Hello and welcome to this lecture, where I’ll explain how to link multiple AWS accounts to Amazon GuardDuty. 

Most AWS customers have more than one AWS account. If you have a multi-account strategy and you also use GuardDuty, you’ll end up with findings in multiple accounts. So what do you do when you want to understand all of your findings in all of your accounts? 

It’s probably unlikely that you’ll go into each account and look at each individual finding - especially if you have 10, 20, 30, or even more accounts. That would take a lot of time. Instead, you’ll most likely want to see a centralized view of all of your findings within all of your accounts. 

Fortunately, you can do this in Amazon GuardDuty. Here’s how it works: 

If you want this centralized view, you’ll need one of your accounts to act as the GuardDuty administrator account. All the other accounts you’d like to link would be referred to as “member accounts”. 

Then, all the findings from the member accounts are configured to send a copy of their results to the administrator account. You’ll be able to see all the findings in the administrator account, once the accounts are linked. This prevents you from having to look within each member account to see each set of findings. 

The administrator account helps manage the member accounts and can set up certain features of GuardDuty for those accounts. 

For example, an administrator account can enable or suspend GuardDuty for each member account. Administrator accounts can also create trusted IP lists, threat lists, and suppression rules that enable you to filter and suppress findings for member accounts. This is an important consideration because when you’re using a shared account environment, member accounts can’t actually enable these features themselves - they have to rely on the administrator account instead. 

To link accounts, administrator accounts must go through a process to add member accounts. There are two ways to add member accounts: through AWS Organizations or by sending invites through Amazon GuardDuty. 

The recommended method by AWS is through AWS Organizations. With AWS Organizations, the process to link accounts is as follows: 

You first specify a delegated administrator account. This should be different than the AWS Organizations management account. The delegated administrator account is the same thing as an administrator account and enables you to add, remove, and manage member accounts. 

You can then select which accounts in your Organization you’d like to add. Once they’re added, the accounts become member accounts and are linked to the delegated administrator account. 

The second method is through Amazon GuardDuty invitations. This comes in handy if you have an account outside of your organization that you’d like to become a member account. In that case, you can’t invite them through AWS Organizations - but you can use the invite method. You can also use this method if you’re not using AWS Organizations at all. 

To invite an account, you use the GuardDuty dashboard, enter in the account IDs you’d like to invite, and then send an e-mail notification to those accounts to invite them. Once they accept the invite, they’ll be linked to the administrator account. 

If you’d like to disable or suspend GuardDuty, you’d need to remove the member accounts from the administrator account. That brings us to the end of this video. I’ll see you in the next one.