{"id":77855,"date":"2026-03-12T09:18:55","date_gmt":"2026-03-12T03:48:55","guid":{"rendered":"https:\/\/www.tothenew.com\/blog\/?p=77855"},"modified":"2026-03-16T15:41:52","modified_gmt":"2026-03-16T10:11:52","slug":"how-to-centralize-aws-monitoring-a-guide-to-cloudwatch-cross-account-metrics","status":"publish","type":"post","link":"https:\/\/www.tothenew.com\/blog\/how-to-centralize-aws-monitoring-a-guide-to-cloudwatch-cross-account-metrics\/","title":{"rendered":"How to Centralize AWS Monitoring: A Guide to CloudWatch Cross-Account Metrics"},"content":{"rendered":"<p>It is painfully inefficient to check metrics across a large collection of AWS accounts (development, staging, uat, production, etc.). This is a major time waster, not just a small irritation. In addition to wasting valuable engineering time, you run a much higher risk of missing an alert that could result in a full-blown outage every time you jump consoles or set up a redundant alarm.<\/p>\n<h2>Use Case<\/h2>\n<p>This setup shines when you want one central monitoring account to see all CloudWatch metrics from your source accounts. From there you can:<\/p>\n<ul>\n<li>Build unified dashboards<\/li>\n<li>Set up centralized alarms and notifications (e.g., via SNS)<\/li>\n<li>Investigate issues without logging into every account<\/li>\n<li>Scale alerting for production environments<\/li>\n<\/ul>\n<p>It&#8217;s especially useful for EC2, EKS, Lambda, or any service emitting CloudWatch metrics. Once linked, the monitoring account treats source metrics almost like native ones for graphing, alarming, and dashboards.<\/p>\n<p>The feature relies on Observability Access Manager (OAM) and is <strong>Region-specific<\/strong>.<\/p>\n<h2>Prerequisites<\/h2>\n<ul>\n<li>Admin-level access (or IAM policies for <code>oam:*<\/code> actions for the POLP) in both accounts.<\/li>\n<li>Same AWS Region for sink and links (repeat setup per Region).<\/li>\n<li>Source account IDs handy.<\/li>\n<\/ul>\n<h2>Setup Steps<\/h2>\n<h3>Monitoring Account (Central Management Account)<\/h3>\n<ol>\n<li>Log in to the AWS Console with your central management account. Go to <strong>CloudWatch<\/strong> \u2192 <strong><strong>Settings<\/strong><\/strong>\n<p><div id=\"attachment_77854\" style=\"width: 1698px\" class=\"wp-caption aligncenter\"><img aria-describedby=\"caption-attachment-77854\" decoding=\"async\" loading=\"lazy\" class=\"wp-image-77854 size-full\" src=\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2026\/02\/1.-CloudWatch-_-us-east-1.png\" alt=\"CW Settings\" width=\"1688\" height=\"788\" srcset=\"\/blog\/wp-ttn-blog\/uploads\/2026\/02\/1.-CloudWatch-_-us-east-1.png 1688w, \/blog\/wp-ttn-blog\/uploads\/2026\/02\/1.-CloudWatch-_-us-east-1-300x140.png 300w, \/blog\/wp-ttn-blog\/uploads\/2026\/02\/1.-CloudWatch-_-us-east-1-1024x478.png 1024w, \/blog\/wp-ttn-blog\/uploads\/2026\/02\/1.-CloudWatch-_-us-east-1-768x359.png 768w, \/blog\/wp-ttn-blog\/uploads\/2026\/02\/1.-CloudWatch-_-us-east-1-1536x717.png 1536w, \/blog\/wp-ttn-blog\/uploads\/2026\/02\/1.-CloudWatch-_-us-east-1-624x291.png 624w\" sizes=\"(max-width: 1688px) 100vw, 1688px\" \/><p id=\"caption-attachment-77854\" class=\"wp-caption-text\">CloudWatch Settings<\/p><\/div><\/li>\n<li>Under <strong style=\"font-style: italic; text-align: center;\">Monitoring account configuration<\/strong><span style=\"font-style: italic; text-align: center;\">, click <\/span><strong style=\"font-style: italic; text-align: center;\">Configure<\/strong><span style=\"font-style: italic; text-align: center;\"><span style=\"font-style: italic; text-align: center;\">.