Which network design pattern is recommended for sharing services like identity and logging across accounts while maintaining isolation?

• A. Deploy shared services in every account and allow unrestricted access
• B. Use a single central service in the management account and grant broad cross-account access
• C. Create dedicated shared services accounts and connect them via VPC endpoints or Transit Gateway, with controlled access via IAM roles and resource policies
• D. Expose all services publicly to the Internet

Answer: (C)

Sharing services across multiple AWS accounts while keeping them isolated is best achieved by a dedicated shared services model. Put the identity and logging services in a separate shared services account (or accounts) and connect the member accounts to this central place using private networking options like VPC endpoints or a Transit Gateway. Access to the shared services is granted through cross-account IAM roles and resource policies, so each account can assume roles in the shared services account with the exact permissions it needs. This setup preserves isolation between workloads in different accounts, while giving you centralized control, auditing, and governance over who can access identity and logging data. It also keeps traffic private within the AWS network, rather than exposing services publicly or duplicating them across every account. The other options either duplicate services with weaker controls, grant broad access that undermines isolation, or expose services publicly, which isn’t suitable for secure cross-account sharing.