KubeNine
All case studies

Security

Standing up org-wide threat detection across a 5-account AWS org

Rolling out Amazon GuardDuty across a cross-border payments company's entire AWS Organization — one security account, one pane of glass, centralized findings, real-time alerting.

5 (auto-enroll ALL)
Accounts covered
6
Protection features
Every 15 min
Finding publishing

// the challenge

A cross-border payments company ran five AWS accounts and an EKS platform with no centralized threat detection. It needed GuardDuty enabled org-wide, with findings in one place, durable storage, and real-time alerts — configured once, not account by account.

// our approach

  • Had the management account delegate GuardDuty administration to a dedicated security account, so all org configuration lives there with no per-member Terraform.
  • Managed everything in Terraform (>=1.3, AWS provider >=5.42) split into management/ and delegated-admin/ workspaces, with org auto-enable set to ALL so current and future member accounts are covered automatically.
  • Exported findings (published every 15 minutes) to a KMS-encrypted, versioned, TLS-enforced, public-access-blocked S3 bucket, with key rotation on and a 7-day deletion window.
  • Enabled S3 Data Events and EKS Audit Logs org-wide with EKS Runtime Monitoring, RDS Login Events, Lambda Network Logs, and Malware Protection staged, and wired EventBridge on severity >=7 to SNS email with a readable transform.

// the outcome

The organization now has org-wide threat-detection coverage across all five accounts from a single security account — four member accounts auto-enrolled, six protection features in place, and HIGH (severity >=7) and CRITICAL (>=9) findings routed to the team in near real time through a phased, per-region rollout.

Have a similar challenge?

Book a 15-minute call and we'll show you where we can help — no pitch, no obligation.