AWS Organization Study Note

Yst@IT
4 min read · Sep 15, 2019

Enabling Trusted Access with Other AWS Services

You can use trusted access to enable an AWS service that you specify, called the trusted service, to perform tasks in your organization and its accounts on your behalf.

This involves granting permissions to the trusted service but does not otherwise affect the permissions for IAM users or roles.

When you enable access, the trusted service can create an IAM role called a service-linked role in every account in your organization.

The trusted service creates the roles asynchronously as needed, and not necessarily in all accounts of the organization.

AWS Services that You Can Use with AWS Organizations

  • AWS IAM:
    Helps you securely control access to AWS resources.
  • AWS Artifact:
    Enables you to download AWS security compliance reports such as ISO and PCI reports.
  • AWS CloudTrail:
    Helps you enable governance, compliance, and operational and risk auditing of your account.
  • Amazon CloudWatch Events:
    Monitors your AWS resources and the applications you run on AWS in real time.
  • AWS Config:
    Enables you to assess, audit, and evaluate the configurations of your AWS resources.
  • AWS Control Tower:
    Helps you set up and govern a secure, compliant, multiaccount AWS environment.
  • AWS Directory Service:
    Makes it easy to set up and run directories in the AWS Cloud or connect your AWS resources with an existing on-premises Microsoft Active Directory.
  • AWS Firewall Manager:
    Centrally configures and manages firewall rules for web applications across your accounts and applications.
  • AWS License Manager:
    Streamlines the process of bringing software licenses to the cloud.
  • AWS RAM:
    Enables you to share specified AWS resources that you own with other accounts.
  • AWS Service Catalog:
    Enables you to create and manage catalogs of IT services that are approved for use on AWS.
  • Service Quotas:
    Enables you to view and manage your service quotas, also referred to as limits, from a central location.
  • AWS Single Sign-On:
    Provides single sign-on services for all of your accounts and cloud applications.


Service Control Policies

  • A type of policy used to manage the Org.
  • Offers central control over the maximum available permissions for all accounts in the Org.
  • SCPs are only available when the Org has all features enabled (not in consolidated-billing-only mode).
  • SCPs specify (as an allow list or a deny list) which actions the accounts within the Org may use; they set a ceiling, not a grant.
  • An SCP DOES NOT grant permissions! You still need IAM policies in the account to do that.

Organizations enables the following capabilities

  • Consolidate billing across multiple AWS accounts.
  • Automate AWS account creation and management.
  • Govern access to AWS services, resources and regions.
  • Centrally manage policies across multiple AWS accounts.
  • Configure AWS services across multiple accounts.

Organization VS Control Tower

AWS Control Tower is best suited if you want an automated deployment of a multi-account environment with AWS best practices. If you want to define your own custom multi-account environment with advanced governance and management capabilities, we would recommend AWS Organizations.

When you create a new account from Organizations, Organizations also creates an IAM role in the new account (named OrganizationAccountAccessRole by default) with full administrative permissions, which principals in the master account can assume. Treat that role as a high-value target: restrict who in the master account may assume it and monitor its use.

To move an AWS account from Org-A to Org-B, first remove the account from Org-A (it becomes a standalone account), then invite it from Org-B and accept the invitation from the account.

A member account can leave the Org by clicking “Leave Organization” in the AWS Organizations console, provided the principal doing so has the organizations:LeaveOrganization permission, no SCP from the master account denies it, and the account already has what a standalone account needs (contact information and a valid payment method).

An AWS account or OU CANNOT be a member of multiple OUs at the same time; each sits in exactly one parent (an OU or the root).

OUs can be nested at most FIVE levels deep below the root.

SCPs

  • You use SCPs to define and enforce the maximum set of actions that IAM users, groups, and roles can perform in the accounts to which the SCP is applied.
  • They let you control WHICH AWS service ACTIONS are available to the principals in a member account (the root user, IAM users and IAM roles). SCPs do not affect the master (management) account, and they do not restrict service-linked roles.
  • The effective permission of a principal in an account that has an SCP attached is the intersection of what the SCP explicitly allows and what the permissions attached to the principal explicitly allow.
  • Attaching an empty SCP (one with no Allow statements) is the same as attaching a policy that explicitly denies all actions: an action must be allowed by an SCP at every level from the root through each OU down to the account before the IAM policy is even considered, and an explicit Deny at any level wins.
  • Effective permissions are the intersection of SCP and IAM policy. For example, if the SCP allows all EC2 and S3 actions and the IAM policy allows all EC2 and SNS actions, the principal can ONLY perform EC2 actions.
  • An Org that has only consolidated billing features enabled does not enforce SCPs; SCPs require all features.
  • The bill for the Org does not reflect the OU structure of the Org. Use cost allocation tags in the individual AWS accounts to categorize and track AWS cost; that allocation is then visible in the consolidated bill for your Org.
  • Several AWS services are integrated with Organizations, providing a central place to manage and configure them across the accounts in the Org. That function lives in each service (for example Config or CloudTrail), not in Organizations itself.

Yst@IT

Cloud Solution Architect, focusing on Oracle Cloud Infrastructure currently.