CloudWatch Observability Admin Service

2025/09/15 - CloudWatch Observability Admin Service - 5 new api methods

Changes  CloudWatch Observability Admin adds the ability to enable telemetry centralization in customers' Organizations. The release introduces new APIs to manage centralization rules, which define settings to replicate telemetry data to a central destination in the customers' Organization.

ListCentralizationRulesForOrganization (new) Link ¶

Lists all centralization rules in your organization. This operation can only be called by the organization's management account or a delegated administrator account.

See also: AWS API Documentation

Request Syntax

client.list_centralization_rules_for_organization(
    RuleNamePrefix='string',
    AllRegions=True|False,
    MaxResults=123,
    NextToken='string'
)
type RuleNamePrefix:

string

param RuleNamePrefix:

A string to filter organization centralization rules whose names begin with the specified prefix.

type AllRegions:

boolean

param AllRegions:

A flag determining whether to return organization centralization rules from all regions or only the current region.

type MaxResults:

integer

param MaxResults:

The maximum number of organization centralization rules to return in a single call.

type NextToken:

string

param NextToken:

The token for the next set of results. A previous call generates this token.

rtype:

dict

returns:

Response Syntax

{
    'CentralizationRuleSummaries': [
        {
            'RuleName': 'string',
            'RuleArn': 'string',
            'CreatorAccountId': 'string',
            'CreatedTimeStamp': 123,
            'CreatedRegion': 'string',
            'LastUpdateTimeStamp': 123,
            'RuleHealth': 'Healthy'|'Unhealthy'|'Provisioning',
            'FailureReason': 'TRUSTED_ACCESS_NOT_ENABLED'|'DESTINATION_ACCOUNT_NOT_IN_ORGANIZATION'|'INTERNAL_SERVER_ERROR',
            'DestinationAccountId': 'string',
            'DestinationRegion': 'string'
        },
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • CentralizationRuleSummaries (list) --

      A list of centralization rule summaries.

      • (dict) --

        A summary of a centralization rule's key properties and status.

        • RuleName (string) --

          The name of the organization centralization rule.

        • RuleArn (string) --

          The Amazon Resource Name (ARN) of the organization centralization rule.

        • CreatorAccountId (string) --

          The Amazon Web Services Account that created the organization centralization rule.

        • CreatedTimeStamp (integer) --

          The timestamp when the organization centralization rule was created.

        • CreatedRegion (string) --

          The Amazon Web Services region where the organization centralization rule was created.

        • LastUpdateTimeStamp (integer) --

          The timestamp when the organization centralization rule was last updated.

        • RuleHealth (string) --

          The health status of the organization centralization rule.

        • FailureReason (string) --

          The reason why an organization centralization rule is marked UNHEALTHY.

        • DestinationAccountId (string) --

          The primary destination account of the organization centralization rule.

        • DestinationRegion (string) --

          The primary destination region of the organization centralization rule.

    • NextToken (string) --

      A token to resume pagination of results.

CreateCentralizationRuleForOrganization (new) Link ¶

Creates a centralization rule that applies across an Amazon Web Services Organization. This operation can only be called by the organization's management account or a delegated administrator account.

See also: AWS API Documentation

Request Syntax

client.create_centralization_rule_for_organization(
    RuleName='string',
    Rule={
        'Source': {
            'Regions': [
                'string',
            ],
            'Scope': 'string',
            'SourceLogsConfiguration': {
                'LogGroupSelectionCriteria': 'string',
                'EncryptedLogGroupStrategy': 'ALLOW'|'SKIP'
            }
        },
        'Destination': {
            'Region': 'string',
            'Account': 'string',
            'DestinationLogsConfiguration': {
                'LogsEncryptionConfiguration': {
                    'EncryptionStrategy': 'CUSTOMER_MANAGED'|'AWS_OWNED',
                    'KmsKeyArn': 'string',
                    'EncryptionConflictResolutionStrategy': 'ALLOW'|'SKIP'
                },
                'BackupConfiguration': {
                    'Region': 'string',
                    'KmsKeyArn': 'string'
                }
            }
        }
    },
    Tags={
        'string': 'string'
    }
)
type RuleName:

string

param RuleName:

[REQUIRED]

A unique name for the organization-wide centralization rule being created.

type Rule:

dict

param Rule:

[REQUIRED]

The configuration details for the organization-wide centralization rule, including the source configuration and the destination configuration to centralize telemetry data across the organization.

