by igotroot 1856 days ago
I totally agree with you. A part of my duties is setting up logging from AWS to Splunk, and there are so many gotchas and stumbling blocks that it's infuriating to even attempt to follow best practices.

A great example is CloudTrail. The best practice is to send your OrgTrail (an org-wide CloudTrail) to a separate account for security reasons. Cool. Okay, sounds easy enough. The Splunk docs are useless for AWS, so consulting with YouTube, Reddit, etc. is the go-to for this.

It's so much easier to just leave the OrgTrail logging into the management account it's not even funny.