Managing GuardDuty accounts with AWS Organizations - Amazon GuardDuty

Managing GuardDuty accounts with AWS Organizations

When you use GuardDuty with an AWS organization, the management account of that organization can designate any account within the organization as the delegated GuardDuty administrator account. For this administrator account, GuardDuty gets enabled automatically only in the designated AWS Region. This account also has the permission to enable and manage GuardDuty for all of the accounts in the organization within that Region. The administrator account can view the members of and add members to this AWS organization.

If you have already set up a GuardDuty administrator account with associated member accounts by invitation and the member accounts are part of the same organization, their Type changes from By Invitation to Via Organizations when you set a delegated GuardDuty administrator account for your organization. If a delegated GuardDuty administrator account previously added members by invitation that are not part of the same organization, their Type remains By Invitation. In both the cases, the previously added accounts are member accounts that are associated with the organization's delegated GuardDuty administrator account.

You can continue to add accounts as members even if they are outside of your organization. For more information, see Adding and managing accounts by invitations or Designating a delegated GuardDuty administrator account and managing members by using the GuardDuty console.

Considerations and recommendations when designating a delegated GuardDuty administrator account

The following considerations and recommendations can help you understand how a delegated GuardDuty administrator account operates in GuardDuty:

A delegated GuardDuty administrator account can manage a maximum of 50,000 members.

There is a limit of 50,000 member accounts per delegated GuardDuty administrator account. This includes member accounts that are added through AWS Organizations or those who accepted the GuardDuty administrator account's invitation to join their organization. However, there could be more than 50,000 accounts in your AWS organization.

If you exceed the 50,000 member accounts limit, you will receive a notification from CloudWatch, AWS Health Dashboard, and an email to the designated delegated GuardDuty administrator account.

A delegated GuardDuty administrator account is Regional.

Unlike AWS Organizations, GuardDuty is a Regional service. The delegated GuardDuty administrator accounts and their member accounts must be added through AWS Organizations in each desired Region where you have GuardDuty enabled. If the organization management account designates a delegated GuardDuty administrator account in only US East (N. Virginia), then delegated GuardDuty administrator account will only manage member accounts added to the organization in that Region. For more information about feature parity in Regions where GuardDuty is available, see Regions and endpoints.

Special cases for opt-in Regions
  • When a delegated GuardDuty administrator account opts out of an opt-in Region, even if your organization has the GuardDuty auto-enable configuration set to either new member accounts only (NEW) or all member accounts (ALL), GuardDuty cannot be enabled for any member account in the organization that currently has GuardDuty disabled. For information about the configuration of your member accounts, open Accounts in the GuardDuty console navigation pane or use the ListMembers API.

  • When working with the GuardDuty auto-enable configuration set to NEW, ensure that the following sequence is met:

    1. The member accounts opt-in to an opt-in Region.

    2. Add the member accounts to your organization in AWS Organizations.

    If you change the order of these steps, the GuardDuty auto-enable setting with NEW will not work in the specific opt-in Region because the member account is no longer new to the organization. GuardDuty provides two alternate solutions:

    • Set the GuardDuty auto-enable configuration to ALL, that includes new and existing members accounts. In this case, the order of these steps is not relevant.

    • If a member account is already a part of your organization, manage the GuardDuty configuration for this account individually in the specific opt-in Region by using the GuardDuty console or the API.

Required for an AWS organization to have the same delegated GuardDuty administrator account across all the AWS Regions.

You must designate one member account as the delegated GuardDuty administrator account across all the AWS Regions where GuardDuty is enabled. For example, if you designate a member account 111122223333 in Europe (Ireland), you can't another member account 555555555555 in Canada (Central). It is required that you use the same account as delegated GuardDuty administrator account in all other Regions.

You can designate a new delegated GuardDuty administrator account at any point in time. For more information about removing the existing delegated GuardDuty administrator account, see Changing the delegated GuardDuty administrator account.

Not recommended to set your organization's management account as the delegated GuardDuty administrator account.

Your organization's management account can be the delegated GuardDuty administrator account. However, the AWS security best practices follow the principle of least privilege and doesn't recommend this configuration.

Changing a delegated GuardDuty administrator account does not disable GuardDuty for member accounts.

If you remove a delegated GuardDuty administrator account, GuardDuty removes all the member accounts associated with this delegated GuardDuty administrator account. GuardDuty still remains enabled for all these member accounts.