What is the MOST operationally efficient way to meet these requirements?
Designate a central security account as the AWS Security Hub administrator account. Create a script that sends an invitation from the Security Hub administrator account and accepts the invitation from the member account. Run the script every time a new account is created. Configure Security Hub to run the CIS AWS Foundations Benchmark scans.
Run the CIS AWS Foundations Benchmark across all accounts by using Amazon Inspector.
Designate a central security account as the Amazon GuardDuty administrator account. Create a script that sends an invitation from the GuardDuty administrator account and accepts the invitation from the member account. Run the script every time a new account is created. Configure GuardDuty to run the CIS AWS Foundations Benchmark scans.
Designate an AWS Security Hub administrator account. Configure new accounts in the organization to automatically become member accounts. Enable CIS AWS Foundations Benchmark scans.
Explanations:
While Security Hub can run security checks, it does not run the CIS AWS Foundations Benchmark checks across all accounts unless the standard is specifically enabled. Relying on a script that sends and accepts a Security Hub invitation for every new account introduces unnecessary operational overhead when the organization integration can enroll new accounts automatically.
Amazon Inspector is not designed to scan AWS accounts against the CIS AWS Foundations Benchmark. It is primarily used to assess software vulnerabilities in EC2 instances and containerized applications, not to check organization-wide security best practices.
Amazon GuardDuty is a threat detection service focused on monitoring for malicious or unauthorized activity within AWS accounts. It does not offer native scanning of accounts against the CIS AWS Foundations Benchmark.
AWS Security Hub is the most operationally efficient way to scan all accounts for compliance with the CIS AWS Foundations Benchmark. It integrates natively with AWS Organizations, so new accounts in the organization can be configured to become Security Hub member accounts automatically, with no invitation script, and the CIS AWS Foundations Benchmark standard can then be enabled to run its checks across those accounts.