Managing GuardDuty accounts with Amazon Organizations - Amazon GuardDuty
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Managing GuardDuty accounts with Amazon Organizations

When you use GuardDuty with an Amazon organization, the management account of that organization can designate any account within the organization as the delegated GuardDuty administrator account. GuardDuty is enabled automatically for that administrator account only in the Amazon Web Services Region in which it is designated. Within that Region, the administrator account has permission to enable and manage GuardDuty for all of the accounts in the organization; it can view the accounts in the organization and add them as GuardDuty members.

If you have already set up a GuardDuty administrator account with member accounts added by invitation, and those member accounts belong to the same organization, their Type changes from By Invitation to Via Organizations when you designate a delegated GuardDuty administrator account for the organization. Member accounts that the administrator account previously added by invitation but that are not part of the organization keep the Type By Invitation. In both cases, the previously added accounts remain member accounts associated with the organization's delegated GuardDuty administrator account.

You can continue to add accounts as members even if they are outside of your organization. For more information, see Adding and managing accounts by invitation or Designating a delegated GuardDuty administrator account and managing members by using the GuardDuty console.

Considerations and recommendations when designating a delegated GuardDuty administrator account

The following considerations and recommendations can help you understand how a delegated GuardDuty administrator account operates in GuardDuty:

A delegated GuardDuty administrator account can manage a maximum of 50,000 members.

A delegated GuardDuty administrator account can have at most 50,000 member accounts. This count includes member accounts added through Amazon Organizations and accounts that accepted an invitation from the administrator account. The organization itself can contain more than 50,000 accounts; only the accounts associated with the administrator account count toward the limit.

If you exceed the 50,000 member account limit, you are notified through CloudWatch, the Amazon Health Dashboard, and an email sent to the designated delegated GuardDuty administrator account.

A delegated GuardDuty administrator account is Regional.

Unlike Amazon Organizations, GuardDuty is a Regional service. A delegated GuardDuty administrator account and its member accounts must be set up through Amazon Organizations in each Region where you have GuardDuty enabled. If the organization management account designates a delegated GuardDuty administrator account only in US East (N. Virginia), that account manages only the member accounts in that Region; other Regions have no delegated administrator until one is designated there. For more information about feature parity across the Regions where GuardDuty is available, see Regions and endpoints.

Note

If the delegated GuardDuty administrator account opts out of an opt-in Region, GuardDuty cannot be enabled in that Region for any member account in the organization that currently has GuardDuty disabled, even when the organization's auto-enable configuration is set to new member accounts only (NEW) or all member accounts (ALL). To review the configuration of your member accounts, open Accounts in the GuardDuty console navigation pane or use the ListMembers API.

Recommended: use the same delegated GuardDuty administrator account across all Amazon Web Services Regions.

We recommend that you designate the same account as the delegated GuardDuty administrator account in every Region where you have GuardDuty enabled. The designation is made per Region, so nothing enforces this for you: if you designate an account in one Region, designate that same account in all other Regions as well.

You can designate a new delegated GuardDuty administrator account at any point in time. For more information about removing the existing delegated GuardDuty administrator account, see Changing the delegated GuardDuty administrator account.
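Because the delegated administrator is designated per Region and the member limit applies per administrator account, the state described in the considerations above (the 50,000 member limit, the Regional administrator, the Note about member accounts that remain disabled, and the recommendation to use one administrator everywhere) is something you have to check yourself. The following is an added example, not code from the GuardDuty documentation. The pure functions operate on dictionaries shaped like the responses of the GuardDuty APIs ListOrganizationAdminAccounts, DescribeOrganizationConfiguration and ListMembers; the boto3 collector at the bottom is an assumption about how you would feed them live data, and the sample data is constructed for the example.

```python
"""Audit GuardDuty delegated administration across Regions.

Added example; this is not code from the GuardDuty documentation. The
dictionaries mirror the shapes of the GuardDuty API responses for
ListOrganizationAdminAccounts, DescribeOrganizationConfiguration and
ListMembers. The sample data at the bottom is constructed for the example.
"""
from collections import Counter

MEMBER_LIMIT = 50_000  # members per delegated GuardDuty administrator account


def check_admin_consistency(admins_by_region):
    """Return (expected_admin, problems) for {region: ListOrganizationAdminAccounts response}.

    The delegated administrator is designated per Region, so this flags
    Regions with no ENABLED administrator and Regions whose administrator
    differs from the one used in most other Regions.
    """
    enabled = {}
    for region, resp in admins_by_region.items():
        ids = [a["AdminAccountId"] for a in resp.get("AdminAccounts", [])
               if a.get("AdminStatus") == "ENABLED"]
        enabled[region] = ids[0] if ids else None
    counts = Counter(admin for admin in enabled.values() if admin)
    expected = counts.most_common(1)[0][0] if counts else None
    problems = []
    for region, admin in sorted(enabled.items()):
        if admin is None:
            problems.append((region, "no delegated administrator"))
        elif admin != expected:
            problems.append((region, f"different administrator {admin}"))
    return expected, problems


def summarize_members(member_pages, org_config):
    """Summarize one Region's members and auto-enable configuration.

    member_pages: ListMembers responses fetched with OnlyAssociated='false'
    (one dict per page); org_config: the DescribeOrganizationConfiguration
    response for the same detector. Members whose RelationshipStatus is not
    'Enabled' are the accounts that stay unprotected in an opted-out Region.
    """
    members = [m for page in member_pages for m in page.get("Members", [])]
    not_enabled = sorted(m["AccountId"] for m in members
                         if m.get("RelationshipStatus") != "Enabled")
    return {
        "member_count": len(members),
        "limit_reached": bool(org_config.get("MemberAccountLimitReached"))
                         or len(members) >= MEMBER_LIMIT,
        "auto_enable": org_config.get("AutoEnableOrganizationMembers", "NONE"),
        "not_enabled": not_enabled,
    }


def collect_from_aws(regions=None):
    """Fetch live data with boto3. Assumption: credentials that can call the
    management-account API ListOrganizationAdminAccounts as well as the
    administrator-account APIs (in practice you may run the two halves under
    different roles). boto3 is imported here so the pure checks above run
    without it. Regions you have not opted in to will raise; skip those."""
    import boto3
    session = boto3.session.Session()
    admins, summaries = {}, {}
    for region in regions or session.get_available_regions("guardduty"):
        gd = session.client("guardduty", region_name=region)
        admins[region] = gd.list_organization_admin_accounts()
        detector_ids = gd.list_detectors().get("DetectorIds", [])
        if not detector_ids:
            continue  # GuardDuty is not enabled in this Region
        det = detector_ids[0]
        pages = list(gd.get_paginator("list_members")
                     .paginate(DetectorId=det, OnlyAssociated="false"))
        summaries[region] = summarize_members(
            pages, gd.describe_organization_configuration(DetectorId=det))
    return admins, summaries


# Constructed sample: two Regions share one administrator, one Region has
# none, and one was given a different account.
SAMPLE_ADMINS = {
    "us-east-1": {"AdminAccounts": [{"AdminAccountId": "111111111111", "AdminStatus": "ENABLED"}]},
    "us-west-2": {"AdminAccounts": [{"AdminAccountId": "111111111111", "AdminStatus": "ENABLED"}]},
    "eu-west-1": {"AdminAccounts": []},
    "ap-south-1": {"AdminAccounts": [{"AdminAccountId": "222222222222", "AdminStatus": "ENABLED"}]},
}
SAMPLE_MEMBER_PAGES = [
    {"Members": [{"AccountId": "333333333333", "RelationshipStatus": "Enabled"},
                 {"AccountId": "444444444444", "RelationshipStatus": "Disabled"}],
     "NextToken": "page-2"},
    {"Members": [{"AccountId": "555555555555", "RelationshipStatus": "Created"}]},
]
SAMPLE_ORG_CONFIG = {"AutoEnableOrganizationMembers": "NEW",
                     "MemberAccountLimitReached": False}

if __name__ == "__main__":
    admin, problems = check_admin_consistency(SAMPLE_ADMINS)
    print("expected administrator:", admin)
    for region, why in problems:
        print(f"  {region}: {why}")
    print(summarize_members(SAMPLE_MEMBER_PAGES, SAMPLE_ORG_CONFIG))
```

Run it as-is to see the checks on the constructed sample; replace the sample with the output of collect_from_aws() to audit a real organization. The consistency check treats the administrator used in the most Regions as the intended one, which matches the recommendation above but is a heuristic: if you already know the intended account ID, compare against that instead.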

Not recommended to set your organization's management account as the delegated GuardDuty administrator account.

Your organization's management account can be the delegated GuardDuty administrator account. However, Amazon security best practices follow the principle of least privilege, and this configuration is not recommended: the management account already has broad authority over every account in the organization, and giving it day-to-day GuardDuty administration widens the set of people and automation that need access to it.

Changing a delegated GuardDuty administrator account does not disable GuardDuty for member accounts.

If you remove a delegated GuardDuty administrator account, GuardDuty removes all the member accounts associated with it, but GuardDuty remains enabled in each of those accounts. They are no longer managed centrally until they are added as members of a newly designated delegated GuardDuty administrator account.