by John Lukach
On September 17, 2025, Amazon Web Services (AWS) released one of my favorite new features of the year, CloudWatch Logs Centralization.
The first copy of centralized logs comes with no additional ingestion charges or cross-region data transfer costs, with customers paying standard CloudWatch storage costs and feature pricing.
Having a single pane of glass dramatically reduces the complexity of security monitoring and alerting. I was also able to reduce my CloudWatch Alarms to an organization-level view instead of per-function, since I can now quickly find the Lambda function in an error state. It also significantly reduced my top monthly spend.
In the management account, I first needed to enable trusted access for CloudWatch.
Next, I need to register the delegated administrator for CloudWatch.
Now I can switch to the new CloudWatch account to configure it as the monitoring account. Since the first copy is free, I select all the data sources for the organization identifier.
Then I need to link all the accounts using Organization StackSets. These need to be deployed per region and have unique identifiers. I also enable CloudWatch Telemetry Configuration for each region I use.
Next, I configure the centralization rule to consolidate all CloudWatch data into the central USE2 region within the CloudWatch account.
Finally, I enable resource tags on telemetry to unlock advanced CloudWatch capabilities for each region I use.
My initial use case is a CloudWatch Alarm that monitors all Lambda error metrics in the active regions, triggering an SNS Topic that sends an email alert. The code is available in my cloudwatch repository.
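As an added example (not the code from the author's cloudwatch repository), the helper below builds the `put_metric_alarm` request for such an alarm in the monitoring account: it sums the dimensionless AWS/Lambda `Errors` metric of each linked source account with a metric math expression and notifies one SNS topic. It assumes the source accounts are already linked via CloudWatch cross-account observability; the account IDs, topic ARN and alarm name are placeholders.

```python
"""Build a cross-account CloudWatch alarm on aggregate Lambda errors."""
# Added example, not the author's code; account IDs and the topic ARN
# below are placeholders.
import json
from typing import Any

PERIOD_SECONDS = 300  # 5-minute evaluation windows


def lambda_error_alarm(account_ids: list[str], topic_arn: str,
                       alarm_name: str = "org-lambda-errors") -> dict[str, Any]:
    """Return put_metric_alarm() kwargs that sum the account-wide (no
    dimensions) AWS/Lambda 'Errors' metric of every linked source account
    and alarm when the total exceeds zero in a period.

    In the monitoring account a MetricDataQuery may carry an AccountId that
    names a linked source account, so one alarm per region covers every
    account the StackSet linked there.
    """
    if not account_ids:
        raise ValueError("at least one source account is required")
    queries = []
    for i, account in enumerate(account_ids):
        queries.append({
            "Id": f"e{i}",  # ids must start with a lowercase letter
            "AccountId": account,
            "ReturnData": False,  # only the SUM expression drives the alarm
            "MetricStat": {
                "Metric": {"Namespace": "AWS/Lambda", "MetricName": "Errors"},
                "Period": PERIOD_SECONDS,
                "Stat": "Sum",
            },
        })
    queries.append({
        "Id": "total",
        "Expression": "SUM([" + ",".join(q["Id"] for q in queries) + "])",
        "Label": "Lambda errors across linked accounts",
        "ReturnData": True,
    })
    return {
        "AlarmName": alarm_name,
        "Metrics": queries,
        "ComparisonOperator": "GreaterThanThreshold",
        "Threshold": 0,
        "EvaluationPeriods": 1,
        "TreatMissingData": "notBreaching",  # idle accounts emit no datapoints
        "AlarmActions": [topic_arn],
        "OKActions": [topic_arn],
    }


if __name__ == "__main__":
    args = lambda_error_alarm(["111111111111", "222222222222"],
                              "arn:aws:sns:us-east-2:333333333333:lambda-error-alerts")
    print(json.dumps(args, indent=2))
    # Create it with: boto3.client("cloudwatch", region_name="us-east-2").put_metric_alarm(**args)
```

Because alarms are regional, this would be deployed through the same per-region StackSets the post describes, with `region_name` set to each active region.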
tags: aws - centralized - cloudwatch - observability