Source: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_tutorials_basic.html

• Email for root user (this can be changed at any time)
• Payment details (Credit Card and billing information)
• The organization itself (What company or institute is creating an AWS organization)

After the organization is created, inviting other AWS accounts to join the organization will be needed.

1. Navigate to https://console.aws.amazon.com/organizations/v2/home/accounts
2. Select Add an AWS account
3. Once there invite an existing AWS account, this will prompt for an email or account ID, enter the information needed and send the invitation.
4. Once the invitation is sent, the invitee will need to accept the invitation to join the organization

If the user attempting to join the organization does not have an existing AWS account, the administrator must create one.

1. Navigate to https://console.aws.amazon.com/organizations/v2/home/accounts
2. Create an AWS account
3. Enter your account name and an email address
4. If the IAM role name is left blank, AWS will automatically use the default OrganizationAccountAccessRole, this can be changed later.

Creating a hierarchy for the accounts will allow a more efficient organization of user accounts. Using OU's will allow for separation between roles and will be easier to manage account deletion and creation later.

1. Navigate to https://console.aws.amazon.com/organizations/v2/home/accounts
2. Choose the check box next to the Root container.
3. On the Children tab, choose Actions, and then under the Organizational unit, choose to Create new.
4. Enter in a name for the specific OU
5. To move an account into the created OU, select the checkbox next to the OU -> actions -> AWS account -> Move

For cyber.aws, looking at how cyber.local is set up with the AD OUs will be beneficial, meeting with Devin to get some insight on how cyber.local is set up. Since this is a hybrid environment, we will want to make it very similar to on-prem configurations.

Source: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html
Service control policies are used to manage permissions within the organization. SCPs set limits on the actions that the account can use.
SCPs don't affect users or roles in the management account. They affect only the member accounts in your organization.

1. Navigate to https://console.aws.amazon.com/organizations/v2/home/policies and select Service control policies
2. Select Enable service control policies.

SCPs are JSON files, an example of one is below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1234567890123",
            "Effect": "Deny",
            "Action": [
                "cloudtrail:AddTags",
                "cloudtrail:CreateTrail",
                "cloudtrail:DeleteTrail",
                "cloudtrail:RemoveTags",
                "cloudtrail:StartLogging",
                "cloudtrail:StopLogging",
                "cloudtrail:UpdateTrail"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

To create an SCP you will need to

1. Navigate to https://console.aws.amazon.com/organizations/v2/home/policies
2. Service Control Policies -> Create Policy
3. Enter a policy name
4. Select a service and what is needed for the specific policy
5. Select the effect of allow or deny

1. In the Policies tab -> Service Control Policies -> Attach
2. Select the SCP you would like to attach
3. To detach: Policies tab -> Service Control Policies -> Detach

• Limiting student accounts
• Creating and limiting Leahy Center management accounts (Allowing enough privilege to monitor but not too much that they will be able to add features or alter already configured ones)
• Different classes will require different limitations, so attaching the SCP to OUs will allow for smoother transitions for accounts in classes.

After the Organization is created, the OUs and SCPs are configured, and the management accounts are added, setting up features and configuring security will be the next steps.

aws organizations create-account --email <value> --account-name <value>

--email <string> Email address must not already be associated with another AWS account

--account-name <string>

--role-name <string> (Optional) IAM role

--tags <value> Key-> (string) Value -> (string)

The Key Identifier, or name, of the tag
The string value associated with the key of the tag
Syntax = "Key=string,Value=string"

--iam-user-access-to-billing <value> Allow/Deny, when set to allow the user gains access to account billing information if they have the required permission

Default is set to ALLOW

--region
--profile

AD connector allows users to sign into AWS applications such as Amazon WorkSpaces, WorkDocs, WorkMail. Join Windows instances through EC2 Launch wizard or through EC2 Simple System Manager API. Also allowing for federated sign-in by mapping AD identities to AWS IAM roles.

VPC needs at least two subnets. Each Subnet must be in a different Availability Zone.
There must be a VPN or Direct Connect circuit between the VPC and on-prem environment.
Running Windows 2003 or newer.
VPC must have default hardware tenancy Minimum Ports:

TCP/UDP 53 - DNS
TCP/UDP 88 - Kerberos Authentication
TCP/UDP 389 - LDAP
VPC must not be configured with the following endpoints:
Route53
CloudWatch VPC endpoint
System Manager VPC
Security Token Service VPC

https://aws.amazon.com/controltower/?org_product_faq_CT&control-blogs.sort-by=item.additionalFields.createdDate&control-blogs.sort-order=desc

To Transfer the root user

• Sign in and select the account drop down, from there select account
• Edit > Account Settings
• Edit the existing account credentials (Switch to the new account credentials)
• Save changes and click done

Take from existing security policies such as password expiration, password history, and account lockout policies.
Able to enable MFA if an existing RADIUS infrastructure is on-prem

Note: If a user is mapped to multiple roles, the user will be presented with a choice at sign-in as to which role they want to assume. The user session is valid for 1 hour.

Organization Setup

Quotas
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_reference_limits.html
Viewing Organization Details
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_details.html
Enabling Features
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_support-all-features.html
Organization Documentation
https://docs.aws.amazon.com/organizations/index.html
AD account integration
https://aws.amazon.com/blogs/security/how-to-connect-your-on-premises-active-directory-to-aws-using-ad-connector/
https://docs.aws.amazon.com/directoryservice/latest/admin-guide/prereq_connector.html
AD Service Ports
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772723(v=ws.10)
Creating accounts AWS CLI
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/organizations/create-account.html