Amazon GuardDuty is a managed threat detection service that continuously monitors for malicious activity and unauthorized behavior. It can be centrally managed across hundreds of AWS accounts by designating a GuardDuty administrator account, typically through integration with AWS Organizations. This approach provides centralized visibility and management of security findings from all member accounts. GuardDuty automatically analyzes various data sources, including AWS CloudTrail event logs, VPC Flow Logs, and DNS logs, using machine learning and threat intelligence to identify threats. This fully managed solution requires minimal setup and maintenance, directly addressing the need for automatic detection with the least operational effort.

B. Centralize CloudWatch logs and use Inspector.

Amazon Inspector is a vulnerability management service for workloads like EC2 instances, not a real-time threat detection service for logs.

C. Centralize CloudTrail logs and query with Athena.

This solution is not automatic; it requires security analysts to manually write and run queries in Amazon Athena to search for threats, which is high operational effort.

D. Stream logs to Kinesis and process with Lambda.

This requires building and maintaining a custom detection solution using AWS Lambda, which represents the highest operational effort among the choices.

1. Amazon GuardDuty Documentation - Managing GuardDuty accounts with AWS Organizations: "To simplify the management of your multi-account environment, we recommend that you use our integration with AWS Organizations... The delegated GuardDuty administrator account can enable and manage GuardDuty for all accounts in the organization." This confirms the centralized management and low-effort scaling capability.

2. Amazon GuardDuty Documentation - How Amazon GuardDuty works: "GuardDuty is a regional security monitoring service that helps you identify and prioritize potential threats... GuardDuty processes data from multiple AWS sources, such as AWS CloudTrail event logs, Amazon VPC Flow Logs, and DNS logs." This highlights its automatic, log-based detection capabilities.

3. Amazon Inspector Documentation - What is Amazon Inspector?: "Amazon Inspector is a vulnerability management service that continuously scans your AWS workloads for software vulnerabilities and unintended network exposure." This clarifies that Inspector's purpose is vulnerability scanning, not log analysis for threat detection.

4. AWS Documentation - Querying AWS CloudTrail logs: This page details the process of setting up tables in the AWS Glue Data Catalog and using Amazon Athena to run standard SQL queries on CloudTrail logs stored in S3. This process demonstrates the manual, query-based nature of the solution, contrasting with GuardDuty's automatic detection.