amazon-cloudwatch-agent

Feature Request: role_arn per log group

Open dnx-seek opened this issue 4 years ago • 2 comments

Currently there is a role_arn which allows all logs to be sent to another account. This operates (afaict) on a global level - either all metrics & logs, or all logs or all metrics.

In the nature of our distributed accounts this is unworkable for us - teams want their logs in their account while a security team wants specific logs forwarded to their audit account.

Having role_arn at an individual collect_list item level would be ideal.

dnx-seek Feb 22 '22 03:02

Do log subscription filters meet your needs? https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CrossAccountSubscriptions.html

You would still publish your logs to the same account, but then set up subscription filters from specific log groups to replicate the data to its destination in another account. That would be simpler than trying to have the agent juggle multiple credentials to authenticate for the different destination log groups.

SaxyPandaBear Aug 01 '22 12:08

Cross-account subscriptions don't support cross-region subscriptions.

kashishshah881 Jan 05 '24 01:01
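The subscription-filter setup suggested in the second comment, sketched as an added example that is not from the thread or from the amazon-cloudwatch-agent project. Account IDs, names and the log group are constructed placeholders, both sides use one region, and the audit account's stream ARN and delivery role ARN are passed as arguments.

```shell
#!/bin/sh
# Added example: forward ONE log group to an audit account with a
# cross-account subscription filter. Every value below is a placeholder.
set -eu

SRC_ACCOUNT="111111111111"      # team account that owns the log group (placeholder)
DST_ACCOUNT="999999999999"      # audit account (placeholder)
REGION="us-east-1"              # used for both accounts in this example
DEST_NAME="audit-destination"   # hypothetical destination name
LOG_GROUP="/var/log/secure"     # hypothetical log group the security team wants

destination_arn() {
  printf 'arn:aws:logs:%s:%s:destination:%s' "$REGION" "$DST_ACCOUNT" "$DEST_NAME"
}

# Destination access policy: only SRC_ACCOUNT may attach a subscription
# filter, and only to this one destination.
destination_policy() {
  cat <<EOF
{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"$SRC_ACCOUNT"},"Action":"logs:PutSubscriptionFilter","Resource":"$(destination_arn)"}]}
EOF
}

# Run with audit-account credentials.
# $1 = ARN of the stream that receives the logs
# $2 = ARN of the role CloudWatch Logs assumes to write to that stream
audit_side() {
  aws logs put-destination --region "$REGION" \
    --destination-name "$DEST_NAME" --target-arn "$1" --role-arn "$2"
  aws logs put-destination-policy --region "$REGION" \
    --destination-name "$DEST_NAME" --access-policy "$(destination_policy)"
}

# Run with team-account credentials. An empty filter pattern forwards every event.
team_side() {
  aws logs put-subscription-filter --region "$REGION" \
    --log-group-name "$LOG_GROUP" --filter-name "to-audit" \
    --filter-pattern "" --destination-arn "$(destination_arn)"
}

# Nothing is sent to AWS unless a mode is given on the command line.
case "${1:-}" in
  audit) audit_side "$2" "$3" ;;
  team)  team_side ;;
esac
```

The agent keeps writing to the team account with its existing credentials; only the filtered log group is replicated, and the destination policy is the control that decides which source accounts may subscribe.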