Security
Standing up org-wide threat detection across a 5-account AWS org
Rolling out Amazon GuardDuty across a cross-border payments company's entire AWS Organization — one security account, one pane of glass, centralized findings, real-time alerting.
- 5 (auto-enroll ALL)
- Accounts covered
- 6
- Protection features
- Every 15 min
- Finding publishing
// the challenge
A cross-border payments company ran five AWS accounts and an EKS platform with no centralized threat detection. It needed GuardDuty enabled org-wide, with findings in one place, durable storage, and real-time alerts — configured once, not account by account.
// our approach
- Had the management account delegate GuardDuty administration to a dedicated security account, so all org configuration lives there with no per-member Terraform.
- Managed everything in Terraform (>=1.3, AWS provider >=5.42) split into management/ and delegated-admin/ workspaces, with org auto-enable set to ALL so current and future member accounts are covered automatically.
- Exported findings (published every 15 minutes) to a KMS-encrypted, versioned, TLS-enforced, public-access-blocked S3 bucket, with key rotation on and a 7-day deletion window.
- Enabled S3 Data Events and EKS Audit Logs org-wide with EKS Runtime Monitoring, RDS Login Events, Lambda Network Logs, and Malware Protection staged, and wired EventBridge on severity >=7 to SNS email with a readable transform.
// the outcome
The organization now has org-wide threat-detection coverage across all five accounts from a single security account — four member accounts auto-enrolled, six protection features in place, and HIGH (severity >=7) and CRITICAL (>=9) findings routed to the team in near real time through a phased, per-region rollout.
Have a similar challenge?
Book a 15-minute call and we'll show you where we can help — no pitch, no obligation.
