I need to send log data from Amazon CloudWatch Logs to another AWS account’s Amazon Kinesis data stream in a different AWS Region.

To deliver CloudWatch log events to Kinesis Data Streams in different AWS accounts and AWS Regions, set up cross-account log data sharing with subscriptions and specify the AWS Region.

In this example use case, CloudWatch Logs in the AWS Region us-east-1 are delivered to another AWS user's Kinesis data stream in us-west-2.

1.    Create a destination data stream in Kinesis in the data recipient account with an AWS Identity and Access Management (IAM) role and trust policy.

Be sure to specify the --region when you use the create-stream command to create the data stream. For example, this command creates the data stream YourStreamName in the AWS Region us-west-2:

>aws kinesis create-stream --stream-name "YourStreamName" --shard-count 1 --region us-west-2

Be sure to specify the --region when you use the describe-stream command to check the StreamDescription.StreamStatus property. For example, this command checks the stream YourStreamName in the AWS Region us-west-2:

>aws kinesis describe-stream --stream-name "YourStreamName" --region us-west-2

Be sure to specify the --region when you use the put-destination command to create the CloudWatch Logs destination. For example, this command creates the log destination in the recipient account (222222222222) in us-east-1, the Region of the source logs, and points it at the stream in us-west-2:

>aws logs put-destination \
    --destination-name "testDestination" \
    --target-arn "arn:aws:kinesis:us-west-2:222222222222:stream/YourStreamName" \
    --role-arn "arn:aws:iam::222222222222:role/YourIAMRoleName" --region us-east-1

2.    Create a subscription filter in your account.

3.    (Optional) Check that your data stream is working correctly by validating the flow of log events.
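The policy documents that steps 1 and 2 depend on, as an added example that is not part of the original article. It shows which Region and account go into each ARN. The sender account ID 111111111111 and the function names are assumptions; the stream, role, and destination names are the ones used in the commands above.

```python
import json

def parse_arn(arn):
    """Split an ARN into partition, service, region, account and resource."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn}")
    keys = ("partition", "service", "region", "account", "resource")
    return dict(zip(keys, parts[1:]))

def build_policies(sender_account, log_region, dest_name, stream_arn, role_arn):
    """Return the destination ARN and three narrowly scoped policy documents."""
    stream, role = parse_arn(stream_arn), parse_arn(role_arn)
    if stream["service"] != "kinesis" or role["service"] != "iam":
        raise ValueError("expected a Kinesis stream ARN and an IAM role ARN")
    if stream["account"] != role["account"]:
        raise ValueError("role and stream must be in the same (recipient) account")
    recipient, part = stream["account"], stream["partition"]
    # The destination lives in the Region of the source logs (--region on
    # put-destination); only the stream ARN carries the recipient's Region.
    dest_arn = f"arn:{part}:logs:{log_region}:{recipient}:destination:{dest_name}"
    logs_arn = f"arn:{part}:logs:{log_region}"

    def doc(statement):
        return {"Version": "2012-10-17", "Statement": [statement]}

    return {
        "destination_arn": dest_arn,
        # Trust policy: CloudWatch Logs may assume the role only on behalf of
        # log resources in the sender or recipient account (assumed sender ID).
        "trust": doc({
            "Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"Service": "logs.amazonaws.com"},
            "Condition": {"StringLike": {"aws:SourceArn": [
                f"{logs_arn}:{sender_account}:*", f"{logs_arn}:{recipient}:*"]}}}),
        # Role permissions: write to this one stream and nothing else.
        "permissions": doc({"Effect": "Allow", "Action": "kinesis:PutRecord",
                            "Resource": stream_arn}),
        # Destination access policy: only the sender may attach a filter.
        "destination_access": doc({
            "Effect": "Allow", "Principal": {"AWS": sender_account},
            "Action": "logs:PutSubscriptionFilter", "Resource": dest_arn}),
    }

if __name__ == "__main__":
    print(json.dumps(build_policies(
        "111111111111", "us-east-1", "testDestination",
        "arn:aws:kinesis:us-west-2:222222222222:stream/YourStreamName",
        "arn:aws:iam::222222222222:role/YourIAMRoleName"), indent=2))
```

The `destination_arn` value is what the sender account passes as the destination when it creates the subscription filter in step 2.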



Published: 2018-10-26