Org-aware checks for GuardDuty / Security Hub / AWS Config (Delegated Admin + all opted-in Regions) #8710

@mmmasatooo

Description

New feature motivation

In AWS Organizations, it is a best practice to configure a delegated administrator for core security services (GuardDuty, Security Hub, AWS Config) and to ensure they are enabled in all opted-in Regions.
Currently, Prowler has checks such as organizations_delegated_administrators, but these mainly verify who is delegated, not whether each service is properly configured org-wide.

Without org-aware checks, gaps can occur:

  • GuardDuty or Security Hub may be enabled in some Regions but not others.
  • AWS Config may be enabled in an account but missing an org-wide aggregator.
  • Delegated Admin may not be set consistently across services.

Adding org-aware checks would help enterprises validate consistent service coverage across all accounts and Regions, strengthening centralized security posture.

Solution Proposed

Introduce new checks under the relevant services to verify Delegated Admin presence and Region coverage. Examples:

  • guardduty_delegated_admin_enabled_all_regions
    Verify a delegated admin account is set (list-organization-admin-accounts).
    Verify GuardDuty is enabled and detectors exist in all opted-in Regions.
    Verify org auto-enable is turned on (describe-organization-configuration).

  • securityhub_delegated_admin_enabled_all_regions
    Verify a delegated admin account is set (list-organization-admin-accounts).
    Verify Security Hub is enabled in all opted-in Regions.

  • config_delegated_admin_and_org_aggregator_all_regions
    Verify a delegated admin account is registered.
    Verify an Organization Aggregator exists with AllAwsRegions=true or matches the list of enabled Regions (DescribeConfigurationAggregators).

Supporting APIs:

  • account:ListRegions → get opted-in Regions
  • organizations:ListDelegatedAdministrators / ListAccounts
  • GuardDuty: list-organization-admin-accounts, describe-organization-configuration, list-detectors
  • Security Hub: list-organization-admin-accounts, service status APIs
  • Config: DescribeConfigurationAggregators

Describe alternatives you've considered

  • Manual validation: Security teams manually run CLI commands per Region/service → time-consuming and error-prone.
  • Account-level checks only: Works for single accounts, but misses org-wide gaps.
  • Relying on tags or spreadsheets: Requires constant updates and does not guarantee actual service enablement.

These approaches do not scale in multi-account, multi-Region organizations.

Additional context

  • GuardDuty and Security Hub are regional services: delegated admin and enablement must be verified per Region.
  • AWS Config requires an Organization Aggregator to collect data org-wide.
  • Existing Prowler check organizations_delegated_administrators validates trusted accounts, but not whether services are configured across all Regions.
  • I’d be happy to contribute implementation and tests for these checks, along with documentation updates.
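As an added example (not code from this issue or from Prowler), the following implements the guardduty_delegated_admin_enabled_all_regions logic described above over boto3-shaped responses: it lists opted-in Regions via account:ListRegions, then checks per Region for an ENABLED delegated admin, an existing detector and org auto-enable. FakeClient, evaluate and the FAKE_* data are assumptions constructed so the code runs offline; real boto3 clients can be passed in their place.

```python
# Added example (not Prowler's or the issue author's code): GuardDuty org-coverage
# check over opted-in Regions, driven by boto3-shaped responses. FakeClient and the
# FAKE_* data are constructed stand-ins; for real use pass boto3.client("account")
# and lambda r: boto3.client("guardduty", region_name=r).

def opted_in_regions(account_client):
    """account:ListRegions filtered to Regions that are usable right now."""
    resp = account_client.list_regions(
        RegionOptStatusContains=["ENABLED", "ENABLED_BY_DEFAULT"])
    return sorted(r["RegionName"] for r in resp["Regions"])

def guardduty_region_status(region, gd_client):
    """Per-Region: delegated admin set, detector present, org auto-enable on.
    DescribeOrganizationConfiguration needs a DetectorId, so a Region with no
    detector fails auto-enable instead of raising."""
    admins = gd_client.list_organization_admin_accounts()["AdminAccounts"]
    admin_set = any(a["AdminStatus"] == "ENABLED" for a in admins)
    detectors = gd_client.list_detectors()["DetectorIds"]
    auto_enable = False
    if detectors:
        cfg = gd_client.describe_organization_configuration(DetectorId=detectors[0])
        auto_enable = cfg.get("AutoEnableOrganizationMembers") in ("ALL", "NEW")
    return {"region": region, "admin_set": admin_set,
            "detector_exists": bool(detectors), "auto_enable": auto_enable,
            "passed": admin_set and bool(detectors) and auto_enable}

def evaluate(account_client, gd_client_for_region):
    """Org-wide verdict: PASS only when every opted-in Region passes."""
    statuses = [guardduty_region_status(r, gd_client_for_region(r))
                for r in opted_in_regions(account_client)]
    failing = [s["region"] for s in statuses if not s["passed"]]
    return ("PASS" if not failing else "FAIL"), failing

class FakeClient:
    """Constructed stand-in for a boto3 client: returns canned responses."""
    def __init__(self, responses):
        self._responses = responses
    def __getattr__(self, name):
        return lambda **_kwargs: self._responses[name]

FAKE_ACCOUNT = FakeClient({"list_regions": {"Regions": [
    {"RegionName": "eu-west-1"}, {"RegionName": "us-east-1"}]}})
FAKE_GUARDDUTY = {  # constructed: us-east-1 fully set up, eu-west-1 never touched
    "us-east-1": FakeClient({
        "list_organization_admin_accounts": {"AdminAccounts": [{"AdminAccountId": "111111111111", "AdminStatus": "ENABLED"}]},
        "list_detectors": {"DetectorIds": ["example-detector-id"]},
        "describe_organization_configuration": {"AutoEnableOrganizationMembers": "ALL"}}),
    "eu-west-1": FakeClient({"list_organization_admin_accounts": {"AdminAccounts": []},
                             "list_detectors": {"DetectorIds": []}}),
}
```

Running evaluate(FAKE_ACCOUNT, FAKE_GUARDDUTY.__getitem__) on the constructed data returns ('FAIL', ['eu-west-1']), the Region with no delegated admin and no detector.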
