This repo provides a code-less solution to aggregating AWS CloudWatch log subscriptions across multiple AWS accounts and regions. It uses Kinesis Firehose (for aggregation and forwarding), EventBridge (for notifications about new log group creation) and Step Functions (for assuming roles cross-account and calling the AWS SDK).

First, you can create a Kinesis Firehose delivery stream (an example is available in firehose.yml) or a Kinesis data stream - this will be the destination that all your logs are forwarded to. You only need to deploy one of these, there doesn't have to be one in each region.

Next, you deploy resources into your logs collection AWS account. This is the logs-account.yml template. You should deploy a stack from this template into every AWS region that you want to collect logs from. It has a few parameters: OrganizationId is the string you get by running aws organizations describe-organization --query 'Organization.Id' and FirehoseArn should be the ARN of the Firehose delivery stream deployed earlier.

Finally, you deploy the every-account.yml template into all the AWS accounts and regions that you want to collect logs from. This stack has a parameter CentralBusAccountId, which is the account ID of the logs collection account hosting the stacks deployed in the previous step.