# Multiple accounts in Amazon GuardDuty
<a name="guardduty_accounts"></a>

When your AWS environment has multiple accounts, you can manage them by designating one AWS account as the administrator account. You can then associate the multiple AWS accounts with this administrator account as its member accounts. With this configuration, a designated GuardDuty administrator account can assess and monitor the overall security of your organization. The administrator account can also perform account management tasks, such as reviewing all generated findings and configuring protection plans within GuardDuty. 

In GuardDuty, an organization consists of a delegated GuardDuty administrator account and one or more associated member accounts. You can associate the accounts in two ways – by integrating with AWS Organizations, or by using a legacy method of sending and accepting membership invitations in the GuardDuty console. GuardDuty recommends that you integrate with AWS Organizations. 

AWS Organizations is a global account management service that enables AWS administrators to consolidate and centrally manage multiple AWS accounts. It provides account management and consolidated billing features that are designed to support budgetary, security, and compliance needs. It’s offered at no additional charge and it integrates with multiple AWS services, including Macie, AWS Security Hub CSPM, and Amazon GuardDuty. For more information, see the [AWS Organizations User Guide](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html).

**Topics**
+ [Understanding the relationship between GuardDuty administrator account and member accounts](administrator_member_relationships.md)
+ [Managing GuardDuty accounts with AWS Organizations](guardduty_organizations.md)
+ [Managing GuardDuty accounts by invitation](guardduty_invitations.md)
+ [GuardDuty considerations for exporting member account details in CSV format](exporting-guardduty-accounts-data-to-csv.md)

# Understanding the relationship between GuardDuty administrator account and member accounts
<a name="administrator_member_relationships"></a>

When you use GuardDuty in a multiple-account environment, the administrator account can manage certain aspects of GuardDuty on behalf of the member accounts. An administrator account can perform the following primary functions:
+ **Add and remove associated member accounts** – The process by which an administrator account does this differs based on how you manage the accounts – through AWS Organizations or by the GuardDuty invitation method.

  GuardDuty recommends managing your member accounts through AWS Organizations.
+ **Delegated GuardDuty administrator account enabling GuardDuty in management account** – If the AWS Organizations management account ever disables GuardDuty, the delegated GuardDuty administrator account can enable GuardDuty in the management account. This requires that the management account has not explicitly deleted the [Service-linked role permissions for GuardDuty](slr-permissions.md).
+ **Configure status of member accounts** – An administrator account can enable or disable the status of GuardDuty protection plans, and enable, suspend, or disable the status of GuardDuty on behalf of associated member accounts.

  A delegated GuardDuty administrator account managed with AWS Organizations can automatically enable GuardDuty when the AWS accounts are added as members.
+ **Customize when to generate findings** – An administrator account can customize findings within the GuardDuty network by creating and managing suppression rules, trusted IP lists, and threat lists. In a multiple-account environment, support to configure these features is available only to a delegated GuardDuty administrator account. A member account can't update this configuration.

The following table details the relationship between GuardDuty administrator account and member accounts.

**Key for the table**
+ **Self** – An account can perform the listed action only for their own account.
+ **Any** – An account can perform the listed action for any associated account.
+ **All** – An account can perform the listed action and it applies to all the associated accounts. Usually, the account taking this action is a designated GuardDuty administrator account.
+ **Cells with dash (–)** – Table cells with dash (–) indicate that the account can't perform the listed action.


| **Action** | **Delegated GuardDuty administrator account (through AWS Organizations)** | **Associated member account (through AWS Organizations)** | **GuardDuty administrator account (by invitation)** | **Associated member account (by invitation)** | 
| --- |--- |--- |--- |--- |
| Enable GuardDuty | Any | – | Self | Self | 
| Enable GuardDuty automatically for the entire organization (`ALL`, `NEW`, `NONE`) | All | – | – | – | 
| View all Organizations member accounts regardless of GuardDuty status | Any | – | – | – | 
| Generate sample findings | Self | Self | Self | Self | 
| View all GuardDuty findings | Any | Self | Any | Self | 
| Archive GuardDuty findings | Any | – | Any | – | 
| Apply suppression rules | All | – | All | – | 
| Create trusted IP list or threat lists | All | – | All | – | 
| Update trusted IP list or threat lists | All | – | All | – | 
| Delete trusted IP list or threat lists | All | – | All | – | 
| Set EventBridge notification frequency | All | – | All | – | 
| Set Amazon S3 location for exporting findings | All | Self | Self | Self | 
| Enable one or more optional protection plans for the entire organization (`ALL`, `NEW`, `NONE`); this doesn't include Malware Protection for S3 | All | – | – | – | 
| Enable any GuardDuty protection plan for individual accounts; this doesn't include Malware Protection for EC2 and Malware Protection for S3 | Any | – | Any | – | 
| Malware Protection for EC2 | Any | – | Self | – | 
| Malware Protection for EC2 – On-demand malware scan | Any | Self | Self | Self | 
| Malware Protection for S3 | – | Self | – | Self | 
| Disassociate a member account | Any¹ | – | Any | – | 
| Disassociate from an administrator account | – | – | – | Self | 
| Delete a disassociated member account | Any | – | Any | – | 
| Suspend GuardDuty | Any¹ | – | Any¹ | – | 
| Disable GuardDuty | Any² | – | Any² | Self | 

¹ Indicates that the delegated GuardDuty administrator account can take this action only if they have not set up the auto-enable preferences to `ALL` the organization members.

² Indicates that a delegated GuardDuty administrator account can't disable GuardDuty in a member account directly. The delegated GuardDuty administrator account must first disassociate the member account, and then delete them. After this, each member account can disable GuardDuty in their own accounts. For more information about performing these tasks in your organization, see [Continually managing your member accounts within GuardDuty](maintaining-guardduty-organization-delegated-admin.md).

# Managing GuardDuty accounts with AWS Organizations
<a name="guardduty_organizations"></a>

In an AWS organization, the management account can designate any account within this organization as the delegated GuardDuty administrator account. For this administrator account, GuardDuty gets enabled automatically only in the current AWS Region. By default, the administrator account can enable and manage GuardDuty for all the member accounts in the organization within that Region. The administrator account can view and add members to this AWS organization.

The following sections will walk you through various tasks that you may perform as a delegated GuardDuty administrator account.

**Topics**
+ [Considerations and recommendations for using GuardDuty with AWS Organizations](#delegated_admin_important)
+ [Permissions required to designate a delegated GuardDuty administrator account](organizations_permissions.md)
+ [Designating a delegated GuardDuty administrator account](delegated-admin-designate.md)
+ [Setting organization auto-enable preferences](set-guardduty-auto-enable-preferences.md)
+ [Adding members to the organization](add-member-accounts-guardduty-organization.md)
+ [(Optional) Enable protection plans for existing member accounts](guardduty_quick_protection_plan_config.md)
+ [Continually managing your member accounts within GuardDuty](maintaining-guardduty-organization-delegated-admin.md)
+ [Suspending GuardDuty for member account](suspending-guardduty-member-account-from-admin.md)
+ [Disassociating (removing) member account from administrator account](disassociate-remove-member-account-from-admin.md)
+ [Deleting member accounts from GuardDuty organization](delete-member-accounts-guardduty-organization.md)
+ [Changing the delegated GuardDuty administrator account](change-guardduty-delegated-admin.md)

## Considerations and recommendations for using GuardDuty with AWS Organizations
<a name="delegated_admin_important"></a>

The following considerations and recommendations can help you understand how a delegated GuardDuty administrator account operates in GuardDuty:

**A delegated GuardDuty administrator account can manage a maximum of 50,000 members.**  
There is a limit of 50,000 member accounts per delegated GuardDuty administrator account. This includes member accounts that are added through AWS Organizations or those who accepted the GuardDuty administrator account's invitation to join their organization. However, there could be more than 50,000 accounts in your AWS organization.  
If you exceed the 50,000 member accounts limit, you will receive a notification through CloudWatch and the AWS Health Dashboard, and an email to the designated delegated GuardDuty administrator account.

**A delegated GuardDuty administrator account is Regional.**  
Unlike AWS Organizations, GuardDuty is a Regional service. The delegated GuardDuty administrator accounts and their member accounts must be added through AWS Organizations in each desired Region where you have GuardDuty enabled. If the organization management account designates a delegated GuardDuty administrator account in only US East (N. Virginia), then the delegated GuardDuty administrator account will only manage member accounts added to the organization in that Region. For more information about feature parity in Regions where GuardDuty is available, see [Regions and endpoints](guardduty_regions.md).

**Special cases for opt-in Regions**  
+ When a delegated GuardDuty administrator account opts out of an opt-in Region, even if your organization has the GuardDuty auto-enable configuration set to either new member accounts only (`NEW`) or all member accounts (`ALL`), GuardDuty cannot be enabled for any member account in the organization that currently has GuardDuty disabled. For information about the configuration of your member accounts, open **Accounts** in the [GuardDuty console](https://console.aws.amazon.com/guardduty/) navigation pane or use the [ListMembers](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListMembers.html) API.
+ When working with the GuardDuty auto-enable configuration set to `NEW`, ensure that the following sequence is met:

  1. The member accounts opt-in to an opt-in Region.

  1. Add the member accounts to your organization in AWS Organizations.

  If you change the order of these steps, the GuardDuty auto-enable setting with `NEW` **will not** work in the specific opt-in Region because the member account is no longer new to the organization. GuardDuty provides two alternate solutions: 
  + Set the GuardDuty auto-enable configuration to `ALL`, which includes new and existing member accounts. In this case, the order of these steps is not relevant.
  + If a member account is already a part of your organization, manage the GuardDuty configuration for this account individually in the specific opt-in Region by using the GuardDuty console or the API.

**Required for an AWS organization to have the same delegated GuardDuty administrator account across all the AWS Regions.**  
You must designate one member account as the delegated GuardDuty administrator account across all the AWS Regions where GuardDuty is enabled. For example, if you designate a member account *111122223333* in *Europe (Ireland)*, you can't designate another member account *555555555555* in *Canada (Central)*. It is required that you use the same account as delegated GuardDuty administrator account in all other Regions.  
You can designate a new delegated GuardDuty administrator account at any point in time. For more information about removing the existing delegated GuardDuty administrator account, see [Changing the delegated GuardDuty administrator account](change-guardduty-delegated-admin.md).

**Not recommended to set your organization's management account as the delegated GuardDuty administrator account.**  
Your organization's management account can be the delegated GuardDuty administrator account. However, AWS security best practices follow the principle of least privilege and don't recommend this configuration.

**Changing a delegated GuardDuty administrator account does not disable GuardDuty for member accounts.**  
If you remove a delegated GuardDuty administrator account, GuardDuty removes all the member accounts associated with this delegated GuardDuty administrator account. GuardDuty still remains enabled for all these member accounts.

# Permissions required to designate a delegated GuardDuty administrator account
<a name="organizations_permissions"></a>

To start using Amazon GuardDuty with AWS Organizations, the AWS Organizations management account for the organization designates an account as the delegated GuardDuty administrator account. This enables GuardDuty as a trusted service in AWS Organizations. It also enables GuardDuty for the delegated GuardDuty administrator account and also allows the delegated administrator account to enable and manage GuardDuty for other accounts in the organization in the current Region. For information about how these permissions are granted, see [Using AWS Organizations with other AWS services](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html).

As the AWS Organizations management account, before you designate the delegated GuardDuty administrator account for your organization, verify that you can perform the following GuardDuty action: `guardduty:EnableOrganizationAdminAccount`. This action allows you to designate the delegated GuardDuty administrator account for your organization by using GuardDuty. You must also ensure that you are allowed to perform the AWS Organizations actions that help you retrieve information about your organization.

To grant these permissions, include the following statement in an AWS Identity and Access Management (IAM) policy for your account:

```
{
    "Sid": "PermissionsForGuardDutyAdmin",
    "Effect": "Allow",
    "Action": [
        "guardduty:EnableOrganizationAdminAccount",
        "organizations:EnableAWSServiceAccess",
        "organizations:RegisterDelegatedAdministrator",
        "organizations:ListDelegatedAdministrators",
        "organizations:ListAWSServiceAccessForOrganization",
        "organizations:DescribeOrganizationalUnit",
        "organizations:DescribeAccount",
        "organizations:DescribeOrganization",
        "organizations:ListAccounts"
    ],
    "Resource": "*"
}
```

If you want to designate your AWS Organizations management account as the delegated GuardDuty administrator account, your account will also need the IAM action: `CreateServiceLinkedRole`. This action allows you to initialize GuardDuty for the management account. However, review [Considerations and recommendations for using GuardDuty with AWS Organizations](guardduty_organizations.md#delegated_admin_important) before you proceed to add the permissions. 

To continue with designating the management account as the delegated GuardDuty administrator account, add the following statement to the IAM policy and replace *111122223333* with the AWS account ID of your organization's management account:

```
{
    "Sid": "PermissionsToEnableGuardDuty",
    "Effect": "Allow",
    "Action": [
        "iam:CreateServiceLinkedRole"
    ],
    "Resource": "arn:aws:iam::111122223333:role/aws-service-role/guardduty.amazonaws.com/AWSServiceRoleForAmazonGuardDuty",
    "Condition": {
        "StringLike": {
            "iam:AWSServiceName": "guardduty.amazonaws.com"
        }
    }
}
```

# Designating a delegated GuardDuty administrator account
<a name="delegated-admin-designate"></a>

This section provides steps to designate a delegated administrator in the GuardDuty organization. 

As a management account of the AWS organization, make sure that you read through the [Considerations and recommendations](guardduty_organizations.md#delegated_admin_important) on how a delegated GuardDuty administrator account operates. Before proceeding, ensure that you have [Permissions required to designate a delegated GuardDuty administrator account](organizations_permissions.md).

Choose a preferred access method to designate a delegated GuardDuty administrator account for your organization. Only a management account can perform this step.

------
#### [ Console ]

1. Open the GuardDuty console at [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/).

   To sign in, use the management account credentials for your AWS Organizations organization.

1. By using the AWS Region selector in the upper-right corner of the page, select the Region in which you want to designate the delegated GuardDuty administrator account for your organization.

1. Do one of the following, depending on whether GuardDuty is enabled for your management account in the current Region:
   + If GuardDuty is not enabled, select **Amazon GuardDuty - all features** and choose **Get started**. This action will take you to the **Welcome to GuardDuty** page.
   + If GuardDuty is enabled, choose **Settings** in the navigation pane.

1. Under **Delegated administrator**, enter the 12-digit AWS account ID of the account that you want to designate as the delegated GuardDuty administrator account for the organization.

   Make sure to enable GuardDuty for your newly designated delegated GuardDuty administrator account, otherwise it won't be able to take any action.

1. Choose **Delegate**.

1. (Recommended) Repeat the preceding steps to designate the delegated GuardDuty administrator account in each AWS Region where you have GuardDuty enabled.

------
#### [ API/CLI ]

1. Run [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_EnableOrganizationAdminAccount.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_EnableOrganizationAdminAccount.html) using the credentials of the AWS account of the organization's management account.
   + Alternatively, you can use AWS Command Line Interface to do this. The following AWS CLI command designates a delegated GuardDuty administrator account for your current Region only. Run the following AWS CLI command and make sure to replace *111111111111* with the AWS account ID of the account you want to designate as a delegated GuardDuty administrator account:

     ```
     aws guardduty enable-organization-admin-account --admin-account-id 111111111111
     ```

     To designate the delegated GuardDuty administrator account for other Regions, specify the Region in the AWS CLI command. The following example demonstrates how to enable a delegated GuardDuty administrator account in US West (Oregon). Make sure to replace *us-west-2* with the Region for which you want to assign the delegated GuardDuty administrator account.

     ```
     aws guardduty enable-organization-admin-account --admin-account-id 111111111111 --region us-west-2
     ```

     For information about the AWS Regions where GuardDuty is available, see [Regions and endpoints](guardduty_regions.md).

   If GuardDuty is disabled for your delegated GuardDuty administrator account, it won't be able to take any action. If you haven't already done so, make sure to enable GuardDuty for the newly designated delegated GuardDuty administrator account.

1. (Recommended) Repeat the preceding steps to designate the delegated GuardDuty administrator account in each AWS Region where you have GuardDuty enabled.

------
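The "repeat in each Region" step is the one most often skipped, and a delegated administrator that exists in only some Regions leaves member accounts in the others unmanaged. The following POSIX shell script is an added example, not code from the GuardDuty documentation or the AWS CLI: it discovers every Region in which the management account has a GuardDuty detector (the Regions `describe-regions` returns are those enabled for the account, so opt-in Regions you have not opted into are excluded) and designates the same account in each, skipping Regions where that account is already the delegated administrator so the script can be rerun safely. It assumes management-account credentials that, in addition to the permissions listed earlier, allow `ec2:DescribeRegions` and `guardduty:ListOrganizationAdminAccounts`; the account ID `111111111111` is the page's placeholder and is passed as the first argument.

```shell
#!/bin/sh
# Added example: designate one delegated GuardDuty administrator account in
# every Region where the management account has GuardDuty enabled.
# Usage: sh designate-gd-admin.sh 111111111111   (111111111111 is a placeholder)

# Regions in which this account has a GuardDuty detector, i.e. GuardDuty is
# enabled there. describe-regions only lists Regions enabled for the account.
guardduty_enabled_regions() {
  for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
    detectors=$(aws guardduty list-detectors --region "$region" \
                  --query 'DetectorIds' --output text)
    if [ -n "$detectors" ] && [ "$detectors" != "None" ]; then
      echo "$region"
    fi
  done
}

# Designate $1 as the delegated GuardDuty administrator account in each of those
# Regions. A Region that already has this account delegated is skipped, so the
# script is idempotent.
designate_admin_in_all_regions() {
  admin_id="$1"
  for region in $(guardduty_enabled_regions); do
    current=$(aws guardduty list-organization-admin-accounts --region "$region" \
                --query 'AdminAccounts[].AdminAccountId' --output text)
    if [ "$current" = "$admin_id" ]; then
      echo "$region: $admin_id is already the delegated administrator"
    else
      aws guardduty enable-organization-admin-account --region "$region" \
        --admin-account-id "$admin_id" >/dev/null
      echo "$region: delegated $admin_id"
    fi
  done
}

if [ $# -gt 0 ]; then
  designate_admin_in_all_regions "$1"
fi
```

Because the designation must be the same account everywhere, run the script once from the management account rather than per Region; a mismatch between Regions is rejected by GuardDuty, as described under Considerations and recommendations.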

# Setting organization auto-enable preferences
<a name="set-guardduty-auto-enable-preferences"></a>

The auto-enable organization feature in GuardDuty helps you set the same GuardDuty and protection plans status for `ALL` existing or `NEW` member accounts in your organization, in a single step. Similarly, you can also specify when you don't want to take any action on the member accounts, by choosing `NONE`. The following steps explain these settings and also indicate when you would want to use a specific setting.

**Note**  
You can set auto-enable preferences for all the protection plans except [Malware Protection for S3](gdu-malware-protection-s3.md).

Choose a preferred access method to update the auto-enable preferences for the organization.

------
#### [ Console ]

1. Open the GuardDuty console at [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/).

   To sign in, use the GuardDuty administrator account credentials.

1. In the navigation pane, choose **Accounts**.

   The **Accounts** page provides configuration options to the GuardDuty administrator account to **Auto-enable** GuardDuty and the optional protection plans on behalf of the member accounts that belong to the organization.

1. To update the existing auto-enable settings, choose **Edit**.  
![\[Selecting Edit to update auto-enable preferences on behalf of the member accounts in the organization.\]](http://docs.aws.amazon.com/guardduty/latest/ug/images/accounts-auto-enable-1-console.png)

   This support is available to configure GuardDuty and all of the supported optional protection plans in your AWS Region. You can select one of the following configuration options for GuardDuty on behalf of your member accounts:
   + **Enable for all accounts (`ALL`)** – Select to enable the corresponding option for all the accounts in an organization. This includes new accounts that join the organization and those accounts that may have been suspended or removed from the organization. This also includes the delegated GuardDuty administrator account.

     **Note**  
     It may take up to 24 hours to update the configuration for all member accounts.
   + **Auto-enable for new accounts (`NEW`)** – Select to enable GuardDuty or the optional protection plans for only new member accounts automatically when they join your organization.
   + **Do not enable (`NONE`)** – Select to prevent enabling the corresponding option for new accounts in your organization. In this case, the GuardDuty administrator account will manage each account individually. 

     When you update the auto-enable setting from `ALL` or `NEW` to `NONE`, this action doesn't disable the corresponding option for your existing accounts. This configuration will apply to the new accounts that join the organization. After you update the auto-enable settings, no new account will have the corresponding option as enabled.

     **Note**  
     When a delegated GuardDuty administrator account opts out of an opt-in Region, even if your organization has the GuardDuty auto-enable configuration set to either new member accounts only (`NEW`) or all member accounts (`ALL`), GuardDuty cannot be enabled for any member account in the organization that currently has GuardDuty disabled. For information about the configuration of your member accounts, open **Accounts** in the [GuardDuty console](https://console.aws.amazon.com/guardduty/) navigation pane or use the [ListMembers](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListMembers.html) API.

1. Choose **Save changes**.

1. (Optional) If you want to use the same preferences in each Region, update your preferences in each of the supported Regions separately.

   Some of the optional protection plans may not be available in all the AWS Regions where GuardDuty is available. For more information, see [Regions and endpoints](guardduty_regions.md).

------
#### [ API/CLI ]

1. Run [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateOrganizationConfiguration.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateOrganizationConfiguration.html) by using the credentials of the delegated GuardDuty administrator account, to automatically configure GuardDuty and optional protection plans in that Region for your organization. For information about the various auto-enable configurations, see [autoEnableOrganizationMembers](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateOrganizationConfiguration.html#guardduty-UpdateOrganizationConfiguration-request-autoEnableOrganizationMembers).

   To find the `detectorId` for your account and current Region, see the **Settings** page in the [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/) console, or run the [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html) API.

   To set auto-enable preferences for any of the supported optional protection plans in your Region, follow the steps provided in the corresponding documentation sections of each protection plan.

1. You can validate the preferences for your organization in the current Region. Run [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DescribeOrganizationConfiguration.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DescribeOrganizationConfiguration.html). Make sure to specify the detector ID of the delegated GuardDuty administrator account.

   **Note**  
   It may take up to 24 hours to update the configuration for all the member accounts. 

1. Alternatively, run the following AWS CLI command to set the preferences to automatically enable or disable GuardDuty in that Region for new accounts (`NEW`) that join the organization, all the accounts (`ALL`), or none of the accounts (`NONE`) in the organization. For more information, see [autoEnableOrganizationMembers](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateOrganizationConfiguration.html#guardduty-UpdateOrganizationConfiguration-request-autoEnableOrganizationMembers). Based on your preference, you may need to replace `NEW` with `ALL` or `NONE`. If you configure the protection plan with `ALL`, the protection plan will also be enabled for the delegated GuardDuty administrator account. Make sure to specify the detector ID of the delegated GuardDuty administrator account that manages the organization configuration.

   To find the `detectorId` for your account and current Region, see the **Settings** page in the [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/) console, or run the [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html) API.

   ```
   aws guardduty update-organization-configuration --detector-id 12abc34d567e8fa901bc2d34e56789f0 --auto-enable-organization-members=NEW
   ```

1. You can validate the preferences for your organization in the current Region. Run the following AWS CLI command by using the detector ID of the delegated GuardDuty administrator account.

   ```
   aws guardduty describe-organization-configuration --detector-id 12abc34d567e8fa901bc2d34e56789f0
   ```

(Recommended) Repeat the previous steps in each Region by using the delegated GuardDuty administrator account detector ID.

**Note**  
When a delegated GuardDuty administrator account opts out of an opt-in Region, even if your organization has the GuardDuty auto-enable configuration set to either new member accounts only (`NEW`) or all member accounts (`ALL`), GuardDuty cannot be enabled for any member account in the organization that currently has GuardDuty disabled. For information about the configuration of your member accounts, open **Accounts** in the [GuardDuty console](https://console.aws.amazon.com/guardduty/) navigation pane or use the [ListMembers](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListMembers.html) API.

------
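Validating the preference with `describe-organization-configuration` tells you what GuardDuty was asked to do, not whether every member ended up enabled; the opt-in Region note above is one way the two diverge, and the 24-hour propagation window is another. The script below is an added example, not part of the GuardDuty documentation: it reads the organization's `AutoEnableOrganizationMembers` value, reads each member's `RelationshipStatus` from `list-members` (including accounts that are not currently associated, since `ALL` is supposed to cover them), and lists the members that are not `Enabled` while the preference is `ALL`. Under `NEW` or `NONE` an existing member may legitimately be disabled, so the check reports nothing in those modes. It assumes delegated GuardDuty administrator account credentials; the detector ID is the page's sample value and the member states in the test are constructed.

```shell
#!/bin/sh
# Added example: compare the organization auto-enable preference with the actual
# state of each member in the current Region.
# Usage: sh check-gd-auto-enable.sh 12abc34d567e8fa901bc2d34e56789f0

# Print the organization-wide auto-enable preference: ALL, NEW or NONE.
org_auto_enable() {
  aws guardduty describe-organization-configuration --detector-id "$1" \
    --query 'AutoEnableOrganizationMembers' --output text
}

# Print "<account-id> <relationship-status>" for every member known to this
# administrator account, including accounts that are not currently associated.
member_states() {
  aws guardduty list-members --detector-id "$1" --only-associated false \
    --query 'Members[].[AccountId,RelationshipStatus]' --output text
}

# Print the members whose relationship is not Enabled although the preference
# promises coverage. Only ALL makes that promise for existing members, so the
# function prints nothing under NEW or NONE.
members_out_of_policy() {
  detector_id="$1"
  mode=$(org_auto_enable "$detector_id")
  [ "$mode" = "ALL" ] || return 0
  member_states "$detector_id" | while read -r account_id status; do
    [ "$status" = "Enabled" ] || echo "$account_id $status"
  done
}

if [ $# -gt 0 ]; then
  detector="$1"
  echo "Auto-enable preference: $(org_auto_enable "$detector")"
  drift=$(members_out_of_policy "$detector")
  if [ -n "$drift" ]; then
    echo "Members not Enabled despite ALL:"
    echo "$drift"
  else
    echo "All members match the preference."
  fi
fi
```

Run it again after the 24-hour window before treating a flagged account as a problem; an account that stays flagged is a candidate for the per-account management path the opt-in Region note describes.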

# Adding members to the organization
<a name="add-member-accounts-guardduty-organization"></a>

As a delegated GuardDuty administrator account, you can add one or more AWS accounts to the GuardDuty organization. When you add an account as a GuardDuty member, it will automatically have GuardDuty enabled in that Region. There is an exception for the organization management account. Before the management account gets added as a GuardDuty member, it must have GuardDuty enabled.

Choose a preferred method to add a member account to your GuardDuty organization.

------
#### [ Console ]

1. Open the GuardDuty console at [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/).

   To sign in, use the delegated GuardDuty administrator account credentials.

1. In the navigation pane, choose **Accounts**.

   The accounts table displays all the member accounts that are active (not suspended AWS accounts) and may be associated with the delegated GuardDuty administrator account. If the member account is associated with the organization's administrator account, then the **Type** will be one of the following: **Via Organizations** or **By invitation**. If a member account is not associated with the organization's GuardDuty administrator account, the **Type** of this member account is **Not a member**.

1. Select one or more account IDs that you want to add as members. These account IDs must have the **Type** as **Via Organizations**.

   Accounts that are added through invitation are not a part of your organization. You can manage such accounts individually. For more information, see [Managing accounts by invitation](guardduty_invitations.md).

1. Choose the **Actions** dropdown, and then choose **Add member**. After you add this account as a member, the auto-enable GuardDuty configuration will apply. Based on the settings in [Setting organization auto-enable preferences](set-guardduty-auto-enable-preferences.md), the GuardDuty configuration of these accounts may change. 

1. You can select the down arrow of the **Status** column to sort the accounts by the **Not a member** status and then choose each account that doesn't have GuardDuty enabled in the current Region.

   If none of the accounts listed in the accounts table have been added as a member yet, you can enable GuardDuty in the current Region for all organization accounts. Choose **Enable** in the banner at the top of the page. This action automatically turns on the **Auto-enable** GuardDuty configuration so that GuardDuty gets enabled for any new account that joins the organization.

1. Choose **Confirm** to add the accounts as members. This action also enables GuardDuty for all of the selected accounts. The **Status** for the accounts will change to **Enabled**.

1. (Recommended) Repeat these steps in each AWS Region. This ensures that the delegated GuardDuty administrator account can manage findings and other configurations for member accounts in all the Regions where you have GuardDuty enabled.

   The auto-enable feature enables GuardDuty for all future members of your organization. This allows your delegated GuardDuty administrator account to manage any new members that are created within or get added to the organization. When the number of member accounts reaches the limit of 50,000, the Auto-enable feature is automatically turned off. If you remove a member account and the total number of members decreases to fewer than 50,000, the Auto-enable feature turns back on. 

------
#### [ API/CLI ]
+ Run [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_CreateMembers.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_CreateMembers.html) by using the credentials of the delegated GuardDuty administrator account.

  You must specify the regional detector ID of the delegated GuardDuty administrator account and the account details (AWS account IDs and corresponding email addresses) of the accounts that you want to add as GuardDuty members. You can create one or more members with this API operation.

  When you run CreateMembers in your organization, the auto-enable preferences for new members will apply as new member accounts join your organization. When you run CreateMembers with an existing member account, the organization configuration will also apply to the existing members. This might change the current configuration of the existing member accounts.

  Run [https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListAccounts.html](https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListAccounts.html) in the *AWS Organizations API Reference* to view all the accounts in the AWS organization.
  + Alternatively, you can use the AWS Command Line Interface (AWS CLI). Run the following AWS CLI command and make sure to use your own valid detector ID, AWS account ID, and the email address associated with the account ID. 

    To find the `detectorId` for your account and current Region, see the **Settings** page in the [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/) console, or run the [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html) API.

    ```
    aws guardduty create-members --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-details AccountId=111122223333,Email=guardduty-member-name@amazon.com
    ```

    You can view a list of all organization members by running the following AWS CLI command:

    ```
    aws organizations list-accounts
    ```

  After you add this account as a member, the auto-enable GuardDuty configuration will apply.

------
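The console and API steps above amount to one recurring check: which organization accounts are not yet GuardDuty members in this Region, and adding them. The following Python script is an added example, not AWS sample code. It assumes boto3-style `guardduty` and `organizations` clients (in practice you would pass `boto3.client("guardduty")` and `boto3.client("organizations")`) and ships with constructed in-memory stand-ins so it runs offline. It pages through `ListAccounts` and `ListMembers` with `OnlyAssociated=true`, skips the administrator's own account and accounts that are not `ACTIVE`, then calls `CreateMembers` in batches of 50 (the most `AccountDetails` entries one request accepts) and surfaces `UnprocessedAccounts` instead of silently dropping them. The account IDs, emails and detector ID are constructed sample values.

```python
"""Add organization accounts that are not yet GuardDuty members (added example)."""


def paginate(call, key, **kwargs):
    """Yield every item under `key` across NextToken pages of a boto3-style list call."""
    token = None
    while True:
        resp = call(**kwargs, NextToken=token) if token else call(**kwargs)
        yield from resp.get(key, [])
        token = resp.get("NextToken")
        if not token:
            return


def find_unmanaged_accounts(org_accounts, gd_members, admin_account_id):
    """Return {account_id: email} for ACTIVE organization accounts that are not
    currently associated members: the rows the console shows as "Not a member".
    The administrator account is skipped because it cannot be its own member."""
    managed = {m["AccountId"] for m in gd_members if m.get("RelationshipStatus") == "Enabled"}
    return {
        a["Id"]: a["Email"]
        for a in org_accounts
        if a.get("Status") == "ACTIVE" and a["Id"] != admin_account_id and a["Id"] not in managed
    }


def add_missing_members(gd, org, detector_id, admin_account_id):
    """ListAccounts + ListMembers(OnlyAssociated=true), then CreateMembers for the gap.
    Returns (added_ids, unprocessed) so callers can alert on accounts AWS rejected."""
    org_accounts = list(paginate(org.list_accounts, "Accounts"))
    members = list(paginate(gd.list_members, "Members",
                            DetectorId=detector_id, OnlyAssociated="true"))
    missing = find_unmanaged_accounts(org_accounts, members, admin_account_id)
    ids, added, unprocessed = sorted(missing), [], []
    for i in range(0, len(ids), 50):  # CreateMembers takes at most 50 AccountDetails per call
        batch = ids[i:i + 50]
        resp = gd.create_members(
            DetectorId=detector_id,
            AccountDetails=[{"AccountId": a, "Email": missing[a]} for a in batch])
        failed = {u["AccountId"] for u in resp.get("UnprocessedAccounts", [])}
        unprocessed.extend(resp.get("UnprocessedAccounts", []))
        added.extend(a for a in batch if a not in failed)
    return added, unprocessed


# --- constructed stand-ins so the example runs offline; not real AWS responses ---
class FakeOrganizations:
    def list_accounts(self, NextToken=None, **_):
        if NextToken is None:  # first page
            return {"Accounts": [{"Id": "111111111111", "Email": "admin@example.com", "Status": "ACTIVE"},
                                 {"Id": "222222222222", "Email": "app@example.com", "Status": "ACTIVE"}],
                    "NextToken": "page-2"}
        return {"Accounts": [{"Id": "333333333333", "Email": "data@example.com", "Status": "ACTIVE"},
                             {"Id": "444444444444", "Email": "closed@example.com", "Status": "SUSPENDED"}]}


class FakeGuardDuty:
    def __init__(self, reject=()):
        self.reject, self.requests = set(reject), []

    def list_members(self, **_):
        return {"Members": [{"AccountId": "222222222222", "RelationshipStatus": "Enabled"}]}

    def create_members(self, DetectorId, AccountDetails):
        self.requests.append(AccountDetails)
        return {"UnprocessedAccounts": [{"AccountId": d["AccountId"], "Result": "constructed failure"}
                                        for d in AccountDetails if d["AccountId"] in self.reject]}


def demo(reject=()):
    """Run the check against the constructed data; 111... is the admin, 222... is already a member."""
    gd = FakeGuardDuty(reject)
    return add_missing_members(gd, FakeOrganizations(), "12abc34d567e8fa901bc2d34EXAMPLE", "111111111111")


if __name__ == "__main__":
    print(demo())                            # (['333333333333'], [])
    print(demo(reject=["333333333333"]))     # nothing added, one UnprocessedAccounts entry
```

Run it after each Region's `CreateMembers` pass; a non-empty `unprocessed` list is the signal that an account is in the organization but still unmonitored and needs a closer look (the `Result` string returned by AWS says why).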

# (Optional) Enable protection plans for existing member accounts
<a name="guardduty_quick_protection_plan_config"></a>

The following procedure includes steps to enable protection plans for existing member accounts by using the **Accounts** page. For steps to do this by using API or AWS CLI, see documents related to the specific protection plan.

You can enable protection plans for individual accounts through the **Accounts** page.

1. Open the GuardDuty console at [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/).

   Use the delegated GuardDuty administrator account credentials.

1. In the navigation pane, choose **Accounts**.

1. Select one or more accounts for which you want to configure a protection plan. Repeat the following steps for each protection plan that you want to configure:

   1. Choose **Edit Protection Plans**. 

   1. From the list of protection plans, choose one protection plan that you want to configure.

   1. Choose one of the actions that you want to perform for this protection plan, and then choose **Confirm**.

   1. For the selected account, the column corresponding to the configured protection plan will show the updated configuration as **Enabled** or **Not enabled**.

# Continually managing your member accounts within GuardDuty
<a name="maintaining-guardduty-organization-delegated-admin"></a>

As a delegated GuardDuty administrator account, you are responsible for maintaining the configuration of GuardDuty and its optional protection plans for all the accounts in your organization in each supported AWS Region. The following sections describe the options for maintaining the configuration status of GuardDuty or any of its optional protection plans:

**To maintain the configuration status of your entire organization in each Region**
+ **Set auto-enable preferences for the entire organization by using GuardDuty console** – You can enable GuardDuty automatically for either all (`ALL`) the members in the organization or only new (`NEW`) members joining the organization, or choose not to auto-enable it for any of the members in the organization (`NONE`).

  You can also configure the same or different settings for any of the protection plans within GuardDuty.

  It might take up to 24 hours to update the configuration for all member accounts in the organization.
+ **Update auto-enable preferences by using API** – Run [UpdateOrganizationConfiguration](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateOrganizationConfiguration.html) to automatically configure GuardDuty and its optional protection plans for the organization. When you run [CreateMembers](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_CreateMembers.html) to add new member accounts in your organization, the configured settings will apply automatically. When you run CreateMembers with an existing member account, the organization configuration will also apply to the existing members. This might change the current configuration of the existing member accounts.

  To view all the accounts in your organization, run [ListAccounts](https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListAccounts.html) in the *AWS Organizations API Reference*.

**To maintain the configuration status for member accounts individually in each Region**
+ To view all the accounts in your organization, run [ListAccounts](https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListAccounts.html) in the *AWS Organizations API Reference*.
+ When you want selective member accounts to have a different configuration status, run [UpdateMemberDetectors](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateMemberDetectors.html) for each member account individually.

  You can use GuardDuty console to perform the same task by navigating to the **Accounts** page in the GuardDuty console.

  For information about enabling protection plans for individual accounts by using either console or API, see the configuring page for the corresponding protection plan.
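Keeping members in line with the organization's auto-enable preferences is a comparison: what `DescribeOrganizationConfiguration` promises for every member (`AutoEnable` of `ALL`) versus what `GetMemberDetectors` reports per account, with `UpdateMemberDetectors` used to close the gap. The following Python script is an added example, not AWS sample code. It assumes a boto3-style `guardduty` client and includes a constructed stand-in so it runs offline; the feature names `S3_DATA_EVENTS` and `RUNTIME_MONITORING` are real GuardDuty feature identifiers, while the account IDs and detector ID are constructed sample values. It reads member detectors in batches of 50 (the per-request maximum for `GetMemberDetectors`), reports drift without changing anything by default, and only issues `UpdateMemberDetectors` when `apply=True`.

```python
"""Audit member detectors against the organization's auto-enable preferences (added example)."""


def expected_member_features(org_config):
    """Features the organization configuration promises for *every* member (AutoEnable == 'ALL').
    'NEW' only applies to accounts joining later and 'NONE' promises nothing, so neither is
    a drift condition for existing members."""
    return {f["Name"] for f in org_config.get("Features", []) if f.get("AutoEnable") == "ALL"}


def find_feature_drift(expected, member_configs):
    """Return {account_id: [feature names that should be ENABLED but are not]}."""
    drift = {}
    for cfg in member_configs:
        status = {f["Name"]: f.get("Status") for f in cfg.get("Features", [])}
        missing = sorted(n for n in expected if status.get(n) != "ENABLED")
        if missing:
            drift[cfg["AccountId"]] = missing
    return drift


def reconcile_members(gd, detector_id, account_ids, apply=False):
    """DescribeOrganizationConfiguration + GetMemberDetectors (50 accounts per call), then,
    if apply=True, UpdateMemberDetectors for each drifted account.
    Returns (drift, unprocessed); unprocessed carries accounts the API could not read."""
    expected = expected_member_features(gd.describe_organization_configuration(DetectorId=detector_id))
    drift, unprocessed = {}, []
    for i in range(0, len(account_ids), 50):
        resp = gd.get_member_detectors(DetectorId=detector_id, AccountIds=account_ids[i:i + 50])
        drift.update(find_feature_drift(expected, resp.get("MemberDataSourceConfigurations", [])))
        unprocessed.extend(resp.get("UnprocessedAccounts", []))
    if apply:
        for account_id, names in drift.items():
            gd.update_member_detectors(DetectorId=detector_id, AccountIds=[account_id],
                                       Features=[{"Name": n, "Status": "ENABLED"} for n in names])
    return drift, unprocessed


# --- constructed stand-in so the example runs offline; not real AWS responses ---
class FakeGuardDuty:
    """Org wants S3_DATA_EVENTS on every member and RUNTIME_MONITORING only on new members."""

    def __init__(self):
        self.updates = []

    def describe_organization_configuration(self, **_):
        return {"AutoEnableOrganizationMembers": "ALL",
                "Features": [{"Name": "S3_DATA_EVENTS", "AutoEnable": "ALL"},
                             {"Name": "RUNTIME_MONITORING", "AutoEnable": "NEW"}]}

    def get_member_detectors(self, DetectorId, AccountIds):
        cfgs = {"222222222222": [{"Name": "S3_DATA_EVENTS", "Status": "ENABLED"}],
                "333333333333": [{"Name": "S3_DATA_EVENTS", "Status": "DISABLED"},
                                 {"Name": "RUNTIME_MONITORING", "Status": "DISABLED"}]}
        return {"MemberDataSourceConfigurations": [{"AccountId": a, "Features": cfgs[a]}
                                                   for a in AccountIds if a in cfgs],
                "UnprocessedAccounts": [{"AccountId": a, "Result": "constructed: not a member"}
                                        for a in AccountIds if a not in cfgs]}

    def update_member_detectors(self, **kwargs):
        self.updates.append(kwargs)
        return {"UnprocessedAccounts": []}


def demo(apply=False):
    gd = FakeGuardDuty()
    drift, unprocessed = reconcile_members(gd, "12abc34d567e8fa901bc2d34EXAMPLE",
                                           ["222222222222", "333333333333", "999999999999"], apply=apply)
    return drift, unprocessed, gd.updates


if __name__ == "__main__":
    print(demo())   # ({'333333333333': ['S3_DATA_EVENTS']}, [{'AccountId': '999999999999', ...}], [])
```

Because an organization-wide change can take up to 24 hours to reach every member, run this with `apply=False` first and treat drift that persists past that window as the actionable finding; a second account in `unprocessed` usually means it was never added as a member and belongs in the membership check instead.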

# Suspending GuardDuty for member account
<a name="suspending-guardduty-member-account-from-admin"></a>

As a delegated GuardDuty administrator account, you can suspend the GuardDuty service for a member account in your organization. If you do this, the member account still stays in your GuardDuty organization. You can also re-enable GuardDuty for these member accounts at a later time. However, if you eventually want to disassociate (remove) this member account, then **after** following the steps in this section, you must follow the steps in [Disassociating (removing) member account from administrator account](disassociate-remove-member-account-from-admin.md).

When you suspend GuardDuty in a member account, you can expect the following changes:
+ GuardDuty no longer monitors the security of the AWS environment, or generates new findings.
+ The existing findings in the member account remain intact.
+ A GuardDuty suspended member account doesn't incur any charges for GuardDuty.

  If the member account has enabled Malware Protection for S3 for one or more buckets in their account, then suspending GuardDuty doesn't impact the configuration of Malware Protection for S3. The member account will continue incurring the usage cost for Malware Protection for S3. For the member account to stop using Malware Protection for S3, they must disable this feature for the protected buckets. For more information, see [Disabling Malware Protection for S3 for a protected bucket](disable-malware-s3-protected-bucket.md).

Choose a preferred method to suspend GuardDuty for a member account in your organization.

------
#### [ Console ]

1. Open the GuardDuty console at [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/).

   To sign in, use the credentials of the delegated GuardDuty administrator account.

1. In the navigation pane, choose **Accounts**.

1. In the Accounts page, select one or more accounts for which you want to suspend GuardDuty.

1. Choose the **Actions** dropdown menu and then, choose **Suspend GuardDuty**.

1. Choose **Suspend GuardDuty** to confirm the selection.

   This will change the **Status** of the member account to **Disabled (suspended)**.

   Repeat the preceding steps in each additional Region where you want to disassociate or remove the member account.

------
#### [ API ]

1. To retrieve the member account ID for which you want to suspend GuardDuty, use the [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListMembers.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListMembers.html) API. Include the `OnlyAssociated` parameter in your request. If you set this parameter's value to `true`, GuardDuty returns a `members` array that provides details about only those accounts that are currently GuardDuty members.

   Alternatively, you can use AWS Command Line Interface (AWS CLI) to run the following command:

   ```
   aws guardduty list-members --only-associated true --region us-east-1
   ```

   Replace *us-east-1* with the Region where you want to suspend GuardDuty for this account.

1. To suspend GuardDuty for one or more member accounts, run [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_StopMonitoringMembers.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_StopMonitoringMembers.html).

   Alternatively, you can use AWS CLI to run the following command:

   ```
   aws guardduty stop-monitoring-members --detector-id 12abc34d567e8fa901bc2d34EXAMPLE --account-ids 111122223333 --region us-east-1
   ```

   Replace *us-east-1* with the Region where you want to suspend this account. If you have a list of account IDs that you want to suspend, separate them by a space character.

------

If you further want to disassociate (remove) this member account, then follow the steps in [Disassociating (removing) member account from administrator account](disassociate-remove-member-account-from-admin.md).

# Disassociating (removing) member account from administrator account
<a name="disassociate-remove-member-account-from-admin"></a>

When you want to stop configuring the GuardDuty settings and accessing the data from a member account, remove that account as a GuardDuty member account. You can do it by disassociating (removing) that account from the GuardDuty administrator account. 

When you disassociate a GuardDuty member account, the following happens:
+ GuardDuty remains enabled for the account in the current AWS Region, but the account becomes disassociated from the delegated GuardDuty administrator account.
+ The disassociated account continues to show in the account inventory.
+ The GuardDuty administrator account no longer has access to this standalone account's findings.
+ The account owner is not notified of the disassociation.

You can add the disassociated account to your organization again at a later time.

Choose a preferred method to disassociate (remove) a member account from your organization.

------
#### [ Console ]

1. Open the GuardDuty console at [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/).

   To sign in, use the credentials of the delegated GuardDuty administrator account.

1. In the navigation pane, choose **Accounts**.

1. In the **Accounts** table, you can remove an account that has **Type** as **Via Organizations** and **Status** as **Enabled**.

   Select one or more accounts with the same **Type** and **Status**.

1. From the **Actions** dropdown menu, choose **Disassociate account**.

1. Choose **Disassociate account** to confirm your selection.

1. The **Status** value for the selected accounts will change to **Not a member**. The **Via Organizations (Active/All)** count at the top right corner of the Accounts page will change to reflect the update.

   Repeat the preceding steps in each additional Region where you want to disassociate the member account.

------
#### [ API ]

1. To retrieve the account ID for the member account that you want to remove, use the [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListMembers.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListMembers.html) API. Include the `OnlyAssociated` parameter in your request. If you set this parameter's value to `true`, GuardDuty returns a `members` array that provides details about only those accounts that are currently GuardDuty members.

   Alternatively, you can use AWS Command Line Interface (AWS CLI) to run the following command:

   ```
   aws guardduty list-members --only-associated true --region us-east-1
   ```

   Replace *us-east-1* with the Region where you want to remove this account.

1. To remove one or more GuardDuty member accounts that are associated with the administrator account, run [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DisassociateMembers.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DisassociateMembers.html).

   Alternatively, you can use AWS CLI to run the following command:

   ```
   aws guardduty disassociate-members --detector-id 12abc34d567e8fa901bc2d34EXAMPLE --account-ids 111122223333 --region us-east-1
   ```

   Replace *us-east-1* with the Region where you want to remove this account. If you have a list of account IDs that you want to remove, separate them by a space character.

------

# Deleting member accounts from GuardDuty organization
<a name="delete-member-accounts-guardduty-organization"></a>

As a delegated GuardDuty administrator account, after you have disassociated a member account and you no longer want to keep that member account in the GuardDuty organization, you can delete that member account from your GuardDuty organization. This member account will no longer appear in your account inventory. However, if GuardDuty was not suspended in this member account, the configuration of GuardDuty and dedicated protection plans remains the same. This account now becomes a standalone account, and its owner can [disable GuardDuty](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_suspend-disable.html) themselves. 

This step will not delete the member account from your AWS organization.

Choose a preferred method to delete a member account from your GuardDuty organization.

------
#### [ Console ]

1. Open the GuardDuty console at [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/).

   To sign in, use the credentials of the delegated GuardDuty administrator account.

1. In the navigation pane, choose **Accounts**.

1. In the **Accounts** table, you can remove an account that has **Type** as **Via Organizations** and **Status** as **Removed (disassociated)**.

   Select one or more accounts with the same **Type** and **Status**.

1. From the **Actions** dropdown menu, choose **Delete account**.

1. Choose **Delete accounts** to confirm your selection. The selected member account will no longer appear in your Accounts table.

   Repeat the preceding steps in each additional Region where you want to delete this member account.

------
#### [ API/CLI ]

1. To retrieve the account ID for the member account that you want to delete, use the [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListMembers.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListMembers.html) API. Include the `OnlyAssociated` parameter in your request. If you set this parameter's value to `false`, GuardDuty returns a `members` array that provides details about only those accounts that are currently disassociated GuardDuty members.

   Alternatively, you can use AWS Command Line Interface (AWS CLI) to run the following command:

   ```
   aws guardduty list-members --detector-id 12abc34d567e8fa901bc2d34EXAMPLE --only-associated="false" --region us-east-1
   ```

   Replace *12abc34d567e8fa901bc2d34EXAMPLE* with the delegated GuardDuty administrator account detector ID and *us-east-1* with the Region where you want to remove this account.

1. To delete one or more GuardDuty member accounts, run [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteMembers.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteMembers.html) to delete the member account from the GuardDuty organization.

   Alternatively, you can use AWS CLI to run the following command:

   ```
   aws guardduty delete-members --detector-id 12abc34d567e8fa901bc2d34EXAMPLE --account-ids 111122223333 --region us-east-1
   ```

   Replace *12abc34d567e8fa901bc2d34EXAMPLE* with the delegated GuardDuty administrator account detector ID and *us-east-1* with the Region where you want to remove this account. If you have a list of account IDs that you want to remove, separate them by a space character.

------

# Changing the delegated GuardDuty administrator account
<a name="change-guardduty-delegated-admin"></a>

You can remove the delegated GuardDuty administrator account for your organization in each Region and then delegate a new administrator in each Region. To maintain the security posture for your organization's member accounts in a Region, you must have a delegated GuardDuty administrator account in that Region.

**Note**  
Before you remove a delegated GuardDuty administrator account, you must disassociate all the member accounts associated with the delegated GuardDuty administrator account, and then delete them from the GuardDuty organization. For more information about these steps, see the following documents:  
[Disassociating (removing) member account from administrator account](disassociate-remove-member-account-from-admin.md)
[Deleting member accounts from GuardDuty organization](delete-member-accounts-guardduty-organization.md)

## Removing existing delegated GuardDuty administrator account
<a name="remove-existing-guardduty-delegated-admin"></a>

**Step 1 - To remove existing delegated GuardDuty administrator account in each Region**

1. As the existing delegated GuardDuty administrator account, list all the member accounts associated with your administrator account. Run [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListMembers.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListMembers.html) with `OnlyAssociated=false`.

1. If the auto-enable preference for GuardDuty or any of the optional protection plans is set to `ALL`, then run [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateOrganizationConfiguration.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateOrganizationConfiguration.html) to update the organization configuration to either `NEW` or `NONE`. This action will prevent an error when you disassociate all the member accounts in the next step.

1. Run [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DisassociateMembers.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DisassociateMembers.html) to disassociate all the member accounts that are associated with the administrator account.

1. Run [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteMembers.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteMembers.html) to delete the associations between the administrator account and member accounts.

1. As the organization management account, run [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DisableOrganizationAdminAccount.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DisableOrganizationAdminAccount.html) to remove the existing delegated GuardDuty administrator account.

1. Repeat these steps in each AWS Region where you have this delegated GuardDuty administrator account.

**Step 2 - To de-register existing delegated GuardDuty administrator account in AWS Organizations (One-time global action)**
+ Run [DeregisterDelegatedAdministrator](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DeregisterDelegatedAdministrator.html) in the *AWS Organizations API Reference* to de-register the existing delegated GuardDuty administrator account in AWS Organizations. 

  Alternatively, you can run the following AWS CLI command:

  ```
  aws organizations deregister-delegated-administrator --account-id 111122223333 --service-principal guardduty.amazonaws.com
  ```

  Make sure to replace *111122223333* with the existing delegated GuardDuty administrator account.

  After you de-register the old delegated GuardDuty administrator account, you can add it as a member account to the new delegated GuardDuty administrator account.
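The order of Step 1 and Step 2 matters: `DisassociateMembers` is refused while any auto-enable preference is still `ALL`, the per-Region steps must run before the single global `DeregisterDelegatedAdministrator`, and the disable step needs the management account's credentials rather than the administrator's. The following Python script is an added example, not AWS sample code, that encodes that ordering so it cannot be skipped by accident. It assumes boto3-style `guardduty` clients (one with administrator credentials and one with management-account credentials per Region) plus an `organizations` client, and ships with a constructed recording stand-in so it runs offline; the account IDs and detector ID are constructed sample values. `OnlyAssociated=false` returns every member record, so the script filters on `RelationshipStatus` to decide which accounts still need disassociating; that filter is the example's own choice.

```python
"""Ordered removal of a delegated GuardDuty administrator account (added example)."""

GUARDDUTY_SERVICE_PRINCIPAL = "guardduty.amazonaws.com"


def list_all_members(gd, detector_id):
    """Step 1: ListMembers with OnlyAssociated=false, following NextToken pages."""
    members, token = [], None
    while True:
        kwargs = {"DetectorId": detector_id, "OnlyAssociated": "false"}
        if token:
            kwargs["NextToken"] = token
        resp = gd.list_members(**kwargs)
        members.extend(resp.get("Members", []))
        token = resp.get("NextToken")
        if not token:
            return members


def downgrade_auto_enable(gd, detector_id):
    """Step 2: every ALL preference (GuardDuty itself or a protection plan) becomes NONE so
    that DisassociateMembers is not refused. NEW preferences are left as they are.
    Returns True if UpdateOrganizationConfiguration was called."""
    cfg = gd.describe_organization_configuration(DetectorId=detector_id)
    kwargs = {"DetectorId": detector_id}
    if cfg.get("AutoEnableOrganizationMembers") == "ALL":
        kwargs["AutoEnableOrganizationMembers"] = "NONE"
    features = [{"Name": f["Name"], "AutoEnable": "NONE"}
                for f in cfg.get("Features", []) if f.get("AutoEnable") == "ALL"]
    if features:
        kwargs["Features"] = features
    if len(kwargs) == 1:
        return False
    gd.update_organization_configuration(**kwargs)
    return True


def remove_delegated_admin_in_region(admin_gd, mgmt_gd, detector_id, admin_account_id):
    """Steps 1-5 for one Region. Returns the member account IDs that were deleted."""
    members = list_all_members(admin_gd, detector_id)
    downgrade_auto_enable(admin_gd, detector_id)
    still_associated = [m["AccountId"] for m in members if m.get("RelationshipStatus") != "Removed"]
    for i in range(0, len(still_associated), 50):  # step 3, 50 IDs per request
        admin_gd.disassociate_members(DetectorId=detector_id, AccountIds=still_associated[i:i + 50])
    all_ids = [m["AccountId"] for m in members]
    for i in range(0, len(all_ids), 50):           # step 4
        admin_gd.delete_members(DetectorId=detector_id, AccountIds=all_ids[i:i + 50])
    mgmt_gd.disable_organization_admin_account(AdminAccountId=admin_account_id)  # step 5
    return all_ids


def remove_delegated_admin(regions, org, admin_account_id):
    """Steps 1-5 in every Region, then the one-time global deregistration in Organizations.
    `regions` maps a Region name to (admin_gd, mgmt_gd, detector_id)."""
    deleted = {region: remove_delegated_admin_in_region(admin_gd, mgmt_gd, detector_id, admin_account_id)
               for region, (admin_gd, mgmt_gd, detector_id) in regions.items()}
    org.deregister_delegated_administrator(AccountId=admin_account_id,
                                           ServicePrincipal=GUARDDUTY_SERVICE_PRINCIPAL)
    return deleted


# --- constructed stand-in so the example runs offline; records calls, answers with canned data ---
class Recorder:
    def __init__(self, members=(), auto_enable="ALL"):
        self.members, self.auto_enable, self.calls = list(members), auto_enable, []

    def __getattr__(self, op):
        def call(**kwargs):
            self.calls.append((op, kwargs))
            if op == "list_members":
                return {"Members": self.members}
            if op == "describe_organization_configuration":
                return {"AutoEnableOrganizationMembers": self.auto_enable,
                        "Features": [{"Name": "S3_DATA_EVENTS", "AutoEnable": self.auto_enable}]}
            return {"UnprocessedAccounts": []}
        return call


def demo():
    members = [{"AccountId": "222222222222", "RelationshipStatus": "Enabled"},
               {"AccountId": "333333333333", "RelationshipStatus": "Removed"}]
    admin, mgmt, org = Recorder(members), Recorder(), Recorder()
    deleted = remove_delegated_admin({"us-east-1": (admin, mgmt, "12abc34d567e8fa901bc2d34EXAMPLE")},
                                     org, "111122223333")
    return deleted, admin.calls, [op for op, _ in mgmt.calls], [op for op, _ in org.calls]


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The recorded call sequence is the useful artefact: keep it (or the equivalent CloudTrail events) as evidence that no member was left associated with an administrator that no longer exists.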

## Designating a new delegated GuardDuty administrator account in each Region
<a name="designate-new-guardduty-delegated-admin"></a>

1. Designate a new delegated GuardDuty administrator account in each Region by using your preferred access method: the GuardDuty console, the API, or the AWS CLI. For more information, see [Designating a delegated GuardDuty administrator account](delegated-admin-designate.md).

1. Run [DescribeOrganizationConfiguration](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DescribeOrganizationConfiguration.html) to view the current auto-enable configuration for your organization.
**Important**  
Before you add any members to the new delegated GuardDuty administrator account, you must verify the auto-enable configuration for your organization. This configuration is specific to the new delegated GuardDuty administrator account and the selected Region, and doesn't relate to AWS Organizations. When you add (a new or an existing) organization member account under the new delegated GuardDuty administrator account, the auto-enable configuration of the new delegated GuardDuty administrator account will apply at the time of enabling GuardDuty or any of its optional protection plans.

   Change the organization configuration for the new delegated GuardDuty administrator account by using your preferred access method: the GuardDuty console, the API, or the AWS CLI. For more information, see [Setting organization auto-enable preferences](set-guardduty-auto-enable-preferences.md).

# Managing GuardDuty accounts by invitation
<a name="guardduty_invitations"></a>

To manage accounts outside of your organization, you can use the legacy invitation method. When you use this method, your account is designated as an administrator account when another account accepts your invitation to become a member account. 

**Note**  
GuardDuty recommends using AWS Organizations instead of GuardDuty invitations to manage your member accounts. For more information, see [Managing accounts with AWS Organizations](guardduty_organizations.md).

If your account is not an administrator account, you can accept an invitation from another account. When you accept, your account becomes a member account. An AWS account cannot be a GuardDuty administrator account and member account at the same time.

When you accept an invitation from one account, you can't accept an invitation from another account. To accept an invitation from another account, you will first need to disassociate your account from the existing administrator account. Alternatively, the administrator account can also disassociate and remove your account from their organization.

Accounts associated by invitation have a similar overall administrator account-to-member relationship as accounts associated by AWS Organizations, as described in [Understanding the relationship between GuardDuty administrator account and member accounts](administrator_member_relationships.md). However, users of an administrator account created by invitation cannot enable GuardDuty on behalf of associated member accounts or view other non-member accounts within their AWS Organizations organization.

**Important**  
Cross-regional data transfer may occur when GuardDuty creates member accounts using this method. In order to verify member accounts' email addresses, GuardDuty uses an email verification service that operates only in the US East (N. Virginia) Region.

**Topics**
+ [Adding accounts by invitation](guardduty_become_console.md)
+ [Consolidating GuardDuty administrator accounts under a single organization](consolidate-orgs.md)

# Adding accounts by invitation
<a name="guardduty_become_console"></a>

As an administrator account that already has GuardDuty enabled, you can add members to start using GuardDuty. After adding the members, you can invite them to join GuardDuty, and they can choose to respond to your invitation.

**Note**  
GuardDuty recommends using AWS Organizations instead of GuardDuty invitations to manage your member accounts. For more information, see [Managing accounts with AWS Organizations](guardduty_organizations.md).

Choose a preferred access method to add GuardDuty member accounts as a GuardDuty administrator account. 

------
#### [ Console ]

**Step 1 - Add an account**

1. Open the GuardDuty console at [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/).

1. In the navigation pane, choose **Accounts**. 

1. Choose **Add accounts by invitation** in the top pane.

1. On the **Add member accounts** page, under **Enter account details**, enter the AWS account ID and email address associated with the account that you want to add. 

1. To add another row to enter account details one at a time, choose **Add another account**. You can also choose **Upload .csv file with account details** to add accounts in bulk.
**Important**  
The first line of your csv file must contain the header, as depicted in the following example – `Account ID,Email`. Each subsequent line must contain a single valid AWS account ID and its associated email address. The format of a row is valid if it contains only one AWS account ID and the associated email address separated by a comma.   

   ```
   Account ID,Email
   555555555555,user@example.com
   ```

1. After you have added all the accounts' details, choose **Next**. You can view the newly-added accounts in the Accounts table. The **Status** of these accounts will be **Invite not sent**. For information about sending an invite to one or more added accounts, see [Step 2 - Invite an account](#guardduty_invite_member_proc).
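The bulk upload is only as good as the file, and a spreadsheet export is where 12-digit account IDs lose their leading zeros and stray columns appear. The following Python validator is an added example, not AWS code; it checks a CSV against the `Account ID,Email` format the console expects before you upload it, and reports every problem with its line number rather than stopping at the first. The sample file contents are constructed, the email pattern is deliberately simple (one `@`, a dotted domain), and the duplicate-ID and leading-zero checks are the example's own additions to the format rules.

```python
"""Validate a bulk-invitation CSV before uploading it (added example)."""
import csv
import io
import re

EXPECTED_HEADER = ["Account ID", "Email"]
ACCOUNT_ID = re.compile(r"^\d{12}$")          # AWS account IDs are exactly 12 digits, zeros included
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # simple shape check, not full RFC 5322


def validate_member_csv(text):
    """Parse CSV text in the 'Account ID,Email' format.
    Returns (rows, errors): rows is a list of (account_id, email) tuples that passed every
    check; errors is a list of messages with 1-based line numbers (line 1 is the header)."""
    rows, errors, seen = [], [], set()
    reader = csv.reader(io.StringIO(text.lstrip("\ufeff")))  # tolerate a UTF-8 BOM from spreadsheets
    header = next(reader, None)
    if header is None or [h.strip() for h in header] != EXPECTED_HEADER:
        return [], [f"line 1: header must be exactly '{','.join(EXPECTED_HEADER)}', got {header!r}"]
    for lineno, fields in enumerate(reader, start=2):
        fields = [f.strip() for f in fields]
        if not any(fields):
            continue  # blank line, ignore
        if len(fields) != 2:
            errors.append(f"line {lineno}: expected 2 comma-separated values, got {len(fields)}")
            continue
        account_id, email = fields
        if not ACCOUNT_ID.match(account_id):
            errors.append(f"line {lineno}: account ID must be 12 digits, got {account_id!r}"
                          " (check for stripped leading zeros)")
            continue
        if not EMAIL.match(email):
            errors.append(f"line {lineno}: invalid email {email!r}")
            continue
        if account_id in seen:
            errors.append(f"line {lineno}: duplicate account ID {account_id}")
            continue
        seen.add(account_id)
        rows.append((account_id, email))
    return rows, errors


# Constructed sample file: two good rows, then a short ID, a duplicate, and a bad address.
SAMPLE = """Account ID,Email
555555555555,user@example.com
123456789012, second@example.com
12345678901,short@example.com
555555555555,dupe@example.com
666666666666,not-an-email
"""

if __name__ == "__main__":
    good, bad = validate_member_csv(SAMPLE)
    print(f"{len(good)} valid rows, {len(bad)} problems")
    for message in bad:
        print(" ", message)
```

Only upload when `errors` is empty; a file that passes here still depends on each email matching the one registered for that account, which the console checks on its side.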

**Step 2 - Invite an account**

1. Open the GuardDuty console at [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/).

1. In the navigation pane, choose **Accounts**. 

1. Select one or more accounts that you want to invite to Amazon GuardDuty. 

1. Choose the **Actions** dropdown menu and then choose **Invite**.

1. In the **Invitation to GuardDuty** dialog box, enter an (optional) invitation message.

   If the invited account does not have access to email, select the checkbox **Also send an email notification to the root user on the invitee's AWS account and generate an alert in the invitee's AWS Health Dashboard**.

1. Choose **Send invitation**. If the invitees have access to the specified email address they can view the invite by opening the GuardDuty console at [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/).

1. When an invitee accepts the invite, the value in the **Status** column changes to **Invited**. For information about accepting an invite, see [Step 3 - Accept an invitation](#guardduty_accept_invite_proc).

**Step 3 - Accept an invitation**

1. Open the GuardDuty console at [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/).
**Important**  
You must enable GuardDuty before you can view or accept a membership invitation.

1. Do the following only if you haven't enabled GuardDuty yet; otherwise, you can skip this step and continue with the next step.

   If you haven't yet enabled GuardDuty, choose **Get Started** on the Amazon GuardDuty page. 

   On the **Welcome to GuardDuty** page, choose **Enable GuardDuty**.

1. After you enable GuardDuty for your account, use the following steps to accept the membership invitation: 

   1. In the navigation pane, choose **Settings**.

   1. Choose **Accounts**.

   1. On the **Accounts** page, verify the owner of the account from which you are accepting the invitation. Turn on **Accept** to accept the membership invite. 

1. After you accept the invite, your account becomes a GuardDuty member account. The account whose owner sent the invitation becomes the GuardDuty administrator account. The administrator account will know that you have accepted the invitation. The **Accounts** table in their GuardDuty account will get updated. The value in the **Status** column corresponding to your member account ID will change to **Enabled**. The administrator account owner can now view and manage GuardDuty and protection plan configurations on behalf of your account. The administrator account can also view and manage GuardDuty findings generated for your member account.

------
#### [ API/CLI ]

You can designate a GuardDuty administrator account, and create or add GuardDuty member accounts by invitation, through the API operations. Run the following GuardDuty API operations in order to designate the administrator account and member accounts in GuardDuty.

Complete the following procedure using the credentials of the AWS account that you want to designate as the GuardDuty administrator account.

**Creating or adding member accounts**

1. Run the [CreateMembers](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_CreateMembers.html) API operation using the credentials of the AWS account that has GuardDuty enabled. This is the account that you want to be the GuardDuty administrator account.

   You must specify the detector ID of the current AWS account and the account ID and email address of the accounts that you want to become GuardDuty members. You can create one or more members with this API operation.

   You can also use the AWS CLI to designate an administrator account by running the following command. Make sure to use your own valid detector ID, account ID, and email.

   To find the `detectorId` for your account and current Region, see the **Settings** page in the [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/) console, or run the [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html) API.

   ```
   aws guardduty create-members --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-details AccountId=111122223333,Email=guardduty-member@organization.com
   ```

1. Run [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_InviteMembers.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_InviteMembers.html) by using the credentials of the AWS account that has GuardDuty enabled. This is the account that you want to be the GuardDuty administrator account.

   You must specify the detector ID of the current AWS account and the account IDs of the accounts that you want to become GuardDuty members. You can invite one or more members with this API operation.
**Note**  
You can also specify an optional invitation message by using the `message` request parameter.

   You can also use AWS Command Line Interface to designate member accounts by running the following command. Make sure to use your own valid detector ID and valid account IDs for the accounts you want to invite. 

   To find the `detectorId` for your account and current Region, see the **Settings** page in the [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/) console, or run the [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html) API.

   ```
   aws guardduty invite-members --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333
   ```

**Accepting invitations**

Complete the following procedure using the credentials of each AWS account that you want to designate as a GuardDuty member account.

1. Run the [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_CreateDetector.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_CreateDetector.html) API operation for each AWS account that was invited to become a GuardDuty member account and for which you want to accept an invitation.

   You must specify whether the detector resource is to be enabled. A detector must be created and enabled in order for GuardDuty to become operational, so you must enable GuardDuty before accepting an invitation.

   You can also do this with AWS Command Line Tools by running the following CLI command.

   ```
   aws guardduty create-detector --enable
   ```

1. Run the [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_AcceptAdministratorInvitation.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_AcceptAdministratorInvitation.html) API operation for each AWS account for which you want to accept the membership invitation, using that account's credentials.

   You must specify the detector ID of this member account, the account ID of the administrator account that sent the invitation, and the invitation ID of the invitation that you are accepting. You can find the account ID of the administrator account in the invitation email or by using the [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListInvitations.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListInvitations.html) API operation.

   You can also accept an invitation using AWS Command Line Tools by running the following CLI command. Make sure to use a valid detector ID, administrator account ID, and an invitation ID.

   To find the `detectorId` for your account and current Region, see the **Settings** page in the [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/) console, or run the [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html) API.

   ```
   aws guardduty accept-invitation --detector-id 12abc34d567e8fa901bc2d34e56789f0 --administrator-id 444455556666 --invitation-id 84b097800250d17d1872b34c4daadcf5
   ```
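The member-side steps above (create and enable a detector, accept the invitation, confirm the administrator), as an added example that is not part of the AWS documentation. It assumes boto3 is installed and that the credentials in the environment belong to the member account; the `pick_invitation` check only accepts the invitation sent by the administrator account you expect, so a pending invitation from any other account is never accepted by mistake.

```python
"""Accept a GuardDuty membership invitation from the member side.

Added example, not from the AWS documentation. Assumes boto3 is installed and
that the credentials in the environment belong to the member account. Account
and invitation IDs used in tests are constructed placeholders.
"""
import re
from typing import Optional

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def pick_invitation(invitations: list, expected_admin: str) -> Optional[str]:
    """Return the InvitationId sent by expected_admin, or None if there is none.

    Pending invitations from any other account are ignored, not accepted, so a
    stray invitation cannot route this account's findings to an administrator
    you did not choose. More than one invitation from the same admin is an error.
    """
    if not ACCOUNT_ID_RE.match(expected_admin):
        raise ValueError(f"not a 12-digit AWS account ID: {expected_admin!r}")
    ids = [inv["InvitationId"] for inv in invitations
           if inv.get("AccountId") == expected_admin]
    if len(ids) > 1:
        raise RuntimeError(f"{len(ids)} pending invitations from {expected_admin}")
    return ids[0] if ids else None


def ensure_detector(gd) -> str:
    """Return this account's detector ID for the current Region, creating an
    enabled one if none exists (CreateDetector fails if one already exists)."""
    existing = gd.list_detectors().get("DetectorIds", [])
    return existing[0] if existing else gd.create_detector(Enable=True)["DetectorId"]


def accept_from_admin(gd, expected_admin: str) -> dict:
    """Enable GuardDuty, accept the expected admin's invitation, then verify."""
    detector_id = ensure_detector(gd)
    pending = gd.list_invitations().get("Invitations", [])
    invitation_id = pick_invitation(pending, expected_admin)
    if invitation_id is None:
        raise RuntimeError(f"no pending GuardDuty invitation from {expected_admin}")
    gd.accept_administrator_invitation(DetectorId=detector_id,
                                       AdministratorId=expected_admin,
                                       InvitationId=invitation_id)
    # Verify the relationship now points at the administrator we expected.
    admin = gd.get_administrator_account(DetectorId=detector_id).get("Administrator", {})
    if admin.get("AccountId") != expected_admin:
        raise RuntimeError(f"administrator after accept is {admin.get('AccountId')}")
    return admin


if __name__ == "__main__":
    import boto3  # imported here so the helpers above stay importable offline
    print(accept_from_admin(boto3.client("guardduty"), "444455556666"))
```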

------

# Consolidating GuardDuty administrator accounts under a single organization
<a name="consolidate-orgs"></a>

GuardDuty recommends using association through AWS Organizations to manage member accounts under a delegated GuardDuty administrator account. You can use the example process outlined below to consolidate administrator accounts and members associated by invitation in an organization under a single delegated GuardDuty administrator account.

**Note**  
GuardDuty recommends using AWS Organizations instead of GuardDuty invitations, to manage your member accounts. For more information, see [Managing accounts with AWS Organizations](guardduty_organizations.md).

Accounts that are already being managed by a delegated GuardDuty administrator account, or active member accounts that are associated with a delegated GuardDuty administrator account, can't be added to a different delegated GuardDuty administrator account. Each organization can have only one delegated GuardDuty administrator account per Region, and each member account can have only one delegated GuardDuty administrator account.

Choose a preferred access method to consolidate GuardDuty administrator accounts under a single delegated GuardDuty administrator account.

------
#### [ Console ]

1. Open the GuardDuty console at [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/).

   To log in, use the credentials of the management account of the organization.

1. All the accounts for which you want to manage GuardDuty must be a part of your organization. For information about adding an account to your organization, see [Inviting an AWS account to join your organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_invites.html). 

1. Make sure all the member accounts are associated with the account that you want to designate as the single delegated GuardDuty administrator account. Disassociate any member account that is still associated with the pre-existing administrator accounts.

   The following steps will help you disassociate member accounts from the pre-existing administrator account:

   1. Open the GuardDuty console at [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/).

   1. To log in, use the credentials of the pre-existing administrator account.

   1. In the navigation pane, choose **Accounts**.

   1. On the **Accounts** page, select one or more accounts that you want to disassociate from the administrator account.

   1. Choose **Actions** and then choose **Disassociate account**.

   1. Choose **Confirm** to finalize the step.

1. Open the GuardDuty console at [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/).

   To log in, use the management account credentials.

1. In the navigation pane, choose **Settings**. On the **Settings** page, designate the delegated GuardDuty administrator account for the organization.

1. Log in to the designated delegated GuardDuty administrator account.

1. Add members from the organization. For more information, see [Managing GuardDuty accounts with AWS Organizations](guardduty_organizations.md).

------
#### [ API/CLI ]

1. All the accounts for which you want to manage GuardDuty must be a part of your organization. For information about adding an account to your organization, see [Inviting an AWS account to join your organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_invites.html). 

1. Make sure all the member accounts are associated with the account that you want to designate as the single delegated GuardDuty administrator account. 

   1. Run [DisassociateMembers](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DisassociateMembers.html) to disassociate any member account that is still associated with the pre-existing administrator accounts.

   1. Alternatively, you can use AWS Command Line Interface to run the following command and replace *777777777777* with the detector ID of the pre-existing administrator account from which you want to disassociate the member account. Replace *666666666666* with the AWS account ID of the member account that you want to disassociate. 

      ```
      aws guardduty disassociate-members --detector-id 777777777777 --account-ids 666666666666
      ```

1. Run [EnableOrganizationAdminAccount](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_EnableOrganizationAdminAccount.html) to delegate an AWS account as the delegated GuardDuty administrator account.

   Alternatively, you can use AWS Command Line Interface to run the following command to delegate a delegated GuardDuty administrator account:

   ```
   aws guardduty enable-organization-admin-account --admin-account-id 777777777777
   ```

1. Add members from the organization. For more information, see [Create or add member accounts using API](guardduty_become_console.md#guardduty_become_api).
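The disassociation step of the consolidation procedure above, as an added example that is not part of the AWS documentation. It assumes boto3 is installed and that the credentials belong to the pre-existing administrator account; it pages through ListMembers, releases members in batches of at most 50 (the DisassociateMembers limit), and reports any account GuardDuty refused to release so you can see what still blocks the move to the single delegated administrator.

```python
"""Release every member from a pre-existing GuardDuty administrator account so
those accounts can be added under the single delegated administrator.

Added example, not from the AWS documentation. Assumes boto3 is installed and
that the credentials belong to the pre-existing administrator account. The
detector and account IDs used in tests are constructed placeholders.
"""


def batches(ids: list, size: int = 50) -> list:
    """DisassociateMembers accepts at most 50 account IDs per call."""
    return [ids[i:i + size] for i in range(0, len(ids), size)]


def list_associated_members(gd, detector_id: str) -> list:
    """Page through ListMembers, returning only members still associated."""
    members, token = [], None
    while True:
        kwargs = {"DetectorId": detector_id, "OnlyAssociated": "true"}
        if token:
            kwargs["NextToken"] = token
        page = gd.list_members(**kwargs)
        members.extend(page.get("Members", []))
        token = page.get("NextToken")
        if not token:
            return members


def release_members(gd, detector_id: str) -> dict:
    """Disassociate all associated members; report released and rejected ones."""
    ids = sorted(m["AccountId"] for m in list_associated_members(gd, detector_id))
    unprocessed = []
    for batch in batches(ids):
        resp = gd.disassociate_members(DetectorId=detector_id, AccountIds=batch)
        # Each rejected account comes back with a Result string explaining why.
        unprocessed.extend(resp.get("UnprocessedAccounts", []))
    failed = {u["AccountId"] for u in unprocessed}
    return {"released": [i for i in ids if i not in failed],
            "unprocessed": unprocessed}


if __name__ == "__main__":
    import sys
    import boto3  # imported here so the helpers above stay importable offline
    # Usage: python release_members.py <detector-id-of-pre-existing-admin>
    print(release_members(boto3.client("guardduty"), sys.argv[1]))
```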

------

**Important**  
To maximize the effectiveness of GuardDuty, a regional service, we recommend that you designate your delegated GuardDuty administrator account and add all your member accounts in every Region.

# GuardDuty considerations for exporting member account details in CSV format
<a name="exporting-guardduty-accounts-data-to-csv"></a>

As a GuardDuty administrator account, you can export the member account details in a CSV format. These details include the member account ID, name, type (added by AWS Organizations or through invitation), and configuration status of GuardDuty and dedicated protection plans.

The **Export CSV** option is displayed on the GuardDuty **Accounts** page based on how you manage the multiple member accounts. By using the **Export CSV** option, you can identify which member accounts have a specific protection plan enabled. 

The following list provides the criteria that determine whether the **Export CSV** option is available on your GuardDuty **Accounts** page:
+ You use only AWS Organizations to manage multiple member accounts, and the total number of member accounts in your GuardDuty organization is up to 5,000.
+ You use both AWS Organizations and the invitation method, and the total number of member accounts in your GuardDuty organization is up to 5,000.

  In this scenario, the exported CSV will include whether a member account was added through AWS Organizations or by using the invitation-based method.
+ When you use only the invitation-based method to manage multiple member accounts, there is no **Export CSV** option.