Designating a delegated GuardDuty administrator account and managing members by using the GuardDuty console - Amazon GuardDuty

Step 1 – Designate a delegated GuardDuty administrator account for your organization

  1. Open the GuardDuty console at https://console.aws.amazon.com/guardduty/.

    To log in, use the management account credentials for your AWS Organizations organization.

  2. If you have already enabled GuardDuty for the management account, skip this step and follow the next step.

    If you haven't enabled GuardDuty yet, select Get Started, and then designate a delegated GuardDuty administrator account on the Welcome to GuardDuty page.

    Note

    The management account must have the GuardDuty service-linked role (SLR) so that the delegated GuardDuty administrator account can enable and manage GuardDuty in that account. Once you enable GuardDuty in a Region for the management account, this SLR gets created automatically.

  3. Do this step after you have enabled GuardDuty for the management account. In the navigation pane of the GuardDuty console, choose Settings. On the Settings page, enter the 12-digit AWS account ID of the account that you want to designate as the delegated GuardDuty administrator account for the organization.

    Make sure to enable GuardDuty for your newly designated delegated GuardDuty administrator account, otherwise it won't be able to take any action.

  4. Choose Delegate.

  5. (Recommended) Repeat the previous step to designate the delegated GuardDuty administrator account in each AWS Region where you have GuardDuty enabled.

Step 2 – Configuring auto-enable preferences for your organization

  1. Open the GuardDuty console at https://console.aws.amazon.com/guardduty/.

    To sign in, use the GuardDuty administrator account credentials.

  2. In the navigation pane, choose Accounts.

    The Accounts page provides configuration options to the GuardDuty administrator account to Auto-enable GuardDuty and the optional protection plans on behalf of the member accounts that belong to the organization.

  3. To update the existing auto-enable settings, choose Edit.

    As a delegated GuardDuty administrator account, you can auto-enable GuardDuty and the optional protection plans on behalf of the member accounts in your organization. To update the auto-enable settings, choose Edit to open the Manage auto-enable preferences dialog window.

    This support is available to configure GuardDuty and all of the supported optional protection plans in your AWS Region. You can select one of the following configuration options for GuardDuty on behalf of your member accounts:

    • Enable for all accounts (ALL) – Select to enable the corresponding option for all the accounts in an organization. This includes new accounts that join the organization and those accounts that may have been suspended or removed from the organization. This also includes the delegated GuardDuty administrator account.

      Note

      It may take up to 24 hours to update the configuration for all member accounts.

    • Auto-enable for new accounts (NEW) – Select to enable GuardDuty or the optional protection plans for only new member accounts automatically when they join your organization.

    • Do not enable (NONE) – Select to prevent enabling the corresponding option for new accounts in your organization. In this case, the GuardDuty administrator account will manage each account individually.

      When you update the auto-enable setting from ALL or NEW to NONE, this action doesn't disable the corresponding option for your existing accounts. This configuration will apply to the new accounts that join the organization. After you update the auto-enable settings, no new account will have the corresponding option as enabled.

    Note

    When a delegated GuardDuty administrator account opts out of an opt-in Region, even if your organization has the GuardDuty auto-enable configuration set to either new member accounts only (NEW) or all member accounts (ALL), GuardDuty cannot be enabled for any member account in the organization that currently has GuardDuty disabled. For information about the configuration of your member accounts, open Accounts in the GuardDuty console navigation pane or use the ListMembers API.

  4. Choose Save changes.

  5. (Optional) If you want to use the same preferences in each Region, update your preferences in each of the supported Regions separately.

    Some of the optional protection plans may not be available in all the AWS Regions where GuardDuty is available. For more information, see Regions and endpoints.

Step 3 – Add accounts as members to your organization

  1. Open the GuardDuty console at https://console.aws.amazon.com/guardduty/.

    To log in, use the delegated GuardDuty administrator account credentials.

  2. In the navigation pane, choose Accounts.

    The accounts table displays all of the accounts that are added either Via Organizations (AWS Organizations) or By Invitation. If a member account is not associated with the organization's GuardDuty administrator account, the Status of this member account is Not a member.

  3. Select one or multiple account IDs that you want to add as members. These accounts must have Via Organizations as their Type.

    Accounts that are added through invitation are not a part of your organization. You can manage such accounts individually. For more information, see Managing accounts by invitation.

  4. Choose the Actions dropdown and then choose Add member. After you add this account as a member, the auto-enable GuardDuty configuration will apply. Based on the settings in Step 1 – Designate a delegated GuardDuty administrator account for your organization, the GuardDuty configuration of these accounts may change.

  5. You can select the down arrow of the Status column to sort the accounts by the Not a member status and then choose each account that doesn't have GuardDuty enabled in the current Region.

    If none of the accounts listed in the accounts table have been added as a member yet, you can enable GuardDuty in the current Region for all organization accounts. Choose Enable in the banner at the top of the page. This action automatically turns on the Auto-enable GuardDuty configuration so that GuardDuty gets enabled for any new account that joins the organization.

  6. Choose Confirm to add the accounts as members. This action also enables GuardDuty for all of the selected accounts. The Status for the accounts will change to Enabled.

  7. (Recommended) Repeat these steps in each AWS Region. This ensures that the delegated GuardDuty administrator account can manage findings and other configurations for member accounts in all the Regions where you have GuardDuty enabled.

    The auto-enable feature enables GuardDuty for all future members of your organization. This allows your delegated GuardDuty administrator account to manage any new members that are created within or get added to the organization. When the number of member accounts reaches the limit of 50,000, the Auto-enable feature is automatically turned off. If you remove a member account and the total number of members decreases to fewer than 50,000, the Auto-enable feature turns back on.
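The two checks that Step 2 and Step 3 leave to the operator, confirming that auto-enable is ALL in every Region and that no organization account is still Not a member or otherwise not Enabled, can be scripted from the same data the console shows. The following is an added example, not code from the GuardDuty documentation or the AWS SDK: it audits already-fetched responses from DescribeOrganizationConfiguration (field AutoEnableOrganizationMembers) and ListMembers (field RelationshipStatus) together with the organization's account list. The sample responses, account IDs and Region names are constructed, and the function names (audit, summarize, and so on) are this example's own.

```python
"""Audit GuardDuty organization coverage per Region from API responses.

Added example, not AWS documentation code. It runs offline on the constructed
responses below; in practice each Region's data would come from
    gd.describe_organization_configuration(DetectorId=det)["AutoEnableOrganizationMembers"]
    gd.list_members(DetectorId=det, OnlyAssociated="false")["Members"]
where gd is a boto3 GuardDuty client for the delegated administrator account.
"""
from typing import Dict, Iterable, List, Optional

ENABLED = "Enabled"

# Constructed sample: every organization account (what Organizations ListAccounts would return).
ORG_ACCOUNTS = ["111111111111", "222222222222", "333333333333", "444444444444"]

# Constructed sample: per-Region view as the delegated administrator would see it.
SAMPLE = {
    "us-east-1": {
        "AutoEnableOrganizationMembers": "ALL",
        "Members": [
            {"AccountId": "111111111111", "RelationshipStatus": "Enabled"},
            {"AccountId": "222222222222", "RelationshipStatus": "Enabled"},
            {"AccountId": "333333333333", "RelationshipStatus": "Disabled"},
            # 444444444444 has never been added as a member here: "Not a member" in the console
        ],
    },
    "eu-west-1": {
        "AutoEnableOrganizationMembers": "NEW",
        "Members": [
            {"AccountId": "111111111111", "RelationshipStatus": "Enabled"},
            {"AccountId": "222222222222", "RelationshipStatus": "Created"},
        ],
    },
}


def members_not_enabled(members: Iterable[dict]) -> List[str]:
    """Member account IDs whose RelationshipStatus is anything other than Enabled.

    Created, Invited, Disabled, Removed and Resigned all mean GuardDuty is not
    being managed for that account in this Region."""
    return sorted(m["AccountId"] for m in members if m.get("RelationshipStatus") != ENABLED)


def accounts_not_member(members: Iterable[dict], org_accounts: Iterable[str]) -> List[str]:
    """Organization accounts absent from ListMembers altogether ("Not a member")."""
    known = {m["AccountId"] for m in members}
    return sorted(a for a in org_accounts if a not in known)


def audit(snapshot: Dict[str, dict], org_accounts: Iterable[str],
          regions: Optional[Iterable[str]] = None) -> Dict[str, dict]:
    """Build a per-Region gap report. A Region listed in `regions` but missing from
    `snapshot` (GuardDuty not enabled for the administrator there, or an opt-in
    Region that was opted out) counts every account as uncovered."""
    org_accounts = list(org_accounts)
    regions = list(regions) if regions is not None else sorted(snapshot)
    report: Dict[str, dict] = {}
    for region in regions:
        data = snapshot.get(region)
        if data is None:
            report[region] = {"auto_enable": None, "auto_enable_is_all": False,
                              "not_enabled": [], "not_member": sorted(org_accounts)}
            continue
        setting = data.get("AutoEnableOrganizationMembers")
        members = data.get("Members", [])
        report[region] = {
            "auto_enable": setting,
            "auto_enable_is_all": setting == "ALL",
            "not_enabled": members_not_enabled(members),
            "not_member": accounts_not_member(members, org_accounts),
        }
    return report


def has_gaps(report: Dict[str, dict]) -> bool:
    return any(not r["auto_enable_is_all"] or r["not_enabled"] or r["not_member"]
               for r in report.values())


def summarize(report: Dict[str, dict]) -> List[str]:
    """Human-readable lines, one per gap, in Region order."""
    lines = []
    for region, r in sorted(report.items()):
        if not r["auto_enable_is_all"]:
            lines.append(f"{region}: auto-enable is {r['auto_enable']}, not ALL; "
                         "existing accounts must be managed individually")
        for a in r["not_enabled"]:
            lines.append(f"{region}: {a} is a member but GuardDuty is not Enabled")
        for a in r["not_member"]:
            lines.append(f"{region}: {a} is Not a member; add it from the Accounts page")
    return lines


if __name__ == "__main__":
    for line in summarize(audit(SAMPLE, ORG_ACCOUNTS, ["us-east-1", "eu-west-1", "ap-south-1"])):
        print(line)
```

Passing an explicit Region list (every Region where the organization is expected to have GuardDuty) is what makes the opt-out caveat from Step 2 visible: a Region with no detector for the administrator shows up with every account flagged rather than silently dropping out of the report.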

(Optional) Step 4 – Configure protection plans for individual accounts

You can configure protection plans for individual accounts through the Accounts page.

  1. Open the GuardDuty console at https://console.aws.amazon.com/guardduty/.

    Use the delegated GuardDuty administrator account credentials.

  2. In the navigation pane, choose Accounts.

  3. Select one or more accounts for which you want to configure a protection plan. Repeat the following steps for each protection plan that you want to configure:

    1. Choose Edit Protection Plans.

    2. From the list of protection plans, choose one protection plan that you want to configure.

    3. Choose one of the actions that you want to perform for this protection plan, and then choose Confirm.

    4. For the selected account, the column corresponding to the configured protection plan will show the updated configuration as Enabled or Not enabled.