Sharing CloudWatch metrics cross-account (part 2)
Part 1 shows how to enable cross-account access using the role suggested by AWS.
Let’s make it more secure by limiting:
- the role’s trust relationships to the CloudWatch cross-account service-linked role of each monitoring account (rather than trusting the whole account),
- and its permissions to read-only metric actions.
from aws_cdk import aws_iam
import aws_cdk
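class CloudWatchSharingStack(aws_cdk.Stack):
    """Stack for the *sharing* account: lets trusted monitoring accounts read its CloudWatch metrics.

    This is the role AWS suggests for cross-account CloudWatch (see part 1),
    tightened in two ways:

    * Trust policy: instead of trusting whole accounts, only the
      ``AWSServiceRoleForCloudWatchCrossAccount`` service-linked role of each
      account listed in the ``TrustedAccountIds`` context value may assume it.
    * Permissions: only the three read-only metric actions are granted, so a
      monitoring account gets metrics and nothing else (no logs, alarms,
      dashboards, ...).

    Context:
        TrustedAccountIds: comma-separated list of 12-digit monitoring account
            IDs, e.g. ``cdk deploy -c TrustedAccountIds=111111111111,222222222222``.

    Raises:
        ValueError: if ``TrustedAccountIds`` is missing, empty, or contains an
            entry that is not a 12-digit account ID.
    """

    # Read-only metric actions.  CloudWatch metric APIs do not support
    # resource-level permissions, so the statement has to use resources=['*'];
    # this action list is what keeps the grant narrow.
    METRIC_ACTIONS = (
        'cloudwatch:GetMetricData',
        'cloudwatch:GetMetricStatistics',
        'cloudwatch:ListMetrics',
    )

    # Path + name of the service-linked role CloudWatch uses in the monitoring
    # account when it fetches metrics cross-account.
    _CROSS_ACCOUNT_SERVICE_ROLE = '/'.join([
        'aws-service-role',
        'cloudwatch-crossaccount.amazonaws.com',
        'AWSServiceRoleForCloudWatchCrossAccount',
    ])

    @staticmethod
    def _trusted_account_ids(raw) -> list[str]:
        """Parse and validate the ``TrustedAccountIds`` context value.

        Whitespace around entries is ignored, duplicates are dropped (order
        preserved) and every entry must be exactly 12 digits: a malformed value
        would otherwise silently produce a bogus -- or overly broad -- principal
        ARN in the trust policy instead of failing at synth time.  A missing
        context value used to surface as an AttributeError on ``None.split``.
        """
        if not raw:
            raise ValueError(
                "Context value 'TrustedAccountIds' is required, e.g. "
                "-c TrustedAccountIds=111111111111,222222222222"
            )
        # dict.fromkeys() de-duplicates while preserving order.
        account_ids = list(dict.fromkeys(
            part.strip() for part in str(raw).split(',') if part.strip()
        ))
        invalid = [a for a in account_ids if not (len(a) == 12 and a.isdigit())]
        if not account_ids or invalid:
            raise ValueError(
                "TrustedAccountIds must be comma-separated 12-digit AWS account "
                f"IDs; invalid entries: {invalid or raw!r}"
            )
        return account_ids

    def __init__(self, **kwargs):
        """Create the sharing role; ``kwargs`` (``scope``, ``id``, ...) are passed to ``Stack``."""
        super().__init__(**kwargs)

        account_ids = self._trusted_account_ids(
            self.node.get_context('TrustedAccountIds')
        )
        # self.partition keeps the ARN correct outside the commercial partition
        # (GovCloud, China) instead of hard-coding 'aws'.
        principals = [
            aws_iam.ArnPrincipal(
                f'arn:{self.partition}:iam::{account_id}:role/'
                f'{self._CROSS_ACCOUNT_SERVICE_ROLE}'
            )
            for account_id in account_ids
        ]

        aws_iam.Role(
            scope=self,
            id="Role",
            # Fixed name: this is the role name the AWS-suggested setup (part 1)
            # uses and that CloudWatch looks up in the sharing account.  Since
            # IAM is global, the stack can be deployed only once per account.
            role_name='CloudWatch-CrossAccountSharingRole',
            assumed_by=aws_iam.CompositePrincipal(*principals),
            description="A role for sharing CloudWatch metrics across accounts",
            inline_policies={
                'AllowMetrics': aws_iam.PolicyDocument(
                    statements=[
                        aws_iam.PolicyStatement(
                            effect=aws_iam.Effect.ALLOW,
                            actions=list(self.METRIC_ACTIONS),
                            resources=['*'],
                        ),
                    ],
                ),
            },
        )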
This post is licensed under CC BY 4.0 by the author.