<\/span><\/span>\n<p><div id=\"attachment_77851\" style=\"width: 1753px\" class=\"wp-caption aligncenter\"><img aria-describedby=\"caption-attachment-77851\" decoding=\"async\" loading=\"lazy\" class=\"size-full wp-image-77851\" src=\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2026\/02\/2.-Screenshot-2026-02-16-190558.png\" alt=\"CW Monitoring Account Setup\" width=\"1743\" height=\"652\" srcset=\"\/blog\/wp-ttn-blog\/uploads\/2026\/02\/2.-Screenshot-2026-02-16-190558.png 1743w, \/blog\/wp-ttn-blog\/uploads\/2026\/02\/2.-Screenshot-2026-02-16-190558-300x112.png 300w, \/blog\/wp-ttn-blog\/uploads\/2026\/02\/2.-Screenshot-2026-02-16-190558-1024x383.png 1024w, \/blog\/wp-ttn-blog\/uploads\/2026\/02\/2.-Screenshot-2026-02-16-190558-768x287.png 768w, \/blog\/wp-ttn-blog\/uploads\/2026\/02\/2.-Screenshot-2026-02-16-190558-1536x575.png 1536w, \/blog\/wp-ttn-blog\/uploads\/2026\/02\/2.-Screenshot-2026-02-16-190558-624x233.png 624w\" sizes=\"(max-width: 1743px) 100vw, 1743px\" \/><p id=\"caption-attachment-77851\" class=\"wp-caption-text\">CW Monitoring Account Setup<\/p><\/div><\/li>\n<li>Select <strong>Metrics<\/strong> as the data type to make visible from source accounts. Enter the source account ID. For <strong>Account label<\/strong>, choose <strong>Account Name<\/strong>. Click <strong>Confirm<\/strong>. This creates the OAM <strong>sink<\/strong>.\n<p><div id=\"attachment_77853\" style=\"width: 1578px\" class=\"wp-caption aligncenter\"><img aria-describedby=\"caption-attachment-77853\" decoding=\"async\" loading=\"lazy\" class=\"size-full wp-image-77853\" src=\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2026\/02\/3.-Monitoring-account-configuration-_-Settings-_-CloudWatch-_-us-east-1.png\" alt=\"Configure OAM Sink\" width=\"1568\" height=\"814\" srcset=\"\/blog\/wp-ttn-blog\/uploads\/2026\/02\/3.-Monitoring-account-configuration-_-Settings-_-CloudWatch-_-us-east-1.png 1568w, \/blog\/wp-ttn-blog\/uploads\/2026\/02\/3.-Monitoring-account-configuration-_-Settings-_-CloudWatch-_-us-east-1-300x156.png 300w, \/blog\/wp-ttn-blog\/uploads\/2026\/02\/3.-Monitoring-account-configuration-_-Settings-_-CloudWatch-_-us-east-1-1024x532.png 1024w, \/blog\/wp-ttn-blog\/uploads\/2026\/02\/3.-Monitoring-account-configuration-_-Settings-_-CloudWatch-_-us-east-1-768x399.png 768w, \/blog\/wp-ttn-blog\/uploads\/2026\/02\/3.-Monitoring-account-configuration-_-Settings-_-CloudWatch-_-us-east-1-1536x797.png 1536w, \/blog\/wp-ttn-blog\/uploads\/2026\/02\/3.-Monitoring-account-configuration-_-Settings-_-CloudWatch-_-us-east-1-624x324.png 624w\" sizes=\"(max-width: 1568px) 100vw, 1568px\" \/><p id=\"caption-attachment-77853\" class=\"wp-caption-text\">Configure OAM Sink<\/p><\/div><\/li>\n<li>The monitoring setup is done. Now copy the <strong>Sink ARN<\/strong>: Still in Settings \u2192 Monitoring account configuration \u2192 look under configuration details or <strong>Manage monitoring account<\/strong> section. Copy the full ARN.\n<p><div id=\"attachment_77852\" style=\"width: 1578px\" class=\"wp-caption aligncenter\"><img aria-describedby=\"caption-attachment-77852\" decoding=\"async\" loading=\"lazy\" class=\"size-full wp-image-77852\" src=\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2026\/02\/5.-Manage-monitoring-account-_-Settings-_-CloudWatch-_-us-east-1.png\" alt=\"Sink ARN\" width=\"1568\" height=\"436\" srcset=\"\/blog\/wp-ttn-blog\/uploads\/2026\/02\/5.-Manage-monitoring-account-_-Settings-_-CloudWatch-_-us-east-1.png 1568w, \/blog\/wp-ttn-blog\/uploads\/2026\/02\/5.