Managing multiple accounts in Amazon GuardDuty

To manage multiple accounts in Amazon GuardDuty, you must choose a single AWS account to be the administrator account for GuardDuty. You can then associate other AWS accounts with the administrator account as member accounts. There are two ways to associate accounts with a GuardDuty administrator account: either through an AWS Organizations organization that both accounts are members of, or by sending an invitation through GuardDuty.

GuardDuty recommends using the AWS Organizations method. For more information about setting up an organization, see Creating an organization in the AWS Organizations User Guide.

Managing multiple accounts with AWS Organizations

If the account that you want to specify as the GuardDuty administrator account is part of an organization in AWS Organizations, then you can specify that account as the organization's delegated administrator for GuardDuty. The account that is registered as the delegated administrator automatically becomes the GuardDuty administrator account.

You can use this administrator account to enable and manage GuardDuty for any account in the organization when you add that account as a member account.

If you already have a GuardDuty administrator account with associated member accounts by invitation, you can register that account as the GuardDuty delegated administrator for the organization. When you do, all currently associated member accounts remain members, allowing you to take full advantage of the added functionality of managing your GuardDuty accounts with AWS Organizations.

For more information about supporting multiple accounts in GuardDuty through an organization, see Managing GuardDuty accounts with AWS Organizations.

Managing multiple accounts by invitation

If the accounts you want to associate are not part of your AWS Organizations organization, you can specify an administrator account in GuardDuty and then use that administrator account to invite other AWS accounts to become member accounts. When an invited account accepts the invitation, it becomes a GuardDuty member account associated with the administrator account.

For more information about supporting multiple accounts by invitation in GuardDuty, see Managing GuardDuty accounts by invitation.
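The two association flows described above (registering a delegated administrator through AWS Organizations, and inviting accounts directly) expressed as AWS CLI calls. This is an added example, not code from the GuardDuty documentation: the subcommands are real AWS CLI commands, but every account ID, e-mail address, detector ID and invitation ID is a placeholder constructed for the example, and the AWS variable is a convention of this script, not of the CLI.

```shell
#!/bin/sh
# Added example, not part of the GuardDuty documentation: the two association
# flows expressed as AWS CLI calls. Every account ID, e-mail address, detector
# ID and invitation ID used here is a constructed placeholder. The AWS variable
# lets you point at a wrapper (for example AWS=echo) to review the commands
# before running them against a real account.
AWS="${AWS:-aws}"

# Return the ID of the GuardDuty detector in the calling account and Region.
# Member and administrator operations are all scoped to a detector.
current_detector() {
    "$AWS" guardduty list-detectors --query 'DetectorIds[0]' --output text
}

# --- Flow 1: AWS Organizations ------------------------------------------

# Step 1, run from the organization's management account: register the given
# account as the delegated administrator for GuardDuty. That account becomes
# the GuardDuty administrator account.
org_delegate_admin() {
    "$AWS" guardduty enable-organization-admin-account --admin-account-id "$1"
}

# Step 2, run from the delegated administrator: turn on auto-enable so that
# accounts added as members get GuardDuty enabled without any action on their
# side. $1 is the administrator's detector ID.
org_auto_enable() {
    "$AWS" guardduty update-organization-configuration \
        --detector-id "$1" --auto-enable
}

# Step 3, run from the delegated administrator: add an organization account as
# a member. No invitation is needed because both accounts are in the
# organization. $1 detector ID, $2 member account ID, $3 member root e-mail.
org_add_member() {
    "$AWS" guardduty create-members --detector-id "$1" \
        --account-details "AccountId=$2,Email=$3"
}

# --- Flow 2: invitation -------------------------------------------------

# Step 1, run from the administrator account: register the account as a
# prospective member, then send it an invitation.
invite_member() {
    "$AWS" guardduty create-members --detector-id "$1" \
        --account-details "AccountId=$2,Email=$3" &&
    "$AWS" guardduty invite-members --detector-id "$1" \
        --account-ids "$2" --message "GuardDuty membership invitation"
}

# Step 2, run from the invited account, which must already have its own
# detector (GuardDuty enabled): list pending invitations, then accept one.
# $1 invited account's detector ID, $2 administrator account ID, $3 invitation
# ID taken from list-invitations. Older CLI releases expose the same call as
# "accept-invitation --master-id".
list_pending_invitations() {
    "$AWS" guardduty list-invitations
}
accept_invitation() {
    "$AWS" guardduty accept-administrator-invitation --detector-id "$1" \
        --administrator-id "$2" --invitation-id "$3"
}
```

Source the file and call the functions from the account each step belongs to: the Organizations steps from the management account and then the delegated administrator, the invitation steps from the administrator and then the invited account. Running with AWS=echo prints the exact commands without contacting AWS, which is a useful check before touching production accounts.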

Understanding the relationship between GuardDuty administrator and member accounts

When you use GuardDuty in a multiple-account environment, the administrator account can manage certain aspects of GuardDuty on behalf of the member accounts. The primary functions the administrator account can perform are the following:

  • Add and remove associated member accounts. The process differs depending on whether the accounts are associated through AWS Organizations or by invitation.

  • Manage the status of GuardDuty within associated member accounts, including enabling and suspending GuardDuty.

    Note

    Delegated administrator accounts managed with AWS Organizations automatically enable GuardDuty in accounts added as members.

  • Customize findings within the GuardDuty network through the creation and management of suppression rules, trusted IP lists, and threat lists. Member accounts lose access to these features in a multiple-account environment.

The following table details the relationship between GuardDuty administrator and member accounts.

Account designations listed as Self can take the listed action only in their own accounts. A designation of Any indicates that the account can perform the described action for any associated account, and All denotes actions that are applied to all associated accounts when taken by the designated account. Table cells with dashes (–) indicate that an account of that designation cannot perform the listed action.

Action                                                     | Administrator   | Administrator   | Member
                                                           | (organizations) | (by invitation) |
-----------------------------------------------------------+-----------------+-----------------+-------
View accounts from your AWS Organizations organization     | Any             | –               | –
Automatically Enable S3 Threat Detection for New Accounts  | All             | –               | –
Enable GuardDuty                                           | Any             | –               | Self
View GuardDuty findings                                    | Any             | Any             | Self
Archive findings                                           | Any             | Any             | –
Apply suppression rules                                    | All             | All             | –
Generate sample findings                                   | Self            | Self            | Self
Create trusted IP or threat lists                          | All             | All             | –
Update trusted IP or threat lists                          | All             | All             | –
Delete trusted IP or threat lists                          | All             | All             | –
Set CloudWatch Events notification frequency               | All             | All             | –
Set Amazon S3 location for exporting findings              | All             | All             | –
Suspend GuardDuty                                          | Any*            | Any*            | –

* Indicates this action must be taken for all associated accounts before being taken in the designated account.