- Enables real-time streaming of log events to destinations in a different AWS account.
- Common for centralized logging architectures where multiple accounts send logs to one account for analysis or storage.
- Supported destinations:
- Amazon Kinesis Data Streams (KDS)
- Amazon Kinesis Data Firehose (KDF)
Example Architecture
Account A – Sender (111111111111)
- Contains the CloudWatch Logs source.
- Uses a Subscription Filter to select which events to forward.
Account B – Recipient (999999999999)
- Hosts the Kinesis Data Stream that receives the events (e.g., RecipientStream).
- Creates a CloudWatch Logs destination that points to the stream and references an IAM role (in this same account) that CloudWatch Logs assumes to write to it; the sender's subscription filter targets the destination ARN, not the stream directly.
Required Permissions
- IAM Role in Recipient Account (referenced by the destination):
- Assumed by CloudWatch Logs: the trust policy names the service principal logs.amazonaws.com and should carry an aws:SourceArn condition limited to the sender and recipient accounts, so that log data from an unrelated account cannot be routed through the role (confused deputy).
- Must have permission to call PutRecord on the destination stream (kinesis:PutRecord scoped to that one stream ARN, nothing broader).
- Destination Access Policy in Recipient Account:
- A resource policy on the destination that grants the sender account logs:PutSubscriptionFilter; this is what allows the sender to attach a subscription filter whose events end up in the stream. Name the specific sender account(s) as the principal rather than "*".
- Sender Account:
- Needs only permission to create the subscription filter on its own log group, with the destination ARN as the target. No roleArn is supplied on a subscription filter that points at a destination owned by another account.
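The three policy documents above, plus a small audit of the destination access policy, as an added example (this is not code from the original page; the region us-east-1 and the destination name CrossAccountDestination are assumptions, and the overly broad policy in the test is constructed to show what the audit flags):

```python
import json

SENDER_ACCOUNT = "111111111111"
RECIPIENT_ACCOUNT = "999999999999"
REGION = "us-east-1"                          # assumption: the page names no region
STREAM_NAME = "RecipientStream"
DESTINATION_NAME = "CrossAccountDestination"  # assumption: the page names no destination

STREAM_ARN = f"arn:aws:kinesis:{REGION}:{RECIPIENT_ACCOUNT}:stream/{STREAM_NAME}"
DESTINATION_ARN = f"arn:aws:logs:{REGION}:{RECIPIENT_ACCOUNT}:destination:{DESTINATION_NAME}"


def trust_policy() -> dict:
    # Trust policy for the role created in the recipient account. Only the CloudWatch Logs
    # service may assume it, and only when acting for the sender or recipient account.
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "logs.amazonaws.com"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringLike": {"aws:SourceArn": [
                f"arn:aws:logs:{REGION}:{SENDER_ACCOUNT}:*",
                f"arn:aws:logs:{REGION}:{RECIPIENT_ACCOUNT}:*",
            ]}},
        }],
    }


def role_permissions_policy() -> dict:
    # Permissions attached to that role: PutRecord on this one stream and nothing else.
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "kinesis:PutRecord",
            "Resource": STREAM_ARN,
        }],
    }


def destination_access_policy(sender_accounts) -> dict:
    # Resource policy on the destination: listed accounts may attach a subscription filter.
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": list(sender_accounts)},
            "Action": "logs:PutSubscriptionFilter",
            "Resource": DESTINATION_ARN,
        }],
    }


def subscription_filter_params(log_group: str, pattern: str = "") -> dict:
    # What the sender passes to PutSubscriptionFilter. No roleArn: the destination
    # belongs to another account, so the recipient's role does the writing.
    return {
        "logGroupName": log_group,
        "filterName": f"to-{DESTINATION_NAME}",
        "filterPattern": pattern,
        "destinationArn": DESTINATION_ARN,
    }


def audit_destination_policy(policy: dict, expected_senders) -> list:
    """Return findings for a destination access policy; an empty list means only the
    expected sender accounts may call logs:PutSubscriptionFilter on this destination."""
    findings = []
    expected = set(expected_senders)
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        if "*" in aws and "Condition" not in stmt:
            findings.append("wildcard principal without a Condition: any AWS account can subscribe")
        for p in aws:
            acct = p.split(":")[4] if p.startswith("arn:") else p
            if acct != "*" and acct not in expected:
                findings.append(f"unexpected sender account {acct}")
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for a in actions:
            if a != "logs:PutSubscriptionFilter":
                findings.append(f"action {a} is broader than logs:PutSubscriptionFilter")
        if stmt.get("Resource") != DESTINATION_ARN:
            findings.append(f"resource {stmt.get('Resource')} is not the destination ARN")
    return findings


if __name__ == "__main__":
    for name, doc in [("trust", trust_policy()), ("role", role_permissions_policy()),
                      ("destination", destination_access_policy([SENDER_ACCOUNT]))]:
        print(name, json.dumps(doc, indent=2))
    print(audit_destination_policy(destination_access_policy([SENDER_ACCOUNT]), [SENDER_ACCOUNT]))
```

Run the audit against the destination policy you actually deploy (for example the output of `aws logs describe-destinations`); a wildcard principal, a `logs:*` action or a `*` resource each produce a finding, and the common mistake of granting `kinesis:PutRecord` to the sender account instead of `logs:PutSubscriptionFilter` is flagged as a broader-than-needed action.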