Turning on CloudWatch telemetry auditing
Use the CloudWatch console to turn on telemetry auditing for your or AWS Organization or account. For an AWS Organization, CloudWatch will use a management account or a delegated administrator account to discover AWS resources and the telemetry configurations for all of the member accounts in the Organization. Turning on the telemetry auditing experience does not incur any additional cost.
Telemetry auditing will remain on until you turn it off. For more information, see Turning off CloudWatch telemetry auditing.
Topics
Auditing telemetry configurations for your AWS Organization
To turn on telemetry config for your AWS Organization, you must either use a management account or a delegated administrator account. CloudWatch will use this account to discover your Organization's AWS resources and their telemetry configurations.
Before turning on telemetry auditing for your Organization, you need to enable trusted access between AWS Organizations and CloudWatch. When you enable trusted access, CloudWatch will create a service-linked role named AWSServiceRoleForObservabilityAdmin to support resource and telemetry configuration discovery for the Organization. The role is created in all member accounts of the Organization. For more information about the service-linked role, see Service-linked role permissions for CloudWatch telemetry config. For more information about AWS Organizations, see Amazon CloudWatch and AWS Organizations in the AWS Organizations User Guide.
To use a management account for telemetry config, be logged in with that account, enable trusted access, and turn on telemetry auditing. For more information, see Turning on telemetry auditing for your AWS Organization.
Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/
. -
In the navigation pain, choose Settings.
-
Choose the Organizations tab.
-
In Organizational Management Settings, choose Turn on. The Enable trusted access page appears.
-
To review the role policy, choose View permission details and the role policy appears in a window. Choose Enable trusted access. The telemetry config Overview page appears and CloudWatch begins discovering AWS resources in the AWS Organization. As CloudWatch discovers resources, it automatically updates information in the Overview page.
Note
The amount of time before resources appear in the Overview page depends on the number of member accounts and resources in your Organization or account.
Registering a delegated administrator account for your AWS Organization
A delegated administrator account is a member account that shares administrator access for service-managed permissions. The account you want to register as a delegated administrator must be in your AWS Organization. A delegated administrator account for your Organization has effects outside of CloudWatch, so make sure you understand this account type before following this procedure. For more information, see Amazon CloudWatch and AWS Organizations in the AWS Organizations User Guide.
To remove or change the delegated administrator account, deregister the account first. For more information, see Deregistering a delegated administrator account.
To register a delegated administrator account
Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/
. -
In the navigation pane, choose Settings.
Choose the Organization tab.
Choose Register delegated administrator.
In the Register delegated administrator window, in the Delegated administrator account ID field, enter the 12-digit Organization member account ID.
Choose Register delegated administrator. At the top of the page, a message appears indicating the account was registered successfully. The Organization Settings page appears. To see information about the delegated administrator account, hover over the number below Delegated administrators.
Turning on telemetry auditing for your AWS Organization
Turn on telemetry auditing for your AWS Organization to monitor the telemetry for the AWS resources across all your member accounts. This also turns on the telemetry auditing experience for individual accounts. You can also turn on the telemetry auditing experience for only your account. For more information, see Turning on telemetry auditing for your account.
You can turn off trusted access for your AWS Organization. For more information, see Turning off trusted access for an AWS Organization.
Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/
. -
In the navigation pane, choose Telemetry config.
Choose Turn on, then theOrganization tab. The telemetry config Overview page appears and CloudWatch begins discovering AWS resources in your account. As CloudWatch discovers resources, it automatically updates information in the Overview page.
Note
The amount of time before resources appear in the Overview page depends on the number of member accounts and resources in your Organization or account.
Turning on telemetry auditing for your account
Turn on telemetry auditing for your AWS account to monitor the telemetry for the AWS resources in that account. If you have an AWS Organization, turn on telemetry config for your Organization instead. For more information, see Turning on telemetry auditing for your AWS Organization.
Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/
. -
In the navigation pane, choose Settings, Telemetry config.
Choose Turn on, then This account, if you are using a management account or a delegated admin account. The telemetry config Overview page appears and CloudWatch begins discovering AWS resources in your account. As CloudWatch discovers resources, it automatically updates information in the Overview page.
Note
The amount of time before resources appear in the Overview page depends on the number of member accounts and resources in your Organization or account.
Deregistering a delegated administrator account
Deregister the delegated administrator account before turning off trusted access for your AWS Organization. You can also deregister a delegated administrator account if it no longer has access to the appropriate AWS resources for telemetry auditing or to choose a different AWS Organization account to be the delegated administrator. This account will not be able to perform account management tasks for your AWS Organization. For more information, see Amazon CloudWatch and AWS Organizations in the AWS Organizations User Guide.
Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/
. -
In the navigation pane, choose Settings.
-
Choose the Organization tab.
-
Choose Deregister.
-
In the Deregister delegated administrator window, choose Deregister.
To register an account as a delegated administrator, see Registering a delegated administrator account for your AWS Organization.
Turning off trusted access for an AWS Organization
Trusted access extends the functionality of managing the AWS Organization's management account to other AWS services. When you turn off trusted access, trusted access between the Organization and all AWS services will stop, not just CloudWatch.
If you no longer want trusted access enabled for your AWS Organization, you can turn it off. For more information, see Amazon CloudWatch and AWS Organizations in the AWS Organizations User Guide.
Note
Before turning off trusted access for an AWS Organization, deregister the delegated administrator account. For more information, see Deregistering a delegated administrator account.
Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/
. -
In the navigation pane, choose Settings.
Choose the Organization tab.
In the Organizational Management Settings section, select Turn off.