Managing multiple accounts with AWS Organizations Managing multiple accounts by invitation GuardDuty administrator and member account relationships

Managing multiple accounts in Amazon GuardDuty

To manage multiple accounts in Amazon GuardDuty, you must choose a single AWS account to be the administrator account for GuardDuty. You can then associate other AWS accounts with the administrator account as member accounts. There are two ways to associate accounts with a GuardDuty administrator account: either through an AWS Organizations organization that both accounts are members of, or by sending an invitation through GuardDuty.

GuardDuty recommends using the AWS Organizations method. For more information about setting up an organization, see Creating an organization in the AWS Organizations User Guide.

Managing multiple accounts with AWS Organizations

If the account that you want to specify as the GuardDuty administrator account is part of an organization in AWS Organizations, then you can specify that account as the organization's delegated administrator for GuardDuty. The account that is registered as the delegated administrator automatically becomes the GuardDuty administrator account.

You can use this administrator account to enable and manage GuardDuty for any account in the organization when you add that account as a member account.

If you already have a GuardDuty administrator account with associated member accounts by invitation, you can register that account as the GuardDuty delegated administrator for the organization. When you do, all currently associated member accounts remain members, allowing you to take full advantage of the added functionality of managing your GuardDuty accounts with AWS Organizations.

For more information about supporting multiple accounts in GuardDuty through an organization see Managing GuardDuty accounts with AWS Organizations.

Managing multiple accounts by invitation

If the accounts you want to associate are not part of your AWS Organizations organization, you can specify a administrator account in GuardDuty and then use the administrator account to invite other AWS accounts to become member accounts. When the invited account accepts the invitation, that account becomes a GuardDuty member account associated with the administrator account.

For more information about supporting multiple accounts by Invitation in GuardDuty see Managing GuardDuty accounts by invitation.

Understanding the relationship between GuardDuty administrator and member accounts

When you use GuardDuty in a multiple-account environment, the administrator account can manage certain aspects of GuardDuty on behalf of the member accounts. The primary functions the administrator account can perform are the following:

Add and remove associated member accounts. The process by which this is done differs based on whether the accounts are associated through organizations or by invitation.
Manage the status of GuardDuty within associated member accounts, including enabling and suspending GuardDuty.

Note
Delegated administrator accounts managed with AWS Organizations automatically enable GuardDuty in accounts added as members.
Customize findings within the GuardDuty network through the creation and management of suppression rules, trusted IP lists, and threat lists. Member accounts lose access to these features in a multiple-account environment.

The following table details the relationship between GuardDuty administrator and member accounts.

Account designations listed as Self can take the listed action only in their own accounts. A designation of Any indicates that account can perform the described action for any associated account, and All denotes actions that are applied to all associated accounts when taken by the designated account. Table cells with dashes (–) indicate that an account of that designation cannot perform the listed action.

Action	Designation
	administrator	administrator	Member
	(organizations)‌	(by invitation)	Member
View all AWS Organizations member accounts regardless of GuardDuty status	Any	—	—
Automatically enable S3 Protection for new accounts	All
Automatically enable EKS Protection for new accounts	All
Automatically enable Malware Protection for new accounts	All
Enable GuardDuty	Any	Self	—
View GuardDuty findings	Any	Any	Self
Archive findings	Any	Any	—
Apply suppression rules	All	All	—
Generate sample findings	Self	Self	Self
Create trusted or threat IP lists	All	All	—
Update trusted or threat IP lists	All	All	—
Delete trusted or threat IP lists	All	All	—
Set EventBridge notification frequency	All	All	Self
Set Amazon S3 location for exporting findings	All	All	Self
Suspend GuardDuty	Any*	Any*	—

* Indicates this action must be taken for all associated accounts before being taken in the designated account.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Remediating a compromised database

Managing accounts with AWS Organizations