Start course

In this lesson, we look at how to configure Amazon GuardDuty to work across multiple AWS accounts as well as the different permissions required and used when working with Amazon GuardDuty. 

Learning Objectives

By the end of this lesson, you will have a greater understanding of Amazon GuardDuty, including:

  • The terminology for using a multi-account strategy with Amazon GuardDuty
  • How to connect multiple AWS accounts to centralize findings 
  • How to ensure you have the correct permissions in place to work with Amazon GuardDuty successfully

Intended Audience

  • Individuals working as security consultants or specialists, security analysts, security auditors, Cloud architects, or Cloud operational support analysts
  • Anyone looking to learn more about AWS Security and threat detection within AWS


  • Have a basic understanding of the fundamentals of AWS
  • An awareness of different security measures and mechanisms offered by different AWS services, such as IAM resources, specifically IAM Policies and IAM roles
  • Understand AWS Organizations at a fundamental level and have a basic understanding of Amazon GuardDuty
  • If you’d like more information on some of these features, check out the following courses titled: 



Hello and welcome to the final lecture, where I’ll briefly summarize some of the core points of the course. 

In this course, we discussed accounts and permissions in Amazon GuardDuty, including understanding the difference between the administrator and member accounts, how to connect multiple AWS accounts to centralize your GuardDuty findings, and how to ensure you have the correct permissions in place to successfully work with Amazon GuardDuty. 

To recap, when linking accounts together in GuardDuty, one of your accounts acts as the GuardDuty administrator account. All the other accounts you’d like to link would be referred to as “member accounts”.

Then, all the findings from the member accounts are configured to send a copy of their results to the administrator account. You’ll be able to see all the findings in the administrator account, once the accounts are linked. This prevents you from having to look within each member account to see each set of findings.

This administrator account helps manage your member accounts, by managing the status of the service, and through creating trusted IP and threat lists.   

You can add member accounts in two main ways: by using AWS Organizations or through the GuardDuty invitation method. 

AWS Organizations is the recommended method, as it provides helpful features such as auto-enable that automatically enables GuardDuty for your accounts and pick which protection plans are enabled for those accounts by default. 

However, if you aren’t using AWS Organizations or if you have an account outside of your Organization that you’d like to manage, you can use the GuardDuty invitation method to add member accounts. 

You’ll also need the necessary permissions to work with GuardDuty, which not only includes GuardDuty-specific actions but also IAM privileges, to create service-linked roles and trusted IP and threat lists. 

All right - that brings us to the end of this video. Once again, my name is Alana Layton and I hope you’ve enjoyed our time together. If you have any feedback, positive or negative, please contact us at Your feedback is greatly appreciated. Thank you and till next time! 

About the Author
Learning Paths

Alana Layton is an experienced technical trainer, technical content developer, and cloud engineer living out of Seattle, Washington. Her career has included teaching about AWS all over the world, creating AWS content that is fun, and working in consulting. She currently holds six AWS certifications. Outside of Cloud Academy, you can find her testing her knowledge in bar trivia, reading, or training for a marathon.