Cross Account Amazon CloudWatch Metric Sharing
There are scenarios where we would like to share Amazon CloudWatch metrics with another AWS account and then retrieve the data programmatically. Read on!
Join the DZone community and get the full member experience.Join For Free
There are scenarios where we would like to share Amazon CloudWatch metrics with another AWS account and then retrieve the data programmatically. This article shows how it can be done.
We will use Boto3, which is an Amazon SDK for python, to retrieve the metrics data.
Enable Cross Account Sharing in CloudWatch
We will work with two AWS accounts Account A and Account B. Our requirement are:
- To share CloudWatch metrics data of Account A with Account B
- Retrieve the shared metrics data programmatically
For clarity purposes, we will make a few assumptions.
- Account A's account Id is 987654321987
- Account B's account Id is 123456789321
- Account B has an IAM user with a user name as an account-b-user.
We will provide Account A CloudWatch metrics access to this account-b-user
To share the CloudWatch metrics of Account A with Account B and retrieve it from Account B, the following things have to be done.
- Create a cross-account sharing stack in Account A
The steps to create a cross-account CloudWatch role are mentioned in this link.
When it asks to enter the account Id, enter the account Id of the account with which metrics data need to be shared. In our case, it is Account B's account Id 123456789321.
Continue with the steps until the stack is created. Next, we will make some changes to the IAM role as mentioned below.
2. Update the IAM role in Account A to give access to a specific IAM user in Account B
- Go to IAM console, roles section of Account A
- A new role "CloudWatch-CrossAccountSharingRole" would have been created
- This role needs to be edited to only give access to a specific IAM user in Account B otherwise all users in Account B can access the metrics from Account A
- Choose this role and go to the Trust relationships tab
- Edit trust relationship, and in the Policy Document, update the Principal with IAM user ARN of Account B. The User ARN will be available in IAM details for that user. User ARN for account-b-user is
With this done, account-b-user can access the metrics in Account A. Please copy the role ARN for "CloudWatch-CrossAccountSharingRole". We will need it to access it via the python program.
For our scenario, the role ARN is:
Retrieve the CloudWatch Metrics
Before writing the program to retrieve the metrics, we need to download and install AWS Command Line Interface or AWS CLI. It can be downloaded from here.
AWS CLI has to be configured with account-b-user credentials. User credentials are available for download as CSV file after an IAM user is created.
To configure AWS CLI with this user; open a command prompt or shell or terminal window and type
It will ask for:
- AWS Access Key ID — it will be there in the credential file
- AWS Secret Access Key — it will be there in the credential file
- Default region name — provide the region name
- Default output format — Enter "JSON" here
We will use the Boto3 python library to retrieve the metrics. It can be installed via the below command:
pip install boto3
Now, let's write the python program to retrieve the metrics data.
We will get an instance of a "sts" client which stands for Secure Token Service.
We will use this sts client to retrieve temporary credentials to assume the role of "CloudWatch-CrossAccountSharingRole" which was created in Account A. The temporary credentials default validity is one hour.
sts_client = boto3.client('sts')
sts_response = sts_client.assume_role(e(
# The below RoleArn will be the ARN value from the other account
# which has this role - CloudWatch-CrossAccountSharingRole
The sts_response object will contain the access key Id, secret access key, and session token. We need these details to connect to Account A.
Next, we will retrieve the list of EC2 instances in Account A, iterate over this list and get the metrics for each EC2 instance.
# Get the access_key_id, secret_access_key, session_token
access_key_id = sts_response["Credentials"]['AccessKeyId']
secret_access_key = sts_response["Credentials"]['SecretAccessKey']
session_token = sts_response["Credentials"].get('SessionToken', '')
if access_key_id != '':
# Get the list of EC2 instances
ec2_client = boto3.client('ec2',
ec2_description = ec2_client.describe_instances()
for reservation in ec2_description["Reservations"]:
for instance in reservation["Instances"]:
instance_id = instance['InstanceId']
cloudwatch = boto3.client('cloudwatch',
By default, AWS enables a certain set of metrics, and CPU Utilization is one of them. We will retrieve the CPU Utilization metrics in this example.
metrics_response = cloudwatch.get_metric_data(
"Value": instance_id # instance id of EC2
"Period": 3600, # Hourly metrics
"Stat": "Average", # Average utilization in an hour
# Date in format datetime(2020, 6, 16). Generate the date values dynamically
StartTime=datetime(2020, 6, 16),
EndTime=datetime(2020, 6, 17)
# Now you can work on this metrics response.
print(json.dumps(metrics_response, indent=2, default=str))
The sample response will look like below. It shows the hourly aggregate of CPU Utilization metrics.
"date": "Sun, 21 Jun 2020 12:15:25 GMT"
This is how we can share the metrics data across two AWS accounts and retrieve it.
The full code is available here.
Opinions expressed by DZone contributors are their own.
What to Pay Attention to as Automation Upends the Developer Experience
RAML vs. OAS: Which Is the Best API Specification for Your Project?
Database Integration Tests With Spring Boot and Testcontainers
Using OpenAI Embeddings Search With SingleStoreDB