  • Source (dict) -- [REQUIRED]

    Configuration determining the source of the telemetry data to be centralized.

    • Regions (list) -- [REQUIRED]

      The list of source regions from which telemetry data should be centralized.

      • (string) --

    • Scope (string) --

      The organizational scope from which telemetry data should be centralized, specified using organization id, accounts or organizational unit ids.

    • SourceLogsConfiguration (dict) --

      Log specific configuration for centralization source log groups.

      • LogGroupSelectionCriteria (string) -- [REQUIRED]

        The selection criteria that specifies which source log groups to centralize. The selection criteria uses the same format as OAM link filters.

      • EncryptedLogGroupStrategy (string) -- [REQUIRED]

        A strategy determining whether to centralize source log groups that are encrypted with customer managed KMS keys (CMK). ALLOW will consider CMK encrypted source log groups for centralization while SKIP will skip CMK encrypted source log groups from centralization.

  • Destination (dict) -- [REQUIRED]

    Configuration determining where the telemetry data should be centralized, backed up, as well as encryption configuration for the primary and backup destinations.

    • Region (string) -- [REQUIRED]

      The primary destination region to which telemetry data should be centralized.

    • Account (string) --

      The destination account (within the organization) to which the telemetry data should be centralized.

    • DestinationLogsConfiguration (dict) --

      Log specific configuration for centralization destination log groups.

      • LogsEncryptionConfiguration (dict) --

        The encryption configuration for centralization destination log groups.

        • EncryptionStrategy (string) -- [REQUIRED]

          Configuration that determines the encryption strategy of the destination log groups. CUSTOMER_MANAGED uses the configured KmsKeyArn to encrypt newly created destination log groups.

        • KmsKeyArn (string) --

          KMS Key arn belonging to the primary destination account and region, to encrypt newly created central log groups in the primary destination.

        • EncryptionConflictResolutionStrategy (string) --

          Conflict resolution strategy for centralization if the encryption strategy is set to CUSTOMER_MANAGED and the destination log group is encrypted with an AWS_OWNED KMS Key. ALLOW lets centralization go through while SKIP prevents centralization into the destination log group.

      • BackupConfiguration (dict) --

        Configuration defining the backup region and an optional KMS key for the backup destination.

        • Region (string) -- [REQUIRED]

          Logs specific backup destination region within the primary destination account to which log data should be centralized.

        • KmsKeyArn (string) --

          KMS Key arn belonging to the primary destination account and backup region, to encrypt newly created central log groups in the backup destination.

type Tags:

dict

param Tags:

The key-value pairs to associate with the organization telemetry rule resource for categorization and management purposes.

  • (string) --

    • (string) --

rtype:

dict

returns:

Response Syntax

{
    'RuleArn': 'string'
}

Response Structure

  • (dict) --

    • RuleArn (string) --

      The Amazon Resource Name (ARN) of the created organization centralization rule.

UpdateCentralizationRuleForOrganization (new) Link ¶

Updates an existing centralization rule that applies across an Amazon Web Services Organization. This operation can only be called by the organization's management account or a delegated administrator account.

See also: AWS API Documentation

Request Syntax

client.update_centralization_rule_for_organization(
    RuleIdentifier='string',
    Rule={
        'Source': {
            'Regions': [
                'string',
            ],
            'Scope': 'string',
            'SourceLogsConfiguration': {
                'LogGroupSelectionCriteria': 'string',
                'EncryptedLogGroupStrategy': 'ALLOW'|'SKIP'
            }
        },
        'Destination': {
            'Region': 'string',
            'Account': 'string',
            'DestinationLogsConfiguration': {
                'LogsEncryptionConfiguration': {
                    'EncryptionStrategy': 'CUSTOMER_MANAGED'|'AWS_OWNED',
                    'KmsKeyArn': 'string',
                    'EncryptionConflictResolutionStrategy': 'ALLOW'|'SKIP'
                },
                'BackupConfiguration': {
                    'Region': 'string',
                    'KmsKeyArn': 'string'
                }
            }
        }
    }
)
type RuleIdentifier:

string

param RuleIdentifier:

[REQUIRED]

The identifier (name or ARN) of the organization centralization rule to update.

type Rule:

dict

param Rule:

[REQUIRED]

The configuration details for the organization-wide centralization rule, including the source configuration and the destination configuration to centralize telemetry data across the organization.

