
We have a multi-account setup where we deployed an organizational-level CloudTrail in our root account's Control Tower.

For the newest version of Control Tower (3.0), AWS introduced organization-level CloudTrail. This service deploys a baseline CloudTrail in each of our respective accounts and gives them the ability to send logs to a central CloudWatch location in our root account and to a central S3 location in our logging account.

We have concerns regarding providing access to the root account just to be able to view the centralized CloudWatch logs.

I have tried setting up Athena in our Logging account so that our team can view the logs in our logging bucket, but that feels like I'm taking an unnecessary detour.

What is the best way to still be able to access the root account's CloudWatch logs without having to be in the root account?

Any advice would be appreciated!

Thanks in advance!

1 Answer


The need to grant cross-account IAM access to the management account is definitely an issue holding back companies from adopting an organization CloudTrail. The access risk is worse for larger companies that may have many OUs (business units) with thousands of accounts.

One option is to maintain your existing CloudTrail architecture. As part of the 3.0 upgrade, organization trails are optional, but it automatically deletes CloudTrail in each account regardless of whether you use an organization trail. You would need to manually recreate the CloudTrail in each account after the upgrade.

Here's an article and GitHub repo that would help automate the process: https://www.linkedin.com/pulse/control-tower-30-upgrade-louis-to/?trackingId=nlbRRqoxSsuwBGl2nvLxxg%3D%3D

Louis T.
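If you do keep the organization trail, the risk the question and the answer both describe (handing people access to the management account) can be narrowed to one read-only role scoped to the single CloudWatch log group the trail writes to. The following is an added example, not code from the thread or from the linked repo: it generates the trust policy and permissions policy for such a role in the management account, trusting exactly one named role in the logging account, and includes an audit helper that flags any statement in a policy that is not read-only or that reaches beyond the one log group. The account IDs, region, log group name and role name are constructed placeholders, and the log group name is an assumption about what the Control Tower trail is called in your environment.

```python
"""Least-privilege cross-account read access to one CloudTrail log group.

Added example; all IDs, names and the log group below are constructed
placeholders and do not come from the thread.
"""
import fnmatch
import json

MGMT_ACCOUNT_ID = "111111111111"       # Control Tower management (root) account
LOGGING_ACCOUNT_ID = "222222222222"    # Log Archive account whose team needs access
REGION = "us-east-1"
ORG_TRAIL_LOG_GROUP = "aws-controltower/CloudTrailLogs"  # assumed log group name
READER_ROLE = "CloudTrailLogReader"    # role the team already holds in the logging account

# The only CloudWatch Logs actions a log viewer needs; all of them are read-only.
READ_ACTIONS = [
    "logs:DescribeLogStreams",
    "logs:GetLogEvents",
    "logs:FilterLogEvents",
    "logs:StartQuery",
    "logs:GetQueryResults",
    "logs:StopQuery",
]
# Patterns the audit treats as read-only; anything else is reported.
SAFE_ACTION_PATTERNS = ("logs:Describe*", "logs:Get*", "logs:FilterLogEvents",
                        "logs:StartQuery", "logs:StopQuery", "logs:ListTagsForResource")


def log_group_arn(account_id: str, region: str, log_group: str) -> str:
    """ARN that covers the log group and every stream inside it."""
    return f"arn:aws:logs:{region}:{account_id}:log-group:{log_group}:*"


def trust_policy(logging_account_id: str, reader_role: str) -> dict:
    """Trust policy for the role created in the management account.

    It trusts one specific role in the logging account rather than the whole
    account, so no other principal there can hop into the management account.
    An aws:PrincipalOrgID condition can pin it further to your organization;
    it is left out here because the org ID is not on the page.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{logging_account_id}:role/{reader_role}"},
            "Action": "sts:AssumeRole",
        }],
    }


def permissions_policy(mgmt_account_id: str, region: str, log_group: str) -> dict:
    """Inline policy for that role: read one log group and nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # DescribeLogGroups is a list call; "*" here is still read-only
                "Sid": "ListGroups",
                "Effect": "Allow",
                "Action": "logs:DescribeLogGroups",
                "Resource": "*",
            },
            {
                "Sid": "ReadOrgTrailLogGroup",
                "Effect": "Allow",
                "Action": READ_ACTIONS,
                "Resource": log_group_arn(mgmt_account_id, region, log_group),
            },
        ],
    }


def audit_policy(policy: dict) -> list:
    """Return findings for Allow statements that grant non-read actions or a
    wildcard resource (other than the DescribeLogGroups list call).
    An empty list means the policy is as narrow as intended."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        sid = stmt.get("Sid", "?")
        for action in actions:
            if not any(fnmatch.fnmatchcase(action, pat) for pat in SAFE_ACTION_PATTERNS):
                findings.append(f"{sid}: non-read action {action}")
        for res in resources:
            if res == "*" and actions != ["logs:DescribeLogGroups"]:
                findings.append(f"{sid}: wildcard resource for {actions}")
    return findings


if __name__ == "__main__":
    perms = permissions_policy(MGMT_ACCOUNT_ID, REGION, ORG_TRAIL_LOG_GROUP)
    print(json.dumps(trust_policy(LOGGING_ACCOUNT_ID, READER_ROLE), indent=2))
    print(json.dumps(perms, indent=2))
    print("audit findings:", audit_policy(perms) or "none")
```

The two JSON documents are what you would pass to `aws iam create-role --assume-role-policy-document` and `aws iam put-role-policy --policy-document` in the management account; the team then runs `aws sts assume-role` from the logging account and queries the log group with `aws logs filter-log-events` or Logs Insights. Running `audit_policy` against any later edit of the policy gives you a quick regression check that nobody widened it to `logs:*` or to a wildcard resource.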