3. Why do we need more than one account?
An AWS account is the highest degree of:
Security boundary
Resource isolation
Billing separation
One account is not enough because of:
Many teams
Billing (unless you have exceptional tagging)
Isolation
Business processes
Security controls
4. Single vs Multiple Accounts
Multi Account
Complete security and resource isolation
Smaller blast radius
Simplified billing per account
Setup and operation overhead
More complex security policies across accounts
Single Account
Bigger blast radius
More complex tagging
Less resource isolation
Minimal setup and operation overhead
Less complex security policies
5. What is Governance and Compliance?
Governance is the oversight role and the process by which companies manage and mitigate business risks.
Compliance ensures that an organization has the processes and internal controls to meet the requirements imposed by the governance body.
7. AWS Organizations - Key Terms
• Organization - the entity you create to consolidate your AWS accounts
• Root - the parent container for all AWS accounts inside your organization
• Organizational Unit (OU) - a container for accounts within a root
• Account - an AWS account that contains your resources
• Master account - the account that created the organization
• Member accounts - accounts created within the organization, or existing accounts invited to join the organization
• Invitation - the process of asking an existing account to join the organization; issued by the master account
• Handshake 🤝 - used to implement invitations and to switch between feature sets
• Service Control Policy (SCP) - filters that allow only the specified services and actions to be used in affected accounts
8. AWS Organizations - Feature Sets
• You must select between two feature sets:
• Consolidated billing - the default
• All features - includes all the functionality of consolidated billing, plus advanced features such as Service Control Policies (SCPs)
• You can switch back and forth between the feature sets; however, SCPs are lost when you leave the all-features set
If you previously collected your company's accounts into a Consolidated Billing family, then AWS has automatically converted it into an organization for you.
Every invited account must approve enabling all features by accepting the request.
9. AWS Organizations - Benefits
• Centralized management of your accounts
• Enables automation of account creation
• Consolidated billing - the master account, which created the organization, pays for the member accounts
• Grouping of accounts into organizational units (OUs)
• Control over the AWS services and actions available in accounts
• Integration with IAM - if either IAM or an SCP denies access to a resource or service, it cannot be used by the user
• Eventually consistent model - it may take some time for changes to propagate
10. Creating an organization
• In the account that will become the organization’s master account, sign in as an IAM user or assume an IAM role
• Create the organization
• Select the feature set
• Confirm by choosing Create organization
• Create accounts as required, or use ‘Invite an AWS Account to Join Your Organization’
11. Deleting an Organization
• In the organization’s master account, sign in as an IAM user or assume an IAM role
• Remove all accounts from the organization
• Go to the Settings tab and choose ‘Delete organization’
• Confirm by choosing ‘Delete organization’
12. SCP
• SCPs are filters that allow only the specified services and actions to be used in affected accounts
• IAM grants full permission to S3 but an SCP “denies” S3 for the account - what is the resultant permission?
• SCPs affect all users in attached accounts, including the root user
• An SCP can be attached to:
• A root - affects all accounts in the organization
• An OU - affects all accounts in that OU, including accounts in child OUs
• An individual account
• SCPs don’t apply to the master account
• Use either whitelisting or blacklisting to manage services
• Apply to a test account first
13. SCP - Whitelisting / Blacklisting
• Nothing stops us from consuming resources until we decide to do so
• Default access - the FullAWSAccess policy is attached to all roots, OUs, and accounts
• Whitelisting - explicitly specifies the access that IS allowed; everything else is implicitly blocked; replaces the FullAWSAccess policy with a new one
• Blacklisting - explicitly specifies the access that IS NOT allowed; everything else is allowed; leaves the FullAWSAccess policy in place and attaches additional policies
14. Immutable Infrastructure
• From the master account, create a member account through AWS Organizations
• Provision resources as required in the member account (S3 websites / Lambda functions / CloudTrail / Config)
• In the master account, in AWS Organizations, create a blacklist policy that disables access to the provisioned resources and apply it to the appropriate OU
• We now have "immutable infrastructure" from the point of view of the member accounts
• For example:
• S3 websites whose contents can't be changed
• Lambda functions which are invoke-only "black boxes"
• ACM certificates / key pairs which can't be deleted
• CloudTrail and Config that can never be turned off
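The SCP slide asks what happens when IAM grants full S3 access but an SCP denies S3, and the whitelisting/blacklisting and immutable-infrastructure slides describe how the FullAWSAccess default is replaced or carved out. The following is an added example, not code from the slides or from AWS: a small model of the evaluation rules (IAM and SCP must both allow; an explicit Deny wins; the action must be allowed at every level from the root down to the account; the master account is exempt). Only FullAWSAccess reproduces the real AWS-managed document; the IAM policies, the whitelist, the deny-S3, deny-Workspaces and immutable-infrastructure SCPs and the SecInfo hierarchy are constructed for the illustration, and NotAction, NotResource and Condition are not modelled.

```python
# Added example, not code from the slides or from AWS: a small model of how AWS
# combines IAM permissions with Service Control Policies. Only FULL_AWS_ACCESS is
# the real AWS-managed document; every other policy here is constructed for the
# illustration. Assumptions: Action/Resource with "*" wildcards only; NotAction,
# NotResource and Condition are not modelled.
from fnmatch import fnmatchcase

# The AWS-managed default SCP attached to every root, OU and account.
FULL_AWS_ACCESS = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Constructed IAM policies: full S3 rights (the question on the SCP slide) and
# administrator rights (what the root user of a member account effectively has).
IAM_S3_FULL = {"Version": "2012-10-17",
               "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
IAM_ADMIN = FULL_AWS_ACCESS

# Constructed SCPs. The whitelist REPLACES FullAWSAccess at the level where it is
# attached; the blacklists sit NEXT TO FullAWSAccess and carve actions out.
WHITELIST_SCP = {"Version": "2012-10-17",
                 "Statement": [{"Effect": "Allow", "Resource": "*",
                                "Action": ["s3:*", "lambda:*", "cloudtrail:*", "config:*"]}]}
DENY_S3_SCP = {"Version": "2012-10-17",
               "Statement": [{"Effect": "Deny", "Action": "s3:*", "Resource": "*"}]}
DENY_WORKSPACES_SCP = {"Version": "2012-10-17",  # the "Explicit Deny Workspaces" box
                       "Statement": [{"Effect": "Deny", "Action": "workspaces:*", "Resource": "*"}]}
IMMUTABLE_SCP = {"Version": "2012-10-17",  # the immutable-infrastructure pattern
                 "Statement": [{"Effect": "Deny", "Resource": "*",
                                "Action": ["s3:PutObject", "s3:DeleteObject", "s3:DeleteBucket",
                                           "lambda:UpdateFunctionCode", "lambda:DeleteFunction",
                                           "acm:DeleteCertificate", "ec2:DeleteKeyPair",
                                           "cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                                           "config:StopConfigurationRecorder"]}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(statement, action, resource):
    """True if the statement's Action and Resource patterns cover the request."""
    actions = [a.lower() for a in _as_list(statement.get("Action", []))]
    resources = _as_list(statement.get("Resource", "*"))
    return (any(fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatchcase(resource, r) for r in resources))


def policy_decision(policy, action, resource="*"):
    """Decision of one document: an explicit Deny beats any Allow, and a request
    that no statement mentions is implicitly denied."""
    decision = "ImplicitDeny"
    for statement in _as_list(policy["Statement"]):
        if _matches(statement, action, resource):
            if statement["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def scps_allow(scp_levels, action, resource="*"):
    """scp_levels holds the SCPs attached at each level on the path root -> OUs
    -> account. The action survives only if every level has an Allow for it and
    no level has a Deny. SCPs never grant access on their own; they only filter."""
    for policies in scp_levels:
        decisions = [policy_decision(p, action, resource) for p in policies]
        if "Deny" in decisions or "Allow" not in decisions:
            return False
    return True


def effective_access(iam_policies, scp_levels, action, resource="*", master_account=False):
    """A principal may act only if IAM allows AND the SCPs allow. SCPs do not
    apply to the master account, so there IAM alone decides."""
    iam = [policy_decision(p, action, resource) for p in iam_policies]
    iam_allows = "Allow" in iam and "Deny" not in iam
    if master_account:
        return iam_allows
    return iam_allows and scps_allow(scp_levels, action, resource)


# Constructed hierarchy in the spirit of the slides: the root keeps FullAWSAccess,
# the SecInfo OU adds the Workspaces deny, and the member account carries the
# immutable-infrastructure deny next to FullAWSAccess.
SECINFO_ACCOUNT = [[FULL_AWS_ACCESS],
                   [FULL_AWS_ACCESS, DENY_WORKSPACES_SCP],
                   [FULL_AWS_ACCESS, IMMUTABLE_SCP]]

if __name__ == "__main__":
    print("IAM s3:* but SCP denies s3 ->",
          effective_access([IAM_S3_FULL], [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, DENY_S3_SCP]], "s3:GetObject"))
    for act in ["s3:GetObject", "s3:PutObject", "cloudtrail:StopLogging",
                "workspaces:CreateWorkspaces", "ec2:RunInstances"]:
        print(f"{act:30} member root user: {effective_access([IAM_ADMIN], SECINFO_ACCOUNT, act)}"
              f"  master account: {effective_access([IAM_ADMIN], SECINFO_ACCOUNT, act, master_account=True)}")
    print("whitelist at root, ec2:RunInstances ->",
          effective_access([IAM_ADMIN], [[WHITELIST_SCP], [FULL_AWS_ACCESS]], "ec2:RunInstances"))
```

Running the script answers the slide's question (the SCP deny wins, so the S3-admin user gets nothing in S3) and shows why the immutable-infrastructure pattern holds even for the member account's root user while the master account is untouched; swapping the whitelist in at the root demonstrates that a service missing from the whitelist is blocked even though every lower level still has FullAWSAccess.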
15. Removing a Member Account from Your Organization
• Two options:
• Removing a Member Account from Your Organization - done by an IAM user in the organization’s master account
• Leaving an Organization as a Member Account - done by the root user of the member account
• The account must already have all the information required to operate as a standalone AWS account; if that information has not yet been provided, open a case with AWS Support
16. Managing OUs
• Creating an OU
• Renaming an OU
• Moving an Account to an OU or Between the Root and OUs
• Deleting an OU That You No Longer Need - move all accounts out of the OU and any child OUs, and then delete the child OUs
17. Closing an AWS Account
• Back up any applications and data you need to retain
• Closing is done in the ‘Billing and Cost Management’ console, not through the AWS Organizations console
• Open the Billing and Cost Management console
• Select ‘My Account’
• On the ‘Account Settings’ page, in the Close Account section, check the box next to the terms and then choose ‘Close Account’
• Confirm when prompted
• After closing you can still sign in as the root user to view past bills and contact AWS Customer Support
Important
Closing an account doesn't remove it from an organization. A closed member account in an organization still counts towards your limit of accounts in the organization. You can remove the account from the organization to avoid it counting against the limit.
18. Accessing Member Accounts
• Accessing a Member Account as the Root User - request a new password for the member account’s root user
• Accessing a Member Account That Has a Master Account Access Role - grant members of an IAM group in the master account permission to assume the role
• Creating the OrganizationAccountAccessRole in an Invited Member Account - create an AWS Organizations admin role in the member account, then grant members of an IAM group in the master account permission to assume the role
19. Cost Management
• AWS Organizations - no charge for using this service; it is a global service accessed through the us-east-1 region
• IAM - no charge for using this feature
• Account - no cost for using this feature
20. AWS Organizations - Best Practices
1. Monitor activity in the master account using CloudTrail
2. Do not manage resources in the master account
3. Manage your organization using the principle of “least privilege”
4. Use OUs to assign controls
5. Test controls on a single AWS account first
6. Only assign controls to the root of the organization if necessary
7. Avoid mixing “whitelisting” and “blacklisting” SCPs in an organization
8. Create new AWS accounts for the right reasons
28. New Account Paradox
• A newly opened master account is not able to create new accounts or invite accounts to join the organization until billing verification completes
29. You cannot add accounts to your organization while it is
initializing. Try again later.
30. Payment method verification
You may now send requests to other account owners to add their accounts
to your Consolidated Bill.
31. SCPs at Work
[Diagram: Root: FullAWSPermissions, Implicit Deny Everything. SecInfo OU: FullAWSPermissions, Explicit Deny Workspaces.]
Windsor AWS Group operates at the intersection of Dev/Sec/Ops.
The Dev team runs the app they wrote; the Ops team writes infrastructure as code; the Sec team learns cloud governance/compliance/security, and the Dev/Ops teams must know cloud security: all IT jobs are now cybersecurity jobs.
Showing up for our meetups means a commitment to being taken out of your comfort zone.
When you are ready to restrict permissions, you replace the FullAWSAccess policy with one that allows only the more limited, desired set of permissions.
This makes sense: you don’t need to manage new services as they appear.
The account is not deleted; it just can’t consume resources.
When you create a member account using the AWS Organizations console, AWS Organizations automatically creates an IAM role in the account. This role has full administrative permissions in the member account. The role is also configured to grant that access to the organization's master account. You can create an identical role for an invited member account by following the steps in Creating the OrganizationAccountAccessRole in an Invited Member Account.
Demo steps:
Create a new account.
Record the account number and role name.
Create an OU.
Move the newly created account into the new OU.
Create a new SCP and attach it to the new OU.
Create a group.
Assign the cloud_admin user to the group.
Create an inline policy that allows the user to assume the role.
Demonstrate switching roles.
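The demo steps above, automated end to end with boto3, as an added example that is not part of the slides. It runs with credentials from the organization's master account (all features must be enabled for the SCP steps) and assumes a user `cloud_admin` already exists there. The account e-mail, the account name `SecInfoLab`, the OU name `SecInfo`, the group name `CloudAdmins`, the SCP name `DenyAuditShutdown` and the account id `111122223333` used in the self-check are constructed placeholders; `OrganizationAccountAccessRole` is the role AWS creates in a new member account, as the notes above describe. Beyond the listed steps, the script handles the "new account paradox": it polls the create-account request and reports the failure reason instead of continuing with no account.

```python
# Added example, not code from the slides or from AWS: the demo procedure
# (create account, OU, SCP, group, assume-role policy, switch roles) with boto3.
# Placeholders: account e-mail, "SecInfoLab", "SecInfo", "CloudAdmins",
# "DenyAuditShutdown" and the 111122223333 account id in the self-check.
import json
import time

ROLE_NAME = "OrganizationAccountAccessRole"  # default role AWS creates in a new member account


def assume_role_policy(account_id, role_name=ROLE_NAME):
    """Inline IAM policy letting group members switch into the member account's role."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                           "Resource": f"arn:aws:iam::{account_id}:role/{role_name}"}]}


def deny_actions_scp(actions):
    """Blacklist SCP as JSON text (the Organizations API takes a string) denying the actions."""
    return json.dumps({"Version": "2012-10-17",
                       "Statement": [{"Effect": "Deny", "Action": list(actions), "Resource": "*"}]})


def wait_for_account(org, request_id, timeout=300):
    """Poll the create-account request. A new master account that has not passed
    billing verification ends up in FAILED, which is surfaced with its reason."""
    deadline = time.time() + timeout
    while time.time() < deadline:
        status = org.describe_create_account_status(
            CreateAccountRequestId=request_id)["CreateAccountStatus"]
        if status["State"] == "SUCCEEDED":
            return status["AccountId"]
        if status["State"] == "FAILED":
            raise RuntimeError(f"account creation failed: {status.get('FailureReason')}")
        time.sleep(10)
    raise TimeoutError("account creation still in progress")


def run_demo(email, account_name="SecInfoLab", ou_name="SecInfo",
             user="cloud_admin", group="CloudAdmins"):
    import boto3  # imported here so the policy helpers stay usable without AWS access
    org, iam, sts = boto3.client("organizations"), boto3.client("iam"), boto3.client("sts")

    # 1. Create a new account and record its id and the role name.
    req = org.create_account(Email=email, AccountName=account_name, RoleName=ROLE_NAME)
    account_id = wait_for_account(org, req["CreateAccountStatus"]["Id"])
    print(f"account {account_id}, role {ROLE_NAME}")

    # 2. Create an OU under the root and move the account into it.
    root_id = org.list_roots()["Roots"][0]["Id"]
    ou_id = org.create_organizational_unit(ParentId=root_id, Name=ou_name)["OrganizationalUnit"]["Id"]
    org.move_account(AccountId=account_id, SourceParentId=root_id, DestinationParentId=ou_id)

    # 3. Create a blacklist SCP and attach it to the OU; FullAWSAccess stays attached.
    scp = org.create_policy(Name="DenyAuditShutdown", Type="SERVICE_CONTROL_POLICY",
                            Description="Keep CloudTrail and Config running",
                            Content=deny_actions_scp(["cloudtrail:StopLogging",
                                                      "config:StopConfigurationRecorder"]))
    scp_id = scp["Policy"]["PolicySummary"]["Id"]
    org.attach_policy(PolicyId=scp_id, TargetId=ou_id)

    # 4. Group in the master account whose members may assume the member-account role.
    iam.create_group(GroupName=group)
    iam.add_user_to_group(GroupName=group, UserName=user)
    iam.put_group_policy(GroupName=group, PolicyName="AssumeMemberRole",
                         PolicyDocument=json.dumps(assume_role_policy(account_id)))

    # 5. Switch roles: the returned credentials belong to the member account.
    creds = sts.assume_role(RoleArn=f"arn:aws:iam::{account_id}:role/{ROLE_NAME}",
                            RoleSessionName="org-demo")["Credentials"]
    member_sts = boto3.client("sts", aws_access_key_id=creds["AccessKeyId"],
                              aws_secret_access_key=creds["SecretAccessKey"],
                              aws_session_token=creds["SessionToken"])
    print("switched into account", member_sts.get_caller_identity()["Account"])
    return account_id, ou_id, scp_id


if __name__ == "__main__":
    import sys
    run_demo(sys.argv[1])  # usage: python demo.py new-account-email@example.invalid
```

The inline policy is placed on the group rather than on the user so that adding someone to `CloudAdmins` is the only change needed to grant the role switch; the SCP attached in step 3 keeps CloudTrail and Config running in the member account even for whoever assumes the administrator role there.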