Documentation about how to deal with central logging accounts and encrypted CloudTrail logging in AWS
Add a description on how to roll out Sophos Optix in an AWS environment in which an AWS central logging account is used, meaning that all other AWS accounts send their CloudTrail logging to an S3 bucket which is owned by the AWS logging account. Furthermore, it's a best practice that CloudTrail logging is encrypted. The customer needs to change the access policy of the KMS encryption key manually in order to allow the Cloud Optix IAM role to use it for encryption/decryption. This is something that cannot be done automatically by the CloudFormation stack.
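The manual key-policy change described in the comment above, as an added example (this is not Sophos's or the CloudFormation stack's code, and the account IDs, the `CloudOptixRole` role name, the trail ARN and the region are made-up placeholders). Reading SSE-KMS encrypted CloudTrail objects needs only `kms:Decrypt`, so the statement grants that alone, and the `kms:ViaService` condition restricts the grant to requests that arrive through S3 in the log bucket's region. The second function is a simplified policy check so you can confirm the role is allowed before pushing the policy back with `aws kms put-key-policy`:

```python
"""Grant a log-reader IAM role kms:Decrypt on a CloudTrail log key and verify it.

Workflow (illustrative, run in the logging account that owns the key):
  aws kms get-key-policy --key-id <key-arn> --policy-name default --output text > key-policy.json
  python3 this_script.py  > updated-key-policy.json      # adds the reader statement
  aws kms put-key-policy --key-id <key-arn> --policy-name default --policy file://updated-key-policy.json
All identifiers below are constructed placeholders, not real accounts or keys.
"""
import copy
import fnmatch
import json

# Constructed sample key policy: the account-root statement plus the statement
# CloudTrail itself needs to encrypt log files. No reader is allowed yet.
SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Id": "cloudtrail-log-key",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": "kms:*",
            "Resource": "*",
        },
        {
            "Sid": "Allow CloudTrail to encrypt logs",
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "kms:GenerateDataKey*",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:999988887777:trail/*"
                }
            },
        },
    ],
}

LOG_READER_SID = "AllowLogReaderRoleToDecryptCloudTrailLogs"


def add_log_reader_statement(policy, role_arn, region):
    """Return a copy of `policy` with a least-privilege Decrypt grant for `role_arn`.

    Decrypt only (the role reads logs, it never writes them), and only when the
    KMS call is made by S3 on the role's behalf in `region`, so the role cannot
    use the key directly for anything else. Re-running replaces the statement
    with the same Sid instead of appending a duplicate."""
    new_policy = copy.deepcopy(policy)
    new_policy["Statement"] = [
        s for s in new_policy["Statement"] if s.get("Sid") != LOG_READER_SID
    ]
    new_policy["Statement"].append({
        "Sid": LOG_READER_SID,
        "Effect": "Allow",
        "Principal": {"AWS": role_arn},
        "Action": "kms:Decrypt",
        "Resource": "*",
        "Condition": {"StringEquals": {"kms:ViaService": f"s3.{region}.amazonaws.com"}},
    })
    return new_policy


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _via_service_ok(statement, via_service):
    """True if the statement has no kms:ViaService condition or it matches."""
    cond = statement.get("Condition", {}).get("StringEquals", {})
    if "kms:ViaService" not in cond:
        return True
    return via_service in _as_list(cond["kms:ViaService"])


def role_may_decrypt(policy, role_arn, via_service=None):
    """Simplified key-policy evaluation for one principal and one action.

    Allow if some Allow statement names `role_arn` as an AWS principal, covers
    kms:Decrypt (wildcards such as kms:* count) and its ViaService condition is
    met; any matching Deny wins. Only the key policy is evaluated, not the
    role's own IAM policy."""
    allowed = False
    for statement in policy["Statement"]:
        if role_arn not in _as_list(statement.get("Principal", {}).get("AWS")):
            continue
        if not any(fnmatch.fnmatchcase("kms:decrypt", a.lower()) for a in _as_list(statement.get("Action"))):
            continue
        if not _via_service_ok(statement, via_service):
            continue
        if statement["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    # Hypothetical role created by the monitoring product's stack in the logging account.
    role = "arn:aws:iam::111122223333:role/CloudOptixRole"
    updated = add_log_reader_statement(SAMPLE_KEY_POLICY, role, "eu-west-1")
    assert role_may_decrypt(updated, role, "s3.eu-west-1.amazonaws.com")
    print(json.dumps(updated, indent=2))
```

Two caveats when applying this for real: the key policy is only half of a cross-account grant, so if the reader role lives in a different account than the key, that role's identity policy must also allow `kms:Decrypt` on the key ARN, and the log bucket's policy must allow `s3:GetObject` to the role. The `kms:ViaService` condition assumes the logs are only ever read through S3; if the key is also used for something the role calls KMS for directly, drop or widen that condition rather than adding `kms:*`.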
Thanks for the comment, Kees. Does this help?