Architecting Cloud Governance and Security with Multi-account Strategy
Deep Dive: AWS Organizations
IAM, CloudTrail, CloudWatch, STS
Why is Security important?
It keeps CxOs awake at night!
Why do we need more than one account?
An AWS account is the highest degree of:
Security Boundary
Resource Isolation
Billing Separation
One account is not enough:
Many Teams
Billing (unless you have exceptional tagging)
Isolation
Business processes
Security controls
Single vs Multiple Accounts
Multi Account
• Complete security and resource isolation
• Smaller blast radius
• Simplified billing per account
• Setup and operation overhead
• More complex security policies across accounts
Single Account
• Bigger blast radius
• More complex tagging
• Less resource isolation
• Minimal setup and operation overhead
• Less complex security policies
What is Governance and Compliance?
Governance is the oversight role and the process by which companies manage
and mitigate business risks.
Compliance ensures that an organization has the process and internal controls to
meet the requirements imposed by the governance body.
AWS Security Mind Map
https://cloudonaut.io
AWS Organizations - Key Terms
• Organization - entity you create to consolidate your AWS accounts
• Root - parent container for AWS accounts inside your organization
• Organizational Unit (OU) - container for accounts within a root; OUs can be nested
• Account - an AWS account that contains your resources
• Master account - the account that created the organization (AWS documentation now calls this the management account)
• Member accounts - accounts created within the organization, or existing accounts invited to join the organization
• Invitation - process of asking an existing account to join the organization; issued by the master account
• Handshake 🤝 - used to implement invitations and to switch between feature sets
• Service Control Policy (SCP) - filters that allow only the specified services and actions to be used in affected accounts
AWS Organizations - Feature Sets
• You must choose one of two feature sets:
• Consolidated billing - the default
• All features - includes all the functionality of consolidated billing, plus advanced features such as Service Control Policies (SCPs)
• You can move between the feature sets, but disabling all features deletes every SCP in the organization
If you previously collected your company's accounts into a Consolidated Billing family, AWS has automatically converted it into an organization for you.
Every invited account must approve enabling all features by accepting the request.
AWS Organizations - Benefits
• Centralized management of your accounts
• Enables automation of account creation
• Consolidated billing - the master account, which created the organization, pays for member accounts
• Grouping of accounts into organizational units (OUs)
• Control over the AWS services and actions in accounts
• Integration with IAM - effective permissions are the intersection of SCP and IAM: if either one denies (or fails to allow) an action, the user cannot perform it
• Eventually consistent model - it may take some time for changes to propagate to all accounts
Creating an organization
• In the account that will become the organization's master account, sign in as an IAM user or assume an IAM role (do not use the root user)
• Create the organization
• Select a feature set
• Confirm by choosing 'Create organization'
• Create accounts as required, or use 'Invite an AWS Account to Join Your Organization'
Deleting an Organization
• In the organization's master account, sign in as an IAM user or assume an IAM role
• Remove all member accounts from the organization
• Go to the Settings tab; choose 'Delete organization'
• Confirm by choosing 'Delete organization'
SCP
• SCPs are filters that allow only the specified services and actions to be used in affected accounts
• IAM grants full permission to S3, but an SCP "denies" S3 for the account - what is the resultant permission? Denied: an explicit SCP deny overrides any IAM allow, because the effective permission is the intersection of the two
• SCPs affect all users and roles in attached accounts, including the root user
• An SCP can be attached to:
• A root - affects all accounts in the organization
• An OU - affects all accounts in that OU, including accounts in child OUs
• An individual account
• SCPs don't apply to the master account
• Use either whitelisting or blacklisting to manage services
• Apply to a test account first
SCP - Whitelisting / Blacklisting
• By default nothing restricts what member accounts can use; restrictions begin only when we attach a limiting SCP
• Default access - the FullAWSAccess policy is attached to all roots, OUs, and accounts
• Whitelisting - explicitly specifies the access that IS allowed; everything else is implicitly blocked - replaces the FullAWSAccess policy with a new one
• Blacklisting - explicitly specifies the access that IS NOT allowed; everything else is allowed - leaves the FullAWSAccess policy in place and attaches additional Deny policies alongside it
Immutable Infrastructure
• From the master account, create a member account through AWS Organizations
• Provision resources as required in the member account (S3 websites / Lambda functions / CloudTrail / Config)
• In the master account, in AWS Organizations, create a blacklist policy that denies access to the provisioned resources and apply it to the appropriate OU
• We now have "immutable infrastructure" from the point of view of the member accounts
• For example:
• S3 websites which can't have their contents changed
• Lambda functions which are invoke-only "black boxes"
• ACM certs / key pairs which can't be deleted
• CloudTrail and Config which can never be turned off
• Caveat: SCPs don't apply to the master account, so a principal there with organizations:DetachPolicy can lift the restriction - keep the master account locked down and monitored
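The following is an added example, not code from the deck, that models how the SCP and IAM decisions above combine: SCPs are evaluated level by level from the root down, an action must be allowed at every level and denied at none, the result is then intersected with IAM, and the master account is exempt. It covers the "IAM allows S3 but SCP denies S3" quiz, the whitelisting and blacklisting styles, and the immutable-infrastructure deny list. Only Effect and Action (with '*' wildcards) are modelled; Resource, Condition and NotAction are ignored. The OU layout and the action lists in WHITELIST_SCP and IMMUTABLE_SCP are illustrative choices; only FullAWSAccess is an actual AWS default.

```python
"""Simplified model of how SCPs and IAM policies combine (added example,
not from the deck). Supports Effect and Action with '*' wildcards only;
Resource, Condition and NotAction are ignored. The OU layout and the
action lists in the example policies are assumptions, except FullAWSAccess,
which is the policy AWS attaches by default."""
from fnmatch import fnmatchcase

FULL_AWS_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Whitelisting SCP: replaces FullAWSAccess on an OU; only listed services remain usable.
WHITELIST_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "s3:*", "cloudtrail:*", "config:*"],
     "Resource": "*"}]}

# Blacklisting SCP for the "immutable infrastructure" pattern: attached alongside
# FullAWSAccess; explicit denies protect provisioned resources and audit logging.
IMMUTABLE_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": [
        "cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail",
        "config:StopConfigurationRecorder", "config:DeleteConfigurationRecorder",
        "s3:PutObject", "s3:DeleteObject", "s3:DeleteBucket",
        "lambda:UpdateFunctionCode", "lambda:DeleteFunction",
        "acm:DeleteCertificate", "ec2:DeleteKeyPair"],
     "Resource": "*"}]}

# IAM policy equivalent to AdministratorAccess, used for the "IAM allows S3" quiz.
ADMIN_IAM = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate_policy(policy, action):
    """Return 'deny', 'allow' or 'implicit_deny' for one policy document."""
    result = "implicit_deny"
    for stmt in _as_list(policy["Statement"]):
        if any(fnmatchcase(action, pat) for pat in _as_list(stmt.get("Action", []))):
            if stmt["Effect"] == "Deny":
                return "deny"          # an explicit deny always wins
            result = "allow"
    return result


def scp_allows(scp_levels, action):
    """scp_levels is a list of SCP lists, one per level from the root down to
    the account. An action survives only if, at every level, some SCP allows it
    and no SCP denies it (SCPs act as filters applied level by level)."""
    for level in scp_levels:
        results = [evaluate_policy(p, action) for p in level]
        if "deny" in results or "allow" not in results:
            return False
    return True


def effective_decision(scp_levels, iam_policies, action, is_master_account=False):
    """Combine SCP and IAM: the effective permission is their intersection.
    SCPs never apply to the master account, so only IAM is evaluated there."""
    if not is_master_account and not scp_allows(scp_levels, action):
        return "denied by SCP"
    results = [evaluate_policy(p, action) for p in iam_policies]
    if "deny" in results or "allow" not in results:
        return "denied by IAM"
    return "allowed"


# Hypothetical hierarchy: Root -> one OU -> member account (policies per level).
BLACKLIST_TREE = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, IMMUTABLE_SCP], [FULL_AWS_ACCESS]]
WHITELIST_TREE = [[FULL_AWS_ACCESS], [WHITELIST_SCP], [FULL_AWS_ACCESS]]
S3_DENY_TREE = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:*", "Resource": "*"}]}]]

if __name__ == "__main__":
    for tree, action in [(BLACKLIST_TREE, "cloudtrail:StopLogging"),
                         (BLACKLIST_TREE, "s3:GetObject"),
                         (WHITELIST_TREE, "iam:CreateUser"),
                         (WHITELIST_TREE, "ec2:RunInstances"),
                         (S3_DENY_TREE, "s3:PutObject")]:
        print(f"{action:28s} -> {effective_decision(tree, [ADMIN_IAM], action)}")
    # Same IAM policy in the master account: the SCP deny is not applied there.
    print("master account s3:PutObject ->",
          effective_decision(S3_DENY_TREE, [ADMIN_IAM], "s3:PutObject", is_master_account=True))
```

Note the whitelist tree: because WHITELIST_SCP replaces FullAWSAccess at the OU level, iam:CreateUser is implicitly denied there even though root and account levels still allow everything, which is the "allow needed at every level" rule in practice.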
Removing a Member Account from Your Organization
• Two options:
• Removing a Member Account from Your Organization - done by an IAM user in the organization's master account
• Leaving an Organization as a Member Account - done by the root user of the member account
• Either way, the account must already have all the information required to operate as a standalone AWS account (contact details, payment method, phone verification); if that information has not yet been provided, open a case with AWS Support
Managing OUs
• Creating an OU
• Renaming an OU
• Moving an Account to an OU or Between the Root and OUs
• Deleting an OU That You No Longer Need - move all accounts out of the OU and any child OUs, then delete the child OUs, then the OU itself
Closing an AWS Account
• Back up any applications and data you need to retain
• Closing is done in the 'Billing and Cost Management' console, not through the AWS Organizations console
• Open the Billing and Cost Management console
• Select 'My Account'
• On the 'Account Settings' page, in the Close Account section, check the box next to the terms and then choose 'Close Account'
• Confirm when prompted
• After closing you can still sign in as the root user to view past bills and contact AWS Customer Support
Important
Closing an account doesn't remove it from an organization. A closed member account in an organization still counts
towards your limit of accounts in the organization. You can remove the account from the organization to avoid it counting
against the limit.
Accessing Member Accounts
• Accessing a Member Account as the Root User - request a new password for the member account's root user (accounts created through Organizations have no root password set until you do this)
• Accessing a Member Account That Has a Master Account Access Role - grant members of an IAM group in the master account permission to assume the role
• Creating the OrganizationAccountAccessRole in an Invited Member Account - create an AWS Organizations admin role in the member account that trusts the master account, then grant members of an IAM group in the master account permission to assume the role
Cost Management
• AWS Organizations - no charge for using this service; it is a global service whose API endpoint is in the us-east-1 region
• IAM - no charge for using this feature
• Account - no cost for using this feature
AWS Organizations - Best Practices
1. Monitor activity in the master account using CloudTrail
2. Do not manage resources in the master account
3. Manage your organization using the principle of "least privilege"
4. Use OUs to assign controls
5. Test controls on a single AWS account first
6. Only assign controls to the root of the organization if necessary
7. Avoid mixing "whitelisting" and "blacklisting" SCPs in one organization
8. Create new AWS accounts for the right reasons
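Best practice 1 says to monitor the master account with CloudTrail but not what to look for. The following is an added example, not from the deck, of detection logic a security team would run over CloudTrail records: it flags root-user activity in the master account, Organizations API calls that weaken central control (detaching or deleting SCPs, moving or removing accounts), and attempts to stop or delete trails, including attempts that an SCP blocked. The log records, account IDs, ARNs and IDs are constructed for the example; the master account ID is an assumption.

```python
"""Detection rules over CloudTrail records from the master account (added
example, not from the deck). The records below are constructed; the account
IDs, ARNs, policy/OU IDs and event IDs are made up."""
import json

MASTER_ACCOUNT_ID = "111111111111"   # assumed master account ID

# Organizations API calls that weaken central control and should page someone.
ORG_CONTROL_CHANGES = {
    "DetachPolicy", "DeletePolicy", "UpdatePolicy", "DisablePolicyType",
    "MoveAccount", "RemoveAccountFromOrganization", "LeaveOrganization",
    "DeleteOrganization",
}
# CloudTrail calls that blind the audit log.
LOGGING_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail"}


def classify_event(event):
    """Return a list of alert strings for one CloudTrail record (empty if benign)."""
    alerts = []
    identity = event.get("userIdentity", {})
    actor = identity.get("arn", "?")
    source = event.get("eventSource", "")
    name = event.get("eventName", "")
    account = event.get("recipientAccountId", "")

    # Best practices 1 and 2: the master account should be quiet, and its root
    # user should not be used at all, so any root activity there is an alert.
    if identity.get("type") == "Root" and account == MASTER_ACCOUNT_ID:
        alerts.append(f"root user activity in master account: {name}")

    kind = None
    if source == "organizations.amazonaws.com" and name in ORG_CONTROL_CHANGES:
        kind = "organization control change"
    elif source == "cloudtrail.amazonaws.com" and name in LOGGING_TAMPERING:
        kind = "CloudTrail tampering"
    if kind:
        # A record with errorCode means the call was refused (for example by an
        # SCP); that is still worth seeing, because it shows someone tried.
        outcome = f"blocked ({event['errorCode']})" if "errorCode" in event else "succeeded"
        alerts.append(f"{kind}: {name} {outcome} by {actor} in account {account}")
    return alerts


def scan(records):
    """Run classify_event over a list of records; returns (eventID, alert) pairs."""
    return [(r["eventID"], a) for r in records for a in classify_event(r)]


# Constructed CloudTrail log file in the real delivery format: {"Records": [...]}.
# Organizations is a global service, so its events carry awsRegion us-east-1.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventID": "evt-1", "eventTime": "2017-06-01T09:00:00Z",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "recipientAccountId": MASTER_ACCOUNT_ID,
     "userIdentity": {"type": "Root", "accountId": MASTER_ACCOUNT_ID,
                      "arn": f"arn:aws:iam::{MASTER_ACCOUNT_ID}:root"}},
    {"eventID": "evt-2", "eventTime": "2017-06-01T09:05:00Z",
     "eventSource": "organizations.amazonaws.com", "eventName": "DetachPolicy",
     "awsRegion": "us-east-1", "recipientAccountId": MASTER_ACCOUNT_ID,
     "userIdentity": {"type": "IAMUser", "accountId": MASTER_ACCOUNT_ID,
                      "arn": f"arn:aws:iam::{MASTER_ACCOUNT_ID}:user/alice"},
     "requestParameters": {"policyId": "p-examplepolicy", "targetId": "ou-exam-ple12345"}},
    {"eventID": "evt-3", "eventTime": "2017-06-01T09:10:00Z",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "awsRegion": "us-east-1", "recipientAccountId": "222222222222",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole", "accountId": "222222222222",
                      "arn": "arn:aws:sts::222222222222:assumed-role/Developer/bob"}},
    {"eventID": "evt-4", "eventTime": "2017-06-01T09:15:00Z",
     "eventSource": "organizations.amazonaws.com", "eventName": "DescribeOrganization",
     "awsRegion": "us-east-1", "recipientAccountId": MASTER_ACCOUNT_ID,
     "userIdentity": {"type": "IAMUser", "accountId": MASTER_ACCOUNT_ID,
                      "arn": f"arn:aws:iam::{MASTER_ACCOUNT_ID}:user/alice"}},
]})

SAMPLE_RECORDS = json.loads(SAMPLE_LOG)["Records"]

if __name__ == "__main__":
    for event_id, alert in scan(SAMPLE_RECORDS):
        print(event_id, alert)
```

In production the same rules would run against CloudTrail log files delivered to an S3 bucket in a separate InfoSec account, or as CloudWatch Logs metric filters, so that the master account's own administrators cannot quietly suppress them.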
[Diagram: example account layout - Master Account, InfoSec Account, Development Account ("Enabling Innovation"), connected by VPC / Direct Connect / VPN connections]
New Account Paradox
• A newly opened master account cannot create new accounts or invite accounts to join the organization until its payment method has been verified; until then the console reports:
  "You cannot add accounts to your organization while it is initializing. Try again later."
• Once payment method verification completes, the console reports:
  "You may now send requests to other account owners to add their accounts to your Consolidated Bill."
SCPs at Work
[Diagram: Root has the default FullAWSAccess SCP attached (anything not allowed is implicitly denied); the SecInfo OU beneath it has FullAWSAccess plus an additional SCP with an explicit Deny on Amazon WorkSpaces, the blacklisting pattern]
Demo: AWS Organizations
No Cameras During the Web Demo!!!
References
• Applying AWS Organizations to Complex Account Structures - April 2017 AWS Online Tech Talks
• Limits of AWS Organizations - http://docs.aws.amazon.com/organizations/latest/userguide/orgs_reference_limits.html
• https://aws.amazon.com/organizations/
• http://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html
• AWS re:Invent 2016: Architecting Security and Governance Across a Multi-Account Strategy (SAC319)
Presentation
• Google “Windsor AWS User Group”
• Click “Join”
• Click “Presentations”

[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 

Windsor AWS UG Deep Dive - AWS Organizations

  • 1. Architecting Cloud Governance and Security with Multi-account Strategy. Deep Dive: AWS Organizations, IAM, CloudTrail, CloudWatch, STS
  • 2. Why is Security important? It keeps CxOs awake at night!
  • 3. Why do we need more than one account?
    • An AWS account is the highest degree of: security boundary, resource isolation, billing separation
    • One account is not enough: many teams, billing (unless you have exceptional tagging), isolation, business processes, security controls
  • 4. Single vs Multiple Accounts
    • Multi account: complete security and resource isolation; smaller blast radius; simplified billing per account; setup and operation overhead; more complex security policies across accounts
    • Single account: bigger blast radius; more complex tagging; less resource isolation; minimal setup and operation overhead; less complex security policies
  • 5. What is Governance and Compliance? Governance is the oversight role and the process by which companies manage and mitigate business risks. Compliance ensures that an organization has the processes and internal controls to meet the requirements imposed by the governance body.
  • 6. AWS Security Mind Map https://cloudonaut.io
  • 7. AWS Organizations - Key Terms
    • Organization - entity you create to consolidate your AWS accounts
    • Root - parent container for AWS accounts inside your organization
    • Organizational Unit (OU) - container for accounts within a root
    • Account - an AWS account that contains your resources
    • Master account - the account that created the organization
    • Member accounts - created within the organization, or existing accounts invited to join the organization
    • Invitation - process of asking an existing account to join the organization; issued by the master account
    • Handshake 🤝 - used to implement invitations and to switch between feature sets
    • Service Control Policy (SCP) - filters that allow only the specified services and actions to be used in affected accounts
  • 8. AWS Organizations - Feature Sets
    • Must select between two feature sets:
    • Consolidated billing - default
    • All features - includes all the functionality of consolidated billing, plus advanced features such as Service Control Policies (SCPs)
    • You can go back and forth between the feature sets; however, SCPs are lost
    • If you previously collected your company's accounts into a Consolidated Billing family, then AWS has automatically converted it into an organization for you. Every invited account must approve enabling all features by accepting the request.
  • 9. AWS Organizations - Benefits
    • Centralized management of your accounts
    • Enables automation of account creation
    • Consolidated billing - the master account, which created the organization, pays for member accounts
    • Grouping of accounts into organizational units (OUs)
    • Control over the AWS services and actions in accounts
    • Integration with IAM - if either denies access to a resource or service, it cannot be used by the user
    • Eventually consistent model - it may take some time for changes to propagate
  • 10. Creating an organization
    • In the account that will be the organization’s master account, sign in as an IAM user or assume an IAM role
    • Create organization
    • Select feature set
    • Confirm by choosing Create organization
    • Create accounts as required or ‘Invite an AWS Account to Join Your Organization’
  • 11. Deleting an Organization
    • In the organization’s master account, sign in as an IAM user or assume an IAM role
    • Remove all accounts from the organization
    • Go to the Settings tab; choose ‘Delete organization’
    • Confirm by choosing ‘Delete organization’
  • 12. SCP
    • SCPs are filters that allow only the specified services and actions to be used in affected accounts
    • IAM grants full permission to S3 but an SCP “denies” S3 for the account - what is the resultant permission?
    • SCPs affect all users in attached accounts, including the root user
    • An SCP can be attached to: a root - affects all accounts in the organization; an OU - affects all accounts in that OU, including accounts in child OUs; an individual account
    • SCPs don’t apply to the master account
    • Use either whitelisting or blacklisting to manage services
    • Apply to a test account first
  • 13. SCP - Whitelisting / Blacklisting
    • Nothing stops us from consuming resources until we decide to do so
    • Default access - the FullAWSAccess policy is attached to all roots, OUs, and accounts
    • Whitelisting - explicitly specifies the access that IS allowed; everything else is implicitly blocked; replaces the FullAWSAccess policy with a new one
    • Blacklisting - explicitly specifies access that IS NOT allowed; everything else is allowed; leave the FullAWSAccess policy in place and attach additional policies
  • 14. Immutable Infrastructure
    • From the master account, create a member account through AWS Organizations
    • Provision resources as required in the member account (S3 websites / Lambda functions / CloudTrail / Config)
    • In the master account, in AWS Organizations, create a blacklist policy that disables access to the provisioned resources and apply it to the appropriate OU
    • We now have "immutable infrastructure" from the point of view of the member accounts
    • For example: S3 websites which can't have their contents changed; Lambda functions which are invoke-only "black boxes"; ACM certs / key pairs which can't be deleted; CloudTrail and Config which can never be turned off
  • 15. Removing a Member Account from Your Organization
    • Two options:
    • Removing a Member Account from Your Organization - done by an IAM user in the organization’s master account
    • Leaving an Organization as a Member Account - done by the root user of the member account
    • The member account must have provided all information required to operate as a standalone AWS account; if it has not yet been provided, open a case with AWS Support
  • 16. Managing OUs
    • Creating an OU
    • Renaming an OU
    • Moving an Account to an OU or Between the Root and OUs
    • Deleting an OU That You No Longer Need - move all accounts out of the OU and any child OUs, and then delete the child OUs
  • 17. Closing an AWS Account
    • Back up any applications and data you need to retain
    • Closing is done in the ‘Billing and Cost Management’ console, not through the AWS Organizations console
    • Open the Billing and Cost Management console
    • Select ‘My Account’
    • On the ‘Account Settings’ page, in the Close Account section, check the box next to the terms and then choose ‘Close Account’
    • Confirm when prompted
    • After closing you can sign in as the root user to view past bills and contact AWS Customer Support
    • Important: Closing an account doesn't remove it from an organization. A closed member account in an organization still counts towards your limit of accounts in the organization. You can remove the account from the organization to avoid it counting against the limit.
  • 18. Accessing Member Accounts
    • Accessing a Member Account as the Root User - request a new password for the member account’s root user
    • Accessing a Member Account That Has a Master Account Access Role - grant permissions to members of an IAM group in the master account to access the role
    • Creating the OrganizationAccountAccessRole in an Invited Member Account - create an AWS Organizations admin role in the member account, then grant permissions to members of an IAM group in the master account to access the role
  • 19. Cost Management
    • AWS Organizations - no charge for using this service; global service accessed through the us-east-1 region
    • IAM - no charge for using this feature
    • Account - no cost for using this feature
  • 20. AWS Organizations - Best Practices
    1. Monitor activity in the master account using CloudTrail
    2. Do not manage resources in the master account
    3. Manage your organization using the principle of “least privilege”
    4. Use OUs to assign controls
    5. Test controls on a single AWS account first
    6. Only assign controls to the root of the organization if necessary
    7. Avoid mixing “whitelisting” and “blacklisting” SCPs in an organization
    8. Create new AWS accounts for the right reasons
  • 27. VPC / Direct Connect / VPN Connections
  • 28. New Account Paradox - a newly opened master account is not able to create new accounts or invite accounts to join the organization until billing verification completes
  • 29. You cannot add accounts to your organization while it is initializing. Try again later.
  • 30. Payment method verification. You may now send requests to other account owners to add their accounts to your Consolidated Bill.
  • 31. SCPs at Work (diagram labels): Root; SecInfo OU; FullAWSPermissions; Implicit Deny Everything; FullAWSPermissions; Explicit Deny Workspaces
  • 33. No Cameras During the Web Demo!!!
  • 34. References
    • Applying AWS Organizations to Complex Account Structures - April 2017 AWS Online Tech Talks
    • Limits of AWS Organizations - http://docs.aws.amazon.com/organizations/latest/userguide/orgs_reference_limits.html
    • https://aws.amazon.com/organizations/
    • http://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html
    • AWS re:Invent 2016: Architecting Security and Governance Across a Multi-Account Strategy (SAC319)
  • 35. Presentation
    • Google “Windsor AWS User Group”
    • Click “Join”
    • Click “Presentations”
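An added worked example (not from the slides) of the permission question on slide 12 and the whitelist/blacklist SCPs of slides 13, 14 and 31: an action is usable in a member account only if every SCP level on the path root, OU, account allows it and none denies it, and the principal's own IAM policy allows it as well. All policies, the bucket name and the OU layout below are constructed for illustration.

```python
"""Effective-permission check combining SCPs with IAM, as on slides 12, 13 and 31.
Added example, not from the slides; all policies below are constructed samples."""
import fnmatch

# Default SCP attached to every root, OU and account until replaced (slide 13).
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Blacklist SCP for an "immutable infrastructure" OU (slide 14): FullAWSAccess
# stays attached and this policy adds explicit denies for the guarded resources.
IMMUTABLE_OU_SCP = {"Statement": [
    {"Effect": "Deny", "Resource": "*",
     "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                "config:StopConfigurationRecorder", "config:DeleteConfigurationRecorder"]},
    {"Effect": "Deny", "Action": ["s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::example-static-site/*"},   # constructed bucket name
]}

# Whitelist SCP for a SecInfo OU (slide 31): replaces FullAWSAccess, so every
# service not listed is implicitly denied in that OU.
SECINFO_OU_SCP = {"Statement": [
    {"Effect": "Allow", "Action": ["cloudtrail:*", "config:*", "logs:*"], "Resource": "*"}]}

# Identity policies of IAM users inside the member account (constructed).
IAM_ADMIN = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
IAM_S3_ONLY = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(stmt, action, resource):
    """Case-sensitive wildcard match of one statement against an action/resource pair."""
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))


def level_allows(policies, action, resource):
    """All policies attached at one level form a union: an explicit Deny wins,
    otherwise at least one Allow is required (implicit deny)."""
    effects = [s["Effect"] for p in policies for s in p["Statement"] if _matches(s, action, resource)]
    return "Deny" not in effects and "Allow" in effects


def effective_allow(scp_path, iam_policy, action, resource, master_account=False):
    """scp_path lists the SCPs attached at the root, at each OU on the path, and at
    the account. Every level must allow the action, and then the principal's own
    IAM policy must allow it too; the master account is exempt from SCPs (slide 12)."""
    if not master_account and not all(level_allows(lvl, action, resource) for lvl in scp_path):
        return False
    return level_allows([iam_policy], action, resource)
```

The answer to slide 12's question falls out directly: with full S3 permission in IAM but an SCP deny on the OU, `effective_allow` returns False.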

Editor's Notes

  1. Windsor AWS Group operates at the intersection of Dev/Sec/Ops: the Dev team runs the app they wrote; the Ops team writes infrastructure as code; the Sec team learns cloud governance/compliance/security, and the Dev/Ops teams must know cloud security - all IT jobs are now cybersecurity jobs. Showing up for our meetups means a commitment to being taken out of your comfort zone.
  2. Single Account Bigger blast radius More complex tagging Less resource isolation
  3. If you previously collected your company's accounts into a Consolidated Billing family, then AWS has automatically converted it into an organization for you. Every invited account must approve enabling all features by accepting the request.
  4. When you are ready to restrict permissions, you replace the FullAWSAccess policy with one that allows only the more limited, desired set of permissions. This makes sense - there is no need to manage new services.
  5. The account is not deleted - it just can’t consume resources. Closing an account doesn't remove it from an organization. A closed member account in an organization still counts towards your limit of accounts in the organization. You can remove the account from the organization to avoid it counting against the limit.
  6. When you create a member account using the AWS Organizations console, AWS Organizations automatically creates an IAM role in the account. This role has full administrative permissions in the member account. The role is also configured to grant that access to the organization's master account. You can create an identical role for an invited member account by following the steps in Creating the OrganizationAccountAccessRole in an Invited Member Account.
  7. You cannot add accounts to your organization while it is initializing. Try again later.
  8. Demo: Create a new account; record the account # and role name. Create an OU. Move the newly created account into the new OU. Create a new SCP and attach it to the new OU. Create a group; assign the cloud_admin user to the group. Create an inline policy that allows the user to assume the role. Demonstrate switching roles.
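An added example (not AWS's actual role definition and not part of the slides) of the cross-account access described on slide 18 and in notes 6 and 8: the master-account group's inline policy and the member-account role's trust policy must both allow the assumption, or STS refuses it. The account ids are placeholders, and the MFA condition on the trust policy is a constructed hardening, not part of the role that Organizations creates by default.

```python
"""Cross-account access to the member-account admin role on slide 18 and editor
notes 6 and 8. Added example, not AWS's actual role definition; account ids and
the MFA condition are constructed. Assuming a role needs BOTH the caller's identity
policy (in the master account) and the role's trust policy (in the member account)."""
import fnmatch

MASTER_ACCOUNT = "111111111111"   # placeholder account ids
MEMBER_ACCOUNT = "222222222222"
ROLE_ARN = f"arn:aws:iam::{MEMBER_ACCOUNT}:role/OrganizationAccountAccessRole"

# Inline policy on the master-account admin group (note 8): may assume this one role only.
ADMIN_GROUP_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}]}

# Trust policy on the member-account role (note 6). The account root principal
# delegates to any IAM identity in the master account; the MFA condition is an
# added hardening, not part of the role Organizations creates by default.
ROLE_TRUST_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": f"arn:aws:iam::{MASTER_ACCOUNT}:root"},
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def identity_allows(policy, action, resource):
    """Caller side: explicit Deny wins, otherwise an Allow is required."""
    effects = [s["Effect"] for s in policy["Statement"]
               if any(fnmatch.fnmatchcase(action, a) for a in _as_list(s["Action"]))
               and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(s["Resource"]))]
    return "Deny" not in effects and "Allow" in effects


def trust_allows(trust, caller_arn, mfa_present):
    """Role side: the caller, or its account root, must be a trusted principal
    and any aws:MultiFactorAuthPresent condition must be satisfied."""
    caller_account = caller_arn.split(":")[4]
    for s in trust["Statement"]:
        if s["Effect"] != "Allow" or "sts:AssumeRole" not in _as_list(s["Action"]):
            continue
        principals = _as_list(s["Principal"].get("AWS", []))
        if caller_arn not in principals and f"arn:aws:iam::{caller_account}:root" not in principals:
            continue
        required = s.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if required is None or required == str(mfa_present).lower():
            return True
    return False


def can_assume(caller_arn, identity_policy, trust, role_arn, mfa_present=False):
    """Both checks must pass; a failure on either side yields AccessDenied from STS."""
    return (identity_allows(identity_policy, "sts:AssumeRole", role_arn)
            and trust_allows(trust, caller_arn, mfa_present))
```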