Understanding the relationship between GuardDuty administrator account and member accounts
When you use GuardDuty in a multiple-account environment, the administrator account can manage certain aspects of GuardDuty on behalf of the member accounts. The primary functions the administrator account can perform are the following:
- Add and remove associated member accounts. The process by which this is done differs based on whether the accounts are associated through Organizations or by invitation.
- Manage the status of GuardDuty within associated member accounts, including enabling and suspending GuardDuty.

  Note

  Delegated administrator accounts managed with Amazon Organizations automatically enable GuardDuty in accounts added as members.

- Customize findings within the GuardDuty network through the creation and management of suppression rules, trusted IP lists, and threat lists. Member accounts lose access to these features in a multiple-account environment.
The following table details the relationship between the GuardDuty administrator account and its member accounts.
In this table:
Self – An account can perform the listed action only for its own account.
Any – An account can perform the listed action for any associated account.
All – An account can perform the listed action and it applies to all the associated accounts. Usually, the account taking this action is a designated GuardDuty administrator account.
Table cells with a dash (–) indicate that the account can't perform the listed action.
| Action | Through Amazon Organizations: delegated GuardDuty administrator account | Through Amazon Organizations: associated member account | By invitation: GuardDuty administrator account | By invitation: associated member account |
|---|---|---|---|---|
| Enable GuardDuty | Any | – | Self | Self |
| Enable GuardDuty automatically for the entire organization (ALL, NEW, NONE) | All | – | – | – |
| View all Organizations member accounts regardless of GuardDuty status | Any | – | – | – |
| Generate sample findings | Self | Self | Self | Self |
| View all GuardDuty findings | Any | Self | Any | Self |
| Archive GuardDuty findings | Any | – | Any | – |
| Apply suppression rules | All | – | All | – |
| Create trusted IP lists or threat lists | All | – | All | – |
| Update trusted IP lists or threat lists | All | – | All | – |
| Delete trusted IP lists or threat lists | All | – | All | – |
| Set EventBridge notification frequency | All | – | All | Self |
| Set Amazon S3 location for exporting findings | All | – | All | Self |
| Enable one or more optional protection plans for the entire organization (ALL, NEW, NONE) | All | – | – | – |
| Enable any GuardDuty protection plan for individual accounts | Any | – | Any | Self |
| Disassociate a member account | Any | – | Any | – |
| Disassociate from an administrator account | – | Self # | – | Self |
| Delete a disassociated member account | Any | – | Any | – |
| Suspend GuardDuty | Any * | – | Any * | – |
| Disable GuardDuty | Any * | – | Any * | – |
# The member account can take this action only if the delegated GuardDuty administrator account has not set the auto-enable preference to ALL for the organization members.
* This action must be taken for all associated accounts before it is taken for this account. After you disassociate these accounts, you must delete them. For more information about performing these tasks in your organization, see Maintaining your organization within GuardDuty.
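The * footnote fixes an order: members first, then disassociation, then deletion of the disassociated members, and only then the administrator's own detector. The following is an added example, not code from the GuardDuty documentation or from AWS, that drives that order through the boto3 GuardDuty client API (the `list_members`, `stop_monitoring_members`, `disassociate_members`, `delete_members`, `update_detector` and `delete_detector` calls are real; everything else is this example's). `FakeGuardDuty`, the detector ID and the account IDs are constructed so the code runs offline, and using StopMonitoringMembers as the per-member step in both the suspend and the disable case is this example's assumption, since the page does not name the member-side call.

```python
"""Suspend or disable GuardDuty in an administrator account in the order the * footnote requires.

Added example, not code from the GuardDuty documentation or from AWS. The functions take any
object exposing the boto3 GuardDuty client methods they call (list_members, stop_monitoring_members,
disassociate_members, delete_members, update_detector, delete_detector); in a real account pass
boto3.client("guardduty"). FakeGuardDuty is a constructed offline stand-in; every ID is made up.
"""


def associated_member_ids(client, detector_id):
    """Account IDs of every member still associated with this administrator (all pages)."""
    ids, kwargs = [], {"DetectorId": detector_id, "OnlyAssociated": "true"}
    while True:
        page = client.list_members(**kwargs)
        ids.extend(m["AccountId"] for m in page.get("Members", []))
        if not page.get("NextToken"):
            return ids
        kwargs["NextToken"] = page["NextToken"]


def stop_guardduty(client, detector_id, mode):
    """Suspend (mode="suspend") or disable (mode="disable") GuardDuty in the administrator account.

    Order follows the * footnote: act on every associated member, disassociate the members, delete
    the disassociated members, and only then touch the administrator's own detector. The per-member
    step used for both modes is StopMonitoringMembers (this example's assumption). Each member call
    can fail partially and reports that through UnprocessedAccounts, so every result is checked.
    """
    if mode not in ("suspend", "disable"):
        raise ValueError("mode must be 'suspend' or 'disable'")
    ids = associated_member_ids(client, detector_id)
    if ids:
        for name in ("stop_monitoring_members", "disassociate_members", "delete_members"):
            resp = getattr(client, name)(DetectorId=detector_id, AccountIds=ids)
            if resp.get("UnprocessedAccounts"):
                raise RuntimeError(f"{name} left accounts unprocessed: {resp['UnprocessedAccounts']}")
    if mode == "suspend":
        client.update_detector(DetectorId=detector_id, Enable=False)  # suspend keeps the detector
    else:
        client.delete_detector(DetectorId=detector_id)  # disable deletes the detector
    return ids


class FakeGuardDuty:
    """Constructed stand-in for the boto3 GuardDuty client. It enforces only the rule the page
    states: the administrator's detector cannot be suspended or deleted while any member is
    still associated. The error type the real service raises in that case is not modelled."""

    def __init__(self, member_ids):
        self.members = {a: "Enabled" for a in member_ids}  # RelationshipStatus per member
        self.monitoring = set(member_ids)
        self.enabled, self.exists, self.calls = True, True, []

    def list_members(self, DetectorId, OnlyAssociated="false", NextToken=None):
        self.calls.append("list_members")
        rows = [{"AccountId": a, "RelationshipStatus": s} for a, s in self.members.items()
                if s == "Enabled" or OnlyAssociated != "true"]
        return {"Members": rows}  # one page, so no NextToken

    def stop_monitoring_members(self, DetectorId, AccountIds):
        self.calls.append("stop_monitoring_members")
        self.monitoring.difference_update(AccountIds)  # suspended but still associated
        return {"UnprocessedAccounts": []}

    def disassociate_members(self, DetectorId, AccountIds):
        self.calls.append("disassociate_members")
        self.members.update((a, "Removed") for a in AccountIds)
        return {"UnprocessedAccounts": []}

    def delete_members(self, DetectorId, AccountIds):
        self.calls.append("delete_members")
        bad = [{"AccountId": a, "Result": "still associated"} for a in AccountIds
               if self.members[a] == "Enabled"]
        for a in AccountIds:
            if self.members[a] == "Removed":
                del self.members[a]
        return {"UnprocessedAccounts": bad}

    def _refuse_while_members_remain(self):
        if "Enabled" in self.members.values():
            raise RuntimeError("members still associated; disassociate and delete them first")

    def update_detector(self, DetectorId, Enable):
        self.calls.append("update_detector")
        self._refuse_while_members_remain()
        self.enabled = Enable
        return {}

    def delete_detector(self, DetectorId):
        self.calls.append("delete_detector")
        self._refuse_while_members_remain()
        self.exists = False
        return {}


def demo():
    """Constructed run: two fake members, then a full disable of the administrator account."""
    admin = FakeGuardDuty(["111111111111", "222222222222"])
    return admin, stop_guardduty(admin, "det-example", "disable")
```

Running `demo()` returns the fake client and the list of removed member IDs; `admin.calls` shows the call order the footnote requires, and calling `delete_detector` or `update_detector` directly while a member is still associated is refused by the stand-in, which is the mistake the footnote is warning about. To use this against a real account, replace the fake with `boto3.client("guardduty")` and note that the real service reports per-account failures in `UnprocessedAccounts` rather than raising, which is why the code checks that list after every member call.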