-Manage-monitoring-account-_-Settings-_-CloudWatch-_-us-east-1-300x83.png 300w, \/blog\/wp-ttn-blog\/uploads\/2026\/02\/5.-Manage-monitoring-account-_-Settings-_-CloudWatch-_-us-east-1-1024x285.png 1024w, \/blog\/wp-ttn-blog\/uploads\/2026\/02\/5.-Manage-monitoring-account-_-Settings-_-CloudWatch-_-us-east-1-768x214.png 768w, \/blog\/wp-ttn-blog\/uploads\/2026\/02\/5.-Manage-monitoring-account-_-Settings-_-CloudWatch-_-us-east-1-1536x427.png 1536w, \/blog\/wp-ttn-blog\/uploads\/2026\/02\/5.-Manage-monitoring-account-_-Settings-_-CloudWatch-_-us-east-1-624x174.png 624w\" sizes=\"(max-width: 1568px) 100vw, 1568px\" \/><p id=\"caption-attachment-77852\" class=\"wp-caption-text\">Sink ARN<\/p><\/div><\/li>\n<\/ol>\n<h3>Source Account<\/h3>\n<ol start=\"5\">\n<li>Log in to the source account. Go to <strong>CloudWatch<\/strong> \u2192 <strong>Settings<\/strong>.<\/li>\n<li>Click <strong>Configure source account<\/strong>.\n<p><div id=\"attachment_77850\" style=\"width: 1751px\" class=\"wp-caption aligncenter\"><img aria-describedby=\"caption-attachment-77850\" decoding=\"async\" loading=\"lazy\" class=\"size-full wp-image-77850\" src=\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2026\/02\/6.-Settings-_-CloudWatch-_-us-east-1.png\" alt=\"CW Source Account Config\" width=\"1741\" height=\"670\" srcset=\"\/blog\/wp-ttn-blog\/uploads\/2026\/02\/6.-Settings-_-CloudWatch-_-us-east-1.png 1741w, \/blog\/wp-ttn-blog\/uploads\/2026\/02\/6.-Settings-_-CloudWatch-_-us-east-1-300x115.png 300w, \/blog\/wp-ttn-blog\/uploads\/2026\/02\/6.-Settings-_-CloudWatch-_-us-east-1-1024x394.png 1024w, \/blog\/wp-ttn-blog\/uploads\/2026\/02\/6.-Settings-_-CloudWatch-_-us-east-1-768x296.png 768w, \/blog\/wp-ttn-blog\/uploads\/2026\/02\/6.-Settings-_-CloudWatch-_-us-east-1-1536x591.png 1536w, \/blog\/wp-ttn-blog\/uploads\/2026\/02\/6.-Settings-_-CloudWatch-_-us-east-1-624x240.png 624w\" sizes=\"(max-width: 1741px) 100vw, 1741px\" \/><p id=\"caption-attachment-77850\" class=\"wp-caption-text\">CW Source Account Config<\/p><\/div><\/li>\n<li>Select <strong>Metrics<\/strong> as the data type. Paste the <strong>Monitoring account Sink ARN<\/strong> from step 4. Set <strong>Account label<\/strong> to <strong>Account Name<\/strong>. Click Link and Confirm. This creates the OAM <strong>link<\/strong> from source \u2192 monitoring.\n<p><div id=\"attachment_77849\" style=\"width: 1762px\" class=\"wp-caption aligncenter\"><img aria-describedby=\"caption-attachment-77849\" decoding=\"async\" loading=\"lazy\" class=\"size-full wp-image-77849\" src=\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2026\/02\/7.-Source-account-configuration-_-Settings-_-CloudWatch-_-us-east-1.png\" alt=\"Setup OAM Link\" width=\"1752\" height=\"905\" srcset=\"\/blog\/wp-ttn-blog\/uploads\/2026\/02\/7.-Source-account-configuration-_-Settings-_-CloudWatch-_-us-east-1.png 1752w, \/blog\/wp-ttn-blog\/uploads\/2026\/02\/7.-Source-account-configuration-_-Settings-_-CloudWatch-_-us-east-1-300x155.png 300w, \/blog\/wp-ttn-blog\/uploads\/2026\/02\/7.-Source-account-configuration-_-Settings-_-CloudWatch-_-us-east-1-1024x529.png 1024w, \/blog\/wp-ttn-blog\/uploads\/2026\/02\/7.-Source-account-configuration-_-Settings-_-CloudWatch-_-us-east-1-768x397.png 768w, \/blog\/wp-ttn-blog\/uploads\/2026\/02\/7.-Source-account-configuration-_-Settings-_-CloudWatch-_-us-east-1-1536x793.png 1536w, \/blog\/wp-ttn-blog\/uploads\/2026\/02\/7.