Best practices to deploy GuardDuty, Macie, Sec Hub and Config in a Multi-account environment?
In a multi-account environment w/ AWS Organizations enabled - what are the best practices for deploying/enabling GD, Macie, Sec Hub?
- how to enable the services (stacksets, pipeline, orgs)
- what roles/SRLs are optional (comply w/ least privilege)
- how to handle finding aggregation
- recommendations for upkeep of services
- gotchas to look out for
Hi, I'd strongly recommend two AWS whitepapers that provide exactly the answers to your various questions:
- AWS Security Reference Architecture: https://d1.awsstatic.com/APG/aws-security-reference-architecture.pdf
- Organizing Your AWS Environment Using Multiple Accounts: https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/organizing-your-aws-environment.pdf#organizing-your-aws-environment
AWS released "Best practices for setting up your multi-account AWS environment." See: https://aws.amazon.com/blogs/mt/best-practices-for-organizational-units-with-aws-organizations/ . In addition, AWS recently released (11/18/2021) nested organization units (making account implementation of security controls easier). See: https://aws.amazon.com/about-aws/whats-new/2021/11/aws-control-tower-supports-nested-organizational-units/
This blog post may also be useful - it covers some key best practices for enabling and managing (incl. the management of access to) Security Hub and how to integrate it with other services such as GuardDuty: https://aws.amazon.com/blogs/security/nine-aws-security-hub-best-practices/
In addition to all of the other comments (and you should definitely refer to the security reference architecture), there are two common principles that are recommended for all organizations. (1) Enable AWS security services at the organization level. This allows the services to view findings from new accounts as they are added to your organization. (2) Set a single security account as the delegated administrator for your security services. This allows your security team access to findings across your org from all of the security services without needing to use the management account.
There's a lot packed in that question.
I would advise you to look into Control Tower to manage and govern your multi-account environment.
https://aws.amazon.com/controltower
To extend Control Tower with Pipelines, look at Customization for Control Tower.
https://aws.amazon.com/solutions/implementations/customizations-for-aws-control-tower/
Between these two solutions, you have a powerful way of governing and securing your multi-account environment.
With respect to GuardDuty, Security Hub and Macie, enable them at the Organizations level for all accounts.
Organizations should be set up in your Management (formerly Master) account.
Findings should be sent downstream to a SIEM solution.
With respect to what roles are "optional", it all depends what you have in mind for those roles. In general, the goal should be to keep grubby human fingers out of the environment, which can be achieved using pipelines.
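The two-step enablement the answers above describe (designate the delegated administrator from the management account, then auto-enrol members from the security account) plus the downstream forwarding to a SIEM, written out as an added AWS CLI script. This is an example added here, not code from the thread or from AWS. The account id 111122223333, the profile name security-admin, the Config aggregator role ARN and the SIEM event-bus ARN are hypothetical placeholders; DRY_RUN defaults to 1 so the script only prints the commands until you run it with DRY_RUN=0.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: the two-step enablement the answers describe,
# driven by the AWS CLI. Step 1 runs with MANAGEMENT-account credentials; steps 2 and 3
# run with a profile for the delegated-admin SECURITY account.
# Hypothetical values: account id 111122223333, profile "security-admin", the Config
# aggregator role and the SIEM event-bus ARN. DRY_RUN=1 (the default) only prints the
# commands; run with DRY_RUN=0 to apply them.
set -eu

SECURITY_ACCOUNT="${SECURITY_ACCOUNT:-111122223333}"
SECURITY_PROFILE="${SECURITY_PROFILE:-security-admin}"
HOME_REGION="${HOME_REGION:-us-east-1}"
CONFIG_AGG_ROLE="${CONFIG_AGG_ROLE:-arn:aws:iam::111122223333:role/OrgConfigAggregatorRole}"
SIEM_BUS_ARN="${SIEM_BUS_ARN:-arn:aws:events:us-east-1:111122223333:event-bus/siem-ingest}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1 (management account): hand each service to the security account.
# After this, nothing else needs to run from the management account.
delegate_admin() {
  run aws guardduty enable-organization-admin-account --admin-account-id "$SECURITY_ACCOUNT" --region "$HOME_REGION"
  run aws securityhub enable-organization-admin-account --admin-account-id "$SECURITY_ACCOUNT" --region "$HOME_REGION"
  run aws macie2 enable-organization-admin-account --admin-account-id "$SECURITY_ACCOUNT" --region "$HOME_REGION"
  # AWS Config has no service-specific call; delegate it through Organizations.
  run aws organizations enable-aws-service-access --service-principal config.amazonaws.com
  run aws organizations register-delegated-administrator --account-id "$SECURITY_ACCOUNT" --service-principal config.amazonaws.com
}

# Step 2 (security account): enrol every existing and future member account, so a
# new account is monitored the moment it joins the organization.
configure_members() {
  opts="--profile $SECURITY_PROFILE --region $HOME_REGION"
  detector_id="DETECTOR_ID"   # placeholder in dry-run; looked up for real below
  if [ "$DRY_RUN" != "1" ]; then
    detector_id=$(aws guardduty list-detectors $opts --query 'DetectorIds[0]' --output text)
  fi
  run aws guardduty update-organization-configuration $opts --detector-id "$detector_id" --auto-enable-organization-members ALL
  run aws securityhub update-organization-configuration $opts --auto-enable
  run aws macie2 update-organization-configuration $opts --auto-enable
  # One Config aggregator over all accounts and regions (the role needs the
  # AWSConfigRoleForOrganizations managed policy).
  run aws configservice put-configuration-aggregator $opts --configuration-aggregator-name org-aggregator \
    --organization-aggregation-source "RoleArn=$CONFIG_AGG_ROLE,AllAwsRegions=true"
}

# Step 3 (security account): aggregate Security Hub across regions, then forward only
# HIGH/CRITICAL findings to the SIEM's event bus so it is not flooded with
# informational noise. A bus in another account additionally needs RoleArn= on the target.
forward_findings() {
  opts="--profile $SECURITY_PROFILE --region $HOME_REGION"
  run aws securityhub create-finding-aggregator $opts --region-linking-mode ALL_REGIONS
  pattern='{"source":["aws.securityhub"],"detail-type":["Security Hub Findings - Imported"],"detail":{"findings":{"Severity":{"Label":["HIGH","CRITICAL"]}}}}'
  run aws events put-rule $opts --name securityhub-to-siem --event-pattern "$pattern"
  run aws events put-targets $opts --rule securityhub-to-siem --targets "Id=siem,Arn=$SIEM_BUS_ARN"
}

main() {
  delegate_admin
  configure_members
  forward_findings
}

main
```

The GuardDuty, Security Hub and Macie delegated-admin and auto-enable settings are regional, so steps 1 and 2 have to be repeated for every region you operate in (the same security account must be used in each); only the Config delegation through Organizations is global. Keeping the script in a pipeline rather than running it by hand is what the answer above means by keeping human fingers out of the environment.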
Nested OUs were released for environments governed by AWS Control Tower in 11/2021; they had previously been available natively for all organizations.