Understanding the relationship between GuardDuty administrator account and member accounts - Amazon GuardDuty
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Understanding the relationship between GuardDuty administrator account and member accounts

When you use GuardDuty in a multiple-account environment, the administrator account can manage certain aspects of GuardDuty on behalf of the member accounts. The primary functions the administrator account can perform are the following:

  • Add and remove associated member accounts. The process by which this is done differs based on whether the accounts are associated through organizations or by invitation.

  • Manage the status of GuardDuty within associated member accounts, including enabling and suspending GuardDuty.

    Note

    Delegated administrator accounts managed with Amazon Organizations automatically enable GuardDuty in accounts added as members.

  • Customize findings within the GuardDuty network through the creation and management of suppression rules, trusted IP lists, and threat lists. Member accounts lose access to these features in a multiple-account environment.

The following table details the relationship between GuardDuty administrator account and member accounts.

In this table:

  • Self – An account can perform the listed action only for their own account.

  • Any – An account can perform the listed action for any associated account.

  • All – An account can perform the listed action and it applies to all the associated accounts. Usually, the account taking this action is a designated GuardDuty administrator account

Table cells with dash (—) indicate that the account can't perform the listed action.

Action Through Amazon Organizations By invitation
Delegated GuardDuty administrator account Associated member account Delegated GuardDuty administrator account Associated member account
Enable GuardDuty Any Self Self
Enable GuardDuty automatically for the entire organization (ALL, NEW, NONE) All
View all Organizations member accounts regardless of GuardDuty status Any
Generate sample findings Self Self Self Self
View all GuardDuty findings Any Self Any Self
Archive GuardDuty findings Any Any
Apply suppression rules All All
Create trusted IP list or threat lists All All
Update trusted IP list or threat lists All All
Delete trusted IP list or threat lists All All
Set EventBridge notification frequency All All Self
Set Amazon S3 location for exporting findings All All Self
Enable one or more optional protection plans for the entire organization (ALL, NEW, NONE) All
Enable any GuardDuty protection plan for individual accounts Any Any Self
Disassociate a member account Any Any
Disassociate from an administrator account account Self# Self
Delete a disassociated member account Any Any
Suspend GuardDuty Any* Any*
Disable GuardDuty Any* Any*

  • # Indicates that the account can take this action only if the delegated GuardDuty administrator account has not set up the auto-enable preference to ALL the organization members.

  • * Indicates that this action must be taken for all associated accounts before being taken for this account. After you disassociate these accounts, you must delete them. For more information about performing these tasks in your organization, see Maintaining your organization within GuardDuty.