I am working on a project to centralize our AWS security logs. The issue that we are running into is that we have just enabled organization-level logging. Previously, we applied our security Terraform to each individual AWS account. Now we are following this practice. The problem with this situation is that we have multiple accounts with multiple S3 buckets, multiple CloudWatch logs, and multiple CloudWatch alerts. It would be easier to centralize all of these into one single "security"/"organization" account.
Does it make sense to create a single AWS account just for logging? If so, would it make sense to create security groups (Security Admin) and security roles (ops-sec-role)? For example, we could add security users (sec-op-1) to the group so that they can assume the role into the security account. The reason is to follow the philosophy of separation of roles.
I am looking into potential solutions with CloudFormation, but it would be preferable to implement this with Terraform.
Has this been done before?
Yes, it absolutely makes sense to have a centralized logging account. If you are rolling this out across an organization, I would recommend that this would actually be the perfect time to use CloudFormation StackSets.
You could do the same kind of thing in Terraform, but you will have to write your own automation to apply it to many accounts and also have to remember or automate running it for new organization accounts. I usually prefer Terraform for IaC, but this is one of the few cases where CloudFormation really shines. A hybrid approach could also work, using CloudFormation for the standard things like CloudTrail and IAM and custom Terraform for accounts with their own specific requirements.
You may also want to take a look at the AWS Control Tower service, which can automate some of this for you along with applying some other security best practices.
Source: I am a certified AWS Solutions Architect Professional and DevOps Engineer Professional.
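An added Terraform sketch of the central security account the answer recommends (not code from the question or the answer): one S3 bucket with the policy an organization CloudTrail needs to deliver into it, and an ops-sec-role that sec-op users assume from a separate identity account. The `org_id`, `management_account` and `identity_account` variables and the bucket name are placeholders to fill in per organization.

```hcl
# Central "security" account: a bucket the organization trail delivers to, and
# ops-sec-role, which sec-op users assume from their home (identity) account.
variable "org_id"             { type = string } # placeholder, e.g. o-xxxxxxxxxx
variable "management_account" { type = string } # placeholder: org management account id
variable "identity_account"   { type = string } # placeholder: account holding sec-op users

resource "aws_s3_bucket" "central_logs" {
  bucket = "org-security-logs-${var.org_id}" # constructed name
}

resource "aws_s3_bucket_policy" "central_logs" {
  bucket = aws_s3_bucket.central_logs.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      { # CloudTrail checks the bucket ACL before it will deliver
        Sid       = "AWSCloudTrailAclCheck"
        Effect    = "Allow"
        Principal = { Service = "cloudtrail.amazonaws.com" }
        Action    = "s3:GetBucketAcl"
        Resource  = aws_s3_bucket.central_logs.arn
      },
      { # members land under AWSLogs/<org-id>/<account-id>/, management under AWSLogs/<mgmt-id>/
        Sid       = "AWSCloudTrailWrite"
        Effect    = "Allow"
        Principal = { Service = "cloudtrail.amazonaws.com" }
        Action    = "s3:PutObject"
        Resource  = [
          "${aws_s3_bucket.central_logs.arn}/AWSLogs/${var.org_id}/*",
          "${aws_s3_bucket.central_logs.arn}/AWSLogs/${var.management_account}/*",
        ]
        Condition = { StringEquals = { "s3:x-amz-acl" = "bucket-owner-full-control" } }
      }
    ]
  })
}

# Cross-account role: only principals from the identity account, only with MFA.
resource "aws_iam_role" "ops_sec_role" {
  name = "ops-sec-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { AWS = "arn:aws:iam::${var.identity_account}:root" }
      Condition = { Bool = { "aws:MultiFactorAuthPresent" = "true" } }
    }]
  })
}
```

The `:root` principal delegates to the identity account's own IAM policies, so only the Security Admin group there should be granted `sts:AssumeRole` on this role's ARN.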