Guided Walkthroughs

Configuration Packages

By Implementation

Service Control PoliciesConfig RulesAuto Remediation RulesConformance PacksAmazon GuardDutyAmazon InspectorAWS Security HubAWS Network FirewallRoute53 Resolver SecurityAmazon MacieS3 Bucket PoliciesCloudWatch Alarms and Event RulesAWS WAFAWS Secrets ManagerAWS Systems ManagerSecurity Groups & NACLsAWS KMSAWS SSOIAM PoliciesVPC Endpoint PoliciesCloudFormation Guard RulesLoad BalancersRDS Event SubscriptionsAWS Resource Access Manager (RAM)

By Service Protected

Reference Guides


Guided Walkthroughs

Delegated Security Account


  • This guide configures delegation for the main AWS security services to create a dedicated security account. The security account aggregates all findings and alerts from the various services to allow for centralized monitoring and response.
  • The guide creates two CLI scripts to be applied in the organization Management Account and the member account designated as the central Security Account. The following services are included in this guide: 
    • GuardDuty: Signature and anomaly-based security detection in the account to alert on suspicious activity
    • Security Hub: Aggregates findings from various security services and enables compliance monitoring according to standards such as CIS, PCI DSS, and AWS best practices
    • Access Analyzer: Identifies resources in the organization that are shared with external entities
    • Inspector: Software vulnerability scanning for EC2 instances and ECR repositories
    • Macie: Automates the discovery of sensitive data on Amazon S3 buckets
  • Important: This guide requires a recent scan of your organization management AWS account to ensure an up-to-date view of the AWS environment, configuration, and resources

A premium subscription is required for this content


Account Summary

Select AWS account and region to display account summary
Hide Info

AWS Account/Regions

Management AWS Account

Select the organization management account which is used to delegate management of security services to the dedicated security account.

Security Account

Enter the account id for the AWS account that will be designated as the central security account. This account will be delegated the permissions to manage security services on behalf of the organization and aggregate findings across all member accounts.

AWS Regions

AWS services operate independently in each region, and so it is required that you select each region you want to enable delegation for (It is recommended to enable this in all active regions in your organization).


Organization Management Account AWS Shell
Run the following commands in the organization management account to delegate the management of the selected security services


aws --region "us-east-1" guardduty enable-organization-admin-account --admin-account-id "" 

aws --region "us-east-1" securityhub enable-organization-admin-account --admin-account-id "" 

aws --region "us-east-1" organizations register-delegated-administrator --account-id "" --service-principal ""

aws --region "us-east-1" inspector2 enable-delegated-admin-account --delegated-admin-account-id "" 

Dedicated Security Account AWS Shell
Run the following commands in the organization designated security account to update the settings for the delegated security services


gdDetectorId=$(aws --region "us-east-1" guardduty list-detectors --query "DetectorIds[0]" --output=text)
aws --region "us-east-1" guardduty update-organization-configuration --detector-id $gdDetectorId --auto-enable 
aws --region "us-east-1" guardduty create-members --detector-id $gdDetectorId --account-details AccountId=,Email=

aws --region "us-east-1" securityhub update-organization-configuration --auto-enable
aws --region "us-east-1" securityhub create-members --account-details AccountId=,Email=

aws --region "us-east-1" inspector2 enable --resource-types EC2 ECR
aws --region "us-east-1" inspector2 associate-member --account-id 
aws --region "us-east-1" inspector2 update-organization-configuration --auto-enable ec2=true,ecr=true
aws --region "us-east-1" inspector2 enable --account-ids  --resource-types EC2 ECR