In this video, I’ll be showing you how to delegate an administrator account and add a member account using AWS organizations. 

As you can see, I’ve already created an AWS organization for this account and I just have one account in it. So, the first thing I’ll do is go to the GuardDuty dashboard and click on settings. Under delegated administrator, I’m going to put in an account number for the account that I want to manage my GuardDuty findings. I’m going to make the administrator account the account I’m currently using and then click delegate. 

Note that I’m using this account for demo purposes, but in the real world, you would not want to make your AWS Organizations management account the same as your GuardDuty delegated administrator account. 

Moving on - here, it lets me know I’ve authorized this account to be the administrator, and can remove those privileges any time I’d like. Now we’ll go to the AWS organizations console and I’ll go ahead and add an AWS account to my organization. I’ll do this by adding an existing account, 

I’ll put in the email address for the account owner - in this case, my email alana.layton@cloudacademy.com. Then I’ll click send invitation.  

Then I’ll get an email and in that email, it will look like this, where it’s saying I’ve been invited to a very exclusive club. Normally, you can just press accept invitation and be good to go. 

However, I have a couple different accounts open, so I’m going to copy this link and paste it in my incognito browser, where I’m logged into my secondary AWS account. 

Once I do that, it’s asking me to accept the invitation, which I will. All right, so now if I go to my AWS organizations page here from my delegated administrator account and refresh the page - you can see I now have two accounts here. 

Now if we go back to the GuardDuty console and click accounts - we can see that I now have an account listed here. It has a type of via organizations and a status of not a member. 

Now to add this account as a member, I can check the box here and then click actions and add member and then add member.  

The last feature to talk about here is the auto-enable feature for Organizations. If I click auto-enable, I can either enable Amazon GuardDuty for either all existing and new accounts, or for just any new accounts that join the organization. I can additionally enable any or all protection plans for all accounts or new accounts. 

By turning this on, it allows the delegated administrator to manage any new members' accounts. If you have greater than 5000 member accounts, this feature will turn off automatically. However, if an account is removed, and you have less than 5000 accounts once again, the feature will turn back on.

This is a helpful feature as you don’t have to enable GuardDuty for each account, which automates part of the process for you. With this feature, you can also control which protection plans you’d like to enable automatically for new and existing accounts. 

All right - that’s all for this one - see you next time!