-Source-account-configuration-_-Settings-_-CloudWatch-_-us-east-1-624x322.png 624w\" sizes=\"(max-width: 1752px) 100vw, 1752px\" \/><p id=\"caption-attachment-77849\" class=\"wp-caption-text\">Setup OAM Link<\/p><\/div><\/li>\n<li>That&#8217;s it for configuration. Metrics can be visible in <strong>10 &#8211; 15 minutes<\/strong> in the monitoring account.<\/li>\n<\/ol>\n<h2>Verification<\/h2>\n<ol>\n<li>In the <strong>source account<\/strong>: Go to <strong>CloudWatch<\/strong> \u2192 <strong>Metrics<\/strong> \u2192 <strong>All metrics<\/strong> \u2192 <strong>AWS\/EC2<\/strong> (or Per-Instance Metrics). Confirm your EC2 metrics (CPUUtilization, NetworkIn, etc.) are emitting normally.\n<p><div id=\"attachment_77848\" style=\"width: 1761px\" class=\"wp-caption aligncenter\"><img aria-describedby=\"caption-attachment-77848\" decoding=\"async\" loading=\"lazy\" class=\"size-full wp-image-77848\" src=\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2026\/02\/9.-Metrics-_-CloudWatch-_-us-east-1.png\" alt=\"EC2 metrics - Source Account\" width=\"1751\" height=\"699\" srcset=\"\/blog\/wp-ttn-blog\/uploads\/2026\/02\/9.-Metrics-_-CloudWatch-_-us-east-1.png 1751w, \/blog\/wp-ttn-blog\/uploads\/2026\/02\/9.-Metrics-_-CloudWatch-_-us-east-1-300x120.png 300w, \/blog\/wp-ttn-blog\/uploads\/2026\/02\/9.-Metrics-_-CloudWatch-_-us-east-1-1024x409.png 1024w, \/blog\/wp-ttn-blog\/uploads\/2026\/02\/9.-Metrics-_-CloudWatch-_-us-east-1-768x307.png 768w, \/blog\/wp-ttn-blog\/uploads\/2026\/02\/9.-Metrics-_-CloudWatch-_-us-east-1-1536x613.png 1536w, \/blog\/wp-ttn-blog\/uploads\/2026\/02\/9.-Metrics-_-CloudWatch-_-us-east-1-624x249.png 624w\" sizes=\"(max-width: 1751px) 100vw, 1751px\" \/><p id=\"caption-attachment-77848\" class=\"wp-caption-text\">EC2 metrics &#8211; Source Account<\/p><\/div><\/li>\n<li>In the <strong>monitoring account<\/strong>: Go to <strong>CloudWatch<\/strong> \u2192 <strong>Metrics<\/strong> \u2192 <strong>All metrics<\/strong>. Browse <strong>AWS\/EC2<\/strong> namespace. Metrics should appear with InstanceId dimensions. You can now create alarms, add to dashboards, or set up alerting &#8211; all centralized.\n<p><div id=\"attachment_77847\" style=\"width: 1924px\" class=\"wp-caption aligncenter\"><img aria-describedby=\"caption-attachment-77847\" decoding=\"async\" loading=\"lazy\" class=\"size-full wp-image-77847\" src=\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2026\/02\/10.-Metrics-_-CloudWatch-_-us-east-1.png\" alt=\"EC2 metrics - Monitoring Account\" width=\"1914\" height=\"716\" srcset=\"\/blog\/wp-ttn-blog\/uploads\/2026\/02\/10.-Metrics-_-CloudWatch-_-us-east-1.png 1914w, \/blog\/wp-ttn-blog\/uploads\/2026\/02\/10.-Metrics-_-CloudWatch-_-us-east-1-300x112.png 300w, \/blog\/wp-ttn-blog\/uploads\/2026\/02\/10.-Metrics-_-CloudWatch-_-us-east-1-1024x383.png 1024w, \/blog\/wp-ttn-blog\/uploads\/2026\/02\/10.-Metrics-_-CloudWatch-_-us-east-1-768x287.png 768w, \/blog\/wp-ttn-blog\/uploads\/2026\/02\/10.-Metrics-_-CloudWatch-_-us-east-1-1536x575.png 1536w, \/blog\/wp-ttn-blog\/uploads\/2026\/02\/10.-Metrics-_-CloudWatch-_-us-east-1-624x233.png 624w\" sizes=\"(max-width: 1914px) 100vw, 1914px\" \/><p id=\"caption-attachment-77847\" class=\"wp-caption-text\">EC2 metrics &#8211; Monitoring Account<\/p><\/div><\/li>\n<\/ol>\n<h2>Adding More Source Accounts to an Existing Monitoring Account<\/h2>\n<p>If you already have the monitoring account configured:<\/p>\n<ol>\n<li>In monitoring account: CloudWatch \u2192 Settings \u2192 <strong>Configuration Policy<\/strong> (or Manage monitoring account policy).