[AWS] AWS Organizations

AWS Organizations is a global service for managing multiple AWS accounts and their billing from one place. The number of accounts an organization can contain is a service quota (the default is low and can be raised on request), not a fixed limit.


Features and Benefits

  • Centralized management across a multi-account environment
    • Hierarchical grouping of accounts – Flexibility to organize accounts into Organizational Units (OUs)
  • Centralized cost management and optimized cost saving
  • Customize the environment with policies and tags
  • Integration with AWS Security Services
    • IAM Identity Center (formerly AWS SSO) for workforce access across accounts; security services such as GuardDuty, Security Hub and Config can be administered organization-wide from a delegated administrator account
  • Centralized auditing via CloudTrail across accounts
  • Share resources with RAM (Resource Access Manager)
  • The service itself is free of charge.

Organizational Units

  • An OU is a hierarchical, functional grouping of accounts.
    • The top of the hierarchy is the organization root. It is a container, not an account; every OU and account sits under it.
    • The account that creates the organization becomes the management account, from which you administer the organization.
  • OUs can be nested (up to five levels below the root).
    • When you attach a policy to a node in the hierarchy, it flows down and affects every OU and account beneath it.
    • An OU has exactly one parent.
    • Each account is a direct member of exactly one OU (or of the root).

Consolidating Bills

  • All accounts in an organization are billed through the management account (the payer account), which receives one consolidated bill.
    • The management account should be used for billing and organization administration only; keep workloads and day-to-day IAM users out of it, because SCPs cannot restrict it.
    • Economy of scale: usage is aggregated across all accounts, so volume-pricing tiers and Reserved Instance / Savings Plans discounts apply organization-wide.

Management

Management Policies

  • Tag policies
    • define the allowed tag keys, their capitalization and the allowed values, so tagging stays standardized across accounts.
    • With enforcement turned on, a tag policy makes non-compliant tagging operations fail on the resource types it lists.
      • A tag policy by itself does not require that a tag be present. To make resource creation fail when a tag is missing, use an SCP that denies the create action with a Null condition on aws:RequestTag/<key> (or aws:TagKeys).
  • Backup policies
    • let you define AWS Backup plans centrally and apply them to resources in every account in the organization.

SCP (Service Control Policies)

  • AWS Organizations limits what member accounts can do with Service Control Policies (SCPs). SCPs require the organization to have "all features" enabled, not just consolidated billing.
    • SCPs use the same JSON syntax as IAM policies, but they never grant permissions.
    • An SCP defines the maximum permissions (the boundary) available to principals in the affected accounts.
      • SCPs alone are not sufficient: an IAM identity policy (or a resource policy) must still grant the action, and the effective permission is the intersection of the two.
      • An explicit deny in an SCP wins over any allow, including allows in the account's own IAM policies.
  • SCPs can be attached to the organization root, to OUs and to individual accounts.
    • They apply to every member account beneath the attachment point. They do not affect the management account, and they do not restrict service-linked roles.
    • Policies are inherited: for an action to be allowed in an account, every SCP level from the root down to the account must allow it and no level may deny it. The default FullAWSAccess SCP, attached to every level, allows everything until you replace or supplement it.
  • Steps to attach an SCP to an account within an OU
    1. Log in to the management account and enable the SCP policy type on the organization root (policy types are disabled until you enable them).
    2. Create the SCP.
    3. Attach the SCP to the OU (or directly to the account). It takes effect immediately for every account beneath the attachment point.
  • Role switching is a method of accessing one account from another using only one set of credentials.
    • A role in Account B trusts Account A.
    • An identity in Account A can assume the role in Account B (sts:AssumeRole) <- Trust Policy
    • Using the role, it can operate inside Account B <- Permissions Policy
  • Setup
    • OrganizationAccountAccessRole is created automatically in every account that Organizations creates; accounts you invite into the organization must create it themselves (trusting the management account) before the management account can use it.
    • The management account assumes OrganizationAccountAccessRole in a member account to administer it. The role carries AdministratorAccess, so restrict which principals in the management account may assume it and require MFA in its trust policy.

Condition Keys: Organization & Region

  • aws:PrincipalOrgID
    • Matches when the principal making the request belongs to any account in the given organization. Use it in resource-based policies (such as the bucket policy below) to open a resource to the whole organization without listing account IDs. "Principal": "*" is safe here only because the condition narrows it, and the key is absent for anonymous requests, so they never match.

{
  "Version": "2012-10-17",
  "Statement": {
    "Sid": "AllowPutObject",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::my-org-bucket/*",
    "Condition": {
      "StringEquals": {
         "aws:PrincipalOrgID":"o-xxxxxxxxxxx"
      }
    }
  }
}
  • aws:RequestedRegion (note the spelling; there is no aws:RequestRegion key)
    • Matches the region a request is sent to. The SCP below restricts EC2 to the two listed regions. Because SCPs cannot grant, "EC2 only in these regions" has to be written as a deny everywhere else (StringNotEquals), not as a deny in the listed regions.
    • A broader "deny everything outside our regions" SCP must exempt global services (IAM, STS, Organizations, Support, Route 53, CloudFront, ...) with NotAction, since their requests are served from us-east-1.
{
  "Version": "2012-10-17",
  "Statement": {
    "Sid": "DenyEC2OutsideAllowedRegions",
    "Effect": "Deny",
    "Action": "ec2:*",
    "Resource": "*",
    "Condition": {
      "StringNotEquals": {
         "aws:RequestedRegion":["us-west-1", "eu-central-1"]
      }
    }
  }
}
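The SCP semantics above (SCPs set the boundary but grant nothing, levels are intersected from the root down, an explicit deny wins) and the two condition keys can be exercised with a small evaluator. This is an added example written for this page, not AWS code or an AWS tool. It models only what the notes discuss: Allow/Deny, action wildcards, NotAction, the StringEquals, StringNotEquals and Null operators, and SCP inheritance; resource matching, resource policies and permission boundaries are left out. The OU layout, the policy names, the regions and the CostCenter tag are constructed for the example.

```python
from fnmatch import fnmatchcase

# The default SCP that Organizations attaches to the root and to every new OU and account.
FULL_AWS_ACCESS = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _conditions_match(condition, ctx):
    """True when every operator/key in a Condition block matches the request context."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual, expected = ctx.get(key), _as_list(expected)
            if operator == "StringEquals":
                if actual is None or actual not in expected:
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in expected:  # an absent key satisfies it, as in IAM
                    return False
            elif operator == "Null":  # "true": key must be absent, "false": key must be present
                if (actual is None) != (str(expected[0]).lower() == "true"):
                    return False
            else:
                raise ValueError(f"operator {operator} is not modelled here")
    return True

def evaluate(policy, action, ctx):
    """Decision of one policy document for one action: 'Deny', 'Allow' or 'Implicit'.
    Resource matching is deliberately left out to keep the model short."""
    decision = "Implicit"
    for stmt in _as_list(policy["Statement"]):
        if "NotAction" in stmt:
            applies = not any(fnmatchcase(action, p) for p in _as_list(stmt["NotAction"]))
        else:
            applies = any(fnmatchcase(action, p) for p in _as_list(stmt.get("Action", [])))
        if not applies or not _conditions_match(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny ends the evaluation
        decision = "Allow"
    return decision

def scp_allows(scp_chain, action, ctx):
    """scp_chain holds the SCPs attached at each level, root first, account last.
    An action survives only if every level allows it and no level denies it."""
    for level in scp_chain:
        decisions = [evaluate(scp, action, ctx) for scp in level]
        if "Deny" in decisions or "Allow" not in decisions:
            return False
    return True

def authorize(identity_policy, scp_chain, action, ctx):
    """SCPs set the ceiling; the identity policy must still grant the action."""
    if not scp_allows(scp_chain, action, ctx):
        return "Deny"
    return "Allow" if evaluate(identity_policy, action, ctx) == "Allow" else "Deny"

# ---- constructed sample policies; names, regions and the CostCenter tag are placeholders ----
REGION_ALLOWLIST_SCP = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyOutsideAllowedRegions", "Effect": "Deny", "Resource": "*",
    # global services are served from us-east-1, so they must be exempted from a region allowlist
    "NotAction": ["iam:*", "sts:*", "organizations:*", "support:*"],
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-west-1", "eu-central-1"]}}}]}

REQUIRE_COSTCENTER_TAG_SCP = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyRunInstancesWithoutCostCenter", "Effect": "Deny",
    "Action": "ec2:RunInstances", "Resource": "arn:aws:ec2:*:*:instance/*",
    "Condition": {"Null": {"aws:RequestTag/CostCenter": "true"}}}]}

DEV_IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["ec2:*", "s3:GetObject"], "Resource": "*"}]}

# root -> "Workloads" OU -> dev account; FullAWSAccess stays attached at every level
SCP_CHAIN = [[FULL_AWS_ACCESS],
             [FULL_AWS_ACCESS, REGION_ALLOWLIST_SCP],
             [FULL_AWS_ACCESS, REQUIRE_COSTCENTER_TAG_SCP]]

def demo():
    tagged_eu = {"aws:RequestedRegion": "eu-central-1", "aws:RequestTag/CostCenter": "4711"}
    untagged_eu = {"aws:RequestedRegion": "eu-central-1"}
    tagged_us_east = {"aws:RequestedRegion": "us-east-1", "aws:RequestTag/CostCenter": "4711"}
    return {
        "run_tagged_in_allowed_region": authorize(DEV_IDENTITY_POLICY, SCP_CHAIN, "ec2:RunInstances", tagged_eu),
        "run_untagged": authorize(DEV_IDENTITY_POLICY, SCP_CHAIN, "ec2:RunInstances", untagged_eu),
        "run_in_blocked_region": authorize(DEV_IDENTITY_POLICY, SCP_CHAIN, "ec2:RunInstances", tagged_us_east),
        # the SCP chain lets iam:ListUsers through, but nothing grants it, so it is still denied
        "iam_not_granted_by_scp": authorize(DEV_IDENTITY_POLICY, SCP_CHAIN, "iam:ListUsers", tagged_us_east),
    }

if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:30} {decision}")
```

Running it shows the four decisions Allow, Deny, Deny, Deny. The last case is the one people get wrong: scp_allows() returns True for iam:ListUsers, yet authorize() denies it, because an SCP only sets the ceiling and the developer's identity policy never granted IAM actions.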

Best Practices with AWS Organizations

  • Consolidated Billing
    • A paying account should be used for billing purposes only.
  • Enable MFA on the root user of every account, starting with the management account.
  • Use a strong, unique password for each root user and do not create access keys for it.
  • Restrict what member accounts can do with Service Control Policies (SCPs) attached to OUs or to individual accounts; prefer attaching to OUs so that new accounts inherit the guardrails.

Using CloudTrail with AWS Organizations

A trail belongs to one account and can be single-region or multi-region (use multi-region). The simplest way to centralize logging is an organization trail: create one trail in the management account (or a delegated administrator account) with "apply to my organization" enabled, and it records every member account into a single bucket that member accounts cannot modify or switch off. The manual alternative, one trail per account writing to a shared bucket, works like this:

  1. Turn on CloudTrail in the management (paying) account.
  2. Create an S3 bucket in the management account.
    • Attach a bucket policy that lets cloudtrail.amazonaws.com read the bucket ACL and write under AWSLogs/<account-id>/ for every account that will deliver logs.
  3. Turn on CloudTrail in every other account in the organization and point it at that bucket. Enable log file validation and restrict who in the management account can read or delete the logs.
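The bucket policy from step 2, generated and checked in Python. This is an added example, not text from the page or from AWS documentation; the bucket name, account IDs, organization ID and trail ARN are constructed placeholders. It builds the policy for an organization trail, where the management account's logs land under AWSLogs/<management-account-id>/ and every member account's logs under AWSLogs/<org-id>/<member-account-id>/. For the per-account approach in the steps above you would list AWSLogs/<member-account-id>/* for each member account instead, and the checker at the end shows that the organization-trail policy does not cover those keys.

```python
from fnmatch import fnmatchcase
import json


def org_trail_bucket_policy(bucket, management_account_id, org_id, trail_arn):
    """Bucket policy for an organization trail that delivers into `bucket`."""
    base = f"arn:aws:s3:::{bucket}"
    cloudtrail = {"Service": "cloudtrail.amazonaws.com"}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": cloudtrail,
                "Action": "s3:GetBucketAcl",
                "Resource": base,
                # aws:SourceArn pins the grant to this one trail (confused-deputy protection)
                "Condition": {"StringEquals": {"aws:SourceArn": trail_arn}},
            },
            {
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": cloudtrail,
                "Action": "s3:PutObject",
                # management-account logs: AWSLogs/<mgmt-id>/..., member logs: AWSLogs/<org-id>/<member-id>/...
                "Resource": [f"{base}/AWSLogs/{management_account_id}/*",
                             f"{base}/AWSLogs/{org_id}/*"],
                # bucket-owner-full-control keeps the objects readable by the bucket owner
                "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control",
                                               "aws:SourceArn": trail_arn}},
            },
        ],
    }


def cloudtrail_can_write(policy, bucket, key):
    """True if some Allow statement lets cloudtrail.amazonaws.com PutObject the given key."""
    arn = f"arn:aws:s3:::{bucket}/{key}"
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt.get("Principal") != {"Service": "cloudtrail.amazonaws.com"}:
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if "s3:PutObject" not in actions:
            continue
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(fnmatchcase(arn, pattern) for pattern in resources):
            return True
    return False


# ---- constructed placeholders ----
BUCKET = "example-org-cloudtrail-logs"
MGMT = "111111111111"
MEMBER = "222222222222"
ORG = "o-exampleorgid"
TRAIL_ARN = f"arn:aws:cloudtrail:us-east-1:{MGMT}:trail/org-trail"
POLICY = org_trail_bucket_policy(BUCKET, MGMT, ORG, TRAIL_ARN)


def member_key(account_id, org_id=ORG):
    """Object key an organization trail writes for one member account (constructed sample)."""
    return (f"AWSLogs/{org_id}/{account_id}/CloudTrail/us-east-1/2024/01/01/"
            f"{account_id}_CloudTrail_us-east-1_20240101T0000Z_example.json.gz")


if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    print("member covered:", cloudtrail_can_write(POLICY, BUCKET, member_key(MEMBER)))
    print("per-account prefix covered:",
          cloudtrail_can_write(POLICY, BUCKET, f"AWSLogs/{MEMBER}/CloudTrail/us-east-1/2024/01/01/x.json.gz"))
```

The second printed line is False: a member account running its own trail writes under AWSLogs/<member-id>/, which the organization-trail policy does not allow. Mixing the two models in one bucket means listing both prefixes.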

AWS Resource Access Manager (RAM)

AWS Resource Access Manager (RAM) lets you share resources with other accounts or with your whole AWS Organization.

  • Resources you can share include
    • VPC subnets (the most common case), EC2 Capacity Reservations and Dedicated Hosts, Aurora DB clusters, Transit Gateways, License Manager configurations, Resource groups, Route 53 Resolver rules and CodeBuild projects, among others.
  • With RAM you do not need to create duplicate resources in multiple accounts, which reduces the operational overhead of managing them. The owning account keeps control of the shared resource; participants can use it but cannot modify or delete it.
  • You create a Resource Share and specify the resources and the principals (accounts, OUs or the whole organization). Sharing with OUs or the organization requires enabling sharing with AWS Organizations in RAM first; shares sent to principals inside the organization are then accepted automatically.
