AWS Security ChangesHomeSearch

AWS AmazonCloudWatch documentation change

Service: AmazonCloudWatch · 2026-07-01 · Documentation medium

File: AmazonCloudWatch/latest/monitoring/Cross-Account-Cross-Region.md

Summary

Enhanced documentation for cross-account monitoring setup by adding AWS CDK implementation options, detailed policy examples for least-privilege access scoping, and structural improvements with clearer headings.

Security assessment

The changes add security documentation by introducing least-privilege policy examples (organization-scoped, account-specific, and wildcard) for the monitoring role. This promotes secure configurations but doesn't address a specific vulnerability. The added AWS CDK examples and policy conditions help users restrict cross-account access, improving security posture.

Diff

diff --git a/AmazonCloudWatch/latest/monitoring/Cross-Account-Cross-Region.md b/AmazonCloudWatch/latest/monitoring/Cross-Account-Cross-Region.md
index 6e93430f9..f8fdc2c4d 100644
--- a//AmazonCloudWatch/latest/monitoring/Cross-Account-Cross-Region.md
+++ b//AmazonCloudWatch/latest/monitoring/Cross-Account-Cross-Region.md
@@ -40 +40 @@ To set up cross-account cross-Region functionality in your CloudWatch console, u
-**Set up a sharing account**
+### Set up a sharing account
@@ -44 +44 @@ You must enable sharing in each account that will make data available to the mon
-This will grant the read-only permissions that you choose in step 5 to all users that view a cross account dashboard in the account that you share with, if the user has corresponding permissions in the account that you share with.
+This grants the read-only permissions that you choose in step 5 to all users that view a cross account dashboard in the account that you share with, if the user has corresponding permissions in the account that you share with.
@@ -79 +79 @@ In the confirmation screen, type `Confirm`, and choose **Launch template**.
-**Sharing with an entire organization**
+#### Sharing with an entire organization
@@ -83 +83 @@ Completing the preceding procedure creates an IAM role which enables your accoun
-This will grant the read-only permissions listed in the policies shown in step 5 of the previous procedure to all users that view a cross-account dashboard in the account that you share with, if the user has corresponding permissions in the account that you share with.
+This grants the read-only permissions listed in the policies shown in step 5 of the previous procedure to all users that view a cross-account dashboard in the account that you share with, if the user has corresponding permissions in the account that you share with.
@@ -152 +152 @@ JSON
-**Set up a monitoring account**
+### Set up a monitoring account
@@ -154 +154,5 @@ JSON
-Enable each monitoring account if you want to view cross-account CloudWatch data. 
+Enable each monitoring account to view cross-account CloudWatch data. You can enable a monitoring account by using the Amazon CloudWatch console or the AWS Cloud Development Kit (AWS CDK).
+
+After you set up a monitoring account, you can create cross-account dashboards. For more information, see [Creating a customized CloudWatch dashboard](./create_dashboard.html).
+
+#### Enable a monitoring account by using the console
@@ -185 +189,81 @@ The account selector settings that a user makes here are retained only for that
-After you complete this setup, you can create cross-account dashboards. For more information, see [Creating a customized CloudWatch dashboard](./create_dashboard.html).
+#### Enable a monitoring account by using the CDK
+
+You can also set up a monitoring account without using the console. Define the **ServiceRoleForCloudWatchCrossAccountV2** role as infrastructure as code. Use this approach when you manage multiple monitoring accounts. It deploys the role consistently across all of them. The following example uses the AWS CDK in TypeScript to define the role with the required trust policy and an inline permissions policy:
+    
+    
+    import { Role, ServicePrincipal, PolicyDocument, PolicyStatement, Effect } from 'aws-cdk-lib/aws-iam';
+    
+    new Role(this, 'ServiceRoleForCloudWatchCrossAccountV2', {
+      roleName: 'ServiceRoleForCloudWatchCrossAccountV2',
+      assumedBy: new ServicePrincipal('cloudwatch-crossaccount.amazonaws.com'),
+      description: 'Allows CloudWatch to assume the CloudWatch-CrossAccountSharingRole in sharing accounts.',
+      inlinePolicies: {
+        CrossAccountAccess: new PolicyDocument({
+          statements: [
+            new PolicyStatement({
+              effect: Effect.ALLOW,
+              actions: ['sts:AssumeRole'],
+              resources: ['arn:aws:iam::*:role/CloudWatch-CrossAccountSharingRole'],
+            }),
+          ],
+        }),
+      },
+    });
+
