AWS Organization - TannerWeinacker/Capstone GitHub Wiki
"With AWS Organizations you can perform account management activities at scale by consolidating multiple AWS accounts into a single organization"
Source: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_tutorials_basic.html
To create the organization, the following will be needed:
- Email for the root user (this can be changed at any time)
- Payment details (credit card and billing information)
- The organization itself (what company or institute is creating the AWS organization)
After the organization is created, inviting other AWS accounts to join the organization will be needed.
- Navigate to https://console.aws.amazon.com/organizations/v2/home/accounts
- Select Add an AWS account
- Once there, choose Invite an existing AWS account; this will prompt for an email address or account ID. Enter the information needed and send the invitation.
- Once the invitation is sent, the invitee will need to accept it to join the organization.
If the user attempting to join the organization does not have an existing AWS account, the administrator must create one.
- Navigate to https://console.aws.amazon.com/organizations/v2/home/accounts
- Create an AWS account
- Enter your account name and an email address
- If the IAM role name is left blank, AWS will automatically use the default, OrganizationAccountAccessRole; this can be changed later.
Creating a hierarchy for the accounts will allow a more efficient organization of user accounts. Using OUs will allow for separation between roles and will make account deletion and creation easier to manage later.
- Navigate to https://console.aws.amazon.com/organizations/v2/home/accounts
- Choose the check box next to the Root container.
- On the Children tab, choose Actions, and then under Organizational unit, choose Create new.
- Enter a name for the specific OU
- To move an account into the created OU, select the checkbox next to the OU -> Actions -> AWS account -> Move
For cyber.aws, looking at how cyber.local is set up with the AD OUs will be beneficial, as will meeting with Devin to get some insight into how cyber.local is set up. Since this is a hybrid environment, we will want to make it very similar to the on-prem configuration.
Source: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html
Service control policies are used to manage permissions within the organization.
SCPs set limits on the actions that accounts in the organization can use.
SCPs don't affect users or roles in the management account. They affect only the member accounts in your organization.
- Navigate to https://console.aws.amazon.com/organizations/v2/home/policies and select Service control policies
- Select Enable service control policies.
SCPs are JSON documents; an example (denying changes to CloudTrail) is below:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1234567890123",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:AddTags",
        "cloudtrail:CreateTrail",
        "cloudtrail:DeleteTrail",
        "cloudtrail:RemoveTags",
        "cloudtrail:StartLogging",
        "cloudtrail:StopLogging",
        "cloudtrail:UpdateTrail"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```
To create an SCP:
- Navigate to https://console.aws.amazon.com/organizations/v2/home/policies
- Service Control Policies -> Create Policy
- Enter a policy name
- Select a service and the actions needed for the specific policy
- Select the effect of allow or deny
- To attach: Policies tab -> Service Control Policies -> Attach
- Select the SCP you would like to attach
- To detach: Policies tab -> Service Control Policies -> Detach
Planned uses of SCPs for this project:
- Limiting student accounts
- Creating and limiting Leahy Center management accounts (allowing enough privilege to monitor, but not so much that they can add features or alter ones that are already configured)
- Different classes will require different limitations, so attaching the SCP to OUs will allow for smoother transitions for accounts in classes.
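To reason about how the SCP above behaves once it is attached to an OU, here is an added Python model of SCP evaluation (written for this page, not AWS code): an action reaches a member account only if every level from the root down to the account has an SCP that allows it and none denies it, while the management account is never restricted. The hierarchy, the FullAWSAccess policy AWS attaches by default, and the student account are constructed for the example.

```python
import fnmatch

# Constructed from the page's example SCP: deny CloudTrail changes in member accounts.
DENY_CLOUDTRAIL_CHANGES = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Stmt1234567890123", "Effect": "Deny",
        "Action": ["cloudtrail:AddTags", "cloudtrail:CreateTrail",
                   "cloudtrail:DeleteTrail", "cloudtrail:RemoveTags",
                   "cloudtrail:StartLogging", "cloudtrail:StopLogging",
                   "cloudtrail:UpdateTrail"],
        "Resource": ["*"]}]}

# FullAWSAccess: the managed SCP AWS attaches to the root, every OU and every account by default.
FULL_AWS_ACCESS = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def evaluate_scp(policy, action):
    """Return 'Deny', 'Allow' or None (no matching statement) for one SCP.
    Only Action and Effect are modelled: Resource is assumed to be '*' and
    Condition blocks are ignored."""
    decision = None
    for stmt in policy["Statement"]:
        for pattern in _as_list(stmt.get("Action", [])):
            # IAM action names are case-insensitive; '*' and '?' are wildcards
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                decision = "Allow"
    return decision

def action_permitted(action, scp_chain, is_management_account=False):
    """scp_chain holds one list of attached SCPs per level, root first, account last.
    The action passes only if every level has an SCP that allows it and no SCP at
    any level denies it; an explicit Deny always wins."""
    if is_management_account:
        return True  # SCPs never restrict users or roles in the management account
    for level in scp_chain:
        results = [evaluate_scp(policy, action) for policy in level]
        if "Deny" in results or "Allow" not in results:
            return False
    return True

# Constructed hierarchy: Root -> Students OU (deny SCP attached) -> one student account
STUDENT_CHAIN = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, DENY_CLOUDTRAIL_CHANGES], [FULL_AWS_ACCESS]]
```

The last assertion-style case worth trying is detaching FullAWSAccess from an OU without replacing it: with no Allow at that level, every action in the OU is implicitly denied.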
After the Organization is created, the OUs and SCPs are configured, and the management accounts are added, setting up features and configuring security will be the next steps.
Creating an account with the AWS CLI:

```
aws organizations create-account --email <value> --account-name <value>
```

- `--email <string>`: the email address for the new account; it must not already be associated with another AWS account
- `--account-name <string>`: the name of the new account
- `--role-name <string>`: (Optional) the IAM role created in the new account
- `--tags <value>`: Key (string) and Value (string); the key is the identifier, or name, of the tag, and the value is the string associated with that key. Syntax: `Key=string,Value=string`
- `--iam-user-access-to-billing <value>`: ALLOW or DENY; when set to ALLOW, IAM users gain access to account billing information if they have the required permission. The default is ALLOW.
- `--region`
- `--profile`
To transfer the root user:
- Sign in and open the account drop-down; from there select Account
- Edit > Account Settings
- Edit the existing account credentials (switch to the new account credentials)
- Save the changes and click Done
https://www.wellarchitectedlabs.com/
Take from existing security policies such as password expiration, password history, and account lockout policies.
MFA can be enabled if an existing RADIUS infrastructure is on-prem.
Note: If a user is mapped to multiple roles, the user will be presented with a choice at sign-in as to which role they want to assume. The user session is valid for 1 hour.
- Quotas: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_reference_limits.html
- Viewing Organization Details: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_details.html
- Enabling Features: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_support-all-features.html
- Organization Documentation: https://docs.aws.amazon.com/organizations/index.html
- AD account integration: https://aws.amazon.com/blogs/security/how-to-connect-your-on-premises-active-directory-to-aws-using-ad-connector/ and https://docs.aws.amazon.com/directoryservice/latest/admin-guide/prereq_connector.html
- AD Service Ports: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772723(v=ws.10)
- Creating accounts with the AWS CLI: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/organizations/create-account.html
- Manage Access Keys: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey
- Root Account: https://aws.amazon.com/premiumsupport/knowledge-center/transfer-aws-account/
- Organization Unit CLI: https://docs.aws.amazon.com/cli/latest/reference/organizations/create-organization.html?orgs_product_rc_CLI