In the dedicated security account, create an Amazon S3 bucket with S3 Object Lock configured in compliance mode and set a retention period of 2 years. Adjust the bucket policy to permit the organization's management account to write logs to the S3 bucket.

In the dedicated security account, create an Amazon S3 bucket with S3 Object Lock configured in compliance mode and set a retention period of 2 years. Adjust the bucket policy to allow all member accounts within the organization to write logs to the S3 bucket.

In the dedicated security account, create an Amazon S3 bucket with an S3 Lifecycle configuration that expires objects after 2 years. Modify the bucket policy to allow all member accounts within the organization to write logs to the S3 bucket.

Set up an AWS CloudTrail trail for the entire organization, configuring it to deliver logs to an Amazon S3 bucket located in the dedicated security account.

Enable AWS CloudTrail logging in each individual account, directing the logs to an Amazon S3 bucket in the organization's management account. Use AWS Lambda and Amazon Kinesis Data Firehose to forward these logs to the S3 bucket in the dedicated security account.