In this video, the comments about CloudTrail – around the 4-5 minute mark.
What is the point of copying across logs to a bucket for another account and then not being able to read them?
Separation of duties, but more importantly the concept of least privileged access. You would replicate the bucket and have it restricted to read-only by your security team folks to monitor and audit the logs, but no one else, for example.
Basically, CloudTrail logs can contain sensitive information about your environment.
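
An added example, not part of the comments above or the video: a bucket policy for a log bucket in a separate account that lets CloudTrail write log files but denies object reads to everyone except one security audit role. The bucket name, the account IDs 111111111111 (source account) and 222222222222 (log archive account) and the role name are constructed placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CloudTrailAclCheck",
      "Effect": "Allow",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::example-org-cloudtrail-logs"
    },
    {
      "Sid": "CloudTrailWriteFromSourceAccountPlaceholder",
      "Effect": "Allow",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-org-cloudtrail-logs/AWSLogs/111111111111/*",
      "Condition": {
        "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" }
      }
    },
    {
      "Sid": "DenyReadExceptSecurityAuditRolePlaceholder",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-org-cloudtrail-logs/*",
      "Condition": {
        "ArnNotEquals": {
          "aws:PrincipalArn": "arn:aws:iam::222222222222:role/SecurityAuditReadOnly"
        }
      }
    }
  ]
}
```

The explicit Deny also applies to administrators in the log archive account, so the source account can deliver logs it can no longer read back. The audit role still needs its own identity policy allowing `s3:GetObject` on the bucket.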