Central cloudwatch logs group for vpc flowlogs from multiple accounts

Have you taken a look at this blog - https://aws.amazon.com/blogs/architecture/stream-amazon-cloudwatch-logs-to-a-centralized-account-for-audit-and-analysis/

As you know VPC FlowLogs can publish to Amazon S3 or Amazon Cloudwatch.

Publishing flow-logs directly to a log group in another account is not possible, because the VPC Flow-log executes as a service role that you specify with a trust relationship to vpc-flow-logs.amazonaws.com. This service role must exist inside the account that the flow logs reside, it is not possible to assume a role in another account. This process is outlined here.

If you try you will receive the following error: An error occurred (InvalidParameter) when calling the CreateFlowLogs operation: LogDestination must belong to the same account as the API caller.

If VPC Flow-logs pushes logs to an S3 bucket in another account, the the bucket policy grants permission which means that the flow-log uses a service role in the source account, and the bucket policy allows the write from the service role in the source account.

However, if you must publish to a CloudWatch group in another account, you could publish to the CloudWatch group locally in the same account, and the use CloudWatch subscriptions to push the log to Amazon Kinesis streams, Amazon Kinesis Firehose, or to AWS Lambda, which can then publish to CloudWatch log groups in a different account.

Without understanding your use-case, I would suggest sharing the data centrally using Amazon S3 as you do today. When the log lands in the central S3 bucket you could use a Lambda trigger add it to CloudWatch if you must. Something to note, publishing to a CloudWatch log group costs $0.50 per GB in us-east-1, and storing it costs $0.03 per GB. Publishing to S3, will use Kinesis Firehose and Amazon S3: Kinesis Firehose will cost $0.029 per GB and then storage in Amazon S3 would be $0.023 per GB .