+This example uses a wildcard resource, which is the least restrictive scope. To restrict the monitoring account to specific sharing accounts or to an organization, change the `resources` array. You can add a `conditions` property with an `aws:ResourceOrgID` condition. Either approach matches one of the inline policies in the following section.
+
+To deploy the role to many accounts at once, use the synthesized template with CloudFormation StackSets. A stack set creates the role across multiple accounts and Regions in a single operation. A stack set also automatically deploys the role to new accounts that join your organization. For more information about CloudFormation StackSets, see [Working with CloudFormation StackSets](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/what-is-cfnstacksets.html) in the _CloudFormation User Guide_.
+
+#### Scope of accounts the monitoring account can access
+
+When you define the role with the AWS CDK, the inline permissions policy grants `sts:AssumeRole` permission. CloudWatch uses this permission to assume the **CloudWatch-CrossAccountSharingRole** in your sharing accounts. To follow the principle of least privilege, limit the `Resource` of the `sts:AssumeRole` action to only the accounts that the monitoring account needs. You can scope access in the following ways, from most restrictive to least restrictive:
+
+  * **An entire organization** – Allow the monitoring account to assume the sharing role only in accounts that belong to your organization. Replace `org-id` with the ID of your organization (for example, `o-a1b2c3d4e5`). Use the following JSON inline policy:
+    
+        {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Effect": "Allow",
+          "Action": "sts:AssumeRole",
+          "Resource": "arn:aws:iam::*:role/CloudWatch-CrossAccountSharingRole",
+          "Condition": {
+            "StringEquals": {
+              "aws:ResourceOrgID": "org-id"
+            }
+          }
+        }
+      ]
+    }
+
+  * **A list of accounts** – Allow the monitoring account to assume the sharing role only in the accounts that you list. Replace each example account ID (such as `111122223333`) with the ID of a sharing account. Use the following JSON inline policy:
+    
+        {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Effect": "Allow",
+          "Action": "sts:AssumeRole",
+          "Resource": [
+            "arn:aws:iam::111122223333:role/CloudWatch-CrossAccountSharingRole",
+            "arn:aws:iam::444455556666:role/CloudWatch-CrossAccountSharingRole"
+          ]
+        }
+      ]
+    }
+
+  * **Any account** – Allow the monitoring account to assume the sharing role in any account. This matches the permissions of the role that CloudWatch creates for you, but it is the least restrictive option. Use the following JSON inline policy:
+    
+        {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Effect": "Allow",
+          "Action": "sts:AssumeRole",
+          "Resource": "arn:aws:iam::*:role/CloudWatch-CrossAccountSharingRole"
+        }
+      ]
+    }
+
+
+
@@ -187 +271 @@ After you complete this setup, you can create cross-account dashboards. For more
-**Cross-Region functionality**
+### Cross-Region functionality
@@ -189 +273 @@ After you complete this setup, you can create cross-account dashboards. For more
-Cross-Region functionality is built in to this feature automatically. You do not need to take any extra steps to be able to display metrics from different Regions in a single account on the same graph or the same dashboard. Cross-Region functionality is not supported for alarms, so you can't create an alarm in one Region that watches a metric in a different Region.
+This feature provides Cross-Region functionality automatically. You do not need to take any extra steps to display metrics from different Regions in a single account on the same graph or the same dashboard. Cross-Region functionality is not supported for alarms, so you cannot create an alarm in one Region that watches a metric in a different Region.
@@ -223 +307 @@ Check the following:
-  * Your monitoring account should have a role named **ServiceRoleForCloudWatchCrossAccountV2**. If it does not, you need to create this role. For more information, see Set Up a Monitoring Account.
+  * Your monitoring account must have a role named **ServiceRoleForCloudWatchCrossAccountV2**. If it does not, create this role. For more information, see Set up a monitoring account.
@@ -228 +312 @@ Check the following:
-  * Each sharing account should have a role named **CloudWatch-CrossAccountSharingRole**. If it does not, you need to create this role. For more information, see Set Up A Sharing Account.
+  * Each sharing account must have a role named **CloudWatch-CrossAccountSharingRole**. If it does not, create this role. For more information, see Set up a sharing account.