Managing Amazon GuardDuty Security Findings Across Multiple Accounts

Last updated on May 2, 2023

In our previous article, we discussed how GuardDuty can help organizations monitor their workloads and AWS accounts for malicious activity and how to monitor findings with Amazon CloudWatch Events.

Imagine that your organization has multiple AWS accounts for different workloads, teams, and projects. You would need to monitor GuardDuty findings in each account individually, and constantly switching between AWS accounts makes it quite difficult for your security team to keep track of these findings.

Amazon GuardDuty supports the consolidation of these findings to one AWS account. For example, your organization has 10 AWS accounts. All you have to do is to create a “GuardDuty” AWS account with the sole purpose of ingesting all the findings from the 10 AWS accounts. With the help of this article, you should be able to aggregate your GuardDuty findings from multiple AWS accounts to a single AWS account.

In this scenario, we’ll be using two AWS accounts: the first is the master account, where all the findings will be sent, and the second is a secondary AWS account, which will send its findings to the master account.

1.  To start, we need to “Enable GuardDuty” for both the master and secondary accounts.

2.  Once enabled, you will be redirected to the GuardDuty console. Head over to the “Accounts” section and click “Add accounts”. For multiple accounts, you can add accounts by using the “Upload List (.csv)” option.

3.  Enter the 12-digit account number and the email address associated with the secondary account. Click “Add”, then “Next”.

4.  Once you have filled in the details of the secondary account, you should see it under the accounts tab. During this stage, the status of the account is “invite”. Click on invite and a pop-up message will appear.

  1. You can send an optional message to the receiver.
  2. Tick the “also send an email notification” option to ensure that the email address associated with the secondary account will receive the invitation email.
  3. Once done, click “Send Invitation”.
  4. During the invitation process, AWS will check if the account ID and the email address associated with the account are valid.

5.  You have two options to accept the invitation:

  • Head over to your secondary account’s GuardDuty and accept the invitation.
  • Click the URL sent by AWS over the email.
    Note: Remember that you need to enable GuardDuty on the secondary account before accepting the invitation.

6.  Once you have accepted the invitation, all of the findings in the secondary account will now be sent to the master account.

7.  Once the secondary account has accepted the invitation, its status will now be “Enabled”.
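
The console steps above can also be scripted when there are many secondary accounts. The following is an added example, not part of the original article: it validates an “Upload List (.csv)” style file (the `Account ID,Email` header is an assumption about that layout) and then calls the GuardDuty CreateMembers and InviteMembers APIs through a boto3 `guardduty` client passed in by the caller, returning every account the service reports as unprocessed so that no account is silently left unmonitored. The account IDs, email addresses and function names are constructed for illustration.

```python
import csv
import io
import re

ACCOUNT_ID = re.compile(r"\d{12}")
BATCH = 50  # CreateMembers and InviteMembers take at most 50 accounts per call

# Constructed sample in the console's "Upload List (.csv)" layout (assumed header).
SAMPLE_CSV = """Account ID,Email
111122223333,sec-a@example.com
444455556666,sec-b@example.com
"""


def parse_member_csv(text, master_account_id):
    """Validate the CSV and return AccountDetails entries for CreateMembers."""
    members, seen = [], set()
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        cells = [c.strip() for c in row]
        if not any(cells) or cells[0].lower() == "account id":
            continue  # blank line or header row
        if len(cells) != 2:
            raise ValueError(f"line {lineno}: expected 'account id,email'")
        account_id, email = cells
        # Spreadsheets drop leading zeros, leaving an invalid short ID.
        if not ACCOUNT_ID.fullmatch(account_id):
            raise ValueError(f"line {lineno}: account ID must be 12 digits")
        if "@" not in email.strip("@"):
            raise ValueError(f"line {lineno}: bad email {email!r}")
        if account_id == master_account_id or account_id in seen:
            raise ValueError(f"line {lineno}: duplicate or master account")
        seen.add(account_id)
        members.append({"AccountId": account_id, "Email": email})
    return members


def onboard(client, detector_id, members, message=None):
    """Create and invite members; return the accounts GuardDuty rejected."""
    rejected = []
    for i in range(0, len(members), BATCH):
        batch = members[i:i + BATCH]
        created = client.create_members(DetectorId=detector_id, AccountDetails=batch)
        rejected += created.get("UnprocessedAccounts", [])
        failed = {u["AccountId"] for u in created.get("UnprocessedAccounts", [])}
        ids = [m["AccountId"] for m in batch if m["AccountId"] not in failed]
        if ids:
            extra = {"Message": message} if message else {}
            invited = client.invite_members(DetectorId=detector_id, AccountIds=ids,
                                            DisableEmailNotification=False, **extra)
            rejected += invited.get("UnprocessedAccounts", [])
    return rejected
```

Run it from the master account with `boto3.client("guardduty")` and that account's detector ID; a non-empty return value lists the accounts that still need attention before their findings will reach the master account.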

Summary

In this article, you have learned how to monitor multiple AWS accounts using one GuardDuty master account. GuardDuty is a powerful AWS service that makes it easier for security teams to monitor malicious activity in one or multiple AWS accounts.

Sources: 

https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html
https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_accounts.html

Written by: Matt Hidalgo

Matt is a Solutions Architect for a managed services provider that specializes in AWS and Azure. After graduating from college with a degree in Geology, he decided to switch careers and self-taught himself with AWS and Azure. Matt specializes in the migration and deployment of workloads to AWS and Azure with 3 years of experience.