Which network design pattern is recommended for sharing services like identity and logging across accounts while maintaining isolation?

Sharing services across multiple AWS accounts while keeping them isolated is best achieved by a dedicated shared services model. Put the identity and logging services in a separate shared services account (or accounts) and connect the member accounts to this central place using private networking options like VPC endpoints or a Transit Gateway. Access to the shared services is granted through cross-account IAM roles and resource policies, so each account can assume roles in the shared services account with the exact permissions it needs. This setup preserves isolation between workloads in different accounts, while giving you centralized control, auditing, and governance over who can access identity and logging data. It also keeps traffic private within the AWS network, rather than exposing services publicly or duplicating them across every account. The other options either duplicate services with weaker controls, grant broad access that undermines isolation, or expose services publicly, which isn’t suitable for secure cross-account sharing.