AWS Organizations

Even for a small cloud software company, the number of AWS accounts backing the infrastructure can be very large, and therefore overwhelming to manage. The reason for this multiplicity is that an AWS account is generally used to segregate cloud resources across teams and environments. For example, if you have just 10 development teams and each team gets one AWS account per environment (dev, test, stage and prod), the total comes to 10X4=40 accounts. If you are the administrator responsible for access, security and other operational aspects across these 40 accounts, having to work on each account individually would be very unpleasant. AWS Organizations makes this easier by providing a single interface to organize, manage and administer all your AWS accounts.

Create, manage and group AWS accounts

Not only does AWS Organizations let you manage existing accounts, it can also create new AWS accounts, both from the console and programmatically. A new account created from Organizations needs a new email address, which becomes the root user email for that account. Keep in mind that no password is issued for this root user: to sign in to the new account as root, you first have to reset the root user password.

Once all the accounts, existing or newly created, are part of the Organization, they can be grouped into OUs (Organizational Units). OUs help segregate accounts by environment (e.g. Dev, Prod, Test) or by other criteria such as product or department (e.g. HR, Engineering, Finance). Below is an example grouping of accounts in AWS Organizations using OUs, with separate OUs for Scratchpad, Software products/workloads, Build Infrastructure, Security and Networking.
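The programmatic path described above (create an account, wait for the asynchronous job, then place the account in an OU) looks like this with boto3. This is an added example, not code from the lesson; it assumes boto3 and credentials for the management account, and the email address, account name and OU name in the main block are placeholders. The Organizations client is passed in as a parameter so the logic can be exercised against a fake client without touching AWS.

```python
"""Create a member account in AWS Organizations and place it in an OU.

Added example, not the lesson's own code. Assumes boto3 and management-account
credentials; the email, account name and OU name used below are placeholders.
"""
import time


def create_account_and_wait(org, email, account_name, poll_seconds=5, max_polls=60):
    """Request a new member account and poll until the CreateAccount job finishes.

    CreateAccount is asynchronous: the call returns a request id and the account
    only exists once the status reaches SUCCEEDED. Returns the new account id, or
    raises RuntimeError with AWS's FailureReason (e.g. EMAIL_ALREADY_EXISTS when
    the root email is already tied to another account).
    """
    resp = org.create_account(
        Email=email,
        AccountName=account_name,
        # Keep billing data away from IAM users in the new account by default.
        IamUserAccessToBilling="DENY",
        # Cross-account role the management account assumes into the new
        # account; this name is the Organizations default.
        RoleName="OrganizationAccountAccessRole",
    )
    request_id = resp["CreateAccountStatus"]["Id"]

    for _ in range(max_polls):
        status = org.describe_create_account_status(
            CreateAccountRequestId=request_id
        )["CreateAccountStatus"]
        state = status["State"]
        if state == "SUCCEEDED":
            return status["AccountId"]
        if state == "FAILED":
            raise RuntimeError(
                f"CreateAccount {request_id} failed: {status.get('FailureReason')}"
            )
        time.sleep(poll_seconds)
    raise TimeoutError(f"CreateAccount request {request_id} still IN_PROGRESS")


def get_or_create_ou(org, parent_id, ou_name):
    """Return the id of the OU named ou_name under parent_id, creating it if absent."""
    token = None
    while True:
        kwargs = {"ParentId": parent_id}
        if token:
            kwargs["NextToken"] = token
        page = org.list_organizational_units_for_parent(**kwargs)
        for ou in page["OrganizationalUnits"]:
            if ou["Name"] == ou_name:
                return ou["Id"]
        token = page.get("NextToken")
        if not token:
            break
    created = org.create_organizational_unit(ParentId=parent_id, Name=ou_name)
    return created["OrganizationalUnit"]["Id"]


def move_account_to_ou(org, account_id, destination_ou_id):
    """Move the account from its current parent (the root for a new account) into the OU.

    Returns the parent id the account was moved from (unchanged if already there).
    """
    current_parent = org.list_parents(ChildId=account_id)["Parents"][0]["Id"]
    if current_parent != destination_ou_id:
        org.move_account(
            AccountId=account_id,
            SourceParentId=current_parent,
            DestinationParentId=destination_ou_id,
        )
    return current_parent


def onboard_account(org, email, account_name, ou_name):
    """Create the account and file it under ou_name directly beneath the root."""
    root_id = org.list_roots()["Roots"][0]["Id"]
    account_id = create_account_and_wait(org, email, account_name)
    ou_id = get_or_create_ou(org, root_id, ou_name)
    move_account_to_ou(org, account_id, ou_id)
    return {"account_id": account_id, "ou_id": ou_id}


if __name__ == "__main__":
    import boto3  # Organizations is a global service served from us-east-1

    client = boto3.client("organizations", region_name="us-east-1")
    # Placeholder values; replace with a fresh root email and your own names.
    print(onboard_account(client, "aws-team1-dev@example.com", "team1-dev", "Dev"))
```

Note that a freshly created account always lands under the root, which is why the move step is needed; and because the new root user has no password, the only way into the account at this point is the cross-account role named above (or a root password reset).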

Centralized policy creation and enforcement

AWS Organizations also allows the creation and enforcement of centralized security and compliance policies that apply to the managed accounts or OUs. For example, as a Security Admin, you can create and apply security policies such as the following:

  • Enforce the use of Golden AMIs for all EC2 instances created in production AWS accounts by preventing the use of unauthorized third-party images.
  • Restrict the use of AWS services that are not SOC 2 compliant.
  • Restrict access to AWS accounts with root user credentials.

This enforcement is possible via a special AWS policy type that operates at the Organization level, the Service Control Policy (SCP). We will cover this policy in the next lesson.

Centralized enablement of security services

AWS Organizations is also a one-stop solution for enabling key AWS security services across all the managed AWS accounts linked to the Organization. An administrator does not need to go into each individual account to enable services such as audit logging with CloudTrail or configuration management with AWS Config.

Below are some of the most important security use cases that can be centrally enabled with Organizations:

  1. Centralized Audit logging with Organization trail in AWS CloudTrail 
  2. Centralized Configuration management with AWS Config
  3. Centralized Threat detection with AWS GuardDuty
  4. Centralized Backup plans with AWS Backup
  5. Centralized Vulnerability management with AWS Inspector
  6. Centralized sensitive data detection with AWS Macie

There are more services that can be centrally enabled with Organizations, but the list above is a prioritized set of common security services.
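The first item in the list, an organization trail, shows the two steps that centralized enablement involves in practice: the management account grants the service trusted access to the Organization, then configures the service once with its organization-wide flag. The following is an added example, not code from the lesson; it assumes boto3 and management-account credentials, that the S3 bucket already exists with a bucket policy permitting cloudtrail.amazonaws.com to write to it, and that the trail and bucket names (placeholders) are replaced. The clients are parameters so the logic can be tested against fakes.

```python
"""Enable an organization-wide CloudTrail trail from the management account.

Added example, not the lesson's own code. Assumes boto3 and management-account
credentials; the trail and bucket names below are placeholders, and the bucket
must already allow cloudtrail.amazonaws.com to write to it.
"""

CLOUDTRAIL_PRINCIPAL = "cloudtrail.amazonaws.com"


def ensure_service_access(org, service_principal):
    """Grant a service trusted access so it may act on every member account.

    Returns True if access had to be enabled, False if it already was.
    The same step is required before GuardDuty, Config, Inspector or Macie
    can be administered centrally.
    """
    already = {
        s["ServicePrincipal"]
        for s in org.list_aws_service_access_for_organization()["EnabledServicePrincipals"]
    }
    if service_principal in already:
        return False
    org.enable_aws_service_access(ServicePrincipal=service_principal)
    return True


def ensure_org_trail(org, cloudtrail, trail_name, bucket_name, kms_key_id=None):
    """Create (or validate) an organization trail and make sure it is logging.

    Refuses to reuse a same-named trail that is not an organization trail: such
    a trail records only the management account and would leave every member
    account without audit logs while looking configured.
    """
    ensure_service_access(org, CLOUDTRAIL_PRINCIPAL)

    existing = cloudtrail.describe_trails(trailNameList=[trail_name])["trailList"]
    if existing:
        if not existing[0].get("IsOrganizationTrail"):
            raise RuntimeError(
                f"trail {trail_name} exists but is not an organization trail"
            )
        created = False
    else:
        params = {
            "Name": trail_name,
            "S3BucketName": bucket_name,
            "IsMultiRegionTrail": True,          # cover every region, not just the current one
            "IncludeGlobalServiceEvents": True,  # IAM, STS and other global API calls
            "IsOrganizationTrail": True,         # the flag that pulls in member accounts
            "EnableLogFileValidation": True,     # signed digests to detect log tampering
        }
        if kms_key_id:
            params["KmsKeyId"] = kms_key_id
        cloudtrail.create_trail(**params)
        created = True

    # create_trail does not start delivery; a trail can also be stopped later.
    started = False
    if not cloudtrail.get_trail_status(Name=trail_name)["IsLogging"]:
        cloudtrail.start_logging(Name=trail_name)
        started = True
    return {"created": created, "started_logging": started}


if __name__ == "__main__":
    import boto3

    org_client = boto3.client("organizations", region_name="us-east-1")
    ct_client = boto3.client("cloudtrail", region_name="us-east-1")
    # Placeholder names; replace with your own trail and log bucket.
    print(ensure_org_trail(org_client, ct_client, "org-audit-trail", "example-org-cloudtrail-logs"))
```

Run it from the management account (or a delegated administrator for CloudTrail); member accounts can see the organization trail but cannot modify or delete it, which is the point of creating it centrally.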

Lab Demo

In the lab demo, we will do the following:

  • Create an AWS account with Organizations from the console and the command line
  • Group accounts into OUs
  • Create a CloudTrail trail for audit logging across all linked accounts from the management AWS account

Video walk-through of AWS Organizations

Security tidbits

Summary of security best practices to keep in mind regarding AWS Organizations:
