Is it good practice to use the Log Archive account as the Monitoring Account for a Cloudwatch cross-account monitoring setup

I am using AWS Control Tower, and I was wondering if it was good practice to use the organization shared Log Archive account as the monitoring account for Cloudwatch cross-account monitoring.

Are there any risks involved with a setup like this? Ideally I would be creating a role in this Log Archive account that would be assumable by users who need to browse said cloudwatch data.

Topics

Management & Governance Networking & Content Delivery

Tags

AWS Control Tower Amazon CloudWatch Monitoring

Language

English

George

asked 25 days ago126 views

1 Answer

Newest
Most votes
Most comments

Are these answers helpful? Upvote the correct answer to help the community benefit from your knowledge.

Accepted Answer

Hello.

I guess it depends on the use case, but in my case I manage metrics separately from the log archive account.
Log archive accounts contain logs that are important from a security and governance perspective, such as "AWS CloudTrail," which retrieves AWS operation history, and "AWS Config," which retrieves change history of AWS resources.
In order to prevent such logs from being viewed by general users, I manage metrics using a different account.
To prevent issues such as logs being deleted when incorrect permissions are granted to a user, we limit the number of users who can access the log archive account as much as possible.
https://docs.aws.amazon.com/controltower/latest/userguide/logging-and-monitoring.html

EXPERT

Riku_Kobayashi

answered 25 days ago

EXPERT

Gary Mclean

reviewed 25 days ago

Relevant content

Is it a best practice to archive all active findings for Access Analyzer on a new Control Tower setup?
Ryan
asked 2 years ago
Issue building Control tower landing zone on a new account - AWS Control Tower setup failed. Be sure your account is subscribed to the AWS EC2 service, then try again
Accepted Answer
Maycon Santos
asked 2 years ago
is it possible to deploy part of node_modules ? Or isn't good practice ?
rePost-User-9258623
asked a year ago
ELB logging/monitoring best practices
Accepted Answer
parasjain01
asked 4 years ago
Why is the EventBridge rule that was created using AWS CLI or AWS CloudFormation failing to invoke its target?
AWS OFFICIALUpdated a year ago
How do I gain access as an AWS account root user to accounts created by Account Factory or Account Vending Machine in AWS Control Tower?
AWS OFFICIALUpdated 25 days ago
How do I use the CloudWatch agent to monitor my Lightsail instance's disk and memory metrics?
AWS OFFICIALUpdated 6 months ago
What are some best practices for securing my AWS account and its resources?
AWS OFFICIALUpdated 2 years ago
AWS re:Post Live | Best Practices for Amazon CloudWatch Cross-account Observability - Live on July 22nd!
EXPERT
AWS rePost Live
published 3 days ago
Proactive Monitoring and Alerting for EKS AWS API Calls Using CloudWatch
EXPERT
Sherif
published a month ago