Use Amazon CloudWatch Observability Access Manager to create and manage links between source accounts and monitoring accounts by using CloudWatch cross-account observability. With CloudWatch cross-account observability, you can monitor and troubleshoot applications that span multiple accounts within a Region. Seamlessly search, visualize, and analyze your metrics, logs, traces, and Application Insights applications in any of the linked accounts without account boundaries.

Set up one or more Amazon Web Services accounts as monitoring accounts and link them with multiple source accounts. A monitoring account is a central Amazon Web Services account that can view and interact with observability data generated from source accounts. A source account is an individual Amazon Web Services account that generates observability data for the resources that reside in it. Source accounts share their observability data with the monitoring account. The shared observability data can include metrics in Amazon CloudWatch, logs in Amazon CloudWatch Logs, traces in X-Ray, and applications in Amazon CloudWatch Application Insights.

Installation

NPM
npm install @aws-sdk/client-oam
Yarn
yarn add @aws-sdk/client-oam
pnpm
pnpm add @aws-sdk/client-oam

OAMClient Operations

Command
Summary
CreateLinkCommand

Creates a link between a source account and a sink that you have created in a monitoring account. After the link is created, data is sent from the source account to the monitoring account. When you create a link, you can optionally specify filters that specify which metric namespaces and which log groups are shared from the source account to the monitoring account.

Before you create a link, you must create a sink in the monitoring account and create a sink policy in that account. The sink policy must permit the source account to link to it. You can grant permission to source accounts by granting permission to an entire organization or to individual accounts.

For more information, see CreateSink  and PutSinkPolicy .

Each monitoring account can be linked to as many as 100,000 source accounts.

Each source account can be linked to as many as five monitoring accounts.

CreateSinkCommand

Use this to create a sink in the current account, so that it can be used as a monitoring account in CloudWatch cross-account observability. A sink is a resource that represents an attachment point in a monitoring account. Source accounts can link to the sink to send observability data.

After you create a sink, you must create a sink policy that allows source accounts to attach to it. For more information, see PutSinkPolicy .

Each account can contain one sink per Region. If you delete a sink, you can then create a new one in that Region.

DeleteLinkCommand

Deletes a link between a monitoring account sink and a source account. You must run this operation in the source account.

DeleteSinkCommand

Deletes a sink. You must delete all links to a sink before you can delete that sink.

GetLinkCommand

Returns complete information about one link.

To use this operation, provide the link ARN. To retrieve a list of link ARNs, use ListLinks .

GetSinkCommand

Returns complete information about one monitoring account sink.

To use this operation, provide the sink ARN. To retrieve a list of sink ARNs, use ListSinks .

GetSinkPolicyCommand

Returns the current sink policy attached to this sink. The sink policy specifies what accounts can attach to this sink as source accounts, and what types of data they can share.

ListAttachedLinksCommand

Returns a list of source account links that are linked to this monitoring account sink.

To use this operation, provide the sink ARN. To retrieve a list of sink ARNs, use ListSinks .

To find a list of links for one source account, use ListLinks .

ListLinksCommand

Use this operation in a source account to return a list of links to monitoring account sinks that this source account has.

To find a list of links for one monitoring account sink, use ListAttachedLinks  from within the monitoring account.

ListSinksCommand

Use this operation in a monitoring account to return the list of sinks created in that account.

ListTagsForResourceCommand

Displays the tags associated with a resource. Both sinks and links support tagging.

PutSinkPolicyCommand

Creates or updates the resource policy that grants permissions to source accounts to link to the monitoring account sink. When you create a sink policy, you can grant permissions to all accounts in an organization or to individual accounts.

You can also use a sink policy to limit the types of data that is shared. The three types that you can allow or deny are:

  • Metrics - Specify with AWS::CloudWatch::Metric

  • Log groups - Specify with AWS::Logs::LogGroup

  • Traces - Specify with AWS::XRay::Trace

  • Application Insights - Applications - Specify with AWS::ApplicationInsights::Application

See the examples in this section to see how to specify permitted source accounts and data types.

TagResourceCommand

Assigns one or more tags (key-value pairs) to the specified resource. Both sinks and links can be tagged.

Tags can help you organize and categorize your resources. You can also use them to scope user permissions by granting a user permission to access or change only resources with certain tag values.

Tags don't have any semantic meaning to Amazon Web Services and are interpreted strictly as strings of characters.

You can use the TagResource action with a resource that already has tags. If you specify a new tag key for the alarm, this tag is appended to the list of tags associated with the alarm. If you specify a tag key that is already associated with the alarm, the new tag value that you specify replaces the previous value for that tag.

You can associate as many as 50 tags with a resource.

Unlike tagging permissions in other Amazon Web Services services, to tag or untag links and sinks you must have the oam:ResourceTag permission. The iam:ResourceTag permission does not allow you to tag and untag links and sinks.

UntagResourceCommand

Removes one or more tags from the specified resource.

Unlike tagging permissions in other Amazon Web Services services, to tag or untag links and sinks you must have the oam:ResourceTag permission. The iam:TagResource permission does not allow you to tag and untag links and sinks.

UpdateLinkCommand

Use this operation to change what types of data are shared from a source account to its linked monitoring account sink. You can't change the sink or change the monitoring account with this operation.

When you update a link, you can optionally specify filters that specify which metric namespaces and which log groups are shared from the source account to the monitoring account.

To update the list of tags associated with the sink, use TagResource .

OAMClient Configuration

Parameter
Type
Description
defaultsMode
Optional
DefaultsMode | Provider<DefaultsMode>
The @smithy/smithy-client#DefaultsMode that will be used to determine how certain default configuration options are resolved in the SDK.
disableHostPrefix
Optional
boolean
Disable dynamically changing the endpoint of the client based on the hostPrefix trait of an operation.
extensions
Optional
RuntimeExtension[]
Optional extensions
logger
Optional
Logger
Optional logger for logging debug/info/warn/error.
maxAttempts
Optional
number | Provider<number>
Value for how many times a request will be made at most in case of retry.
profile
Optional
string
Setting a client profile is similar to setting a value for the AWS_PROFILE environment variable. Setting a profile on a client in code only affects the single client instance, unlike AWS_PROFILE.When set, and only for environments where an AWS configuration file exists, fields configurable by this file will be retrieved from the specified profile within that file. Conflicting code configuration and environment variables will still have higher priority.For client credential resolution that involves checking the AWS configuration file, the client's profile (this value) will be used unless a different profile is set in the credential provider options.
region
Optional
string | Provider<string>
The AWS region to which this client will send requests
requestHandler
Optional
__HttpHandlerUserInput
The HTTP handler to use or its constructor options. Fetch in browser and Https in Nodejs.
retryMode
Optional
string | Provider<string>
Specifies which retry algorithm to use.
useDualstackEndpoint
Optional
boolean | Provider<boolean>
Enables IPv6/IPv4 dualstack endpoint.
useFipsEndpoint
Optional
boolean | Provider<boolean>
Enables FIPS compatible endpoints.
Additional config fields are described in the full configuration type: OAMClientConfig