<\/li>\n<li>Edit policy. Update the <strong>Principal<\/strong> section to include additional account IDs:\n<pre>\"Principal\": {\"AWS\": [\"12121212121212\", \"12121212121212\"]}<\/pre>\n<\/li>\n<li>Save the updated policy.<\/li>\n<li>In each new source account: Repeat steps 5-7 (configure source, paste existing Sink ARN, set label).<\/li>\n<\/ol>\n<h2>Key Considerations<\/h2>\n<ul>\n<li><strong>Historical Data<\/strong>: You don&#8217;t begin at zero. After linking, all historical metrics kept in the source account are instantly accessible to the monitoring account.<\/li>\n<li><strong>Region Specificity<\/strong>: OAM Sinks are Region-specific. If you have resources in us-east-1 and eu-west-1, you must repeat this setup for both Regions.<\/li>\n<li><strong>No Extra Cost<\/strong>: CloudWatch cross-account observability for metrics and logs comes at no additional cost. You only pay for the underlying metrics and logs ingestion.<\/li>\n<\/ul>\n<h2>Conclusion<\/h2>\n<p>Once set up, this turns fragmented monitoring into a single pane of glass-perfect for faster troubleshooting and cleaner alerting. You no longer need to &#8220;context switch&#8221; between accounts to understand the health of your entire stack.<\/p>\n<h2>Automate Cross-Account Observability with AWS Organizations<\/h2>\n<p>If you are managing a large number of accounts, manually linking each one is inefficient. (For a detailed, organization-level guide on this automation, see our companion blog: &#8216;<strong>From Zero to Hundreds: Onboarding Your Entire AWS Fleet to Centralized CloudWatch in Under an Hour<\/strong>&#8216;.)<\/p>\n<ul>\n<li><strong>Automatic Onboarding<\/strong>: To have new accounts added automatically, designate your entire AWS Organization or certain Organisational Units (OUs) as the &#8220;Source.&#8221;<\/li>\n<li><strong>CloudFormation StackSets:<\/strong> Deploy the OAM &#8220;Link&#8221; to all current and future accounts automatically using StackSets. New accounts gain instant visibility in your central monitoring hub without manual intervention.<\/li>\n<li><strong>Centralized Governance:<\/strong> Manage permissions and ensure observability is never accidentally disabled by enforcing controls at scale using Service Control Policies (SCPs).<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>It is painfully inefficient to check metrics across a large collection of AWS accounts (development, staging, uat, production, etc.). This is a major time waster, not just a small irritation. In addition to wasting valuable engineering time, you run a much higher risk of missing an alert that could result in a full-blown outage every [&hellip;]<\/p>\n","protected":false},"author":1811,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"iawp_total_views":36},"categories":[2348],"tags":[248,8377,8380,8379,5547,1266,7459,8378,1892,1499,8376,7501,7723],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/77855"}],"collection":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/users\/1811"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/comments?post=77855"}],"version-history":[{"count":12,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/77855\/revisions"}],"predecessor-version":[{"id":78533,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/77855\/revisions\/78533"}],"wp:attachment":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/media?parent=77855"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/categories?post=77855"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/tags?post=77855"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}