35.7 CloudWatch Dashboards: Visualizing Metrics Across Accounts and Regions
Right, so you’ve got alarms screaming and logs streaming. Fantastic. But staring at a single metric in a single account is like trying to understand a symphony by listening to one violin. It’s time to conduct the whole orchestra. Enter CloudWatch Dashboards: your single pane of (sometimes frustratingly) glass for visualizing the glorious chaos of your multi-account, multi-region infrastructure.
The promise is simple: a customizable homepage for your operational sanity. The reality is a powerful tool with some quirks you need to understand, lest you build a beautiful, auto-refreshing monument to a lie.
The Absolute Basics: Widgets, Not Magic
A dashboard is just a collection of widgets. Don’t let the fancy name fool you; a widget is a thing that shows data. The most important one, the workhorse, is the Line widget for metrics. You’ll also use Number widgets for a quick status check, Logs Table widgets for live log tailing, and Text widgets to label things because apparently, your future self won’t remember why you called a graph “spicy-memory-leak-prod”.
You create them via the console’s clicky-draggy interface, which is fine for a quick hack. But you and I are not animals. We define our infrastructure as code. Which brings us to the first “questionable choice”.
IaC or Bust: CDK to the Rescue
The AWS console dashboard builder feels like it was designed by a different, less competent team than the one that built the rest of CloudWatch. Editing complex dashboards in the UI is a special kind of torture. The only sane way to manage them is with infrastructure-as-code. Here’s how you do it properly with CDK (in TypeScript).
import * as cdk from 'aws-cdk-lib';
import * as cloudwatch from 'aws-cdk-lib/aws-cloudwatch';
import * as cloudwatch_actions from 'aws-cdk-lib/aws-cloudwatch-actions';
import * as sns from 'aws-cdk-lib/aws-sns';
export class DashboardStack extends cdk.Stack {
constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
super(scope, id, props);
// Create a dashboard object
const dashboard = new cloudwatch.Dashboard(this, 'SpicyDashboard', {
dashboardName: 'My-Super-Serious-Dashboard',
});
// Let's create a widget for the CPU utilization of a hypothetical EC2 instance
// This is where the cross-account/region magic happens in the ARN
const cpuMetric = new cloudwatch.Metric({
namespace: 'AWS/EC2',
metricName: 'CPUUtilization',
dimensionsMap: { InstanceId: 'i-1234567890abcdef0' },
// The critical part: specifying region and account
region: 'us-west-2', // This instance is in a different region!
account: '123456789012', // This instance is in a different account!
});
const cpuWidget = new cloudwatch.GraphWidget({
title: 'CPU Usage of West-Coast Instance (Account: 123...)',
left: [cpuMetric],
width: 12, // 24 is full-width, 12 is half. They use a grid system.
});
// Add the widget to the dashboard
dashboard.addWidgets(cpuWidget);
}
}
See that? The Metric object takes region and account properties. This is the secret sauce. As long as your dashboard’s account has been granted permissions via IAM to read metrics from that other account (usually via a resource-based policy on the other account’s CloudWatch), it will just work. No need for clunky VPC peering or gateway endpoints. It’s one of the things AWS actually got right.
The IAM Permissions You’ll Forget
Ah, I mentioned IAM. Here’s your first pitfall. Creating a dashboard in Account A that shows metrics from Account B doesn’t just happen. Account A’s role needs cloudwatch:GetMetricData. But more importantly, Account B needs to allow Account A to read its metrics. You do this with a policy on Account B’s CloudWatch namespace. This catches everyone out.
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::DASHBOARD_ACCOUNT_ID:root" // Or a specific role
},
"Action": [
"cloudwatch:GetMetricData",
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics"
],
"Resource": "*"
}
Without this, your dashboard will be a sad collection of “No data” messages, and you’ll waste an hour questioning your life choices. Trust me.
Best Practices: Less Art, More Science
A dashboard isn’t a portfolio piece. Its only job is to convey critical information at a glance.
- Group by Service or Failure Domain: Don’t mix your RDS graphs with your Lambda graphs. Group all related widgets for a single service or application together.
- Use Annotations: That giant CPU spike? Was it a deployment? A holiday sale? Use the
cloudwatch.Alarmconstruct in CDK to add alarms directly to your graphs as annotations. It provides crucial context. - Beware of Pricing: This is the big one. Dashboards themselves are free. Refreshing them is not. Each widget that renders metrics incurs a GetMetricData charge. A complex dashboard on a 1-minute refresh interval can easily cost you hundreds of dollars a month. Set a sane auto-refresh interval (5 minutes is often plenty) or just refresh manually.
- Log Insights Integration: This is a killer feature. You can embed a Log Insights query right into a widget, giving you a live-updating table of log events next to your metrics. It’s invaluable for correlating that API latency spike with a burst of ERROR messages in your application logs.
// Adding a Log Insights widget to the dashboard
const logsWidget = new cloudwatch.LogQueryWidget({
title: 'Recent Errors in MyAppLogs',
logGroupNames: ['/aws/lambda/my-function'], // Can cross accounts/regions too!
queryString: 'fields @timestamp, @message | filter @message like /ERROR/ | sort @timestamp desc | limit 20',
width: 24, // Full width
});
dashboard.addWidgets(logsWidget);
So, build your dashboards with code, get your IAM right, mind the refresh rate, and use them to tell a story. When done right, they’re the closest thing you get to a unified view of your system. Just don’t expect the UI to be your friend.