Building a Multi-Account AWS Security Architecture: Centralized Monitoring with GuardDuty, Security Hub & More
By oculus
•
November 2, 2025
Building a Multi-Account AWS Security Architecture: Centralized Monitoring with GuardDuty, Security Hub & More
Modern enterprises rarely run workloads in a single AWS account. They adopt multi-account structures for isolation, compliance boundaries, billing clarity, and least-privilege governance.However, once your environment grows beyond a few accounts, centralized security visibility becomes essential — you need one place to view findings from all workloads.
This guide explains how to design and implement a centralized AWS security monitoring architecture using AWS Organizations, GuardDuty, Security Hub, and complementary services such as AWS Config, CloudTrail, and CloudWatch — all aggregated under a dedicated security account.
1. Core Principle — Separate "Security" as a First-Class Account
Create a Security Tooling Account whose sole purpose is to:
- Own and aggregate all security findings.
- Host cross-account roles for analysts, SIEM pipelines, and automation.
- Contain no workloads or customer data.
This account becomes the single pane of glass for your enterprise security team.
2. Organize with AWS Organizations
- Enable AWS Organizations and designate a Management Account (previously "Master").
- Structure Organizational Units (OUs) such as:
- Security OU – Security account + logging account
- Infrastructure OU – Shared services
- Sandbox OU – Dev/Test
- Production OU – Business workloads
- Service Control Policies (SCPs): enforce guardrails like "deny disablement of GuardDuty," "deny leaving Organization," or "deny S3 public buckets."
- Enable Trusted Access for GuardDuty, Security Hub, Config, and Detective so they can integrate across all member accounts.
3. Centralize Threat Detection with GuardDuty
GuardDuty detects anomalies from VPC flow logs, DNS logs, and CloudTrail.
Step-by-step
- In the Security Account, designate it as the GuardDuty Administrator:
aws guardduty enable-organization-admin-account --admin-account-id <security-account-id> - In all member accounts, enable GuardDuty via Organizations or StackSets.
- Findings from every account automatically appear in the Security Account's console.
- Automate response with EventBridge rules that forward GuardDuty findings to:
- A centralized Security Hub,
- A Lambda remediation function,
- Or an external SIEM (e.g., Splunk, QRadar, ELK) through Kinesis Firehose.
Tip: integrate with AWS Detective for visual graph investigation of GuardDuty alerts.
4. Aggregate Findings with Security Hub
Security Hub consolidates GuardDuty, Inspector, Macie, IAM Access Analyzer, and third-party partner findings under one normalized format (ASFF — AWS Security Finding Format).
Setup flow
- In the Security Account:
aws securityhub enable-organization-admin-account --admin-account-id <security-account-id> - Automatically enable Security Hub across the Org:
aws securityhub enable-import-findings-for-product --product-arn arn:aws:securityhub:::product/aws/guardduty - Configure standards (e.g., CIS AWS Foundations Benchmark 1.2, NIST 800-53 Rev 5) Org-wide.
- Findings from all accounts aggregate into the Security Account dashboard and can be exported via EventBridge → S3/SIEM.
Best practice: tag findings with AccountId, Region, and ResourceType so analytics tools can slice by OU or environment.
5. Complementary Services for Depth
Service | Role in Security Architecture | Centralization Method |
AWS Config | Tracks resource configuration, compliance against rules | Aggregator in Security Account |
AWS CloudTrail | Records all API activity | Central log bucket in Logging Account (encrypted, immutable) |
Amazon Macie | Scans S3 for PII, integrates with Security Hub | Security Account as admin |
Amazon Inspector | Vulnerability management for EC2/ECR/Lambda | Central admin in Security Account |
AWS Detective | Investigation and root-cause analysis | Delegated admin in Security Account |
AWS CloudWatch / EventBridge | Alert routing and automation | Cross-account event bus |
AWS Control Tower (optional) | Automates baseline setup | Creates Security, Logging, and Audit accounts by default |
6. Logging & Observability Architecture
- Central Logging Account
- Aggregates CloudTrail logs from all accounts.
- Enforce immutable S3 bucket (Object Lock + SSE-KMS).
- Enable organization-wide AWS Config delivery channel.
- Security Account subscribes to CloudWatch metrics, EventBridge events, and GuardDuty/Security Hub findings for correlation.
- Stream selected logs to your SIEM via Kinesis Firehose or OpenSearch Service.
7. Automating Onboarding of New Accounts
When new accounts join the Organization:
- Auto-enable GuardDuty & Security Hub through delegated admin API or Control Tower Lifecycle Events.
- Enforce baseline SCPs and Config rules.
- Push CloudTrail and Config delivery channels to the Logging Account automatically (StackSets or Control Tower Customizations).
Sample automation Lambda (pseudocode):
def handler(event, context):
account_id = event['detail']['serviceEventDetails']['createAccountStatus']['accountId']
enable_guardduty_for(account_id)
enable_securityhub_for(account_id)
attach_scp(account_id, 'DenyDisableSecurityServices')
8. Cross-Account Access and Least Privilege
- Use IAM Roles with externalId for analysts:Example — SecurityAuditRole trusted by the Security Account only.
- Disable root user access in member accounts.
- Grant read-only CloudWatch and Security Hub permissions via AWS-managed SecurityAudit policy.
9. Alerting and Automation
- EventBridge Rules trigger on Security Hub findings → route to SNS or Slack via Lambda.
- Automatic remediation examples:
- Public S3 bucket → auto-remove public ACLs.
- Exposed EC2 port 22 → apply stricter security group.
- High-severity GuardDuty alert → isolate instance with SSM automation doc.
10. Reporting & Continuous Improvement
- Export aggregated findings daily to S3 → Athena for dashboards (query by OU, severity, control ID).
- Integrate with AWS QuickSight or external BI tool.
- Run monthly governance reviews: verify all accounts remain enrolled and compliant.
- Periodically review AWS Security Hub standards (CIS, NIST, PCI-DSS) and enable new controls.
11. Summary — A Layered, Governed Approach
Layer | Purpose | Tooling |
Governance | Multi-account OU design, SCP guardrails | AWS Organizations, Control Tower |
Detection | Continuous threat detection | GuardDuty, Inspector, Macie |
Aggregation | Unified findings & compliance | Security Hub |
Investigation | Root-cause & graph analysis | Detective |
Response | Automated remediation | EventBridge, Lambda |
Visibility | Central dashboards | QuickSight, SIEM |
12. Final Thoughts
A centralized monitoring design does more than simplify dashboards—it standardizes your organization's security posture and enables rapid, automated response across dozens or hundreds of AWS accounts.
Think of your Security Account as your mission-control center:GuardDuty detects, Security Hub aggregates, Config audits, and CloudTrail proves what happened.When combined with solid automation and governance, this architecture delivers the holy grail of cloud security: visibility, speed, and control at scale.
Author's note:This approach aligns with AWS best practices described in the AWS Security Reference Architecture (SRA). For production, always enable Organization-wide delegated admin for GuardDuty, Security Hub, Config, Detective, and Macie, and maintain separate Logging and Security accounts under a governed Organization.
