
All of the following options leak all of your account's CloudWatch data.

1. Sharing dashboards via AWS console

Warning: All people who you share the dashboard with are granted the permissions listed in "Permissions that are granted to people who you share the dashboard with" for the account. If you share the dashboard publicly, then everyone who has the link to the dashboard has these permissions. The cloudwatch:GetMetricData and ec2:DescribeTags permissions cannot be scoped down to specific metrics or EC2 instances, so the people with access to the dashboard can query all CloudWatch metrics and the names and tags of all EC2 instances in the account.

Reference: https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch-dashboard-sharing.html

2. Adding a CloudWatch data source to Grafana and permitting user access only to the dashboards in scope

For example: In a Grafana instance with one data source, one dashboard, and one panel that has one query defined, you might assume that a Viewer can only see the result of the query defined in that panel. Actually, the Viewer has access to send any query to the data source. With a command-line tool like curl (there are lots of tools for this), the Viewer can make their own query to the data source and potentially access sensitive data.

Reference: https://grafana.com/docs/grafana/latest/administration/security/

3. Cross account sharing

The same problem arises: all of the account's CloudWatch data is shared.

Reference: https://docs.aws.amazon.com/ram/latest/userguide/getting-started-sharing.html

Cumbersome approach:

Build a backend service that fetches the dashboard-relevant data and exposes it in a format that Grafana can read. Afterwards, one still has to build a dashboard on top of that data. Is there an easier way?

springfan
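As an added example (not code from the question, AWS or Grafana), this is the shape of the backend described in the "cumbersome approach" above, and it also addresses the Grafana caveat in option 2: the service owns the AWS credentials and answers only for an allowlist of metrics, so neither dashboard viewers nor the Grafana data source ever need cloudwatch:GetMetricData on the whole account. It assumes a SimpleJSON-style `[{target, datapoints}]` response shape for Grafana, a placeholder instance id, and a constructed stand-in for the boto3 CloudWatch client so it runs offline.

```python
"""Allowlisting backend between Grafana and CloudWatch (added example).
The service holds the AWS credentials and answers only for listed metrics,
so a Viewer querying the data source directly cannot reach other metrics."""
from datetime import datetime, timedelta, timezone

# Constructed allowlist: Grafana target name -> CloudWatch MetricStat.
# The instance id is a placeholder, not a real resource.
ALLOWED_TARGETS = {
    "web_cpu": {
        "Metric": {"Namespace": "AWS/EC2", "MetricName": "CPUUtilization",
                   "Dimensions": [{"Name": "InstanceId", "Value": "i-PLACEHOLDER"}]},
        "Period": 300, "Stat": "Average",
    },
}

def build_queries(targets):
    """Map requested targets to GetMetricData queries; reject anything unlisted."""
    unknown = [t for t in targets if t not in ALLOWED_TARGETS]
    if unknown:
        raise ValueError(f"targets not exposed by this backend: {unknown}")
    return [{"Id": f"q{i}", "Label": t, "MetricStat": ALLOWED_TARGETS[t], "ReturnData": True}
            for i, t in enumerate(targets)]

def to_grafana_series(results):
    """Turn MetricDataResults into [{target, datapoints}] with ascending ms timestamps."""
    series = []
    for r in results:
        points = [[v, int(ts.timestamp() * 1000)] for ts, v in zip(r["Timestamps"], r["Values"])]
        series.append({"target": r["Label"], "datapoints": sorted(points, key=lambda p: p[1])})
    return series

def query(cloudwatch, targets, start, end):
    """Serve one Grafana query. `cloudwatch` is boto3.client('cloudwatch') or a stand-in."""
    resp = cloudwatch.get_metric_data(MetricDataQueries=build_queries(targets),
                                      StartTime=start, EndTime=end)
    return to_grafana_series(resp["MetricDataResults"])

class FakeCloudWatch:
    """Constructed stand-in for the boto3 client so the example runs offline."""
    def get_metric_data(self, MetricDataQueries, StartTime, EndTime):
        t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
        return {"MetricDataResults": [
            {"Id": q["Id"], "Label": q["Label"], "StatusCode": "Complete",
             "Values": [12.5, 10.0], "Timestamps": [t0 + timedelta(minutes=5), t0]}
            for q in MetricDataQueries]}

if __name__ == "__main__":
    end = datetime.now(timezone.utc)
    print(query(FakeCloudWatch(), ["web_cpu"], end - timedelta(hours=1), end))
```

Against a real account, swap `FakeCloudWatch()` for `boto3.client("cloudwatch")` and expose `query` behind an authenticated HTTP endpoint that Grafana reads as a JSON data source.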