English
Deutsch
PCG logo
Search Icon
Search Icon
Article
  1. Home
    2. /
  2. Insights
    3. /
  3. Articles

AWS Managed Grafana for one or multiple AWS Organizations

Author: Patrick Zink

01 Nov 2024

In this article, I will explain how AWS Managed Grafana can be used to easily monitor CloudWatch Log Groups and metrics across entire AWS Organizations and create comprehensive dashboards. If needed, multiple AWS Accounts and Organizations can be connected to AWS Managed Grafana using the CloudWatch cross-account observability feature.

image-705de3cba26d

Overview of the solution

As shown in the architecture diagram, AWS Managed Grafana is created in a Monitoring AWS Account. Additionally, an IAM Role is created for each AWS Organization that needs to be connected. This role can be assumed by AWS Managed Grafana and has the CloudWatchReadOnlyAccess permission. The CloudWatch cross-account observability feature can also be activated in the Monitoring Account. To do this, a sink is created in the Monitoring Account, and a link is established in all AWS accounts that need to be connected.

This setup allows the IAM Role, and consequently AWS Managed Grafana, to access all CloudWatch Log Groups and metrics for which a link has been created.

This can also be used across multiple AWS Organizations by creating an IAM Role in the additional AWS Organization plus enabling CloudWatch cross-account observability.

Deployment of the Solution

1. Create CloudWatch cross-account observability Sink

In the Monitoring Account, the CloudWatch cross-account observability Sink is created using a CloudFormation template. If needed, the oam:ResourceTypes can be expanded; currently, only "AWS::CloudWatch::Metric" and "AWS::Logs::LogGroup" are authorized.

yaml
Code Copied!copy-button
AWSTemplateFormatVersion: '2010-09-09'
Description: Create a Sink and attach a Policy for CloudWatch cross-account observability

Parameters:
  PrincipalOrgID:
    Type: String
    Description: 'The AWS Organization ID for which the policy will allow access'

Resources:
  ObservabilitySink:
    Type: 'AWS::Oam::Sink'
    Properties:
      Name: 'observabilitySink'
      Policy:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal: "*"
          Resource: "*"
          Action:
          - "oam:CreateLink"
          - "oam:UpdateLink"
          Condition:
            StringEquals:
              aws:PrincipalOrgID: !Ref PrincipalOrgID
            ForAllValues:StringEquals:
              oam:ResourceTypes:
                - "AWS::CloudWatch::Metric"
                - "AWS::Logs::LogGroup"

Outputs:
  SinkIdentifier:
    Description: 'The Sink identifier of the created sink'
    Value: !GetAtt 
      - ObservabilitySink
      - Arn

2. Create CloudWatch cross-account observability Link

In all accounts where Grafana needs to access CloudWatch LogGroups and metrics, the CloudWatch cross-account observability Link must be created using a CloudFormation template. This template can easily be rolled out as a StackSet across all desired accounts.

yaml
Code Copied!copy-button
AWSTemplateFormatVersion: 2010-09-09

Parameters:
  MonitoringAccountID:
    Type: String
    Description: AccountID from Monitoring Account

  SinkIdentifier:
    Type: String
    Description: SinkIdentifier for OAM-Link

Conditions:
  SkipMonitoringAccount: !Not
    - !Equals
      - !Ref AWS::AccountId
      - !Ref MonitoringAccountID

Resources:
  Link:
    Type: AWS::Oam::Link
    Condition: SkipMonitoringAccount
    Properties:
      LabelTemplate: "$AccountName"
      ResourceTypes: 
        - "AWS::CloudWatch::Metric"
        - "AWS::Logs::LogGroup"
      SinkIdentifier: !Ref SinkIdentifier

3. Create IAM Role for Grafana

In the Monitoring Account, the following IAM Role must be created, which can be assumed by Grafana with the CloudWatchReadOnlyAccess policy.

yaml
Code Copied!copy-button
AWSTemplateFormatVersion: 2010-09-09
Description: Set up an IAM Role for Grafana in the Monitoring Accounts so it can access CloudWatch Metrics and Log Groups

Parameters:
  MonitoringAccountID:
    Type: String
    Description: The AWS Account ID of the monitoring account (e.g., Grafana account)

Resources:
  CloudWatchGrafanaRole:
    Type: AWS::IAM::Role
    Properties: 
      RoleName: CloudWatchGrafanaRole
      AssumeRolePolicyDocument: 
        Version: '2012-10-17'
        Statement: 
          - Effect: 'Allow'
            Principal: 
              AWS: !Sub 'arn:aws:iam::${MonitoringAccountID}:root'
            Action: 'sts:AssumeRole'
            Condition: 
              StringEquals: 
                'sts:ExternalId': 'grafana'
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess

4. Create AWS Managed Grafana

In the Monitoring Account, Grafana can now be created. There are various options that can be chosen, such as PluginAdminEnabled or AuthenticationProviders. Below is a CloudFormation template that works for the solution I have described and uses AWS Identity Center as the Authentication Provider.

