit 100
Important Considerations
Retention Settings Are Not Inherited
Replicated log groups in the central account do not inherit retention settings from their source log groups. By default they are created with a retention period of their own, which may differ from the source (often indefinite, i.e. "Never expire"), so replicated data accumulates until you set one explicitly.
Best Practice: Use a Lambda function or EventBridge Scheduler to enforce retention policies on the central log groups (e.g., 1 year for compliance) while keeping source logs shorter (e.g., 30 days).
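The following is an added example, not code from the original article or from AWS: a small Lambda-style enforcer that lists the central account's replicated log groups and sets a fixed retention on any group whose retention differs (including groups with no retention at all). It assumes the replicated groups can be selected by a name prefix (here the hypothetical `/replicated/`), and it ships with a constructed in-memory stand-in for the boto3 CloudWatch Logs client so it runs offline; the two API calls it uses, `describe_log_groups` and `put_retention_policy`, are real CloudWatch Logs operations.

```python
"""Enforce a fixed retention period on replicated CloudWatch log groups.

Added example (not from the original article). Assumptions: replicated log
groups in the central account share a name prefix (hypothetical '/replicated/'),
and enforcement runs as a Lambda triggered by EventBridge Scheduler.
"""

# Retention values (in days) that put_retention_policy accepts.
VALID_RETENTION_DAYS = {1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400,
                        545, 731, 1096, 1827, 2192, 2557, 2922, 3288, 3653}


def is_valid_retention(days):
    """True if CloudWatch Logs accepts `days` as a retention period."""
    return days in VALID_RETENTION_DAYS


def plan_retention_changes(groups, target_days):
    """Return names of log groups whose retention differs from target_days.

    `groups` is shaped like describe_log_groups output; a missing
    'retentionInDays' key means the group never expires.
    """
    if not is_valid_retention(target_days):
        raise ValueError(f"{target_days} is not a valid CloudWatch retention")
    return [g["logGroupName"] for g in groups
            if g.get("retentionInDays") != target_days]


def list_log_groups(client, prefix):
    """Page through describe_log_groups for groups starting with `prefix`."""
    groups, token = [], None
    while True:
        kwargs = {"logGroupNamePrefix": prefix}
        if token:
            kwargs["nextToken"] = token
        resp = client.describe_log_groups(**kwargs)
        groups.extend(resp.get("logGroups", []))
        token = resp.get("nextToken")
        if not token:
            return groups


def enforce_retention(client, prefix, target_days):
    """Apply target_days to every non-compliant group; return what changed."""
    changed = plan_retention_changes(list_log_groups(client, prefix), target_days)
    for name in changed:
        client.put_retention_policy(logGroupName=name, retentionInDays=target_days)
    return changed


class FakeLogsClient:
    """Constructed in-memory stand-in for boto3's CloudWatch Logs client so the
    example runs offline. It mimics only the two calls used above, and it
    paginates so the nextToken loop in list_log_groups is exercised."""

    def __init__(self, groups, page_size=2):
        self.groups = [dict(g) for g in groups]
        self.page_size = page_size
        self.calls = []  # (logGroupName, retentionInDays) tuples applied

    def describe_log_groups(self, logGroupNamePrefix="", nextToken=None):
        matching = [g for g in self.groups
                    if g["logGroupName"].startswith(logGroupNamePrefix)]
        start = int(nextToken or 0)
        resp = {"logGroups": matching[start:start + self.page_size]}
        if start + self.page_size < len(matching):
            resp["nextToken"] = str(start + self.page_size)
        return resp

    def put_retention_policy(self, logGroupName, retentionInDays):
        self.calls.append((logGroupName, retentionInDays))
        for g in self.groups:
            if g["logGroupName"] == logGroupName:
                g["retentionInDays"] = retentionInDays


# Constructed sample: three replicated groups (one already compliant, one with
# no retention at all) plus a local group the prefix filter must leave alone.
SAMPLE_GROUPS = [
    {"logGroupName": "/replicated/prod/app-api"},  # no key: never expires
    {"logGroupName": "/replicated/prod/app-worker", "retentionInDays": 30},
    {"logGroupName": "/replicated/security/cloudtrail", "retentionInDays": 365},
    {"logGroupName": "/local/central-lambda", "retentionInDays": 7},
]


def lambda_handler(event, context):
    """EventBridge Scheduler entry point; uses the real client inside AWS."""
    import boto3  # assumed present in the Lambda runtime
    client = boto3.client("logs")
    prefix = event.get("prefix", "/replicated/")
    days = int(event.get("retentionDays", 365))
    return {"updated": enforce_retention(client, prefix, days)}


def demo():
    """Run the enforcer against the constructed sample with the fake client."""
    return enforce_retention(FakeLogsClient(SAMPLE_GROUPS), "/replicated/", 365)


if __name__ == "__main__":
    print(demo())  # ['/replicated/prod/app-api', '/replicated/prod/app-worker']
```

Schedule `lambda_handler` with an EventBridge Scheduler rule (daily is enough; replication creates new groups, it does not change existing retention) and pass `{"prefix": ..., "retentionDays": 365}` as the event. The Lambda role needs only `logs:DescribeLogGroups` and `logs:PutRetentionPolicy` scoped to the central account's log group ARNs. Keeping the decision in `plan_retention_changes`, separate from the API calls, makes the policy unit-testable and lets you run it in a dry-run mode before letting it write.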
Pricing
- First Copy: The first copy of your log data within the organization is generally free (check official pricing for details).
- Additional Copies: Subsequent copies may incur charges (e.g., $0.05/GB).
- Storage: Standard CloudWatch Logs storage rates apply in the destination account.
For more advanced AWS implementations, check out our AWS Consultancy Services.