Confused about GuardDuty features at the organization level

Hi everybody,

My goal is to enable GuardDuty protections for many accounts at the Org level (from a single place).

When I work with GuardDuty in the AWS console:

  • From the master account, I delegated GuardDuty to an account called “DevOps”.
  • Then, in this “DevOps” account, I just go to GuardDuty, click on the “Accounts” tab in the left menu, click on the “Edit Protection Plans” button, and then select protections for each (or many) AWS accounts.

That works and is very clear.

Now I would like to do the same with Terraform (skipping the account delegation part) and found that the resource “aws_guardduty_organization_configuration_feature” seems to do the same task.

But in some examples I read, for example How To Implement AWS SSB Controls in Terraform - Part 2 or terraform-aws-mcaf-landing-zone/guardduty.tf at master · schubergphilis/terraform-aws-mcaf-landing-zone · GitHub, we need to run the resource “aws_guardduty_organization_configuration_feature” in the account that we want to enable, not in the GuardDuty management account (in my case, the “DevOps” account).

So this really confuses me. Could anyone help clarify whether my understanding is right or wrong?
Is there any way to enable GuardDuty protections for many accounts at the Org level (from a single place) using Terraform?

Thank you so much.

Best Regards,

You might have resolved the issue by now, but a response is better late than never :slight_smile:

If you refer to the org example I gave in How To Implement AWS SSB Controls in Terraform - Part 2, you will notice that it is a multi-provider configuration. The aws_guardduty_organization_configuration resource is actually run on the delegated administrator account, as specified in the provider argument. In my case it’s called audit because that’s typically the account created by AWS Control Tower for security uses. In your case, I assume that it would be your “DevOps” account.

The aws_guardduty_organization_configuration_feature resource is also associated with the delegated administrator account/provider to specify the GuardDuty features you want to enable via the organization configuration.

Hope this helps.

I ended up writing a blog post on this topic. Feel free to check it out for a detailed explanation and potential issues.
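To make the multi-provider point in the answer above concrete, here is an added example of the layout described (it is not the answerer's code, nor taken from the linked blog post or the schubergphilis module). It assumes two provider aliases built with assume_role, placeholder account IDs and role names, and a single region; the resource names and feature names are the ones documented by the AWS provider, everything else is an assumption for illustration.

```hcl
# Added example, not from the original thread. Account IDs, role names and
# the region are placeholders; adjust them to your organization.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.23" # first 5.x releases with the organization feature resource
    }
  }
}

# Organizations management account: only needed for the delegation step.
provider "aws" {
  alias  = "management"
  region = "eu-west-1"
  assume_role {
    role_arn = "arn:aws:iam::111111111111:role/TerraformRole" # assumed
  }
}

# Delegated GuardDuty administrator ("DevOps" in the question). Every
# organization-level GuardDuty resource below uses THIS provider.
provider "aws" {
  alias  = "devops"
  region = "eu-west-1"
  assume_role {
    role_arn = "arn:aws:iam::222222222222:role/TerraformRole" # assumed
  }
}

# Step 1 (management account): delegate GuardDuty administration.
# Drop this block (and the depends_on below) if, as in the question,
# the delegation was already done in the console.
resource "aws_guardduty_organization_admin_account" "this" {
  provider         = aws.management
  admin_account_id = "222222222222"
}

# Step 2 (delegated admin): delegation enables GuardDuty in the admin
# account, so a detector normally already exists there. Read it instead of
# creating a second one (a fresh aws_guardduty_detector would fail with
# "detector already exists" unless imported).
data "aws_guardduty_detector" "devops" {
  provider   = aws.devops
  depends_on = [aws_guardduty_organization_admin_account.this]
}

# Step 3 (delegated admin): auto-enable GuardDuty for the whole organization.
# "ALL" covers existing members and accounts that join later; "NEW" would
# leave existing members untouched.
resource "aws_guardduty_organization_configuration" "this" {
  provider                         = aws.devops
  detector_id                      = data.aws_guardduty_detector.devops.id
  auto_enable_organization_members = "ALL"
}

# Step 4 (delegated admin): the protection plans from the console's
# "Edit Protection Plans" screen, one resource per feature, all bound to the
# same admin-account detector and provider.
locals {
  org_features = {
    S3_DATA_EVENTS         = "ALL"
    EKS_AUDIT_LOGS         = "ALL"
    EBS_MALWARE_PROTECTION = "ALL"
    RDS_LOGIN_EVENTS       = "ALL"
    LAMBDA_NETWORK_LOGS    = "ALL"
  }
}

resource "aws_guardduty_organization_configuration_feature" "this" {
  for_each = local.org_features

  provider    = aws.devops
  detector_id = data.aws_guardduty_detector.devops.id
  name        = each.key
  auto_enable = each.value

  depends_on = [aws_guardduty_organization_configuration.this]
}

# Runtime Monitoring carries sub-settings, so it gets its own resource.
resource "aws_guardduty_organization_configuration_feature" "runtime" {
  provider    = aws.devops
  detector_id = data.aws_guardduty_detector.devops.id
  name        = "RUNTIME_MONITORING"
  auto_enable = "ALL"

  additional_configuration {
    name        = "EKS_ADDON_MANAGEMENT"
    auto_enable = "ALL"
  }
  additional_configuration {
    name        = "ECS_FARGATE_AGENT_MANAGEMENT"
    auto_enable = "NEW" # only accounts that join after this applies
  }

  depends_on = [aws_guardduty_organization_configuration.this]
}
```

Two things to check after applying: the provider meta-argument, not the directory the code lives in, is what decides which account the API call runs against, so `terraform plan` should show the organization resources being created with the devops alias only; and GuardDuty organization configuration is per region, so this whole block has to be repeated (or wrapped in a module) with one provider alias per region you want covered.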

@acwwat Hi, ya I have resolved it but thank you so much for your reply :slight_smile: