Best multi-account architecture for AWS Security Hub consolidation

A few questions to ponder upon while I am looking at our current Cloud Security Posture.

  1. What would be the best multi-account architecture for Security Hub where we want to consolidate all our SH security findings in our Security account, with most of our member accounts needing aggregation from eu-west-1 and us-east-1 into eu-west-2, but selected member accounts also needing aggregation from other regions?

  2. Our current architecture deploys SH in member accounts for eu-west-2 and eu-west-1 by inviting them from SH in our Security account in each region using Terraform. How should we migrate from our current architecture to a best practice architecture (whatever we have as a result of question 1)?

Your thoughts on this?

Previously I also built complex multi-region cross-account automations to perform the create, invite and join process. If I did it again, I would just create SH in the security account for each region and then automate Security Hub to enable all accounts in the organisation from the security account. Do that for each region of interest.

Then consolidate all regions into your region of choice (recent feature announcement).
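One way to express the approach described in the reply in Terraform, given here as an added example that is not part of the original thread and not either poster's code. It assumes AWS provider 5.x resource names (`aws_securityhub_organization_admin_account`, `aws_securityhub_organization_configuration`, `aws_securityhub_finding_aggregator`), a management account and a Security account whose IDs come in as variables, and placeholder role names for the credentials; only eu-west-2 and eu-west-1 are written out, with us-east-1 and any extra Region following the same two-resource pattern.

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0"
    }
  }
}

# Assumed inputs; account IDs and role names below are placeholders.
variable "management_account_id" { type = string }
variable "security_account_id"   { type = string }

# Only the Organizations management account may designate the Security Hub
# delegated administrator, and the designation is made per Region, so one
# management-account alias is needed for each Region of interest.
provider "aws" {
  alias  = "mgmt_eu_west_2"
  region = "eu-west-2"
  assume_role { role_arn = "arn:aws:iam::${var.management_account_id}:role/PLACEHOLDER-TerraformRole" }
}
provider "aws" {
  alias  = "mgmt_eu_west_1"
  region = "eu-west-1"
  assume_role { role_arn = "arn:aws:iam::${var.management_account_id}:role/PLACEHOLDER-TerraformRole" }
}

# The Security account (the future delegated administrator), one alias per Region.
provider "aws" {
  alias  = "sec_eu_west_2"
  region = "eu-west-2"
  assume_role { role_arn = "arn:aws:iam::${var.security_account_id}:role/PLACEHOLDER-TerraformRole" }
}
provider "aws" {
  alias  = "sec_eu_west_1"
  region = "eu-west-1"
  assume_role { role_arn = "arn:aws:iam::${var.security_account_id}:role/PLACEHOLDER-TerraformRole" }
}

# --- eu-west-2: the aggregation Region -------------------------------------
# Step 1 (management account): make the Security account the delegated
# administrator in this Region. Assumption: if the API insists on Security Hub
# being enabled in the management account first, add an aws_securityhub_account
# resource under the same provider alias and depend on it here.
resource "aws_securityhub_organization_admin_account" "eu_west_2" {
  provider         = aws.mgmt_eu_west_2
  admin_account_id = var.security_account_id
}

# Step 2 (Security account): auto-enable every current and future organization
# member in this Region. No invitations and no per-member Terraform are needed.
resource "aws_securityhub_organization_configuration" "eu_west_2" {
  provider              = aws.sec_eu_west_2
  auto_enable           = true
  auto_enable_standards = "DEFAULT"
  depends_on            = [aws_securityhub_organization_admin_account.eu_west_2]
}

# --- eu-west-1: a linked Region. Repeat these two resources for us-east-1 and
# for any other Region that selected members need. ---------------------------
resource "aws_securityhub_organization_admin_account" "eu_west_1" {
  provider         = aws.mgmt_eu_west_1
  admin_account_id = var.security_account_id
}

resource "aws_securityhub_organization_configuration" "eu_west_1" {
  provider              = aws.sec_eu_west_1
  auto_enable           = true
  auto_enable_standards = "DEFAULT"
  depends_on            = [aws_securityhub_organization_admin_account.eu_west_1]
}

# Step 3: cross-Region aggregation. Created once, in the aggregation Region of
# the administrator account; findings from every linked Region and every member
# are replicated into eu-west-2. A member that has no Security Hub in a linked
# Region simply contributes nothing from there, so the extra Regions that only
# some members use can be listed here without affecting the others.
resource "aws_securityhub_finding_aggregator" "eu_west_2" {
  provider          = aws.sec_eu_west_2
  linking_mode      = "SPECIFIED_REGIONS"
  specified_regions = ["eu-west-1", "us-east-1"]
  depends_on        = [aws_securityhub_organization_configuration.eu_west_2]
}
```

The three steps map onto the reply: designate the administrator per Region, let the organization configuration enrol members instead of invitations, then link Regions into the home Region with a single aggregator. Because the organization configuration replaces the invite mechanism, the invitation-based member resources of the existing per-Region setup stop being the thing that enrols accounts; retiring them one Region at a time, and checking the member list in the administrator account after each Region, keeps the migration observable.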