Many AWS users find it difficult to manage multiple AWS accounts as their resources scale, and with several accounts billing becomes more complex because of the operational overhead each additional account brings.
In this post, we address these problems by introducing AWS Organizations, which makes account management simple.
What Is AWS Organizations?
AWS Organizations offers policy-based management for multiple AWS accounts. Users can create groups of accounts and then apply policies to those groups that centrally control the use of AWS services, down to the API level, across all of those accounts. This lets you manage the accounts centrally without custom scripts or manual processes. The service also includes consolidated billing and account management capabilities that help you meet the security and compliance requirements of your business.
AWS Organizations Terminologies
- Organization: It represents an entity that you create by combining a set of AWS accounts. All these member accounts are managed within the organization.
- Root: The parent container that holds all the accounts consolidated in an organization. AWS creates the root automatically when you create an organization.
- Organizational Unit: Acts as a container for accounts within a root. An Organizational Unit (OU) can also contain other OUs, enabling you to create a hierarchy. This hierarchy looks like an inverted tree, with the root at the top, the OUs as the branches, and the accounts as the leaves.
- Account: A normal AWS account that contains all your AWS resources. Users can create a new account or invite others to join their organization. The account that creates the organization is called the master account while the other accounts are known as member accounts.
- Invitation: The process of inviting another account to join an organization. Only a master account user can issue an invitation. The invited account becomes a member account once it accepts the invitation. Invitations can also be sent to current members when an organization wants to change something, such as enabling all features.
- Handshake: A process in which two parties (the handshake initiator and the recipient) exchange information.
Service Control Policies (SCP)
Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization. SCPs offer central control over the maximum available permissions for all accounts in your organization, and help you ensure that your accounts stay within your organization’s access control guidelines.
Key points of SCP
- Whitelist or blacklist IAM actions
- Applied at the OU or account level
- Does not apply to the master account
- Applied to all users and roles of the account, including the root user
- Does not affect service-linked roles: service-linked roles enable other AWS services to integrate with AWS Organizations and can’t be restricted by SCPs
- An SCP must contain an explicit Allow (nothing is allowed by default)
- Use cases:
  - Restrict access to certain services (for example: can’t use EMR)
  - Enforce PCI compliance by explicitly disabling services
Features of AWS Organizations
Now that you understand what AWS Organizations is, what benefits can it bring to your AWS environment?
- Account Management: The major benefit of AWS Organizations is the ability to centrally manage multiple accounts from a single AWS account, also known as the master account. Users can start by linking their existing accounts to an organization and, going forward, by creating new accounts directly from the service.
- Greater control of your AWS environment: Through service control policies (SCPs) attached to the root, to organizational units or to individual accounts, administrators of the master account gain full control over which services and features, down to specific API calls, an IAM user within those accounts can use, regardless of the user’s identity-based or resource-based permissions.
- Consolidated Billing: The master account of your AWS Organization can be used to consolidate the bills and costs of all member accounts. This allows for better overall cost management across your individual AWS accounts.
- Categorization and grouping of accounts: By using organizational units, you can segregate and group specific AWS accounts together, applying a different SCP to each OU. For example, suppose a number of your AWS accounts should not be able to access any analytics services. You could place these accounts into a single OU and attach an SCP that denies that functionality.
Creating and configuring an organization
- Create your organization: In this step, you create an organization with your current AWS account as the management account (formerly known as the “master account”). You also invite one AWS account to join your organization, and you create a second account as a member account.
- Create the organizational units: Next, you create two organizational units (OUs) in your new organization and place the member accounts in those OUs.
- Create service control policies: You can restrict which actions can be delegated to users and roles in the member accounts by using service control policies (SCPs). In this step, you create two SCPs and attach them to the OUs in your organization.
- Test your organization’s policies: You can sign in as users from each of the test accounts and see the effect the SCPs have on the accounts.
None of these steps incurs costs on your AWS bill, as AWS Organizations is a free service.
Difference between an AWS Organizations service control policy and an IAM policy?
- Service control policies (SCPs) in AWS Organizations do not replace the Identity and Access Management (IAM) policies associated with an AWS account.
- IAM policies allow or deny access to AWS services or API actions that work with IAM. An IAM policy can be applied only to IAM identities (users, groups, or roles); IAM policies can’t restrict an account’s root user.
- You can use SCPs to allow or deny access to AWS services for individual AWS accounts within AWS Organizations, or for groups of accounts within an organizational unit (OU). The actions specified in an attached SCP affect all IAM identities in the member account, including its root user.
- AWS services that aren’t explicitly allowed by the SCPs attached to an AWS account or its parent OUs are denied in that account. SCPs attached to an OU are inherited by all AWS accounts in that OU.
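The following is an added example, not code from this post or from AWS. It is an offline model of the rules above: the SCP key points (explicit Allow required, deny-list versus allow-list, inheritance through the OU tree, exemption of the master/management account and of service-linked roles, the root user still bound) and the SCP-versus-IAM comparison (an SCP never grants access; the IAM policy must also allow it). The organization tree mirrors the procedure described earlier (root, two OUs, member accounts, SCPs attached). The OU names, the twelve-digit account IDs and the policy documents are constructed for the example; the evaluator deliberately ignores Resource, Condition and NotAction so the SCP/IAM interaction stays visible.

```python
"""Offline model of how AWS Organizations SCPs combine with IAM policies.

Added example (not code from the post or from AWS). Policy documents, OU
names and account IDs below are constructed; evaluation ignores Resource,
Condition and NotAction so the SCP/IAM interaction stays visible.
"""
from fnmatch import fnmatch

# Default SCP that AWS attaches to every root, OU and account when SCPs are enabled.
FULL_AWS_ACCESS = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Deny-list (blacklist) style: keep FullAWSAccess and subtract one service (EMR).
DENY_EMR = {"Version": "2012-10-17",
            "Statement": [{"Effect": "Deny", "Action": "elasticmapreduce:*", "Resource": "*"}]}

# Allow-list (whitelist) style: replaces FullAWSAccess; anything not listed is denied.
ALLOW_S3_EC2_ONLY = {"Version": "2012-10-17",
                     "Statement": [{"Effect": "Allow", "Action": ["s3:*", "ec2:*"], "Resource": "*"}]}

# Constructed IAM identity policies used in the checks below.
IAM_ADMIN = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
IAM_EC2_ONLY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}


class Node:
    """A root, an organizational unit or an account in the organization tree."""

    def __init__(self, name, parent=None, scps=(), is_management=False):
        self.name = name
        self.parent = parent
        self.scps = list(scps)          # SCPs attached directly to this node
        self.is_management = is_management


def evaluate_policy(doc, action):
    """Return 'Deny', 'Allow' or None for one policy document and one action."""
    verdict = None
    for statement in doc["Statement"]:
        patterns = statement.get("Action", [])
        if isinstance(patterns, str):
            patterns = [patterns]
        if any(fnmatch(action.lower(), p.lower()) for p in patterns):
            if statement["Effect"] == "Deny":
                return "Deny"           # an explicit deny always wins
            verdict = "Allow"
    return verdict


def scp_allows(account, action):
    """SCP check: every level from the account up to the root must explicitly allow."""
    if account.is_management:
        return True                     # SCPs never apply to the management (master) account
    node = account
    while node is not None:
        verdicts = [evaluate_policy(doc, action) for doc in node.scps]
        if "Deny" in verdicts or "Allow" not in verdicts:
            return False                # denied here, or no explicit allow at this level
        node = node.parent              # inherit the restrictions of the parent OU / root
    return True


def effective_allow(account, principal, action, iam_policies=()):
    """Combine SCPs and IAM: the action is allowed only where both allow it.

    principal: 'user', 'role', 'root' (account root user) or 'service-linked-role'.
    """
    # Service-linked roles are the one kind of principal SCPs do not restrict.
    if principal != "service-linked-role" and not scp_allows(account, action):
        return False
    if principal == "root":
        return True                     # the root user needs no IAM policy, but SCPs still bind it
    iam = [evaluate_policy(doc, action) for doc in iam_policies]
    return "Deny" not in iam and "Allow" in iam   # an SCP never grants; IAM must grant


def build_org():
    """Mirror the post's procedure: root, two OUs, member accounts, SCPs attached."""
    root = Node("Root", scps=[FULL_AWS_ACCESS])
    management = Node("000000000000", parent=root, scps=[FULL_AWS_ACCESS], is_management=True)
    production_ou = Node("Production", parent=root, scps=[FULL_AWS_ACCESS, DENY_EMR])
    sandbox_ou = Node("Sandbox", parent=root, scps=[ALLOW_S3_EC2_ONLY])  # FullAWSAccess detached
    return {
        "management": management,
        "production": Node("111111111111", parent=production_ou, scps=[FULL_AWS_ACCESS]),
        "sandbox": Node("222222222222", parent=sandbox_ou, scps=[FULL_AWS_ACCESS]),
    }


if __name__ == "__main__":
    org = build_org()
    checks = [
        ("production", "user", "elasticmapreduce:RunJobFlow", [IAM_ADMIN]),   # denied by SCP
        ("production", "root", "elasticmapreduce:RunJobFlow", []),            # root user also bound
        ("management", "user", "elasticmapreduce:RunJobFlow", [IAM_ADMIN]),   # management exempt
        ("sandbox", "user", "lambda:InvokeFunction", [IAM_ADMIN]),            # no explicit allow
        ("sandbox", "user", "ec2:RunInstances", [IAM_ADMIN]),                 # allow-listed
        ("production", "user", "s3:GetObject", [IAM_EC2_ONLY]),               # SCP ok, IAM missing
    ]
    for acct, who, action, iam in checks:
        print(f"{acct:<11} {who:<5} {action:<30} -> {effective_allow(org[acct], who, action, iam)}")
```

The walk in `scp_allows` is the part worth studying: it stops at the first level that either denies the action or lacks an explicit allow, which is why detaching FullAWSAccess from an OU (the Sandbox case) silently removes everything the allow-list SCP does not name, and why a Deny attached at an OU reaches every account beneath it regardless of how permissive the account's own IAM policies are.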
The post Multi-Account Management Using AWS Organizations appeared first on Cloud Training Program.