Best practices to deploy GuardDuty, Macie, Sec Hub and Config in a Multi-account environment?


In a multi-account environment w/ AWS Organizations enabled - what are the best practices for deploying/enabling GD, Macie, Sec Hub?

  • how to enable the services (stacksets, pipeline, orgs)
  • what roles/SRLs are optional (comply w/ least privilege)
  • how to handle finding aggregation
  • recommendations for upkeep of services
  • gotcha's to look out for
5 Answers

hi, I'd strongly recommend 2 AWS whitepapers exactly providing answers to your various questions:

  1. AWS Security Reference Architecture:
  2. Organizing Your AWS Environment UsingMultiple Accounts:
profile pictureAWS
answered 2 years ago

AWS released "Best practices for setting up your multi-account AWS environment." See: . In addition, AWS recently released (11/18/2021) nested organization units (making account implementation of security controls easier). See:

answered 2 years ago
  • Nested OUs were released for environments governed by AWS Control Tower in 11/2021, they have previously been available natively for all organizations.


This blog post also may be useful - it covers some key best practices for enabling and managing (inc. the management of access to) Security Hub and how to integrate with other services such as Guard Duty:

answered 2 years ago

In addition to all of the other comments (which you should definitely refer to the security architecture), there's two common principles that are recommended for all organizations. (1) Enable AWS security services at the organization level. This allows the services to view findings new accounts as they are added to your organization. (2) Set a single security account as the delegated administrator for your security services. This allows your security team access to findings across your org from all of the security services outside without needing to use the management account.

answered 2 years ago

There's a lot packed in that question. 

I would advise you to look into Control Tower to manage and govern your multi-account environment. 

To extend Control Tower with Pipelines, look at Customization for Control Tower. 

Between these two solutions, you have a powerful way of governing and securing your mult-account environment. 

With respect to GuardDuty, SecurityHub and Macie, enable them in Organization for all accounts. 

Organizations should be set up in your Management (formerly Master) account. 

Findings should be sent downstream to a SEIM solution. 

With respect to what roles are "optional", it all depends what you have in mind for those roles. In general, the goal should be to keep the grubby, human fingers out of the environment, which can be achieved using pipelines.

answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions