
AWS Managed Grafana for one or multiple AWS Organizations

In this article, I will explain how AWS Managed Grafana can be used to easily monitor CloudWatch Log Groups and metrics across entire AWS Organizations and create comprehensive dashboards. If needed, multiple AWS Accounts and Organizations can be connected to AWS Managed Grafana using the CloudWatch cross-account observability feature.

[Architecture diagram: Amazon Managed Grafana and the cross-account observability sink in the Monitoring Account, links from the source accounts, one IAM Role per AWS Organization]

Overview of the solution

As shown in the architecture diagram, AWS Managed Grafana is created in a Monitoring Account. In addition, one IAM Role is created for each AWS Organization that is to be connected; Grafana assumes this role, and the role carries the CloudWatchReadOnlyAccess managed policy. CloudWatch cross-account observability is enabled in the Monitoring Account by creating a sink there, and a link pointing at that sink is created in every AWS account that should be monitored.

With this in place, the IAM Role, and therefore AWS Managed Grafana, can read all CloudWatch Log Groups and metrics of every account that has created a link.

The same pattern extends to additional AWS Organizations: each of them gets its own IAM Role and its own cross-account observability setup (sink plus links), and Grafana addresses each Organization through its role.

Deployment of the Solution

1. Create CloudWatch cross-account observability Sink

In the Monitoring Account, the CloudWatch cross-account observability sink is created with the CloudFormation template below. The sink policy is the security boundary of the whole setup: its Principal is "*", so it is the aws:PrincipalOrgID condition alone that restricts who may link into the sink, namely accounts of the given Organization. The ForAllValues:StringEquals condition on oam:ResourceTypes limits what a link may share; currently only "AWS::CloudWatch::Metric" and "AWS::Logs::LogGroup" are authorized, and the list can be extended if needed. The sink is a Regional resource, so deploy the template in every Region you want to monitor from Grafana.

Template (YAML):
AWSTemplateFormatVersion: '2010-09-09'
Description: Create a Sink and attach a Policy for CloudWatch cross-account observability

Parameters:
  PrincipalOrgID:
    Type: String
    Description: 'The AWS Organization ID (o-xxxxxxxxxx) whose accounts may link to this sink'

Resources:
  ObservabilitySink:
    Type: 'AWS::Oam::Sink'
    Properties:
      Name: 'observabilitySink'
      Policy:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          # Principal "*" on its own would let any AWS account link in;
          # the Condition block below is what actually restricts callers.
          Principal: "*"
          Resource: "*"
          Action:
          - "oam:CreateLink"
          - "oam:UpdateLink"
          Condition:
            # Only principals of the given Organization may create or update links
            StringEquals:
              aws:PrincipalOrgID: !Ref PrincipalOrgID
            # A link may share only these resource types; extend the list if needed
            ForAllValues:StringEquals:
              oam:ResourceTypes:
                - "AWS::CloudWatch::Metric"
                - "AWS::Logs::LogGroup"

Outputs:
  SinkIdentifier:
    Description: 'The Sink identifier (ARN) of the created sink; pass it to the link template in Step 2'
    Value: !GetAtt 
      - ObservabilitySink
      - Arn

2. Create CloudWatch cross-account observability Link

In every account whose CloudWatch Log Groups and metrics Grafana should see, a cross-account observability link must be created with the following CloudFormation template, using the SinkIdentifier output of Step 1 as a parameter. The template is easy to roll out as a StackSet across all desired accounts; deploy it in the same Region as the sink. The condition skips the Monitoring Account itself, whose own data Grafana reads directly.

Template (YAML):
AWSTemplateFormatVersion: '2010-09-09'
Description: Create a CloudWatch cross-account observability Link to the sink in the Monitoring Account

Parameters:
  MonitoringAccountID:
    Type: String
    Description: Account ID of the Monitoring Account (the account that owns the sink)

  SinkIdentifier:
    Type: String
    Description: Sink identifier (ARN) from the output of the sink template

Conditions:
  # The Monitoring Account owns the sink and does not link to itself,
  # so the link is created only in the other accounts of the StackSet.
  IsNotMonitoringAccount: !Not
    - !Equals
      - !Ref AWS::AccountId
      - !Ref MonitoringAccountID

Resources:
  Link:
    Type: AWS::Oam::Link
    Condition: IsNotMonitoringAccount
    Properties:
      # Label under which this source account appears in the Monitoring Account
      LabelTemplate: "$AccountName"
      # Must be a subset of the resource types allowed by the sink policy
      ResourceTypes: 
        - "AWS::CloudWatch::Metric"
        - "AWS::Logs::LogGroup"
      SinkIdentifier: !Ref SinkIdentifier

3. Create IAM Role for Grafana

In the Monitoring Account of each Organization, the following IAM Role must be created. Grafana assumes it from the account that hosts the workspace (passed as MonitoringAccountID), and the role carries the CloudWatchReadOnlyAccess managed policy. Note that the trust policy trusts the root of the Grafana account, which means every principal in that account whose identity policy allows sts:AssumeRole on this role; the sts:ExternalId condition additionally requires the caller to pass "grafana" as External ID, so the Grafana data source must be configured with that value. For least privilege, narrow the Principal to the ARN of the workspace role once it exists after Step 4.

Template (YAML):
AWSTemplateFormatVersion: '2010-09-09'
Description: Set up an IAM Role for Grafana in the Monitoring Account of an AWS Organization so it can access CloudWatch Metrics and Log Groups

Parameters:
  MonitoringAccountID:
    Type: String
    Description: The AWS Account ID of the account that hosts the Amazon Managed Grafana workspace

Resources:
  CloudWatchGrafanaRole:
    Type: AWS::IAM::Role
    Properties: 
      # Fixed name, so the ARN is predictable and can be listed in the workspace role (Step 4)
      RoleName: CloudWatchGrafanaRole
      AssumeRolePolicyDocument: 
        Version: '2012-10-17'
        Statement: 
          - Effect: 'Allow'
            Principal: 
              # Account root = any principal in the Grafana account allowed to call sts:AssumeRole.
              # Replace with the workspace role ARN from Step 4 to trust only Grafana itself.
              AWS: !Sub 'arn:aws:iam::${MonitoringAccountID}:root'
            Action: 'sts:AssumeRole'
            Condition: 
              StringEquals: 
                # The Grafana data source must send exactly this value as External ID
                'sts:ExternalId': 'grafana'
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess

4. Create AWS Managed Grafana

In the Monitoring Account that hosts the workspace, Grafana can now be created. Various options can be chosen, such as PluginAdminEnabled or AuthenticationProviders. The CloudFormation template below works for the solution described here and uses AWS IAM Identity Center as the authentication provider.

Under Resources -> AmazonGrafanaWorkspaceIAMRole -> Properties -> Policies -> PolicyDocument -> Statement -> Resource, insert the ARNs of all IAM roles created in Step 3, one per connected AWS Organization. The workspace role can only assume the roles listed there, so a data source for a new Organization fails until its role ARN has been added.

Template (YAML):
AWSTemplateFormatVersion: '2010-09-09'
Description: CloudFormation template to create an Amazon Managed Grafana workspace for Monitoring

Resources:
  AmazonGrafanaWorkspaceIAMRole:
    Type: 'AWS::IAM::Role'
    Properties:
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AmazonGrafanaCloudWatchAccess'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - grafana.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Policies:
        - PolicyName: AllowSTSforCloudWatch
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: 'sts:AssumeRole'
                # One entry per connected AWS Organization: the ARN of the CloudWatchGrafanaRole
                # created in Step 3 in that Organization's Monitoring Account
                Resource:
                  - 'arn:aws:iam::<MONITORING_ACCOUNT_ID_OF_ORGANIZATION>:role/CloudWatchGrafanaRole'

  GrafanaWorkspace:
    Type: AWS::Grafana::Workspace
    Properties: 
      AccountAccessType: CURRENT_ACCOUNT
      AuthenticationProviders: 
        - AWS_SSO
      DataSources: 
        - CLOUDWATCH
      Description: "Monitoring for all CloudWatch Log Groups and Metrics solution"
      Name: Monitoring-CloudWatch-Solution
      PermissionType: SERVICE_MANAGED
      PluginAdminEnabled: true
      GrafanaVersion: '10.4'
      RoleArn: !GetAtt 
        - AmazonGrafanaWorkspaceIAMRole
        - Arn


Note: Steps 1 to 3 must be repeated in the Monitoring Account of every AWS Organization that is to be connected to Grafana, and each resulting role ARN must be added to the Resource list in Step 4. Step 4 itself is deployed only once, in the account that hosts the workspace.
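As an added example (not code from the article or from PCG), the following Python script models the IAM decisions that Steps 1, 3 and 4 depend on: the sink policy deciding which links are accepted, and the chain of workspace-role identity policy, CloudWatchGrafanaRole trust policy and External ID that a data source "Save & Test" exercises. All account and Organization IDs, the source-account role name and the workspace role name AmazonGrafanaWorkspaceIAMRole are assumptions; the Step 4 template lets CloudFormation generate that role's actual name.

```python
# Added example (not code from the article): a small model of the IAM decisions behind
# Steps 1, 3 and 4, useful for reasoning about the policies before deploying them.
# It implements only what these policies use (Allow statements, "*" / account-root /
# role-ARN principals, StringEquals, ForAllValues:StringEquals); real IAM adds SCPs,
# explicit Deny and session policies. All account and Organization IDs are constructed.
import re

ORG_ID = "o-abc123example"               # constructed Organization ID
GRAFANA_ACCOUNT = "111111111111"         # constructed: account hosting the workspace (Step 4)
ORG_MONITORING_ACCOUNT = "222222222222"  # constructed: account holding the Step 3 role
SOURCE_ACCOUNT = "333333333333"          # constructed: an account creating a link (Step 2)
EXTERNAL_ID = "grafana"                  # value the Step 3 trust policy requires

# Step 1: the OAM sink policy as the CloudFormation template renders it.
SINK_POLICY = {"Statement": [{
    "Effect": "Allow", "Principal": "*", "Resource": "*",
    "Action": ["oam:CreateLink", "oam:UpdateLink"],
    "Condition": {
        "StringEquals": {"aws:PrincipalOrgID": ORG_ID},
        "ForAllValues:StringEquals": {
            "oam:ResourceTypes": ["AWS::CloudWatch::Metric", "AWS::Logs::LogGroup"]}}}]}

GRAFANA_ROLE_ARN = f"arn:aws:iam::{ORG_MONITORING_ACCOUNT}:role/CloudWatchGrafanaRole"
# The workspace role name is an assumption; the Step 4 template lets CloudFormation name it.
WORKSPACE_ROLE_ARN = f"arn:aws:iam::{GRAFANA_ACCOUNT}:role/AmazonGrafanaWorkspaceIAMRole"

def trust_policy(principal_arn):
    """Shape of the Step 3 trust policy; the article trusts the Grafana account root."""
    return {"Statement": [{
        "Effect": "Allow", "Principal": {"AWS": principal_arn}, "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}}]}

TRUST_AS_PUBLISHED = trust_policy(f"arn:aws:iam::{GRAFANA_ACCOUNT}:root")
TRUST_TIGHTENED = trust_policy(WORKSPACE_ROLE_ARN)  # least privilege: only the workspace role

# Step 4: the workspace role's inline policy. Every Organization's Step 3 role must be listed.
WORKSPACE_IDENTITY_POLICY = {"Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": [GRAFANA_ROLE_ARN]}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _principal_matches(spec, caller_arn):
    # "*" matches anyone; an account-root ARN matches EVERY principal in that account
    # (root trust is broader than it looks); any other ARN must match exactly.
    if spec == "*":
        return True
    for arn in _as_list(spec.get("AWS", [])):
        root = re.fullmatch(r"arn:aws:iam::(\d{12}):root", arn)
        if arn == caller_arn or (root and caller_arn.startswith(f"arn:aws:iam::{root.group(1)}:")):
            return True
    return False

def _conditions_hold(condition, ctx):
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if operator == "StringEquals":  # single-valued key; an absent key fails
                if ctx.get(key) not in _as_list(expected):
                    return False
            elif operator == "ForAllValues:StringEquals":
                # Multi-valued key: every requested value must be in the allowed set. An
                # absent or empty key satisfies ForAllValues (CreateLink always sends types).
                if any(v not in _as_list(expected) for v in _as_list(ctx.get(key, []))):
                    return False
            else:
                raise NotImplementedError(operator)
    return True

def allowed(policy, action, ctx, caller_arn=None, resource=None):
    """True if an Allow statement covers action, principal and resource and its conditions
    hold. No Deny handling, because none of these policies contains a Deny."""
    for st in policy["Statement"]:
        res = _as_list(st.get("Resource", "*"))
        if st["Effect"] != "Allow" or action not in _as_list(st["Action"]):
            continue
        if "Principal" in st and not _principal_matches(st["Principal"], caller_arn):
            continue
        if resource is not None and "*" not in res and resource not in res:
            continue
        if _conditions_hold(st.get("Condition", {}), ctx):
            return True
    return False

def link_allowed(caller_org_id, resource_types):
    """Step 2 against Step 1: may a principal of caller_org_id link these resource types?"""
    ctx = {"aws:PrincipalOrgID": caller_org_id, "oam:ResourceTypes": resource_types}
    return allowed(SINK_POLICY, "oam:CreateLink", ctx,
                   caller_arn=f"arn:aws:iam::{SOURCE_ACCOUNT}:role/StackSetExecution")

def grafana_can_assume(target_role_arn, caller_arn=WORKSPACE_ROLE_ARN, external_id=None,
                       trust=TRUST_AS_PUBLISHED, identity=WORKSPACE_IDENTITY_POLICY):
    """Step 4 against Step 3: the caller's identity policy AND the target's trust policy
    must allow AssumeRole, and the External ID must be the one the trust policy demands."""
    ctx = {} if external_id is None else {"sts:ExternalId": external_id}
    return (allowed(identity, "sts:AssumeRole", {}, resource=target_role_arn)
            and allowed(trust, "sts:AssumeRole", ctx, caller_arn=caller_arn))

if __name__ == "__main__":
    print("foreign Organization may link:", link_allowed("o-someoneelse", ["AWS::CloudWatch::Metric"]))
    print("unrelated role in Grafana account, published trust:", grafana_can_assume(
        GRAFANA_ROLE_ARN, f"arn:aws:iam::{GRAFANA_ACCOUNT}:role/Unrelated", EXTERNAL_ID))
```

The model makes three things visible that the templates only imply: a link from another Organization, or one that asks for a resource type outside the sink policy's list, is rejected by the sink; the root trust in Step 3 lets any principal in the Grafana account (not just the workspace role) assume CloudWatchGrafanaRole, whereas trusting the workspace role ARN does not; and the role of a second Organization is rejected until its ARN appears in the Step 4 Resource list, which is the usual cause of a failing "Save & Test". The caller's identity policy is modelled only for the workspace role; SCPs are not modelled at all.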


Using the Solution

You can now add yourself as an admin through the Amazon Managed Grafana Service.

[Screenshot: assigning an admin user to the workspace in the Amazon Managed Grafana console]

Afterwards, connect the data sources: add one CloudWatch data source per AWS Organization, enter that Organization's CloudWatchGrafanaRole ARN from Step 3 as Assume Role ARN, set the External ID to "grafana" (the value the role's trust policy requires) and click "Save & Test". If the test fails, the usual causes are a role ARN missing from the Resource list in Step 4 or a non-matching External ID.

[Screenshot: CloudWatch data source configuration with Assume Role ARN and External ID]

In this case, I have set up two data sources: one for the Prod AWS Organization and one for the Test AWS Organization.

[Screenshot: the two CloudWatch data sources, Prod and Test]

Finally, you can now build dashboards as you like, accessing all CloudWatch Log Groups and metrics from all connected accounts.

[Screenshot: example dashboard built on the connected accounts]

Costs of the solution

Cross-account observability in CloudWatch comes with no extra cost for logs and metrics.

The Amazon Managed Grafana Service is priced per active user, which keeps the cost of this solution low. Here's how it works:

  • Admin/Editor User: $9 USD per active user per month
  • Viewer User: $5 USD per active user per month

Importantly, billing is based on active users, not the total number of users with access. For example:

If you've granted access to 100 Editors and 100 Viewers, but in a given month only 20 Editors and 30 Viewers actually log in to the workspace, you'll only be billed for those active users: 20 Editors and 30 Viewers.

This solution offers great value for your money. It lets you monitor multiple AWS Organizations from one place at a low cost per user. It's especially useful for companies with many AWS accounts that need to keep an eye on everything at once.

Final Words

This AWS Managed Grafana solution for monitoring multiple AWS Organizations showcases the power of cloud-native tools in simplifying complex monitoring tasks. It offers a centralized, cost-effective, and scalable approach to overseeing diverse AWS environments.

Key benefits include:

  • Simplified monitoring across multiple AWS Organizations
  • Cost-effectiveness with active user-based pricing
  • Easy scalability as your infrastructure grows
  • Secure monitoring using AWS's built-in features
  • Customizable dashboards for specific needs

I hope you found this article helpful and informative. Implementing this solution can greatly enhance your AWS monitoring capabilities, but we understand that every organization has unique needs and challenges.

If you need assistance in setting up this solution, customizing it for your specific requirements, or have any questions about AWS monitoring and management, please don't hesitate to reach out to our team at PCG.

Check out our AWS Landing Zone & Monitoring!

Feel free to share your feedback and thoughts on the topic!

