Splunk has multiple methods in regards to Getting Data In (GDI). One very popular method is the Http Event Collector (HEC). The use of the HEC allows data ingestion into Splunk via HTTP POST messages. Two popular methods that send POST messages out of AWS into Splunk are the AWS services: Lambda and Firehose.
Explore scenarios where multiple AWS accounts are configured to log Cloudtrail and Config into a consolidated S3 bucket.
Having the ability to mount S3 storage for some customers will allow for a tiered approach to storage.