GuardDuty Centrally Managed
Overview
This check verifies that Amazon GuardDuty is managed through centralized administration. GuardDuty is AWS's threat detection service that continuously monitors for malicious activity and unauthorized behavior. When you have multiple AWS accounts, each account could run GuardDuty independently, but this creates fragmented visibility. Centralized management means designating one account as the administrator that oversees GuardDuty across all your accounts.
Risk
Without centralized GuardDuty management, your security team lacks unified visibility into threats across your AWS environment:
- Delayed incident response: Security teams must check each account separately, slowing down threat detection
- Missed threats: Attackers can operate in accounts that are not being actively monitored
- Inconsistent configurations: Different accounts may have different detection settings or disabled features
- Audit gaps: No single view of security findings across the organization
- Lateral movement blindness: Attackers moving between accounts go unnoticed when findings are isolated
Remediation Steps
Prerequisites
You need:
- Access to your AWS Organizations management account (the root account of your organization)
- Permissions to designate GuardDuty delegated administrators
- GuardDuty must be enabled in the accounts you want to manage
Required IAM permissions (for administrators)
Your IAM user or role in the management account needs:
- guardduty:EnableOrganizationAdminAccount
- guardduty:ListOrganizationAdminAccounts
- guardduty:DisableOrganizationAdminAccount
- organizations:EnableAWSServiceAccess
- organizations:ListDelegatedAdministrators
- organizations:RegisterDelegatedAdministrator
Your IAM user or role in the delegated administrator account needs:
- guardduty:CreateMembers
- guardduty:ListMembers
- guardduty:GetMembers
- guardduty:UpdateOrganizationConfiguration
- guardduty:ListDetectors
- guardduty:CreateDetector
AWS Console Method
Step 1: Designate a Delegated Administrator (from Management Account)
1. Sign in to the AWS Organizations management account
   - This is the root account of your AWS Organization
2. Open the GuardDuty console
   - Go to GuardDuty Console in us-east-1
3. Navigate to Settings
   - In the left sidebar, click Settings
4. Delegate an administrator
   - Under Delegated administrator, click Delegate
   - Enter the 12-digit AWS account ID of the account you want to be the GuardDuty administrator
   - Click Delegate
5. Confirm the delegation
   - The delegated administrator account now appears in the settings
Step 2: Add Member Accounts (from Delegated Administrator Account)
1. Sign in to the delegated administrator account
2. Open the GuardDuty console
   - Go to GuardDuty Console in us-east-1
3. Add member accounts
   - In the left sidebar, click Accounts
   - Click Add accounts
   - Choose Add accounts from my organization to automatically add all accounts in your organization
   - Or choose Add accounts by invitation for accounts outside your organization
4. Enable auto-enable for new accounts
   - Go to Settings in the left sidebar
   - Under Auto-enable, turn on auto-enable for new organization accounts
   - This ensures new accounts are automatically protected
AWS CLI (optional)
From the Management Account: Designate a Delegated Administrator
First, enable GuardDuty integration with AWS Organizations:
```bash
aws organizations enable-aws-service-access \
  --service-principal guardduty.amazonaws.com \
  --region us-east-1
```
Designate the delegated administrator account (replace <ADMIN_ACCOUNT_ID> with the 12-digit account ID):
```bash
aws guardduty enable-organization-admin-account \
  --admin-account-id <ADMIN_ACCOUNT_ID> \
  --region us-east-1
```
Verify the delegation:
```bash
aws guardduty list-organization-admin-accounts \
  --region us-east-1
```
From the Delegated Administrator Account: Configure Member Accounts
Get your detector ID:
```bash
DETECTOR_ID=$(aws guardduty list-detectors \
  --region us-east-1 \
  --query 'DetectorIds[0]' \
  --output text)
echo "Detector ID: $DETECTOR_ID"
```
Enable auto-enrollment for new organization accounts:
```bash
# --auto-enable is the legacy flag; current CLI versions also accept
# --auto-enable-organization-members ALL, which is the setting the
# Terraform configuration below uses
aws guardduty update-organization-configuration \
  --detector-id "$DETECTOR_ID" \
  --auto-enable \
  --region us-east-1
```
List current member accounts:
```bash
aws guardduty list-members \
  --detector-id "$DETECTOR_ID" \
  --region us-east-1
```
CloudFormation (optional)
Note: Designating a delegated administrator must be done from the management account. The CloudFormation stack below should be deployed in the management account.
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Designate GuardDuty delegated administrator for AWS Organizations
Parameters:
  DelegatedAdminAccountId:
    Type: String
    Description: The 12-digit AWS account ID to designate as GuardDuty delegated administrator
    AllowedPattern: '^\d{12}$'
    ConstraintDescription: Must be a valid 12-digit AWS account ID
Resources:
  GuardDutyOrganizationAdminAccount:
    Type: AWS::GuardDuty::Detector
    Properties:
      Enable: true
    # Note: the AWS::GuardDuty::Master resource is used by member accounts to accept invitations.
    # For organization-based setup, the delegated admin is set via the console or CLI,
    # as CloudFormation does not directly support AWS::GuardDuty::OrganizationAdminAccount
Outputs:
  DetectorId:
    Description: GuardDuty Detector ID in the management account
    Value: !Ref GuardDutyOrganizationAdminAccount
  DelegatedAdminNote:
    Description: Next step
    Value: !Sub "Use AWS CLI or Console to designate account ${DelegatedAdminAccountId} as GuardDuty delegated administrator"
```
Important: CloudFormation does not have a native resource type to designate a delegated administrator. After deploying this stack, run the following CLI command:
```bash
aws guardduty enable-organization-admin-account \
  --admin-account-id <ADMIN_ACCOUNT_ID> \
  --region us-east-1
```
For the delegated administrator account, deploy this stack to configure auto-enrollment:
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: GuardDuty configuration for delegated administrator account
Resources:
  GuardDutyDetector:
    Type: AWS::GuardDuty::Detector
    Properties:
      Enable: true
      FindingPublishingFrequency: FIFTEEN_MINUTES
      DataSources:
        S3Logs:
          Enable: true
        Kubernetes:
          AuditLogs:
            Enable: true
        MalwareProtection:
          ScanEc2InstanceWithFindings:
            EbsVolumes: true
Outputs:
  DetectorId:
    Description: GuardDuty Detector ID
    Value: !Ref GuardDutyDetector
    Export:
      Name: GuardDutyDetectorId
```
Deploy with:
```bash
aws cloudformation deploy \
  --template-file guardduty-admin.yaml \
  --stack-name guardduty-delegated-admin \
  --region us-east-1
```
Terraform (optional)
For the management account - designate delegated administrator:
```hcl
# Provider configuration for management account
provider "aws" {
  region = "us-east-1"
  alias  = "management"
}

variable "delegated_admin_account_id" {
  description = "The 12-digit AWS account ID to designate as GuardDuty delegated administrator"
  type        = string
}

# Enable GuardDuty in the management account
resource "aws_guardduty_detector" "management" {
  provider = aws.management
  enable   = true
}

# Designate the delegated administrator
resource "aws_guardduty_organization_admin_account" "main" {
  provider         = aws.management
  admin_account_id = var.delegated_admin_account_id
  depends_on       = [aws_guardduty_detector.management]
}

output "delegated_admin_account_id" {
  description = "GuardDuty delegated administrator account ID"
  value       = aws_guardduty_organization_admin_account.main.admin_account_id
}
```
For the delegated administrator account - configure organization settings:
```hcl
# Provider configuration for delegated admin account
provider "aws" {
  region = "us-east-1"
}

# Enable GuardDuty detector
resource "aws_guardduty_detector" "admin" {
  enable                       = true
  finding_publishing_frequency = "FIFTEEN_MINUTES"

  datasources {
    s3_logs {
      enable = true
    }
    kubernetes {
      audit_logs {
        enable = true
      }
    }
    malware_protection {
      scan_ec2_instance_with_findings {
        ebs_volumes {
          enable = true
        }
      }
    }
  }
}

# Configure organization settings to auto-enable for new accounts
resource "aws_guardduty_organization_configuration" "main" {
  auto_enable_organization_members = "ALL"
  detector_id                      = aws_guardduty_detector.admin.id

  datasources {
    s3_logs {
      auto_enable = true
    }
    kubernetes {
      audit_logs {
        enable = true
      }
    }
    malware_protection {
      scan_ec2_instance_with_findings {
        ebs_volumes {
          auto_enable = true
        }
      }
    }
  }
}

output "detector_id" {
  description = "GuardDuty Detector ID"
  value       = aws_guardduty_detector.admin.id
}
```
Deploy with:
```bash
# In the management account directory
terraform init
terraform apply -var="delegated_admin_account_id=123456789012"

# In the delegated admin account directory
terraform init
terraform apply
```
Verification
After setting up centralized management, verify the configuration:
1. In the AWS Console (delegated administrator account):
   - Go to GuardDuty > Accounts
   - Confirm all organization accounts appear as members
   - Check that the Status column shows Enabled for each account
2. Check for findings:
   - Go to GuardDuty > Findings
   - You should see findings from all member accounts (if any exist)
   - The Account ID column shows which account generated each finding
CLI verification commands
From the management account - verify delegated administrator:
```bash
aws guardduty list-organization-admin-accounts \
  --region us-east-1
```
Expected output:
```json
{
  "AdminAccounts": [
    {
      "AdminAccountId": "123456789012",
      "AdminStatus": "ENABLED"
    }
  ]
}
```
From the delegated administrator account - verify member accounts:
# Get detector ID
DETECTOR_ID=$(aws guardduty list-detectors \
--region us-east-1 \
--query 'DetectorIds[0]' \
--output text)
# List members
aws guardduty list-members \
--detector-id $DETECTOR_ID \
--only-associated true \
--region us-east-1
Expected output shows member accounts with RelationshipStatus of Enabled:
```json
{
  "Members": [
    {
      "AccountId": "111122223333",
      "DetectorId": "abc123...",
      "RelationshipStatus": "Enabled",
      "Email": "member@example.com"
    }
  ]
}
```
Re-run the Prowler check:
```bash
prowler aws --checks guardduty_centrally_managed
```
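The verification steps above boil down to three conditions per region: an ENABLED delegated administrator exists, every organization account other than the administrator is a member, and each member's RelationshipStatus is Enabled. The script below, added here as an illustration and not part of Prowler or of the original page, applies those conditions to the JSON shapes returned by `list-organization-admin-accounts` and `list-members` and reports the gaps. It goes beyond the single-region commands above by evaluating several regions at once, which matches the multi-region note later on. All account IDs, region data and the `evaluate_region` / `evaluate_all` function names are constructed for the example; in practice you would load the real CLI or boto3 responses into the same structures.

```python
"""Evaluate GuardDuty centralized-management coverage per region.

Inputs mirror the JSON returned by:
  aws guardduty list-organization-admin-accounts --region <r>
  aws guardduty list-members --detector-id <id> --region <r>
and the list of account IDs in the organization (for example from
`aws organizations list-accounts`).  All sample data below is constructed.
"""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample data: four fictional organization accounts, where
# 123456789012 is the intended delegated administrator.
SAMPLE_ORG_ACCOUNTS = ["123456789012", "111122223333", "444455556666", "777788889999"]

# Constructed per-region output of list-organization-admin-accounts.
# eu-west-1 deliberately has no delegated administrator (a common gap,
# since GuardDuty delegation is regional).
SAMPLE_ADMIN_ACCOUNTS = {
    "us-east-1": json.loads(
        '{"AdminAccounts": [{"AdminAccountId": "123456789012", "AdminStatus": "ENABLED"}]}'
    ),
    "eu-west-1": json.loads('{"AdminAccounts": []}'),
}

# Constructed per-region output of list-members from the admin's detector.
# One member is only "Invited" and one organization account is absent.
SAMPLE_MEMBERS = {
    "us-east-1": {"Members": [
        {"AccountId": "111122223333", "RelationshipStatus": "Enabled"},
        {"AccountId": "444455556666", "RelationshipStatus": "Invited"},
    ]},
    "eu-west-1": {"Members": []},
}


@dataclass
class RegionReport:
    region: str
    admin_account_id: Optional[str]   # None when no ENABLED delegated admin exists
    not_enabled: List[str]            # members whose RelationshipStatus != "Enabled"
    missing: List[str]                # organization accounts that are not members at all

    @property
    def compliant(self) -> bool:
        return self.admin_account_id is not None and not self.not_enabled and not self.missing


def evaluate_region(region: str, org_accounts: List[str],
                    admin_accounts: dict, members: dict) -> RegionReport:
    """Apply the three verification conditions to one region's responses."""
    enabled_admins = [
        a["AdminAccountId"]
        for a in admin_accounts.get("AdminAccounts", [])
        if a.get("AdminStatus") == "ENABLED"
    ]
    admin_id = enabled_admins[0] if enabled_admins else None

    status_by_account = {
        m["AccountId"]: m.get("RelationshipStatus")
        for m in members.get("Members", [])
    }
    # The delegated administrator is not a member of its own detector,
    # so it is excluded from the expected member set.
    expected = [acct for acct in org_accounts if acct != admin_id]
    missing = [a for a in expected if a not in status_by_account]
    not_enabled = [
        a for a in expected
        if a in status_by_account and status_by_account[a] != "Enabled"
    ]
    return RegionReport(region, admin_id, not_enabled, missing)


def evaluate_all(org_accounts: List[str], admin_by_region: Dict[str, dict],
                 members_by_region: Dict[str, dict]) -> Dict[str, RegionReport]:
    """Evaluate every region for which admin-account output was collected."""
    return {
        region: evaluate_region(region, org_accounts, admin_by_region[region],
                                members_by_region.get(region, {"Members": []}))
        for region in admin_by_region
    }


if __name__ == "__main__":
    for report in evaluate_all(SAMPLE_ORG_ACCOUNTS, SAMPLE_ADMIN_ACCOUNTS, SAMPLE_MEMBERS).values():
        state = "PASS" if report.compliant else "FAIL"
        print(f"{report.region}: {state} admin={report.admin_account_id} "
              f"not_enabled={report.not_enabled} missing={report.missing}")
```

One caveat when feeding real output into this: the `list-members` call in the verification section uses `--only-associated true`, which returns only associated (Enabled) members, so invited or disassociated accounts would show up here as "missing" rather than "not enabled". Run it with `--only-associated false` if you want the distinction.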
Additional Resources
- AWS Documentation: Managing GuardDuty Accounts
- AWS Documentation: Designating a Delegated Administrator
- AWS Documentation: GuardDuty Multi-Account Setup
- AWS Best Practices: GuardDuty
Notes
- AWS Organizations required: Centralized management with auto-enrollment requires AWS Organizations. Without it, you must manually invite accounts.
- Delegated administrator vs. management account: AWS recommends using a dedicated security account as the delegated administrator, not the management account. This follows the principle of least privilege.
- Multi-region consideration: GuardDuty is regional. You need to set up centralized management in each region where you want protection. Consider using AWS CloudFormation StackSets or Terraform workspaces to deploy consistently across regions.
- Existing detectors: If member accounts already have GuardDuty enabled, they will be associated with the administrator account. Their existing findings remain accessible.
- Cost considerations: The delegated administrator account is billed for GuardDuty usage across all member accounts. Plan your cost allocation accordingly.
- Feature configuration: After setting up centralized management, configure additional GuardDuty features (S3 protection, Kubernetes audit logs, Malware Protection) from the administrator account to apply them consistently across all members.