Designating a GuardDuty delegated GuardDuty administrator account and managing members by using the API - Amazon GuardDuty
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Designating a GuardDuty delegated GuardDuty administrator account and managing members by using the API

Step 1 – Designate a delegated GuardDuty administrator account for your Amazon organization

  1. Run EnableOrganizationAdminAccount by using the credentials of the organization's management account.

    • Alternatively, you can use the Amazon Command Line Interface (Amazon CLI) to do this. The following Amazon CLI command designates a delegated GuardDuty administrator account for your current Region only. Run it and make sure to replace 111111111111 with the Amazon Web Services account ID of the account that you want to designate as the delegated GuardDuty administrator account:

      aws guardduty enable-organization-admin-account --admin-account-id 111111111111

      To designate the delegated GuardDuty administrator account in other Regions, specify the Region in the Amazon CLI command. The following example enables a delegated GuardDuty administrator account in US West (Oregon). Make sure to replace us-west-2 with the Region in which you want to designate the delegated GuardDuty administrator account.

      aws guardduty enable-organization-admin-account --admin-account-id 111111111111 --region us-west-2

      For information about the Amazon Web Services Regions where GuardDuty is available, see Regions and endpoints.

    If GuardDuty is not enabled for your delegated GuardDuty administrator account, that account won't be able to take any action for the organization. If you haven't already done so, enable GuardDuty for the newly designated delegated GuardDuty administrator account.

  2. (Recommended) Repeat the previous step in each Amazon Web Services Region where you have GuardDuty enabled.

Step 2 – Configure auto-enable preferences for the organization

    1. Run UpdateOrganizationConfiguration by using the credentials of the delegated GuardDuty administrator account to automatically configure GuardDuty and optional protection plans in that Region for your organization.

      To find the detectorId for your account and current Region, see the Settings page in the GuardDuty console at https://console.amazonaws.cn/guardduty/.

      Note

      For information about the various auto-enable configurations, see autoEnableOrganizationMembers.

    2. To set auto-enable preferences for any of the supported optional protection plans in your Region, follow the steps provided in the corresponding documentation sections of each protection plan.

    3. To validate the preferences for your organization in the current Region, run DescribeOrganizationConfiguration. Make sure to specify the detector ID of the delegated GuardDuty administrator account.

      Note

      It may take up to 24 hours to update the configuration for all the member accounts.

      • Alternatively, run the following Amazon CLI command to set the preference that automatically enables or disables GuardDuty in that Region for new accounts that join the organization (NEW), all accounts in the organization (ALL), or none of them (NONE). For more information, see autoEnableOrganizationMembers. Based on your preference, replace NEW with ALL or NONE as needed. If you configure a protection plan with ALL, that protection plan is also enabled for the delegated GuardDuty administrator account. Make sure to specify the detector ID of the delegated GuardDuty administrator account that manages the organization configuration.

        To find the detectorId for your account and current Region, see the Settings page in the GuardDuty console at https://console.amazonaws.cn/guardduty/.

        aws guardduty update-organization-configuration --detector-id 12abc34d567e8fa901bc2d34e56789f0 --auto-enable-organization-members=NEW

      • To validate the preferences for your organization in the current Region, run the following Amazon CLI command with the detector ID of the delegated GuardDuty administrator account:

        aws guardduty describe-organization-configuration --detector-id 12abc34d567e8fa901bc2d34e56789f0

    4. (Recommended) Repeat the previous steps in each Region by using the delegated GuardDuty administrator account's detector ID for that Region.

    Note

    When a delegated GuardDuty administrator account opts out of an opt-in Region, even if your organization has the GuardDuty auto-enable configuration set to either new member accounts only (NEW) or all member accounts (ALL), GuardDuty cannot be enabled for any member account in the organization that currently has GuardDuty disabled. For information about the configuration of your member accounts, open Accounts in the GuardDuty console navigation pane or use the ListMembers API.

Step 3 – Add accounts as members to your organization

  • Run CreateMembers by using the credentials of the delegated GuardDuty administrator account that you designated in Step 1.

    You must specify the regional detector ID of the delegated GuardDuty administrator account and the account details (Amazon Web Services account IDs and corresponding email addresses) of the accounts that you want to add as GuardDuty members. You can create one or more members with this API operation.

    When you run CreateMembers in your organization, the auto-enable preferences for new members will apply as new member accounts join your organization. When you run CreateMembers with an existing member account, the organization configuration will also apply to the existing members. This might change the current configuration of the existing member accounts.

    To view all the accounts in your Amazon organization, run ListAccounts (see the Amazon Organizations API Reference).

    Important

    When you add an account as a GuardDuty member, GuardDuty is automatically enabled for that account in that Region. The organization management account is an exception: before the management account can be added as a GuardDuty member, it must already have GuardDuty enabled.

    • Alternatively, you can use the Amazon CLI. Run the following Amazon CLI command and make sure to use your own valid detector ID, Amazon Web Services account ID, and the email address associated with that account ID.

      To find the detectorId for your account and current Region, see the Settings page in the GuardDuty console at https://console.amazonaws.cn/guardduty/.

      aws guardduty create-members --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-details AccountId=111122223333,Email=guardduty-member-name@amazon.com

      You can view a list of all organization members by running the following Amazon CLI command:

      aws organizations list-accounts

    After you add the account as a member, the auto-enable GuardDuty configuration applies to it.
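The three steps above as one scripted, per-Region procedure, added here as an illustration rather than code from the GuardDuty documentation. It uses the boto3 guardduty method names for EnableOrganizationAdminAccount, ListDetectors, UpdateOrganizationConfiguration, DescribeOrganizationConfiguration and CreateMembers, checks the two caveats the page calls out (the delegated administrator must already have a detector, and CreateMembers reports per-account failures), and the profile names "management" and "gd-admin" in the __main__ block are assumptions.

```python
"""Organization-level GuardDuty setup through the API, one Region at a time.
Step 1 uses the management account's credentials, Steps 2 and 3 the delegated
administrator's, so two guardduty clients are passed in. Any object with the
boto3 guardduty method names works, so the logic can run offline against a stub."""

AUTO_ENABLE_VALUES = ("NEW", "ALL", "NONE")

def designate_admin(mgmt_gd, admin_account_id):
    """Step 1: designate the delegated administrator in the client's Region."""
    mgmt_gd.enable_organization_admin_account(AdminAccountId=admin_account_id)

def admin_detector_id(admin_gd):
    """Return the delegated administrator's regional detectorId. No detector
    means GuardDuty is not enabled there, so the administrator cannot act."""
    ids = admin_gd.list_detectors().get("DetectorIds", [])
    if not ids:
        raise RuntimeError("enable GuardDuty for the delegated administrator first")
    return ids[0]

def configure_auto_enable(admin_gd, detector_id, preference="NEW"):
    """Step 2: set AutoEnableOrganizationMembers and read it back (member propagation can take up to 24 h)."""
    if preference not in AUTO_ENABLE_VALUES:
        raise ValueError("preference must be one of NEW, ALL, NONE")
    admin_gd.update_organization_configuration(
        DetectorId=detector_id, AutoEnableOrganizationMembers=preference)
    cfg = admin_gd.describe_organization_configuration(DetectorId=detector_id)
    return cfg.get("AutoEnableOrganizationMembers") == preference

def add_members(admin_gd, detector_id, accounts):
    """Step 3: add (account_id, email) pairs as members. CreateMembers reports
    per-account failures in UnprocessedAccounts; return them so none are lost."""
    details = [{"AccountId": acct, "Email": email} for acct, email in accounts]
    resp = admin_gd.create_members(DetectorId=detector_id, AccountDetails=details)
    return {u["AccountId"]: u["Result"] for u in resp.get("UnprocessedAccounts", [])}

def setup_region(mgmt_gd, admin_gd, admin_account_id, accounts, preference="NEW"):
    """Steps 1 to 3 for one Region; call once per Region where GuardDuty is on."""
    designate_admin(mgmt_gd, admin_account_id)
    det = admin_detector_id(admin_gd)
    if not configure_auto_enable(admin_gd, det, preference):
        raise RuntimeError("organization configuration did not apply in this Region")
    return add_members(admin_gd, det, accounts)

if __name__ == "__main__":
    import boto3  # assumed: profiles "management" and "gd-admin" are configured
    region = "us-west-2"
    mgmt = boto3.Session(profile_name="management").client("guardduty", region_name=region)
    admin = boto3.Session(profile_name="gd-admin").client("guardduty", region_name=region)
    members = [("111122223333", "guardduty-member-name@amazon.com")]  # values from the page
    print(setup_region(mgmt, admin, "111111111111", members, "NEW"))
```

Run it once per Region with the Region-specific clients; the returned dictionary is empty when every account was added, and otherwise maps each rejected account ID to the reason the API gave.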