Turning on CloudWatch telemetry auditing - Amazon CloudWatch

Turning on CloudWatch telemetry auditing

Use the CloudWatch console to turn on telemetry auditing for your AWS account or organization. For an organization, CloudWatch uses a management account or a delegated administrator account to discover AWS resources and the telemetry configurations for all of the member accounts in the organization. Turning on the telemetry auditing experience does not incur any additional cost.

Telemetry auditing remains on until you turn it off. For more information, see Turning off CloudWatch telemetry auditing.

Auditing telemetry configurations for your organization

To turn on telemetry configuration for your organization, you must use a management account or a delegated administrator account. CloudWatch uses this account to discover your organization's AWS resources and their telemetry configurations.

Before you can turn on telemetry auditing for your organization, you need to turn on trusted access between AWS Organizations and CloudWatch. When you turn on trusted access, CloudWatch creates a service-linked role named AWSServiceRoleForObservabilityAdmin to support resource and telemetry configuration discovery for the organization. The role is created in all member accounts of the organization. For more information about the service-linked role, see Service-linked role permissions for CloudWatch telemetry config. For more information about AWS Organizations, see Amazon CloudWatch and AWS Organizations in the AWS Organizations User Guide.

To use a management account for telemetry configuration, log in with the account, turn on trusted access, and then turn on telemetry auditing. For more information, see Turning on telemetry auditing for your AWS Organizations.

  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  2. In the navigation pane, choose Settings.

  3. Choose the Organizations tab.

  4. In Organizational Management Settings, choose Turn on. The Enable trusted access page appears.

  5. To review the role policy, choose View permission details; the role policy appears in a window. Then choose Enable trusted access. The telemetry configuration Overview page appears and CloudWatch begins discovering AWS resources in the organization. As CloudWatch discovers resources, it updates information on the Overview page.

    Note

    The time delay before resources appear on the Overview page depends on the number of member accounts and resources in your organization or account.

Registering a delegated administrator account for your organization

A delegated administrator account is a member account that shares administrator access for service-managed permissions. The account that you register as a delegated administrator must be in your organization. A delegated administrator account for your organization can be used outside of CloudWatch, so make sure that you understand this account type before you follow this procedure. For more information, see Amazon CloudWatch and AWS Organizations in the AWS Organizations User Guide.

To remove or change the delegated administrator account, deregister the account first. For more information, see Deregistering a delegated administrator account.

To register a delegated administrator account
  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  2. In the navigation pane, choose Settings.

  3. Choose the Organization tab.

  4. Choose Register delegated administrator.

  5. On the Register delegated administrator page, for Delegated administrator account ID, enter the 12-digit account ID for an organization member.

  6. Choose Register delegated administrator. At the top of the page, a message appears indicating the account was registered successfully. The Organization Settings page appears. To see information about the delegated administrator account, hover over the number below Delegated administrators.

Turning on telemetry auditing for your AWS Organizations

Turn on telemetry auditing for your AWS Organizations to monitor the telemetry for the AWS resources across all your member accounts. This also turns on the telemetry auditing experience for individual accounts. You can also turn on the telemetry auditing experience for only your account. For more information, see Turning on telemetry auditing for your account.

You can turn off trusted access across all your member accounts. For more information, see Turning off trusted access for Organizations.

  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  2. In the navigation pane, choose Telemetry config.

  3. Choose Turn on, and then choose the Organization tab. The telemetry config Overview page appears and CloudWatch begins discovering AWS resources in your account. As CloudWatch discovers resources, it updates information on the Overview page.

    Note

    The delay before resources appear on the Overview page depends on the number of member accounts and resources in your organization or account.
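A pre-flight check for the two procedures above (registering a delegated administrator and turning on auditing for the organization), added here as an example that is not part of the AWS documentation. It assumes boto3 with credentials for the management or delegated administrator account, and that `observabilityadmin.amazonaws.com` is the service principal CloudWatch uses for telemetry config; the check functions take already-fetched data so they can be exercised offline.

```python
import re

# Assumption: the service principal CloudWatch telemetry config uses in Organizations.
TELEMETRY_PRINCIPAL = "observabilityadmin.amazonaws.com"
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def trusted_access_enabled(enabled_principals):
    """True when the telemetry principal appears in the org's enabled service access list."""
    return TELEMETRY_PRINCIPAL in {p["ServicePrincipal"] for p in enabled_principals}


def valid_delegated_admin_candidate(account_id, org_accounts, management_account_id):
    """Apply the page's conditions for a delegated administrator: a 12-digit ID that is
    an active member account of this organization (so not the management account)."""
    if not ACCOUNT_ID_RE.match(account_id):
        return False, "account ID must be exactly 12 digits"
    if account_id == management_account_id:
        return False, "the management account is not a member account"
    active = {a["Id"] for a in org_accounts if a.get("Status") == "ACTIVE"}
    if account_id not in active:
        return False, "account is not an active member of this organization"
    return True, "ok"


def can_audit_organization(caller_account, management_account_id, delegated_admins):
    """Only the management account or a registered delegated administrator may turn on
    auditing for the whole organization."""
    return caller_account == management_account_id or caller_account in {
        d["Id"] for d in delegated_admins
    }


def fetch_org_state():
    """Live lookup with boto3 (assumed installed, with credentials for the management or
    delegated administrator account and organizations:List*/Describe* permissions)."""
    import boto3  # imported lazily so the pure checks above stay importable offline
    org, sts = boto3.client("organizations"), boto3.client("sts")
    accounts = [a for page in org.get_paginator("list_accounts").paginate() for a in page["Accounts"]]
    return {
        "caller": sts.get_caller_identity()["Account"],
        "management": org.describe_organization()["Organization"]["MasterAccountId"],
        "principals": org.list_aws_service_access_for_organization()["EnabledServicePrincipals"],
        "accounts": accounts,
        "delegated": org.list_delegated_administrators(ServicePrincipal=TELEMETRY_PRINCIPAL)["DelegatedAdministrators"],
    }


if __name__ == "__main__":
    s = fetch_org_state()
    print("trusted access for telemetry config:", trusted_access_enabled(s["principals"]))
    print("caller may audit the organization:", can_audit_organization(s["caller"], s["management"], s["delegated"]))
```

Run it from the management account before the console steps: a False on either line means trusted access or the account registration from the earlier procedures is still missing.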

Turning on telemetry auditing for your account

Turn on telemetry auditing for your AWS account to monitor telemetry for the AWS resources in that account. If you have an organization in AWS Organizations, turn on telemetry configuration for your organization instead. For more information, see Turning on telemetry auditing for your AWS Organizations.

  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  2. In the navigation pane, choose Settings, Telemetry config.

  3. Choose Turn on. If you are using a management account or a delegated administrator account, choose This account. The telemetry configuration Overview page appears and CloudWatch begins discovering AWS resources in your account. As CloudWatch discovers resources, it updates information on the Overview page.

    Note

    The delay before resources appear on the Overview page depends on the number of member accounts and resources in your organization or account.

Deregistering a delegated administrator account

Deregister the delegated administrator account before turning off trusted access for Organizations. You can also deregister a delegated administrator account if it no longer has access to the appropriate AWS resources for telemetry auditing, or if you want to choose a different member account to be the delegated administrator. After deregistration, this account can no longer perform account management tasks for Organizations. For more information, see Amazon CloudWatch and AWS Organizations in the AWS Organizations User Guide.

  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  2. In the navigation pane, choose Settings.

  3. On the Organization tab, choose Deregister.

  4. On the Deregister delegated administrator page, choose Deregister.

To register an account as a delegated administrator, see Registering a delegated administrator account for your organization.

Turning off trusted access for Organizations

Trusted access extends the functionality of the management account in AWS Organizations to other AWS services. When you turn off trusted access, trusted access between your organization and all AWS services—not just CloudWatch—will stop.

If you no longer want trusted access turned on for your organization, you can turn it off. For more information, see Amazon CloudWatch and AWS Organizations in the AWS Organizations User Guide.

Note

Before turning off trusted access for an organization, deregister the delegated administrator account. For more information, see Deregistering a delegated administrator account.

  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  2. In the navigation pane, choose Settings.

  3. Choose the Organization tab.

  4. In the Organizational Management Settings section, choose Turn off.