I am working on a project to centralize our AWS security logs. The issue we are running into is that we have just enabled organization-level logging. Previously, we applied our security Terraform to each individual AWS account. Now we are following this practice. The problem with this situation is that we have multiple accounts with multiple S3 buckets, multiple CloudWatch logs, and multiple CloudWatch alerts. It would be easier to centralize all of these into one single “security”/“organization” account.
Does it make sense to create a single AWS account just for logging? If so, would it make sense to create security groups (Security Admin) and security roles (ops-sec-role)? For example, we could add security users (sec-op-1) to the group so that they can assume a role into the security account. The reason is to follow the philosophy of separation of roles.
Has this been done before?
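One way to wire up the group/role split described in the question, as an added Terraform example that is not the poster's own code: the role lives in the dedicated security account, the group lives in the account that holds the IAM users, and the group's only permission is to assume that role. The account ID 111111111111, the region, the group name `SecurityAdmin` (IAM group names cannot contain spaces) and the pre-existing user `sec-op-1` are assumptions.

```hcl
# Added example, not from the original post. 111111111111 is a placeholder for the
# account holding IAM users; credentials for both aliases are configured out of band.
provider "aws" {
  alias  = "identity"
  region = "us-east-1"
}
provider "aws" {
  alias  = "security"
  region = "us-east-1"
}
# Role in the security account: assumable only from the identity account, only with MFA.
resource "aws_iam_role" "ops_sec_role" {
  provider = aws.security
  name     = "ops-sec-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { AWS = "arn:aws:iam::111111111111:root" }
      Condition = { Bool = { "aws:MultiFactorAuthPresent" = "true" } }
    }]
  })
}
# Read-only audit permissions over the centralized logs; widen only as needed.
resource "aws_iam_role_policy_attachment" "ops_sec_audit" {
  provider   = aws.security
  role       = aws_iam_role.ops_sec_role.name
  policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
}
# Group in the identity account whose only permission is to assume that role.
resource "aws_iam_group" "security_admin" {
  provider = aws.identity
  name     = "SecurityAdmin" # IAM group names cannot contain spaces
}
resource "aws_iam_group_policy" "security_admin_assume" {
  provider = aws.identity
  name     = "assume-ops-sec-role"
  group    = aws_iam_group.security_admin.name
  policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "sts:AssumeRole", Resource = aws_iam_role.ops_sec_role.arn }]
  })
}
# Put the existing user sec-op-1 (assumed to already exist) into the group.
resource "aws_iam_user_group_membership" "sec_op_1" {
  provider = aws.identity
  user     = "sec-op-1"
  groups   = [aws_iam_group.security_admin.name]
}
```

Because the trust policy names the identity account's root, who can actually assume the role is governed entirely by the group policy on the identity side, so adding or removing a user from the group is the whole access change and shows up in CloudTrail on both accounts.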