Navigate to AWS Organizations under Management & Governance.
Step 3
Click Create an organization.
Step 4
Note that the organization is created with a Root (the top-level container for accounts and OUs) and with the account you are currently signed in to as its management account.
Click Add an AWS account to start the process of adding a new account to the organization.
Step 5
In the prompt that asks how to add the account to the organization, click Create an AWS account.
Step 6
In the form requesting account details, fill in only the required fields and click Create. Give the account a distinct name (a nickname) so it is easy to tell apart from the management account.
Note: The email address must not already be associated with an existing AWS account. Create a new email address with Gmail (or another mail provider) before proceeding with the next step. This address becomes the root user of the new account, so use a mailbox you control.
Step 7
When the account is activated, it will appear in AWS Organizations under the Root.
Task 2: Create a Policy
Step 1
Navigate to the Policies tab and select Service control policies.
Step 2
Click Enable service control policies.
Step 3
Note the message that the service control policies are enabled and click Create policy to create a new one.
Step 4
Name the policy EC2 Deny Management and provide a short description.
Step 5
Scroll down, type EC2 in the search bar, and select it. Then select All actions and make sure the Effect is set to Deny.
Step 6
Scroll down and click Add a resource.
Step 7
In the window that appears, select the EC2 service. For the resource type, select All resources and click Add resource. This sets the resources (* in the generated JSON) that the statement applies to.
Step 8
Scroll down to the bottom to click Create policy to complete the process and verify that the new policy is created.
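As an added illustration (not part of the original lab), the following Python shows the JSON that the visual editor produces for the selections made in Steps 4 to 7, together with a deliberately simplified evaluator that mimics how a Deny SCP combines with the FullAWSAccess policy that is attached by default when SCPs are enabled. The evaluator is an assumption-driven model: it ignores Condition, NotAction, NotResource and OU inheritance, and the auto-generated statement Sid is omitted.

```python
import fnmatch
import json

# The SCP built in Task 2: Effect Deny, all EC2 actions, all resources.
# This is the JSON the console's visual editor generates for those
# selections (the auto-generated "Sid" is left out for brevity).
EC2_DENY_MANAGEMENT = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": ["ec2:*"], "Resource": ["*"]},
    ],
}

# FullAWSAccess is attached to the Root, every OU and every account when
# SCPs are enabled; without it nothing would be allowed at all.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # Action names are matched case-insensitively; "*" and "?" are wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower())
               for p in _as_list(patterns))


def _resource_matches(patterns, resource):
    # Resource ARNs are compared as written; "*" alone matches everything.
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def scp_allows(policies, action, resource="*"):
    """Simplified SCP evaluation for one account.

    Assumption: all policies are attached directly to the account, there are
    no Conditions, and NotAction/NotResource are not used. An explicit Deny
    always wins; otherwise at least one Allow statement must match, since
    SCPs use an implicit deny like any other IAM policy.
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_action_matches(stmt["Action"], action)
                    and _resource_matches(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return False          # explicit deny: stop immediately
            allowed = True            # matching Allow, keep looking for a Deny
    return allowed


def policy_document(policy):
    """Pretty-printed JSON, as it would be pasted into the SCP JSON editor."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    attached = [FULL_AWS_ACCESS, EC2_DENY_MANAGEMENT]
    print(policy_document(EC2_DENY_MANAGEMENT))
    # Constructed sample calls, including the Describe* calls the EC2
    # dashboard issues when it loads.
    for action in ("ec2:DescribeInstances", "ec2:RunInstances",
                   "s3:ListAllMyBuckets", "iam:ListUsers"):
        verdict = "allowed" if scp_allows(attached, action) else "DENIED"
        print(f"{action:28s} {verdict}")
```

Running the module prints the policy JSON and the decisions for a few constructed calls: every ec2:* action is denied, including the Describe* calls that the EC2 dashboard makes, while other services are untouched. Remember that an SCP only bounds what can be granted; the member account's own IAM policies must still allow an action for it to succeed.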
Task 3: Policy Attachment and Verification
Step 1
Select the EC2 Deny Management policy.
Step 2
Click the Actions dropdown menu and select Attach policy. Then, select the nicknamed account and attach the policy.
Step 3
Log out from your current account by clicking your name in the top right corner and selecting Sign Out.
Step 4
Log in to the new nicknamed account as its root user, using the account's email address. The account was created without a password, so at the password prompt select Forgot password?
Step 5
A message will be sent to the account’s email address with a link for password creation.
Step 6
Set a new password for the root user and log in to the nicknamed account.
Step 7
You may be prompted to try the new AWS Management Console experience; select Maybe later. Then, at the AWS Management Console, open EC2.
Step 8
Notice that the EC2 dashboard fails to load: every API call it makes (the ec2:Describe* calls) returns an error. Try to launch an EC2 instance and note the message stating that you are not authorized to perform this operation. The SCP applies even though you are signed in as the root user of the member account: SCPs restrict every principal in a member account, including its root user, but they never affect the management account.