A security team needs to continuously monitor their AWS environment for malicious activity, unauthorized behavior, and compromised EC2 instances. They want a centralized view across multiple accounts. Which solution is MOST appropriate?

Enable AWS CloudTrail in all accounts and use Amazon Athena to query logs daily.

Enable Amazon GuardDuty in all accounts and aggregate findings into a delegated administrator account using AWS Security Hub.

Deploy third-party IDS/IPS agents on all EC2 instances.

Use Amazon Macie to scan all EBS volumes for malicious files.