Skip to main content

Multi-Account Management

Guardian Pro is designed for organizations of any size, from a single AWS account to hundreds of accounts within an AWS Organization. The multi-account management capability lets you govern your entire AWS estate from a single Guardian Pro organization, with centralized visibility and account-level granularity.

How Multi-Account Works

When you connect Guardian Pro to your AWS Organization during onboarding, Guardian Pro automatically discovers all member accounts and deploys lightweight monitoring roles to each one. From that point forward, every account is independently scanned and monitored, while results are aggregated into a unified view across your organization.

Centralized Governance

Multi-account management gives you a single place to:

  • View aggregate health -- See the combined health score, finding counts, and compliance posture across all accounts.
  • Drill into any account -- Switch to an individual account to see its specific findings, cost data, and scan results.
  • Compare accounts -- Identify which accounts have the most critical issues or the highest spending.
  • Enforce consistent standards -- The same security checks, compliance frameworks, and cost policies apply uniformly across all accounts.
tip

The dashboard defaults to an aggregate view when you first sign in. Use the account selector in the header to focus on a specific account.

Organization Structure

Guardian Pro mirrors your AWS Organization structure automatically. When you onboard, Guardian Pro discovers:

  • All member accounts in your AWS Organization
  • Organizational Units (OUs) and their account memberships
  • Account metadata such as account names, IDs, and status

Automatic Account Discovery

When new accounts are added to your AWS Organization, Guardian Pro detects them during the next synchronization cycle. The monitoring role is automatically deployed to new accounts through the StackSet deployed during onboarding.

info

New accounts are detected and onboarded automatically if you used the recommended StackSet deployment during onboarding. For manually configured accounts, you will need to add them individually.

Account-Level Isolation

Each AWS account connected to Guardian Pro is treated as an independent unit:

AspectIsolation Guarantee
ScanningEach account is scanned independently with its own discovery and check cycle
FindingsFindings are scoped to the account where the resource was discovered
Cost dataSpending data is tracked and analysed per account
RemediationFixes are applied within the specific account where the finding exists
ComplianceCompliance scores are calculated per account and aggregated across the organization

This isolation ensures that issues in one account never affect the monitoring or remediation of another account.

Aggregate vs. Account Views

Guardian Pro provides two perspectives across all feature pages:

Aggregate View

The default view when no specific account is selected. Aggregate view shows:

  • Combined health score across all accounts
  • Total findings by severity, summed across accounts
  • Total AWS spending across the organization
  • Compliance posture averaged across all accounts

This is the view you want when reporting to leadership or assessing overall organizational risk.

Account View

When you select a specific account using the account selector, all pages update to show data only for that account:

  • Account-specific health score
  • Findings affecting only resources in that account
  • Cost data scoped to that account's spending
  • Compliance status reflecting only that account's controls
note

Switching accounts updates the Dashboard, Action Centre, Cost Intelligence, Compliance Dashboard, Architecture Advisor, Resource Explorer, and the AI Assistant context. The switch is instantaneous and does not require a page reload.

Managing Your Account Portfolio

Viewing Connected Accounts

To see all accounts connected to Guardian Pro:

  1. Navigate to Settings in the sidebar.
  2. Select Organization to view your full account list.
  3. Each account shows its name, AWS account ID, connection status, and the date it was added.

Account Statuses

StatusMeaning
ActiveThe account is fully connected and being scanned
PendingThe monitoring role is being deployed or has not been verified yet
ErrorThe monitoring role could not be assumed -- typically a permissions issue
DisconnectedThe account was removed or the monitoring role was deleted

Removing an Account

To stop monitoring a specific account:

  1. Navigate to Settings > Organization.
  2. Locate the account and select Remove.
  3. Confirm the removal.
caution

Removing an account deletes all historical findings, cost data, and compliance records for that account from Guardian Pro. This action cannot be undone. The IAM role in the AWS account itself is not automatically deleted -- you will need to remove it manually from the AWS Console or by deleting the StackSet instance.

Permissions Across Accounts

Your Guardian Pro user permissions apply uniformly across all accounts. If you have permission to view security findings, you can view them for any connected account. If you have remediation permissions, you can remediate findings in any account.

For more fine-grained control, see Users & Permissions in Settings.

Best Practices

  • Connect all accounts -- Even development and sandbox accounts benefit from security scanning. Misconfigurations in non-production accounts can still expose your organization to risk.
  • Review the aggregate view weekly -- Use the combined dashboard to spot trends across your organization, such as accounts with declining health scores.
  • Set budgets per account -- Use Cost Intelligence budgets at the account level to track spending against expected thresholds.
  • Use the AI Assistant for cross-account insights -- Ask questions like "Which account has the most critical findings?" or "Compare spending between my production accounts."

Next Steps