
Managing multiple accounts in Amazon GuardDuty

When your AWS environment has multiple accounts, you can manage them by designating one AWS account as your administrator account. You can then associate other AWS accounts with this administrator account as its member accounts. This designated GuardDuty administrator account can configure the protection plans. Within GuardDuty, there are two ways to associate accounts with an administrator account: create an organization by using AWS Organizations, so that both the administrator account and one or more member accounts belong to that organization, or send an invitation to an AWS account through GuardDuty.

GuardDuty recommends using the AWS Organizations method. For more information about setting up an organization, see Creating an organization in the AWS Organizations User Guide.

Managing multiple accounts with AWS Organizations

If the account that you want to specify as the GuardDuty administrator account is part of an organization in AWS Organizations, then you can specify that account as the organization's delegated administrator for GuardDuty. The account that is registered as the delegated administrator automatically becomes the GuardDuty administrator account.

You can use this administrator account to enable and manage GuardDuty for any AWS account in the organization when you add that account as a member account.

If you already have a GuardDuty administrator account with associated member accounts by invitation, you can register that account as the GuardDuty delegated administrator for the organization. When you do, all currently associated member accounts remain members, allowing you to take full advantage of the added functionality of managing your GuardDuty accounts with AWS Organizations.

For more information about supporting multiple accounts in GuardDuty through an organization, see Managing GuardDuty accounts with AWS Organizations.

Managing multiple accounts by invitation

If the accounts that you want to associate are not a part of your organization, you can specify an administrator account in GuardDuty and then use the administrator account to invite other AWS accounts to become member accounts. When the invited account accepts the invitation, that account becomes a GuardDuty member account associated with the administrator account.

For more information about supporting multiple accounts by invitation in GuardDuty, see Managing GuardDuty accounts by invitation.
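The two association methods described above (delegated administrator through AWS Organizations, and invitation from an administrator account to a member account), as an added example in the form of POSIX shell wrappers around the AWS CLI. This is not code from the GuardDuty documentation. It assumes the AWS CLI is configured for the account and Region in which each function is meant to run (management account, administrator account, or member account, as noted in the comments); the `AWS_CLI` override variable and the `gd_*` function names are this example's own, and the detector ID, account IDs and email in the usage lines are constructed values. Each step reads back the resulting state (AdminStatus, UnprocessedAccounts, RelationshipStatus) because several of these calls return success even when an account was not processed.

```shell
#!/bin/sh
# Added example, not from the GuardDuty documentation: wrappers around the
# AWS CLI "aws guardduty" commands for the two account-association methods.
# Assumption: the CLI is configured for the account/Region each function
# targets. AWS_CLI is a hypothetical override hook for testing.
AWS="${AWS_CLI:-aws}"

# Return the detector ID for the calling account and Region, creating a detector
# if none exists yet (list-detectors prints "None" for an empty DetectorIds list).
gd_detector_id() {
  gd_id=$("$AWS" guardduty list-detectors --query 'DetectorIds[0]' --output text) || return 1
  if [ -z "$gd_id" ] || [ "$gd_id" = "None" ]; then
    gd_id=$("$AWS" guardduty create-detector --enable --query 'DetectorId' --output text) || return 1
  fi
  printf '%s\n' "$gd_id"
}

# Organizations method, step 1. Run from the organization's management account:
# register $1 as the delegated administrator for GuardDuty, then print its
# AdminStatus so the caller can confirm the registration took effect (ENABLED).
gd_delegate_admin() {
  "$AWS" guardduty enable-organization-admin-account --admin-account-id "$1" || return 1
  "$AWS" guardduty list-organization-admin-accounts \
    --query "AdminAccounts[?AdminAccountId=='$1'].AdminStatus | [0]" --output text
}

# Organizations method, step 2. Run from the delegated administrator account:
# enable GuardDuty automatically for all current and future organization members.
gd_auto_enable_members() {
  "$AWS" guardduty update-organization-configuration \
    --detector-id "$1" --auto-enable-organization-members ALL
}

# Invitation method, administrator side. Add account $2 (root email $3) as a
# member of detector $1 and send it an invitation. Both calls exit 0 even when
# an account could not be handled, so UnprocessedAccounts is checked explicitly.
gd_invite_member() {
  gd_bad=$("$AWS" guardduty create-members --detector-id "$1" \
    --account-details "AccountId=$2,Email=$3" \
    --query 'UnprocessedAccounts[].AccountId' --output text) || return 1
  [ -z "$gd_bad" ] || { echo "create-members did not process: $gd_bad" >&2; return 1; }
  gd_bad=$("$AWS" guardduty invite-members --detector-id "$1" --account-ids "$2" \
    --message "Please accept this GuardDuty administrator invitation" \
    --query 'UnprocessedAccounts[].AccountId' --output text) || return 1
  [ -z "$gd_bad" ] || { echo "invite-members did not process: $gd_bad" >&2; return 1; }
}

# Invitation method, member side. Run from the invited account: look up the
# pending invitation from administrator $2, accept it against the member's own
# detector $1, and print the resulting RelationshipStatus ("Enabled" on success).
gd_accept_invitation() {
  gd_inv=$("$AWS" guardduty list-invitations \
    --query "Invitations[?AccountId=='$2'].InvitationId | [0]" --output text) || return 1
  if [ -z "$gd_inv" ] || [ "$gd_inv" = "None" ]; then
    echo "no pending invitation from account $2" >&2; return 1
  fi
  "$AWS" guardduty accept-administrator-invitation --detector-id "$1" \
    --administrator-id "$2" --invitation-id "$gd_inv" || return 1
  "$AWS" guardduty get-administrator-account --detector-id "$1" \
    --query 'Administrator.RelationshipStatus' --output text
}

# Usage (account IDs and email are constructed placeholders):
#   sh gd-accounts.sh delegate 111122223333        # from the management account
#   sh gd-accounts.sh auto-enable                  # from the delegated administrator
#   sh gd-accounts.sh invite 444455556666 member@example.com   # from the administrator
#   sh gd-accounts.sh accept 111122223333          # from the invited member account
case "${1:-}" in
  delegate)    gd_delegate_admin "$2" ;;
  auto-enable) gd_auto_enable_members "$(gd_detector_id)" ;;
  invite)      gd_invite_member "$(gd_detector_id)" "$2" "$3" ;;
  accept)      gd_accept_invitation "$(gd_detector_id)" "$2" ;;
esac
```

The `--query` expressions are JMESPath filters evaluated client-side by the AWS CLI, which is why the same command can both perform the action and return the single field worth checking; running `gd_delegate_admin` on an account that is not in the organization, or `gd_accept_invitation` before the invitation has been sent, fails on the read-back rather than silently succeeding.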