  • Source (dict) -- [REQUIRED]

    Configuration determining the source of the telemetry data to be centralized.

    • Regions (list) -- [REQUIRED]

      The list of source regions from which telemetry data should be centralized.

      • (string) --

    • Scope (string) --

      The organizational scope from which telemetry data should be centralized, specified using organization id, accounts or organizational unit ids.

    • SourceLogsConfiguration (dict) --

      Log specific configuration for centralization source log groups.

      • LogGroupSelectionCriteria (string) -- [REQUIRED]

        The selection criteria that specifies which source log groups to centralize. The selection criteria uses the same format as OAM link filters.

      • EncryptedLogGroupStrategy (string) -- [REQUIRED]

        A strategy determining whether to centralize source log groups that are encrypted with customer managed KMS keys (CMK). ALLOW will consider CMK encrypted source log groups for centralization while SKIP will skip CMK encrypted source log groups from centralization.

  • Destination (dict) -- [REQUIRED]

    Configuration determining where the telemetry data should be centralized, backed up, as well as encryption configuration for the primary and backup destinations.

    • Region (string) -- [REQUIRED]

      The primary destination region to which telemetry data should be centralized.

    • Account (string) --

      The destination account (within the organization) to which the telemetry data should be centralized.

    • DestinationLogsConfiguration (dict) --

      Log specific configuration for centralization destination log groups.

      • LogsEncryptionConfiguration (dict) --

        The encryption configuration for centralization destination log groups.

        • EncryptionStrategy (string) -- [REQUIRED]

          Configuration that determines the encryption strategy of the destination log groups. CUSTOMER_MANAGED uses the configured KmsKeyArn to encrypt newly created destination log groups.

        • KmsKeyArn (string) --

          KMS Key arn belonging to the primary destination account and region, to encrypt newly created central log groups in the primary destination.

        • EncryptionConflictResolutionStrategy (string) --

          Conflict resolution strategy for centralization if the encryption strategy is set to CUSTOMER_MANAGED and the destination log group is encrypted with an AWS_OWNED KMS Key. ALLOW lets centralization go through while SKIP prevents centralization into the destination log group.

      • BackupConfiguration (dict) --

        Configuration defining the backup region and an optional KMS key for the backup destination.

        • Region (string) -- [REQUIRED]

          Logs specific backup destination region within the primary destination account to which log data should be centralized.

        • KmsKeyArn (string) --

          KMS Key arn belonging to the primary destination account and backup region, to encrypt newly created central log groups in the backup destination.

rtype:

dict

returns:

Response Syntax

{
    'RuleArn': 'string'
}

Response Structure

  • (dict) --

    • RuleArn (string) --

      The Amazon Resource Name (ARN) of the updated organization centralization rule.

GetCentralizationRuleForOrganization (new) Link ¶

Retrieves the details of a specific organization centralization rule. This operation can only be called by the organization's management account or a delegated administrator account.

See also: AWS API Documentation

Request Syntax

client.get_centralization_rule_for_organization(
    RuleIdentifier='string'
)
type RuleIdentifier:

string

param RuleIdentifier:

[REQUIRED]

The identifier (name or ARN) of the organization centralization rule to retrieve.

rtype:

dict

returns:

Response Syntax

{
    'RuleName': 'string',
    'RuleArn': 'string',
    'CreatorAccountId': 'string',
    'CreatedTimeStamp': 123,
    'CreatedRegion': 'string',
    'LastUpdateTimeStamp': 123,
    'RuleHealth': 'Healthy'|'Unhealthy'|'Provisioning',
    'FailureReason': 'TRUSTED_ACCESS_NOT_ENABLED'|'DESTINATION_ACCOUNT_NOT_IN_ORGANIZATION'|'INTERNAL_SERVER_ERROR',
    'CentralizationRule': {
        'Source': {
            'Regions': [
                'string',
            ],
            'Scope': 'string',
            'SourceLogsConfiguration': {
                'LogGroupSelectionCriteria': 'string',
                'EncryptedLogGroupStrategy': 'ALLOW'|'SKIP'
            }
        },
        'Destination': {
            'Region': 'string',
            'Account': 'string',
            'DestinationLogsConfiguration': {
                'LogsEncryptionConfiguration': {
                    'EncryptionStrategy': 'CUSTOMER_MANAGED'|'AWS_OWNED',
                    'KmsKeyArn': 'string',
                    'EncryptionConflictResolutionStrategy': 'ALLOW'|'SKIP'
                },
                'BackupConfiguration': {
                    'Region': 'string',
                    'KmsKeyArn': 'string'
                }
            }
        }
    }
}

