A security engineer is configuring Amazon GuardDuty in a multi-account environment using AWS Organizations. The engineer wants to designate a delegated administrator account to manage GuardDuty for all member accounts. Which AWS service must be used to enable GuardDuty for all accounts?
GuardDuty integrates with AWS Organizations for multi-account management.
Why this answer
Option D is correct because AWS Organizations is the foundational service required to designate a delegated administrator for Amazon GuardDuty in a multi-account environment. GuardDuty integrates directly with Organizations to allow a management account to enable GuardDuty for all member accounts and delegate administration to a specified account, which then manages threat detection across the organization without needing additional services.
Exam trap
The trap here is that candidates may dismiss AWS Organizations as merely an organizational tool and assume they need a separate service such as CloudFormation StackSets or Control Tower to enable GuardDuty across accounts. In fact, GuardDuty natively integrates with Organizations for delegated administration and automatic enablement.
How to eliminate wrong answers
Option A is wrong because AWS CloudFormation StackSets is used to deploy infrastructure as code across multiple accounts and regions, but it is not required or used to enable GuardDuty or designate a delegated administrator; GuardDuty's multi-account setup is managed through the GuardDuty console or API using Organizations.
Option B is wrong because AWS Control Tower provides a governance framework for landing zones and uses Account Factory and preventive/detective guardrails, but it does not directly enable GuardDuty or designate a delegated administrator; GuardDuty integration is handled via Organizations, not Control Tower.
Option C is wrong because AWS Config is a service for resource inventory, configuration history, and compliance rules, not for enabling GuardDuty or managing delegated administration; GuardDuty's multi-account enablement relies on Organizations APIs, not Config.