When you start creating a new dashboard in CloudWatch, you will be prompted to add a widget. The widget can contain pre-built metrics (e.g. CPU Utilization, VPN datain/dataout) or can be based on custom metrics that are built from log queries.

The log queries themselves need a log group to run against.

Which Log Groups are of interest?

The two most important log groups are FlowLogsGroup and aws-ControlTower/CloudTrailLogs.

Control Tower Centralized Logging

Control Tower provides one management account and up to two OUs (the Security OU and an optional Sandbox OU).

Under the Security OU is a centralized logging account. All the other accounts within the root OU can then send their logs to this single centralized account.

Sample Queries from the Control Tower CloudTrail log group

Show All Exceptions from All Accounts

filter @message like /Exception/

Count All Exceptions from All Accounts in the last 3 days

filter @message like /Exception/ | stats count(*) as exceptionCount by bin(72h) | sort exceptionCount desc

Show All instances that were started and stopped in a particular region (CloudTrail records carry the region in the awsRegion field)

filter (eventName="StartInstances" or eventName="StopInstances") and awsRegion="us-east-2"
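The three CloudTrail queries above are easy to sanity-check offline before pointing them at a large, multi-account log group. The following is an added example, not part of this page or of any AWS tooling: it emulates each query in Python over a handful of constructed CloudTrail records. The field names (eventTime, eventName, awsRegion, errorCode, errorMessage, recipientAccountId) are the real CloudTrail record fields; the account IDs, timestamps and error values are made up. It also shows the limit of the `/Exception/` filter: a denied call whose errorCode is AccessDenied never contains the literal word "Exception", so a substring match on @message misses it, whereas checking for the presence of errorCode catches every failed API call.

```python
"""Offline emulation of the three Control Tower CloudTrail queries above.

Constructed sample records (not real data), shaped like the JSON that
CloudTrail delivers to a CloudWatch Logs log group.
"""
import json
from datetime import datetime, timedelta, timezone

SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "StartInstances",
     "awsRegion": "us-east-2", "recipientAccountId": "111111111111"},
    {"eventTime": "2024-05-01T11:30:00Z", "eventName": "StopInstances",
     "awsRegion": "us-east-2", "recipientAccountId": "222222222222"},
    {"eventTime": "2024-05-02T09:15:00Z", "eventName": "StartInstances",
     "awsRegion": "us-west-2", "recipientAccountId": "111111111111"},
    # Failed calls whose error code contains the literal text "Exception"
    {"eventTime": "2024-05-01T06:00:00Z", "eventName": "DescribeInstances",
     "awsRegion": "us-east-2", "recipientAccountId": "222222222222",
     "errorCode": "ThrottlingException", "errorMessage": "Rate exceeded"},
    {"eventTime": "2024-05-02T12:00:00Z", "eventName": "PutObject",
     "awsRegion": "us-east-1", "recipientAccountId": "333333333333",
     "errorCode": "ValidationException",
     "errorMessage": "1 validation error detected"},
    # A denied call: it is an error, but "Exception" never appears in the record
    {"eventTime": "2024-05-03T08:00:00Z", "eventName": "AssumeRole",
     "awsRegion": "us-east-1", "recipientAccountId": "333333333333",
     "errorCode": "AccessDenied",
     "errorMessage": "User is not authorized to perform: sts:AssumeRole"},
    # Old error, outside a 3-day window ending 2024-05-03T12:00Z
    {"eventTime": "2024-04-28T08:00:00Z", "eventName": "ListBuckets",
     "awsRegion": "us-east-1", "recipientAccountId": "111111111111",
     "errorCode": "ThrottlingException", "errorMessage": "Rate exceeded"},
]


def parse_time(ts):
    """CloudTrail eventTime is ISO-8601 UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def matches_exception(event):
    """Equivalent of `filter @message like /Exception/`: a substring match on
    the raw log line, which for CloudTrail is the JSON-serialised record."""
    return "Exception" in json.dumps(event)


def has_error(event):
    """Stricter equivalent of `filter ispresent(errorCode)`: any failed call,
    including denials whose error code does not contain "Exception"."""
    return "errorCode" in event


def count_exceptions(events, now_iso, hours=72):
    """Count /Exception/ matches in the trailing window ending at now_iso.
    The page's query groups by bin(72h); a trailing window is what the
    'last 3 days' title asks for, so that is what is emulated here."""
    now = parse_time(now_iso)
    since = now - timedelta(hours=hours)
    return sum(1 for e in events
               if matches_exception(e) and since <= parse_time(e["eventTime"]) <= now)


def instance_state_changes(events, region):
    """Equivalent of
    filter (eventName="StartInstances" or eventName="StopInstances") and awsRegion="<region>"
    returned as (eventTime, eventName, account) tuples, oldest first."""
    hits = [(e["eventTime"], e["eventName"], e["recipientAccountId"])
            for e in events
            if e["eventName"] in ("StartInstances", "StopInstances")
            and e["awsRegion"] == region]
    return sorted(hits)


if __name__ == "__main__":
    print("exceptions in last 72h:", count_exceptions(SAMPLE_EVENTS, "2024-05-03T12:00:00Z"))
    print("failed calls in total:", sum(has_error(e) for e in SAMPLE_EVENTS))
    for row in instance_state_changes(SAMPLE_EVENTS, "us-east-2"):
        print(row)
```

Running it reports two `/Exception/` matches in the window but four failed calls overall: the AccessDenied record and the old throttling error are not counted by the page's filter. When the goal is "every failed API call across all accounts", filtering on the presence of errorCode (Logs Insights' `ispresent(errorCode)`) is the more reliable starting point, and the region filter must use awsRegion, which is the field CloudTrail actually writes.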

Sample Queries from VPC Flow Logs log group

Show All VPC Flow Logs Packets (select a different log group for this one: FlowLogsGroup)

stats sum(packets) as packetsTransferred by srcAddr, dstAddr | sort packetsTransferred desc | limit 15
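To see what that aggregation actually computes, here is an added example (not from this page or from AWS) that parses a few constructed VPC Flow Log lines in the default flow log format and reproduces the sum/sort/limit locally. The account ID, ENI ID and addresses are made up. It handles the NODATA records that real flow logs contain, whose traffic fields are all "-" and which Logs Insights silently ignores in a sum, and it goes one step beyond the page's query by also ranking REJECT records, which is the view a defender typically puts next to the top-talkers widget.

```python
"""Offline equivalent of the flow-log query above, run over constructed
VPC Flow Log lines (not real traffic) in the default flow log format:

  version account-id interface-id srcaddr dstaddr srcport dstport
  protocol packets bytes start end action log-status

srcAddr, dstAddr and packets in the Logs Insights query are the field
names CloudWatch discovers for that default format.
"""
from collections import Counter

# Constructed sample lines; account ID, ENI ID and addresses are made up.
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.10 10.0.2.20 49152 443 6 20 15000 1714521600 1714521660 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.2.20 10.0.1.10 443 49152 6 18 9000 1714521600 1714521660 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.10 10.0.2.20 49153 443 6 5 400 1714521660 1714521720 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.10 51000 22 6 3 180 1714521660 1714521720 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1714521720 1714521780 - NODATA
"""

FIELDS = ["version", "account_id", "interface_id", "srcAddr", "dstAddr",
          "srcPort", "dstPort", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]


def parse_flow_log_line(line):
    """Split one default-format line into a dict, or return None for
    NODATA/SKIPDATA records, whose traffic fields are all '-'."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    for key in ("srcPort", "dstPort", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec


def packets_by_pair(text, limit=15):
    """Equivalent of
    stats sum(packets) as packetsTransferred by srcAddr, dstAddr
      | sort packetsTransferred desc | limit <limit>
    Returns (srcAddr, dstAddr, packetsTransferred) tuples, largest first."""
    totals = Counter()
    for line in text.splitlines():
        rec = parse_flow_log_line(line)
        if rec is None:
            continue
        totals[(rec["srcAddr"], rec["dstAddr"])] += rec["packets"]
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(src, dst, n) for (src, dst), n in ranked[:limit]]


def rejected_pairs(text):
    """Same aggregation restricted to REJECT records (flows dropped by a
    security group or network ACL), keyed by source, destination and port."""
    totals = Counter()
    for line in text.splitlines():
        rec = parse_flow_log_line(line)
        if rec and rec["action"] == "REJECT":
            totals[(rec["srcAddr"], rec["dstAddr"], rec["dstPort"])] += rec["packets"]
    return sorted(totals.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    for src, dst, n in packets_by_pair(SAMPLE_FLOW_LOGS):
        print(f"{src:>14} -> {dst:<14} {n} packets")
    print("rejected:", rejected_pairs(SAMPLE_FLOW_LOGS))
```

Note that the sum is per direction: 10.0.1.10 to 10.0.2.20 and 10.0.2.20 to 10.0.1.10 are separate rows, exactly as the Logs Insights `by srcAddr, dstAddr` grouping produces them, so a single TCP session shows up twice in the top-15 widget.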