What is a recommended pattern for sharing services (like identity and logging) across accounts while maintaining strong isolation?


Multiple Choice

What is a recommended pattern for sharing services (like identity and logging) across accounts while maintaining strong isolation?

Explanation:
Sharing services across multiple AWS accounts while keeping strong isolation is best achieved by hosting those services in a dedicated Shared Services account and connecting the consumer accounts to that hub in a controlled way. Put identity services and logging infrastructure in this central account, then enable access from the other accounts through a hub-and-spoke network pattern. Use mechanisms like VPC endpoints, PrivateLink, or a Transit Gateway to privately reach the shared services without opening broad network access. Access should be granted via tightly scoped IAM roles and resource policies, following least privilege and cross-account trust, so each account can assume just the permissions needed to use the shared services. This setup provides centralized governance and consistent policy application, easy auditing, and a clear separation of responsibility, while still enabling efficient sharing of identity and logging.

In contrast, putting all services in a single master account concentrates risk and makes policy enforcement harder and less scalable; granting full administrative rights across every account defeats isolation and increases the blast radius; deploying shared services separately in every account leads to duplication, inconsistency, and higher maintenance overhead.

