Changing the delegated GuardDuty administrator account - Amazon GuardDuty

Changing the delegated GuardDuty administrator account

You can change the delegated GuardDuty administrator account for your organization in each Region and then delegate a new administrator in each Region. To maintain a security posture for your organization's member accounts in a Region, you must have a delegated GuardDuty administrator account in that Region.

Removing the existing delegated GuardDuty administrator account

Step 1 - To remove the existing delegated GuardDuty administrator account in each Region
  1. As the existing delegated GuardDuty administrator account, list all the member accounts associated with your administrator account. Run ListMembers with OnlyAssociated=false.

  2. If the auto-enable preference for GuardDuty or any of the optional protection plans is set to ALL, run UpdateOrganizationConfiguration to change the organization configuration to either NEW or NONE. This prevents an error when you disassociate all the member accounts in the next step.

  3. Run DisassociateMembers to disassociate all the member accounts that are associated with the administrator account.

  4. Run DeleteMembers to delete the associations between the administrator account and member accounts.

  5. As the organization management account, run DisableOrganizationAdminAccount to remove the existing delegated GuardDuty administrator account.

  6. Repeat these steps in each Amazon Web Services Region where you have this delegated GuardDuty administrator account.

Step 2 - To de-register the existing delegated GuardDuty administrator account in Amazon Organizations (one-time global action)
  • Run DeregisterDelegatedAdministrator (see the Amazon Organizations API Reference) to de-register the existing delegated GuardDuty administrator account in Amazon Organizations.

    Alternatively, you can run the following Amazon CLI command:

    aws organizations deregister-delegated-administrator --account-id 111122223333 --service-principal guardduty.amazonaws.com

    Make sure to replace 111122223333 with the account ID of the existing delegated GuardDuty administrator account.

    After you de-register the old delegated GuardDuty administrator account, you can add it as a member account to the new delegated GuardDuty administrator account.
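As an added example that is not part of the GuardDuty documentation, the following POSIX shell script runs Step 1 (per Region) and Step 2 (global) with the AWS CLI equivalents of the API calls above. It assumes the AWS CLI is installed, that the credentials in the environment can act both as the existing delegated administrator and as the organization management account, and that the account IDs, detector ID and Region names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the GuardDuty documentation. Runs "Step 1" (per Region) and
# "Step 2" (global) with the AWS CLI equivalents of the API calls. Assumes the CLI is
# installed and that the environment credentials can act as the existing delegated
# administrator (list, update, disassociate, delete) and as the management account
# (disable, deregister). IDs are constructed placeholders. DRY_RUN=1 prints each command.

dry() { [ "${DRY_RUN:-0}" = 1 ]; }
run() { if dry; then echo "$*"; else "$@"; fi; }

# GuardDuty has one detector per account per Region; its ID scopes every member call.
detector_id() {
  if dry; then echo "12abc34d567e8fa901bc2d34e56789f0"; return; fi   # constructed sample
  aws guardduty list-detectors --region "$1" --query 'DetectorIds[0]' --output text
}

# Step 1, item 1: OnlyAssociated=false also returns members that never accepted.
member_ids() {
  if dry; then echo "444455556666 777788889999"; return; fi           # constructed sample
  aws guardduty list-members --region "$1" --detector-id "$2" \
      --only-associated false --query 'Members[].AccountId' --output text
}

remove_admin_in_region() {
  region=$1; admin_id=$2
  det=$(detector_id "$region")
  members=$(member_ids "$region" "$det")
  # Item 2: with ALL, the organization would re-enroll accounts and the disassociation in
  # item 3 would fail; protection plans set to ALL use the --features option of this command.
  run aws guardduty update-organization-configuration --region "$region" \
      --detector-id "$det" --auto-enable-organization-members NONE
  if [ -n "$members" ]; then   # $members is unquoted on purpose: one argument per account
    run aws guardduty disassociate-members --region "$region" --detector-id "$det" --account-ids $members
    run aws guardduty delete-members --region "$region" --detector-id "$det" --account-ids $members
  fi
  # Item 5, as the management account: remove the delegated administrator for this Region.
  run aws guardduty disable-organization-admin-account --region "$region" --admin-account-id "$admin_id"
}

main() {
  admin_id=$1; shift
  for region in "$@"; do remove_admin_in_region "$region" "$admin_id"; done   # item 6
  # Step 2: one-time global de-registration in Amazon Organizations (management account).
  run aws organizations deregister-delegated-administrator --account-id "$admin_id" \
      --service-principal guardduty.amazonaws.com
}

# Usage: DRY_RUN=1 sh change-gd-admin.sh 111122223333 cn-north-1 cn-northwest-1
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it once with DRY_RUN=1 and review the printed commands before running it for real, since DeleteMembers and DisableOrganizationAdminAccount are not reversible without re-inviting members.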

Designating a new delegated GuardDuty administrator account in each Region

  1. Designate a new delegated GuardDuty administrator account in each Region by using one of the following access methods:

  2. Run DescribeOrganizationConfiguration to view the current auto-enable configuration for your organization.

    Important

    Before you add any members to the new delegated GuardDuty administrator account, verify the auto-enable configuration for your organization. This configuration is specific to the new delegated GuardDuty administrator account and the selected Region, and is unrelated to Amazon Organizations. When you add an organization member account (new or existing) under the new delegated GuardDuty administrator account, that administrator account's auto-enable configuration applies at the time GuardDuty or any of its optional protection plans is enabled.

    To change this organization configuration for the new delegated GuardDuty administrator account, use one of the following access methods: