AWS::Oam::Sink
Creates or updates a sink in the current account, so that it can be used as a monitoring account in CloudWatch cross-account observability. A sink is a resource that represents an attachment point in a monitoring account. Source accounts link to the sink in order to send observability data to it.
After you create a sink, you must create a sink policy that allows source accounts to attach to it. For more information, see PutSinkPolicy.
An account can have one sink.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{
  "Type" : "AWS::Oam::Sink",
  "Properties" : {
      "Name" : String,
      "Policy" : Json,
      "Tags" : {Key : Value, ...}
    }
}
Properties
Name
A name for the sink.
Required: Yes
Type: String
Pattern: ^[a-zA-Z0-9_.-]+$
Minimum: 1
Maximum: 255
Update requires: Replacement
Policy
The IAM policy that grants permissions to source accounts to link to this sink. The policy can grant permission in the following ways:
- Include organization IDs or organization paths to permit all accounts in an organization
- Include account IDs to permit the specified accounts
Required: No
Type: Json
Update requires: No interruption
Tags
An array of key-value pairs to apply to the sink.
For more information, see Tag.
Required: No
Type: Object of String
Pattern: ^(?!aws:.*).{1,128}$
Minimum: 0
Maximum: 256
Update requires: No interruption
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the ARN of the link. For example, arn:aws:oam:us-west-1:111111111111:link:abcd1234-a123-456a-a12b-a123b456c789.
For more information about using the Ref function, see Ref.
Fn::GetAtt
The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.
For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.
Arn
The ARN of the sink. For example, arn:aws:oam:us-west-1:111111111111:sink:abcd1234-a123-456a-a12b-a123b456c789
Examples
Sample sink that permits links to all accounts in an organization
This example creates a sink that allows all accounts in a specified organization to create links to share metric and log data.
JSON
"Name": "SampleSink",
"Policy": {
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": "*",
    "Resource": "*",
    "Action": [
      "oam:CreateLink",
      "oam:UpdateLink"
    ],
    "Condition": {
      "StringEquals": {"aws:PrincipalOrgID": "o-xxxxxxxxxxx"},
      "ForAllValues:StringEquals": {
        "oam:ResourceTypes": [
          "AWS::CloudWatch::Metric",
          "AWS::Logs::LogGroup"
        ]
      }
    }
  }]
}
YAML
Name: "SampleSink"
Policy:
  Version: '2012-10-17'
  Statement:
    - Effect: Allow
      Principal: "*"
      Resource: "*"
      Action:
        - "oam:CreateLink"
        - "oam:UpdateLink"
      Condition:
        StringEquals:
          aws:PrincipalOrgID: o-xxxxxxxxxxx
        ForAllValues:StringEquals:
          oam:ResourceTypes:
            - "AWS::CloudWatch::Metric"
            - "AWS::Logs::LogGroup"
Sample sink that permits a link to an individual account
This example creates a sink that allows the account with the ID 111111111111 to create a link to share metrics, logs, and traces.
JSON
"Name": "SampleSink",
"Policy": {
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Resource": "*",
    "Action": "oam:*",
    "Principal": {
      "AWS": [ "111111111111" ]
    },
    "Condition": {
      "ForAllValues:StringEquals": {
        "oam:ResourceTypes": [
          "AWS::CloudWatch::Metric",
          "AWS::Logs::LogGroup",
          "AWS::XRay::Trace"
        ]
      }
    }
  }]
}
YAML
Name: "SampleSink"
Policy:
  Version: '2012-10-17'
  Statement:
    - Effect: Allow
      Resource: "*"
      Action: "oam:*"
      Principal:
        AWS:
          - '111111111111'
      Condition:
        ForAllValues:StringEquals:
          oam:ResourceTypes:
            - "AWS::CloudWatch::Metric"
            - "AWS::Logs::LogGroup"
            - "AWS::XRay::Trace"
Sample sink for CloudWatch Application Insights applications support
This example creates a sink that allows the account with the ID 111111111111 to create a link to share metrics, logs, traces, and Application Insights applications.
JSON
"Name": "SampleSink",
"Policy": {
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Resource": "*",
    "Action": "oam:*",
    "Principal": {
      "AWS": [ "111111111111" ]
    },
    "Condition": {
      "ForAllValues:StringEquals": {
        "oam:ResourceTypes": [
          "AWS::CloudWatch::Metric",
          "AWS::Logs::LogGroup",
          "AWS::XRay::Trace",
          "AWS::ApplicationInsights::Application"
        ]
      }
    }
  }]
}
YAML
Name: "SampleSink"
Policy:
  Version: '2012-10-17'
  Statement:
    - Effect: Allow
      Resource: "*"
      Action: "oam:*"
      Principal:
        AWS:
          - '111111111111'
      Condition:
        ForAllValues:StringEquals:
          oam:ResourceTypes:
            - "AWS::CloudWatch::Metric"
            - "AWS::Logs::LogGroup"
            - "AWS::XRay::Trace"
            - "AWS::ApplicationInsights::Application"
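A pre-deployment check for the Policy property, as an added example that is not part of the AWS documentation: it reviews a sink policy for a wildcard principal that lacks an organization condition, principals that are not 12-digit account IDs, a missing oam:ResourceTypes condition, and wildcard actions. The function name lint_sink_policy, the sample policies, and the choice to report wildcard actions are assumptions of this example.

```python
import re

# Condition keys that scope a wildcard principal to an organization (lower-cased).
ORG_KEYS = {"aws:principalorgid", "aws:principalorgpaths"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_sink_policy(policy):
    """Return a list of findings for a sink policy given as a dict."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        # Condition key names are case-insensitive; gather them across operators.
        keys = {k.lower() for block in stmt.get("Condition", {}).values() for k in block}
        principal = stmt.get("Principal")
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if (principal == "*" or "*" in aws) and not keys & ORG_KEYS:
            findings.append(f"Statement {i}: wildcard principal without an organization condition")
        for entry in aws:
            if entry == "*":
                continue
            # Accept a bare account ID or an arn:aws:iam::<account-id>:root style ARN.
            parts = entry.split(":")
            account = parts[4] if entry.startswith("arn:") and len(parts) > 4 else entry
            if not re.fullmatch(r"\d{12}", account):
                findings.append(f"Statement {i}: '{entry}' is not a 12-digit account ID")
        if "oam:resourcetypes" not in keys:
            findings.append(f"Statement {i}: no oam:ResourceTypes condition")
        if any(a in ("*", "oam:*") for a in _as_list(stmt.get("Action", []))):
            findings.append(f"Statement {i}: wildcard action")
    return findings

# Constructed sample policies (not taken from a real account).
TYPES = {"ForAllValues:StringEquals": {"oam:ResourceTypes": ["AWS::CloudWatch::Metric"]}}
ORG_WIDE = {"Statement": [{"Effect": "Allow", "Principal": "*", "Resource": "*",
            "Action": ["oam:CreateLink", "oam:UpdateLink"],
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-xxxxxxxxxxx"}, **TYPES}}]}
OPEN = {"Statement": [{"Effect": "Allow", "Principal": "*", "Resource": "*",
        "Action": "oam:CreateLink"}]}
TYPO = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": ["1111111111111"]},
        "Resource": "*", "Action": "oam:*", "Condition": TYPES}]}

if __name__ == "__main__":
    for name, pol in (("ORG_WIDE", ORG_WIDE), ("OPEN", OPEN), ("TYPO", TYPO)):
        print(name, lint_sink_policy(pol))
```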