runbooks security deploy-guardduty

Auto-generated from runbooks security deploy-guardduty --help on 2026-05-21. Source of truth: runbooks PyPI package v1.3.22

Usage: runbooks security deploy-guardduty [OPTIONS]

  Deploy GuardDuty organization-wide with delegated admin configuration (JIRA
  FIN-64).

  This command provides comprehensive GuardDuty deployment across AWS
  Organizations:

  Deployment Steps:
  1. Discover all accounts in organization
  2. Check current GuardDuty status across accounts
  3. Configure delegated admin account
  4. Enable GuardDuty across all active accounts
  5. Configure auto-enable for new accounts
  6. Validate 100% coverage and generate report

  Best Practices:
  - Delegated admin: Use Security/Audit account (not management account)
  - Auto-enable: Recommended (automatically enables for new accounts)
  - Finding aggregation: Central account receives all findings
  - Dry-run first: Always test deployment plan before execution

  GuardDuty Configuration:
  - Finding frequency: FIFTEEN_MINUTES (fastest detection)
  - S3 data events: ENABLED (bucket threat detection)
  - Kubernetes audit logs: ENABLED (EKS security)
  - Malware protection: ENABLED (EBS volume scanning)

  Examples:

    # Dry-run deployment plan (safe, no changes)
    runbooks security deploy-guardduty --delegated-admin 123456789012 --dry-run

    # Execute organization-wide deployment
    runbooks security deploy-guardduty --delegated-admin 123456789012 --no-dry-run

    # Deploy without auto-enable for new accounts
    runbooks security deploy-guardduty --delegated-admin 123456789012 --no-auto-enable --no-dry-run

Options:
  --profile TEXT                  AWS profile for single-account operations.

                                  Profile Selection Guide:
                                  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

                                  Single Account → Use --profile YOUR_PROFILE
                                    Example: --profile dev-account
                                    When: Developer/operator working in one
                                    AWS account

                                  Multi-Account LZ → Use --all-profiles (see
                                  inventory commands)
                                    Example: --all-profiles
                                    When: Platform team discovering across
                                    organization

                                  Enrichment Profiles (Automatic):
                                    • Organizations: MANAGEMENT_PROFILE
                                    • Costs: BILLING_PROFILE
                                    Note: Separate from discovery profile

                                  Decision: Single account = --profile |
                                  Multi-account = --all-profiles
  --region TEXT                   AWS region override (default:
                                  ap-southeast-2)
  --dry-run                       Safe analysis mode - no resource
                                  modifications (enterprise default)
  --delegated-admin TEXT          Account ID for GuardDuty delegated
                                  administrator  [required]
  --auto-enable-new-accounts / --no-auto-enable
                                  Auto-enable GuardDuty for new accounts
  --output-file TEXT              Output file for deployment report
  --output-dir PATH               Output directory for exported files
  --help                          Show this message and exit.
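
Deployment step 6 (validate 100% coverage) reduces to comparing the organization's active accounts against the GuardDuty member list. The following is an added example, not code from the runbooks package: the function name and sample records are constructed, and the record shapes are assumed to follow the Organizations ListAccounts and GuardDuty ListMembers responses.

```python
# Added example: not code from the runbooks package. Sample data is constructed.

def guardduty_coverage(org_accounts, members, delegated_admin, admin_detector_enabled):
    """Return (coverage_percent, uncovered) for ACTIVE organization accounts.

    org_accounts: dicts shaped like Organizations ListAccounts "Accounts" entries
    members:      dicts shaped like GuardDuty ListMembers "Members" entries
    """
    # Suspended or closing accounts are out of scope for the coverage target.
    active = {a["Id"]: a["Name"] for a in org_accounts if a["Status"] == "ACTIVE"}
    # Only a member whose RelationshipStatus is "Enabled" counts as covered.
    covered = {m["AccountId"] for m in members if m["RelationshipStatus"] == "Enabled"}
    # ListMembers returns member accounts, not the administrator itself, so the
    # delegated admin is counted from the state of its own detector.
    if admin_detector_enabled:
        covered.add(delegated_admin)
    uncovered = sorted((aid, name) for aid, name in active.items() if aid not in covered)
    if not active:
        return 100.0, []
    pct = round(100.0 * (len(active) - len(uncovered)) / len(active), 1)
    return pct, uncovered


# Constructed sample organization; 123456789012 is the delegated admin
# account ID used in the help text examples.
SAMPLE_ACCOUNTS = [
    {"Id": "123456789012", "Name": "security", "Status": "ACTIVE"},
    {"Id": "111111111111", "Name": "workload-a", "Status": "ACTIVE"},
    {"Id": "222222222222", "Name": "workload-b", "Status": "ACTIVE"},
    {"Id": "333333333333", "Name": "old-sandbox", "Status": "SUSPENDED"},
    {"Id": "444444444444", "Name": "new-account", "Status": "ACTIVE"},
]
SAMPLE_MEMBERS = [
    {"AccountId": "111111111111", "RelationshipStatus": "Enabled"},
    {"AccountId": "222222222222", "RelationshipStatus": "Created"},   # not enabled yet
    {"AccountId": "333333333333", "RelationshipStatus": "Enabled"},   # stale, suspended
    # 444444444444 joined after deployment and was never added as a member
]

if __name__ == "__main__":
    pct, gaps = guardduty_coverage(SAMPLE_ACCOUNTS, SAMPLE_MEMBERS, "123456789012", True)
    print(f"GuardDuty coverage: {pct}% of active accounts")
    for account_id, name in gaps:
        print(f"  not covered: {account_id} ({name})")
```

An account like `new-account` in the sample is the gap that appears when the deployment is run with `--no-auto-enable`.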

Examples