At the location Resources -> AmazonGrafanaWorkspaceIAMRole -> Properties -> Policies -> PolicyDocument -> Statement -> Resource ->, all ARNs of the IAM roles created in Step 3 must be inserted.

yaml
Code Copied!copy-button
AWSTemplateFormatVersion: '2010-09-09'
Description: CloudFormation template to create an Amazon Managed Grafana workspace for Monitoring

Resources:
  AmazonGrafanaWorkspaceIAMRole:
    Type: 'AWS::IAM::Role'
    Properties:
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AmazonGrafanaCloudWatchAccess'
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - grafana.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Policies:
        - PolicyName: AllowSTSforCloudWatch
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action: 'sts:AssumeRole'
                Resource:
                  - 'arn:aws:iam::1234567890:role/CloudWatchGrafanaRole'

  GrafanaWorkspace:
    Type: AWS::Grafana::Workspace
    Properties: 
      AccountAccessType: CURRENT_ACCOUNT
      AuthenticationProviders: 
        - AWS_SSO
      DataSources: 
        - CLOUDWATCH
      Description: "Monitoring for all CloudWatch Log Groups and Metrics solution"
      Name: Monitoring-CloudWatch-Solution
      PermissionType: SERVICE_MANAGED
      PluginAdminEnabled: true
      GrafanaVersion: 10.4
      RoleArn: !GetAtt 
        - AmazonGrafanaWorkspaceIAMRole
        - Arn


Note: Steps 1-3 must be performed in each AWS organization that needs to be linked to Grafana!


Using the Solution

You can now add yourself as an admin through the Amazon Managed Grafana Service.

image-34e589259ad8

Afterwards, you need to connect the data sources. To do this, simply enter the IAM roles of the individual AWS Organizations and click "Save & Test".

image-a2596abe2aed

In this case, I have set up two data sources: one for the Prod AWS Organization and one for the Test AWS Organization.

image-bf28c03a8c57

Finally, you can now build dashboards as you like, accessing all CloudWatch Log Groups and metrics from all connected accounts.

image-5074be82e447

Costs of the solution

Cross-account observability in CloudWatch comes with no extra cost for logs and metrics.

The Amazon Managed Grafana Service is priced based on active users, which provides an even more cost-effective solution. Here's how it works:

  • Admin/Editor User: $9 USD per active user per month
  • Viewer User: $5 USD per active user per month

Importantly, billing is based on active users, not the total number of users with access. For example:

If you've granted access to 100 Editors and 100 Viewers, but in a given month only 20 Editors and 30 Viewers actually log in to the workspace, you'll only be billed for those active users: 20 Editors and 30 Viewers.

This solution offers great value for your money. It lets you monitor multiple AWS Organizations from one place at a low cost per user. It's especially useful for companies with many AWS accounts that need to keep an eye on everything at once.

Final Words

This AWS Managed Grafana solution for monitoring multiple AWS Organizations showcases the power of cloud-native tools in simplifying complex monitoring tasks. It offers a centralized, cost-effective, and scalable approach to overseeing diverse AWS environments.

Key benefits include:

  • Simplified monitoring across multiple AWS Organizations
  • Cost-effectiveness with active user-based pricing
  • Easy scalability as your infrastructure grows
  • Secure monitoring using AWS's built-in features
  • Customizable dashboards for specific needs

I hope you found this article helpful and informative. Implementing this solution can greatly enhance your AWS monitoring capabilities, but we understand that every organization has unique needs and challenges.

If you need assistance in setting up this solution, customizing it for your specific requirements, or have any questions about AWS monitoring and management, please don't hesitate to reach out to our team at PCG.

Check out our AWS Landing Zone & Monitoring!

Feel free to share your feedback and thoughts on the topic!

Services Used

AWS Landing Zone
Get Started

Continue Reading

Article
Protecting Lambda URLs with Cognito, IAM, Lambda@Edge and CDK

In this article, we’ll look at how to secure Lambda URLs using IAM access control. With complete code to try yourself!

Learn more
Case Study
Education
Cloud Migration
Education
Transforming Robotics Research: RCCL's Migration to AWS

Discover how the Robotics, Automatic Control, and Cyber-Physical Systems Laboratory (RCCL) leveraged AWS to support their advanced research in robotics and IoT data analysis. Learn how they managed real-time sensor data, machine learning techniques, and MATLAB computations on a scalable, secure platform.

Learn more
Article
Securing APIs in an AWS Cloud Environment

In 2019, a major financial services company, Capital One, experienced a severe security breach caused by a misconfigured API. This breach exposed the personal data of over 100 million customers, including sensitive information such as names, addresses, and social security numbers. The incident not only inflicted substantial financial and reputational damage on the company but also underscored the critical importance of securing APIs in today’s interconnected world.

Learn more
Article
AWS Lambda: Avoid these common pitfalls

It's a great offering to get results quickly, but like any good tool, it needs to be used correctly.

Learn more
See all

Let's work together

United Kingdom
Arrow Down