I do not have any specific perspective on how this is best done. I believe being able to run inside a closed environment might be preferable, logs do contain pretty sensitive stuff. Perhaps a container that pulls from CloudWatch might be an option?