CloudWatch Cross-Account Sharing Disabled

Overview

This check verifies that Amazon CloudWatch cross-account sharing is disabled. Cross-account sharing is enabled when the CloudWatch-CrossAccountSharingRole IAM role exists in your account, which allows other AWS accounts to view your CloudWatch metrics, dashboards, and alarms.

Risk

When cross-account sharing is enabled, external AWS accounts can view your observability data. This creates security risks:

  • Confidentiality breach: Other accounts can see your metrics, potentially revealing application architecture and workload patterns
  • Reconnaissance enablement: Adversaries or compromised partner accounts could map your infrastructure and identify monitoring gaps
  • Lateral movement facilitation: Information about your resources can help attackers plan further attacks
  • Evasion opportunities: Knowing which metrics you monitor helps bad actors avoid detection

Remediation Steps

Prerequisites

You need:

  • AWS Console access with permissions to delete IAM roles or CloudFormation stacks
  • Knowledge of whether the role was created manually or via CloudFormation

Required IAM permissions (for administrators)

Your IAM user or role needs these permissions:

  • iam:GetRole
  • iam:DeleteRole
  • iam:DeleteRolePolicy
  • iam:ListRolePolicies
  • iam:ListAttachedRolePolicies
  • iam:DetachRolePolicy
  • cloudformation:DeleteStack (if the role was created via CloudFormation)

AWS Console Method

Option A: Delete via IAM (if role was created manually)

  1. Open IAM in the AWS Console

  2. Find the role

    • Click Roles in the left sidebar
    • Search for CloudWatch-CrossAccountSharingRole

  3. Delete the role

    • Click on the role name to open it
    • Click the Delete button
    • Type the role name to confirm deletion
    • Click Delete

Option B: Delete via CloudFormation (if role was created via AWS wizard)

If you enabled cross-account sharing using the CloudWatch console wizard, the role was likely created as a CloudFormation stack.

  1. Open CloudFormation in the AWS Console

  2. Find the stack

    • Look for a stack named CloudWatch-CrossAccountSharingRole
  3. Delete the stack

    • Select the stack
    • Click Delete
    • Confirm deletion

AWS CLI (optional)

Check if the role exists

aws iam get-role \
  --role-name CloudWatch-CrossAccountSharingRole \
  --region us-east-1

If this returns an error, the role does not exist and no action is needed.

Option A: Delete the CloudFormation stack

If the role was created via the CloudWatch console wizard, delete the stack that created it:

aws cloudformation delete-stack \
  --stack-name CloudWatch-CrossAccountSharingRole \
  --region us-east-1

Wait for the stack to be deleted:

aws cloudformation wait stack-delete-complete \
  --stack-name CloudWatch-CrossAccountSharingRole \
  --region us-east-1

Option B: Delete the IAM role directly

If you need to delete the role manually (not created via CloudFormation):

First, list and delete any inline policies:

aws iam list-role-policies \
  --role-name CloudWatch-CrossAccountSharingRole \
  --region us-east-1

For each policy listed, delete it:

aws iam delete-role-policy \
  --role-name CloudWatch-CrossAccountSharingRole \
  --policy-name <policy-name>

List and detach any managed policies:

aws iam list-attached-role-policies \
  --role-name CloudWatch-CrossAccountSharingRole \
  --region us-east-1

For each attached policy, detach it:

aws iam detach-role-policy \
  --role-name CloudWatch-CrossAccountSharingRole \
  --policy-arn <policy-arn>

Finally, delete the role:

aws iam delete-role \
  --role-name CloudWatch-CrossAccountSharingRole

CloudFormation (optional)
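The two CLI options above, combined into one script as an added example (not from the original page): it checks for the role, removes it through its CloudFormation stack when one exists so the stack does not drift, and otherwise strips inline and managed policies before calling DeleteRole. It assumes AWS CLI v2 with the permissions listed under Prerequisites; the STACK_NAME variable, DRY_RUN switch and --run flag are this script's own conventions.

```shell
#!/bin/sh
# Added example (not from the original page): automates the CLI remediation
# above, preferring stack deletion when the role is CloudFormation-managed.
# Assumes AWS CLI v2 and credentials with the permissions listed under
# Prerequisites; STACK_NAME, DRY_RUN and --run are this script's own choices.
set -eu

ROLE_NAME="CloudWatch-CrossAccountSharingRole"
STACK_NAME="CloudWatch-CrossAccountSharingRole"

# Exit 0 when GetRole succeeds; a NoSuchEntity error means the role is absent.
role_exists() { aws iam get-role --role-name "$1" >/dev/null 2>&1; }

# Exit 0 when the wizard-created stack exists (DescribeStacks errors otherwise).
stack_exists() { aws cloudformation describe-stacks --stack-name "$1" >/dev/null 2>&1; }

# Removes the role via its stack if one exists; otherwise deletes inline and
# detaches managed policies (DeleteRole fails while any remain), then deletes
# the role. Set DRY_RUN=1 to print the mutating commands instead of running them.
remediate_role() {
  role="$1"; stack="$2"; run=""
  if [ "${DRY_RUN:-0}" = "1" ]; then run="echo +"; fi
  if ! role_exists "$role"; then
    echo "role $role not found; nothing to do"
    return 0
  fi
  if stack_exists "$stack"; then
    $run aws cloudformation delete-stack --stack-name "$stack"
    $run aws cloudformation wait stack-delete-complete --stack-name "$stack"
    echo "${run:+[dry run] }removed stack $stack"
    return 0
  fi
  # --output text prints list items tab-separated, so word splitting is enough;
  # a literal "None" is what the CLI prints for a null query result, so skip it.
  for p in $(aws iam list-role-policies --role-name "$role" \
               --query 'PolicyNames[]' --output text); do
    case "$p" in None) continue ;; esac
    $run aws iam delete-role-policy --role-name "$role" --policy-name "$p"
  done
  for arn in $(aws iam list-attached-role-policies --role-name "$role" \
                 --query 'AttachedPolicies[].PolicyArn' --output text); do
    case "$arn" in None) continue ;; esac
    $run aws iam detach-role-policy --role-name "$role" --policy-arn "$arn"
  done
  $run aws iam delete-role --role-name "$role"
  echo "${run:+[dry run] }removed role $role"
}

# Usage: DRY_RUN=1 sh remediate.sh --run  (preview), then sh remediate.sh --run
if [ "${1:-}" = "--run" ]; then remediate_role "$ROLE_NAME" "$STACK_NAME"; fi
```

Run it with DRY_RUN=1 first and compare the printed commands against the steps above before running it for real.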

Managing this role's absence through CloudFormation only makes sense when a stack created it; for this check, the remediation is simply to delete that existing stack:

aws cloudformation delete-stack \
  --stack-name CloudWatch-CrossAccountSharingRole \
  --region us-east-1

If you need a preventive control, consider using AWS Organizations Service Control Policies (SCPs) to deny creation of roles with this specific name.

Terraform (optional)

If you manage infrastructure with Terraform and want to ensure this role does not exist, you should:

  1. Remove any Terraform resources that create the CloudWatch-CrossAccountSharingRole
  2. Run terraform apply to delete the role

If the role was created outside of Terraform, you can import and delete it:

# Import the existing role into state (run once)
# terraform import aws_iam_role.cross_account_sharing CloudWatch-CrossAccountSharingRole

# Then remove this resource block and apply to delete
resource "aws_iam_role" "cross_account_sharing" {
  name = "CloudWatch-CrossAccountSharingRole"

  # Placeholder only - the real trust policy is read from AWS during import
  # and this block is removed before any apply
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = []
  })
}

After importing, remove the resource block from your configuration and run:

terraform apply

This will delete the role.

Verification

After making changes, verify the role no longer exists:

  1. In the AWS Console:

    • Go to IAM > Roles
    • Search for CloudWatch-CrossAccountSharingRole
    • Confirm no results are returned
  2. In CloudFormation (if applicable):

    • Go to CloudFormation > Stacks
    • Confirm the CloudWatch-CrossAccountSharingRole stack is deleted or does not exist

CLI verification commands

Check if the role exists:

aws iam get-role \
  --role-name CloudWatch-CrossAccountSharingRole \
  --region us-east-1 2>&1

Expected output when properly remediated:

An error occurred (NoSuchEntity) when calling the GetRole operation: The role with name CloudWatch-CrossAccountSharingRole cannot be found.

Check if the CloudFormation stack exists:

aws cloudformation describe-stacks \
  --stack-name CloudWatch-CrossAccountSharingRole \
  --region us-east-1 2>&1

Expected output when properly remediated:

An error occurred (ValidationError) when calling the DescribeStacks operation: Stack with id CloudWatch-CrossAccountSharingRole does not exist

Additional Resources

Notes

  • Business justification: Before disabling cross-account sharing, verify that no legitimate business process depends on it. Some organizations use centralized monitoring accounts that require this access.
  • Alternative approach: If you need cross-account visibility, consider using a dedicated monitoring account with restricted access rather than the default cross-account sharing role.
  • Trust relationships: If you decide to keep cross-account sharing, review the role's trust policy to ensure only specific, trusted accounts can assume it.
  • Audit regularly: Periodically check for the presence of this role, as it may be recreated through the CloudWatch console wizard.
  • Service Control Policies: For organizations, consider using SCPs to prevent creation of this role across all accounts.