AWS is hosting the first FSI Cloud Symposium in Hong Kong, which will take place on Thursday, March 23, 2017 at the Grand Hyatt Hotel. The event will bring together FSI customers, industry professionals and AWS experts to explore how to turn the dream of transformation, innovation and acceleration into reality by exploiting Cloud, Voice to Text and IoT technologies. The packed agenda includes expert sessions on a host of pressing issues, such as security and compliance, as well as customer experience sharing on how cloud computing is benefiting the industry.
Speaker: Brian Wagner, Security Consultant, Professional Services, AWS
8. AWS Organizations
• New management capability for centrally managing multiple
AWS accounts
- Simplified creation of new AWS accounts
- Logically group AWS accounts for management convenience
- Apply organizational control policies (OCP)
- Simplified billing
• Console, SDK, and CLI support for all management tasks
9. AWS Organizations
[Diagram: the Master Account / Administrative root (M) sits at the top of the Organization; Organizational Units (OUs) named Dev, Test and Prod group the AWS Accounts A1, A2, A3 and A4; Organization Control Policies (OCPs) are attached at organization, OU or account level and govern the AWS Resources inside each account.]
10. Apply Organizational Control Policies (OCP)
• Describes controls to be applied
• Different use cases have different types of OCPs
• OCPs can be attached to
- Organization
- OUs
- AWS account
• OCPs are inherited up the hierarchy
- Hierarchy: AWS Account, OU, Organization
12. OCP V1: Service Control Policies (SCPs)
• Enables you to control which AWS service APIs are
accessible
- Define the list of APIs that are allowed – Whitelisting
- Define the list of APIs that must be blocked – Blacklisting
• Cannot be overridden by local administrator
• Resultant permission on IAM user/role is the intersection
between the SCP and assigned IAM permissions
• Necessary but not sufficient
• IAM policy simulator is SCP aware
13. SCPs are necessary but not sufficient
SCP             IAM
Allow: S3:*     Allow: SQS:*
Allow: EC2:*    Allow: EC2:*
Effective permission (intersection): EC2:* only
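As an added illustration that is not part of the presentation, the following Python models the intersection rule on this slide: an API call succeeds only when the SCP and the principal's IAM policy both allow it. The policy documents and action names are constructed for the example, and the evaluator is deliberately simplified (it ignores Resource, Condition and NotAction, and the other policy types AWS evaluates).

```python
from fnmatch import fnmatchcase

# Constructed policies mirroring the slide: the SCP allows S3 and EC2,
# the IAM policy attached to the user/role allows SQS and EC2.
SCP_WHITELIST = {"Statement": [{"Effect": "Allow", "Action": ["s3:*", "ec2:*"]}]}
IAM_POLICY = {"Statement": [{"Effect": "Allow", "Action": ["sqs:*", "ec2:*"]}]}
# Blacklisting-style SCP: allow everything, then explicitly deny one service.
SCP_BLACKLIST = {"Statement": [
    {"Effect": "Allow", "Action": "*"},
    {"Effect": "Deny", "Action": ["s3:*"]},
]}


def _actions(stmt):
    acts = stmt["Action"]
    return [acts] if isinstance(acts, str) else acts


def policy_decision(policy, action):
    """Evaluate one policy document against an action name.
    Explicit Deny wins over Allow; no match is an implicit deny.
    (Simplified model: ignores Resource, Condition and NotAction.)"""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if any(fnmatchcase(action.lower(), p.lower()) for p in _actions(stmt)):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def effective_allow(scp, iam_policy, action):
    """The slide's intersection rule: the call succeeds only if the SCP
    AND the IAM policy both allow it. An SCP alone grants nothing."""
    return (policy_decision(scp, action) == "Allow"
            and policy_decision(iam_policy, action) == "Allow")


def allowed_actions(scp, iam_policy, actions):
    """Filter a list of candidate API calls down to the effective set."""
    return [a for a in actions if effective_allow(scp, iam_policy, a)]


if __name__ == "__main__":
    calls = ["s3:GetObject", "sqs:SendMessage", "ec2:RunInstances"]
    print(allowed_actions(SCP_WHITELIST, IAM_POLICY, calls))  # ['ec2:RunInstances']
```

The blacklist variant shows why the deck advises against mixing the two styles: a deny statement in an SCP removes an API family even where the account's IAM policy grants it.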
14. Simplified Billing
• Single payer for all AWS accounts
• All AWS usage across AWS accounts in your
organization rolled up for volume pricing and billing
• All existing Consolidated Billing families will be migrated
to an organization in billing mode
15. Different Management Levels
You select the management level when creating a new organization
Billing mode
• Backward-compatible with current Consolidated Billing (CB)
• Organization created from Consolidated Billing family automatically in
Billing mode
Full-control mode
• Everything included in Billing mode
• Enables management of ALL types of OCPs
• Changing from Billing mode to Full control mode requires consent from
all AWS accounts in your organization
16. Least Privilege for Management
• IAM permissions for all AWS Organizations actions
• You can also specify AWS Organizations resources
(organization, OU, AWS account) as resources in an
IAM policy
• You can delegate permissions to manage your
organization to an IAM user in another AWS account by
using IAM roles
• All organization management activity is logged in AWS
CloudTrail
18. Best practices – AWS Organizations
• Monitor activity of the master account using CloudTrail
• Do not manage resources in the master account
• Manage your organization using the principle of “Least Privilege”
• Use OUs to assign controls
• Test controls on single AWS account first
• Only assign controls to root of organization if necessary
• Avoid mixing “whitelisting” and “blacklisting” SCPs in organization
• Create new AWS accounts for the right reasons
19. Best practices – AWS IAM
• Reduce or remove use of root
• Create individual IAM users
• Configure a strong password policy
• Enable MFA for privileged users
• Grant least privilege
• Manage permissions with groups
• Restrict privileged access further with conditions
• Rotate security credentials regularly
• Use IAM roles to share access
• Use IAM roles for Amazon EC2 instances
• Monitor activity
20. Resources
• AWS Organizations
• IAM Policies for AWS Organizations
• Logging AWS Organizations events with AWS CloudTrail
• Troubleshooting AWS Organizations Policies
• IAM Policy Simulator