AWS has announced significant enhancements to Amazon CloudWatch that transform it from a basic AWS monitoring service into a unified observability platform capable of consolidating operational, security, and compliance logs across multi-account environments. The update addresses a longstanding enterprise challenge: fragmented log management requiring multiple tools and data copies, each adding cost and complexity.
The key innovation is Apache Iceberg-compatible access to log data through Amazon S3 Tables, which lets organizations query logs in place without building ETL pipelines while keeping the data readable by third-party analytics tools. Combined with native support for the Open Cybersecurity Schema Framework (OCSF) and OpenTelemetry (OTel) standards, this positions CloudWatch as a potential alternative to established observability platforms like Splunk and Datadog, at least for AWS-centric organizations.
CloudWatch now natively aggregates vended logs across accounts and Regions through its AWS Organizations integration, from services such as AWS CloudTrail, Amazon VPC Flow Logs, and AWS WAF access logs. It also ingests third-party sources, including CrowdStrike, Okta, Wiz, Zscaler, Microsoft Office 365, and ServiceNow CMDB. CloudWatch provides managed OCSF conversion for these sources and uses Grok patterns for custom parsing and field-level operations on log formats it does not already understand.
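To make concrete what OCSF normalization and Grok parsing buy an analyst, the following Python is an added example written for this article; it is not CloudWatch's code, and AWS's actual field mappings are not described on this page. It expands a small subset of Grok pattern names into regexes, maps a constructed CloudTrail record and a constructed login line from a hypothetical on-premises SSO gateway into OCSF-shaped events (API Activity, class_uid 6003, and Authentication, class_uid 3002), and then runs a single cross-source query over both. The sample records, the gateway's log format, and the eventName-to-activity_id mapping are assumptions made for the example.

```python
"""Added example: Grok parsing plus OCSF normalization of two log sources (not CloudWatch's code)."""
import re
from datetime import datetime

# Small subset of standard Grok pattern names, chosen for this example.
GROK_PATTERNS = {
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "WORD": r"\w+",
    "NUMBER": r"-?\d+(?:\.\d+)?",
    "URIPATH": r"/[^\s?]*",
    "NOTSPACE": r"\S+",
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})",
}
_GROK_TOKEN = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern: str) -> re.Pattern:
    """Expand %{NAME:field} tokens into named groups; literal text between tokens is escaped."""
    out, pos = [], 0
    for m in _GROK_TOKEN.finditer(pattern):
        out.append(re.escape(pattern[pos:m.start()]))
        name, field = m.group(1), m.group(2)
        sub = GROK_PATTERNS[name]  # KeyError on an unknown pattern name is intentional
        out.append(f"(?P<{field}>{sub})" if field else f"(?:{sub})")
        pos = m.end()
    out.append(re.escape(pattern[pos:]))
    return re.compile("^" + "".join(out) + "$")


# Constructed CloudTrail-shaped records (documentation account ID, TEST-NET addresses), not real events.
CLOUDTRAIL_SAMPLE = [
    {"eventTime": "2025-06-01T12:00:01Z", "eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice", "userName": "alice"}},
    {"eventTime": "2025-06-01T12:00:02Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.9", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob", "userName": "bob"}},
]
# Constructed lines from a hypothetical SSO gateway whose format CloudWatch would not know natively.
APP_LOG_LINES = [
    "2025-06-01T12:00:03Z 203.0.113.7 login alice FAIL",
    "2025-06-01T12:00:04Z 203.0.113.7 login alice OK",
]
APP_LOG_GROK = "%{TIMESTAMP_ISO8601:ts} %{IP:client} %{WORD:action} %{WORD:user} %{WORD:result}"


def _epoch_ms(iso: str) -> int:
    """OCSF 'time' is epoch milliseconds."""
    return int(datetime.fromisoformat(iso.replace("Z", "+00:00")).timestamp() * 1000)


def cloudtrail_to_ocsf(rec: dict) -> dict:
    """Map a CloudTrail record to OCSF API Activity (class_uid 6003, category 6 Application Activity)."""
    name = rec["eventName"]
    # activity_id values from the OCSF API Activity class; the prefix heuristic is this example's assumption.
    if name.startswith(("Create", "Put", "Run")):
        aid = 1  # Create
    elif name.startswith(("Get", "List", "Describe")):
        aid = 2  # Read
    elif name.startswith(("Update", "Modify")):
        aid = 3  # Update
    elif name.startswith(("Delete", "Terminate")):
        aid = 4  # Delete
    else:
        aid = 99  # Other
    ident = rec["userIdentity"]
    return {
        "class_uid": 6003, "category_uid": 6, "activity_id": aid, "type_uid": 6003 * 100 + aid,
        "time": _epoch_ms(rec["eventTime"]), "severity_id": 1,
        "status_id": 2 if "errorCode" in rec else 1,  # 1 Success, 2 Failure
        "actor": {"user": {"name": ident.get("userName", ident["arn"])}},
        "src_endpoint": {"ip": rec["sourceIPAddress"]},
        "api": {"operation": name, "service": {"name": rec["eventSource"]}},
        "cloud": {"provider": "AWS", "region": rec["awsRegion"]},
        "metadata": {"product": {"name": "CloudTrail", "vendor_name": "AWS"}},
    }


def applog_to_ocsf(fields: dict) -> dict:
    """Map a Grok-parsed login line to OCSF Authentication (class_uid 3002, activity_id 1 Logon)."""
    ok = fields["result"] == "OK"
    user = {"name": fields["user"]}
    return {
        "class_uid": 3002, "category_uid": 3, "activity_id": 1, "type_uid": 300201,
        "time": _epoch_ms(fields["ts"]), "severity_id": 1 if ok else 3,
        "status_id": 1 if ok else 2,
        "user": user,                   # the subject being authenticated
        "actor": {"user": user},        # same principal, so actor-based queries cover both classes
        "src_endpoint": {"ip": fields["client"]},
        "metadata": {"product": {"name": "sso-gateway", "vendor_name": "example"}},
    }


def normalize_all(cloudtrail=CLOUDTRAIL_SAMPLE, app_lines=APP_LOG_LINES) -> list:
    """Normalize both sources into one time-ordered OCSF event list."""
    rx = grok_to_regex(APP_LOG_GROK)
    events = [cloudtrail_to_ocsf(r) for r in cloudtrail]
    for line in app_lines:
        m = rx.match(line)
        if m is not None:  # lines that do not match the pattern are skipped
            events.append(applog_to_ocsf(m.groupdict()))
    return sorted(events, key=lambda e: e["time"])


def timeline_for_actor(events: list, name: str) -> list:
    """Cross-source query: (class_uid, activity_id, status_id, product) for one principal."""
    return [(e["class_uid"], e["activity_id"], e["status_id"], e["metadata"]["product"]["name"])
            for e in events if e["actor"]["user"]["name"] == name]


if __name__ == "__main__":
    for row in timeline_for_actor(normalize_all(), "alice"):
        print(row)
```

Because both sources land in the same field names, the query for alice returns her S3 DeleteBucket call and her two gateway logons in one ordered timeline without knowing which product emitted each record; that is the property that makes a single unified store useful for security work, and it only holds as far as the conversion is faithful, so any custom Grok or mapping rules deserve the same review as detection logic.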
CloudWatch streamlines log management into a single service with built-in governance, eliminating the need for multiple copies of data across different tools. Its unified data store reduces the complexity of ETL pipelines and lowers operational costs and management overhead.
Users can run queries in CloudWatch using natural language or the supported query languages (Logs Insights QL, OpenSearch PPL, and OpenSearch SQL) through a single interface, or query the same data with their preferred analytics tools via the Apache Iceberg-compatible tables. The new Facets interface allows filtering by source, application, account, Region, and log type, and supports cross-account and cross-Region queries with parameter inference.
(Source: AWS News Blog)
Suresh Rajashekaraiah, an architect at Mphasis, noted in a LinkedIn post that for years, enterprises struggled with fragmented operational and security logs, which complicated troubleshooting and compliance processes. Yet with the enhancements to Amazon CloudWatch, this issue is addressed by providing a unified log platform that consolidates and normalizes data from AWS and third-party sources, enabling streamlined querying.
However, Corey Quinn, through his AWS Snarkbot, posted on Bluesky:
CloudWatch now does what Splunk did 15 years ago, but with more AWS service names per sentence than actual features. “Unified data store” = S3 with extra steps and a consulting bill.
While Splunk provides cross-platform visibility across Azure, GCP, and on-premises environments, AWS is betting that its native integration and “Zero-ETL” cost profile could win over AWS-centric organizations. Furthermore, competitors like Datadog and Dynatrace offer deep Application Performance Monitoring and hybrid-cloud UIs; however, they often incur higher egress and indexing fees compared to AWS’s “query-in-place” S3 Tables model.
Open-source alternatives such as the ELK stack (Elasticsearch, Logstash, Kibana) and Grafana Loki provide unified log management with vendor independence and community-driven innovation, though they require organizations to manage their own infrastructure and operational complexity. CloudWatch’s managed service approach eliminates this operational burden but ties organizations more closely to the AWS ecosystem, raising questions about vendor lock-in for teams seeking multi-cloud flexibility.
The new CloudWatch capabilities are currently available in all AWS Regions except the AWS GovCloud (US) Regions and the China Regions. Pricing details for Amazon CloudWatch are available on the pricing page.
