How would you design a secure, cross-account access strategy for a centralized logging service in AWS?