Enabling GuardDuty Malware across all Organization accounts errors out

0

I'm using our Management account to do this. The main GuardDuty service is enabled on a vast majority of our Organization accounts already. I do not need to enable GuardDuty itself, just turn on the new Malware protection.

Enter image description here

However, I keep getting this nondescript error. It's been happening for a week now.

Enter image description here

There is a note under GuardDuty > Accounts that says:

For member accounts, managed by invitation, please follow the instructions here to enable GuardDuty Malware Protection.

This doesn't make a lot of sense, though, because those instructions are for enabling the core GuardDuty service en masse. We've already done that.

What am I missing?

1 Answer
0

In a multi-account environment, only GuardDuty administrator accounts can configure malware protection. GuardDuty administrator accounts can enable or disable the use of Malware Protection for their member accounts. Once the administrator configures GuardDuty Malware Protection for a member account, the member account will follow the administrator account settings and be unable to modify these settings through the console. If the GuardDuty delegated administrator is not the same as management account in the AWS Organization, the management account must first enable malware protection feature for their Organization in GuardDuty. This way, the delegated administrator can get permissions to create the service-linked role (SLR) for GuardDuty Malware Protection in member accounts that are managed through AWS Organizations.

https://docs.aws.amazon.com/guardduty/latest/ug/malware-protection.html#configure-malware-protection-multi-account

AWS
Rumaisa
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions