To meet the requirements of securing access management and implementing a centralized logging solution, the most secure solution would be to:
Install a bastion host in the management account.
Reconfigure all SSH and RDP to allow access only from the bastion host.
Install AWS Systems Manager Agent (SSM Agent) on the bastion host.
Attach the AmazonSSMManagedlnstanceCore role to the bastion host.
Configure session data streaming to Amazon CloudWatch Logs in a separate logging account to audit log data
This solution provides the following security benefits:
It uses AWS Systems Manager Session Manager instead of traditional SSH and RDP protocols, which provides a secure method for accessing EC2 instances without requiring inbound firewall rules or open ports.
It provides audit trails by configuring Session Manager logging to Amazon CloudWatch Logs and creating a separate logging account to audit the log data.
It uses the AWS Systems Manager Agent to automate common administrative tasks and improve the security posture of the instances.
The separate logging account with cross-account permissions provides better data separation and improves security posture.
https://aws.amazon.com/solutions/implementations/centralized-logging/
