ThreatReaction
🛡Threat Reaction|Documentation

Accounts

The Accounts page manages the list of AWS accounts that Threat Reaction monitors. Each account entry associates a 12-digit AWS Account ID with a human-readable name, making it easier to identify the source account in the Events and Actions views.

In the app: /accounts

Account List

All registered accounts are listed with their Account ID, display name, and registration date. Threat Reaction uses this list to label findings and actions with the correct account name instead of the raw Account ID.

Adding an Account

To add an account:

  1. Enter the 12-digit AWS Account ID (no dashes).
  2. Enter an optional friendly name (e.g., "Production US-East").
  3. Click Add. The account appears in the list immediately.

The account must have GuardDuty enabled and the Threat Reaction EventBridge rule deployed in the same region to forward findings. In an AWS Organizations setup, this is typically handled by delegating GuardDuty to a central security account.

Deleting an Account

Removing an account from the list stops Threat Reaction from labeling new findings with that account's name. Existing events and actions for that account remain in DynamoDB — they are not deleted. The account ID will still appear in raw finding data; it will just not have a friendly name resolved.

Multi-Account Setups

If you use AWS Organizations with GuardDuty delegated administration, add the delegated security account here. All member account findings flow through the delegated account's EventBridge, so you only need one Threat Reaction stack. Add each member Account ID with a descriptive name to get human-readable labels in the Events view.

Account ID vs. Alias

AWS Account IDs are always 12-digit numbers. Do not use AWS account aliases (the custom names you set in the Billing console) — these are not unique across AWS and cannot be used to identify accounts in GuardDuty findings. Always use the numeric Account ID.

💡 Tip

In a multi-account Organization, register all member account IDs with descriptive names (e.g., 'Production', 'Staging', 'Data Science') so that Events and Actions are easy to triage at a glance.

ℹ️ Note

Threat Reaction does not cross-account by default. GuardDuty findings only flow in the region where the stack is deployed. To monitor a member account in a different region, deploy a separate Threat Reaction stack in that region.