Response Structure

  • (dict) --

    • RuleName (string) --

      The name of the organization centralization rule.

    • RuleArn (string) --

      The Amazon Resource Name (ARN) of the organization centralization rule.

    • CreatorAccountId (string) --

      The Amazon Web Services Account that created the organization centralization rule.

    • CreatedTimeStamp (integer) --

      The timestamp when the organization centralization rule was created.

    • CreatedRegion (string) --

      The Amazon Web Services region where the organization centralization rule was created.

    • LastUpdateTimeStamp (integer) --

      The timestamp when the organization centralization rule was last updated.

    • RuleHealth (string) --

      The health status of the organization centralization rule.

    • FailureReason (string) --

      The reason why an organization centralization rule is marked UNHEALTHY.

    • CentralizationRule (dict) --

      The configuration details for the organization centralization rule.

      • Source (dict) --

        Configuration determining the source of the telemetry data to be centralized.

        • Regions (list) --

          The list of source regions from which telemetry data should be centralized.

          • (string) --

        • Scope (string) --

          The organizational scope from which telemetry data should be centralized, specified using organization id, accounts or organizational unit ids.

        • SourceLogsConfiguration (dict) --

          Log specific configuration for centralization source log groups.

          • LogGroupSelectionCriteria (string) --

            The selection criteria that specifies which source log groups to centralize. The selection criteria uses the same format as OAM link filters.

          • EncryptedLogGroupStrategy (string) --

            A strategy determining whether to centralize source log groups that are encrypted with customer managed KMS keys (CMK). ALLOW will consider CMK encrypted source log groups for centralization while SKIP will skip CMK encrypted source log groups from centralization.

      • Destination (dict) --

        Configuration determining where the telemetry data should be centralized, backed up, as well as encryption configuration for the primary and backup destinations.

        • Region (string) --

          The primary destination region to which telemetry data should be centralized.

        • Account (string) --

          The destination account (within the organization) to which the telemetry data should be centralized.

        • DestinationLogsConfiguration (dict) --

          Log specific configuration for centralization destination log groups.

          • LogsEncryptionConfiguration (dict) --

            The encryption configuration for centralization destination log groups.

            • EncryptionStrategy (string) --

              Configuration that determines the encryption strategy of the destination log groups. CUSTOMER_MANAGED uses the configured KmsKeyArn to encrypt newly created destination log groups.

            • KmsKeyArn (string) --

              KMS Key arn belonging to the primary destination account and region, to encrypt newly created central log groups in the primary destination.

            • EncryptionConflictResolutionStrategy (string) --

              Conflict resolution strategy for centralization if the encryption strategy is set to CUSTOMER_MANAGED and the destination log group is encrypted with an AWS_OWNED KMS Key. ALLOW lets centralization go through while SKIP prevents centralization into the destination log group.

          • BackupConfiguration (dict) --

            Configuration defining the backup region and an optional KMS key for the backup destination.

            • Region (string) --

              Logs specific backup destination region within the primary destination account to which log data should be centralized.

            • KmsKeyArn (string) --

              KMS Key arn belonging to the primary destination account and backup region, to encrypt newly created central log groups in the backup destination.

DeleteCentralizationRuleForOrganization (new) Link ¶

Deletes an organization-wide centralization rule. This operation can only be called by the organization's management account or a delegated administrator account.

See also: AWS API Documentation

Request Syntax

client.delete_centralization_rule_for_organization(
    RuleIdentifier='string'
)
type RuleIdentifier:

string

param RuleIdentifier:

[REQUIRED]

The identifier (name or ARN) of the organization centralization rule to delete.

returns:

None