
AWS Organizations In Use

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: Organizations-001

Ensure that Amazon Organizations service is currently in use to gain central control over the use of AWS services across multiple AWS accounts (using Service Control Policies) in order to help you comply with the security and compliance policies within your company. AWS Organizations is an account management tool that enables you to centralize multiple AWS accounts into an organization that you create and administer. Amazon Organizations is available to all customers at no additional cost and has two main feature sets:
Consolidated Billing features – provides basic management tools that you can use to centrally manage all the accounts (master and member accounts) within your organization. With this feature you get a combined view of the AWS charges incurred by all your accounts and can take advantage of pricing benefits from aggregated usage. This is the default feature set applied to an organization that is migrated from a Consolidated Billing family of AWS accounts.
All features – provides the Consolidated Billing capabilities plus advanced policy-based management through Service Control Policies (SCPs), which give you fine-grained control over which services and actions member AWS accounts can access and use. Service Control Policies are similar to IAM policies except that they don't grant any access permissions; instead they act as filters that allow only the specified services to be used in the affected accounts. This is the complete feature set available to an organization.

This rule can help you with the following compliance standards:

  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

You can use the AWS Organizations service for:

  • Controlling access to AWS services (i.e. managing individual account permissions at scale) – Service Control Policies (SCPs) control AWS service use across multiple AWS accounts by limiting the permissions that the policies in an account can grant to entities such as IAM users and roles.
  • Central management of policies across multiple AWS accounts – Organizations provides the tools to centrally manage policies across multiple accounts without custom scripts or manual implementations.
  • Automating AWS account creation and management – the service API lets you create new accounts programmatically and add them to groups.
  • Simplifying billing – you can set up a single payment method for all the AWS accounts within your organization through the Consolidated Billing feature.


Audit

To check if your AWS account belongs to an Organization, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console using the root credentials.

02 Navigate to AWS Organizations home page at https://console.aws.amazon.com/organizations/.

03 If no AWS accounts are listed and a Getting Started page is displayed instead, the selected AWS account does not belong to an AWS Organization.

Using AWS CLI

01 Run describe-organization command (OSX/Linux/UNIX) to get information about the organization that the current AWS account belongs to. This command can be called from any AWS account (Member or Master) within an organization:

aws organizations describe-organization

02 The command output should return metadata about the organization that the selected account belongs to or an error message if the account is not associated with an organization:

An error occurred (AWSOrganizationsNotInUseException) when calling the DescribeOrganization operation: Your account is not a member of an organization.

If the AWSOrganizationsNotInUseException error is returned (as shown in the example above), the selected account does not belong to an AWS Organization.
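The audit above has two outcomes: organization metadata on success, or an AWSOrganizationsNotInUseException error. The following script, an added example that is not part of the Conformity page or of the AWS CLI, wraps the describe-organization call and turns those outcomes into a verdict for this rule. The runner is injectable so the logic can be exercised offline with the page's sample outputs (embedded below as constructed samples); run without arguments it calls the real CLI with whatever credentials are configured. Unexpected failures (no credentials, AccessDenied, CLI not installed) are reported as UNKNOWN rather than as a pass.

```python
"""Audit helper for Organizations-001 (added example; not the page's or the
AWS CLI's own code): runs `aws organizations describe-organization` and maps
the result onto the two outcomes the audit section describes."""
import json
import subprocess
from typing import Callable, List, Tuple

# Error name the AWS CLI prints for an account outside any organization.
NOT_IN_USE_ERROR = "AWSOrganizationsNotInUseException"

# A runner executes an argv and returns (exit code, stdout, stderr). The
# default shells out to the real CLI; a stub can be injected for testing.
Runner = Callable[[List[str]], Tuple[int, str, str]]

# Constructed samples copied from the page's audit and remediation output.
SAMPLE_NOT_IN_ORG_STDERR = (
    "An error occurred (AWSOrganizationsNotInUseException) when calling the "
    "DescribeOrganization operation: Your account is not a member of an organization."
)
SAMPLE_DESCRIBE_STDOUT = json.dumps({"Organization": {
    "AvailablePolicyTypes": [{"Status": "ENABLED", "Type": "SERVICE_CONTROL_POLICY"}],
    "MasterAccountId": "123456789012", "FeatureSet": "ALL", "Id": "o-d4czvpm5un"}})


def run_aws_cli(argv: List[str]) -> Tuple[int, str, str]:
    """Default runner: invoke the installed AWS CLI with the current credentials."""
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, check=False)
    except FileNotFoundError as exc:          # aws binary not on PATH
        return 127, "", str(exc)
    return proc.returncode, proc.stdout, proc.stderr


def make_stub_runner(rc: int, stdout: str, stderr: str) -> Runner:
    """Build a runner that returns canned output (for offline tests)."""
    return lambda argv: (rc, stdout, stderr)


def audit_organization_membership(run: Runner = run_aws_cli) -> dict:
    """Return a verdict dict. "status" is IN_ORGANIZATION, NOT_IN_ORGANIZATION
    or UNKNOWN; "rule_passes" mirrors the page's rule (account must belong to
    an organization); "all_features" and "scp_enabled" flag whether the
    remediation's recommended configuration is in place."""
    rc, out, err = run(["aws", "organizations", "describe-organization",
                        "--output", "json"])
    if rc == 0:
        try:
            org = json.loads(out)["Organization"]
        except (ValueError, KeyError, TypeError):
            return {"status": "UNKNOWN", "rule_passes": False,
                    "detail": "describe-organization succeeded but output was not parseable"}
        scp_enabled = any(
            p.get("Type") == "SERVICE_CONTROL_POLICY" and p.get("Status") == "ENABLED"
            for p in org.get("AvailablePolicyTypes", []))
        return {"status": "IN_ORGANIZATION", "rule_passes": True,
                "organization_id": org.get("Id"),
                "master_account_id": org.get("MasterAccountId"),
                "all_features": org.get("FeatureSet") == "ALL",
                "scp_enabled": scp_enabled}
    # The CLI reports service errors on stderr with a non-zero exit code.
    if NOT_IN_USE_ERROR in err or NOT_IN_USE_ERROR in out:
        return {"status": "NOT_IN_ORGANIZATION", "rule_passes": False,
                "detail": (err or out).strip()}
    # Anything else is not evidence either way, so never report it as a pass.
    return {"status": "UNKNOWN", "rule_passes": False,
            "detail": (err or out).strip() or f"exit code {rc}"}


if __name__ == "__main__":
    print(json.dumps(audit_organization_membership(), indent=2))
```

Running the script against the real CLI from a member account of an "All features" organization yields IN_ORGANIZATION with all_features and scp_enabled set; a stand-alone account yields NOT_IN_ORGANIZATION with the error text quoted above in the detail field.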

Remediation / Resolution

To make use of the Amazon Organizations service and benefit from centralized control over the use of AWS services across multiple accounts, you must first create an organization (with the All features set enabled) using your current AWS account as the master account, then invite other accounts to join your organization. Once the member accounts respond to your invitation, create Organizational Units (OUs) in which to place the new member accounts. The final step is to restrict what actions can be delegated to users and roles within the member accounts by using Service Control Policies (SCPs). An SCP lets you explicitly specify the access that is allowed (safelisting) or explicitly specify the access that is not allowed (blocklisting). To create and configure your organization, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console using the root credentials.

02 Navigate to AWS Organizations home page at https://console.aws.amazon.com/organizations/.

03 On the Getting Started page, click Create organization.

04 Within the Create new organization dialog box, select ENABLE ALL FEATURES to use the All features set (including Consolidated Billing features, policy-based controls and hierarchical management of accounts) for your new organization. The All features set allows you to apply SCPs to limit what the accounts within the organization can do, as well as create, manage and pay for the organization’s accounts using consolidated billing. Click Create organization to confirm that your new organization has all features enabled. You now have an AWS organization with your current account as its only member. This account is the master account of the organization.

05 Now that you have an organization, you can begin to populate it with existing accounts. To invite an existing AWS account to join your organization, select Accounts tab, click Add account from the dashboard top menu and choose Invite account option.

06 Enter the account ID (e.g. 123456789012) or the email address (e.g. member_account5@cloudconformity.com) of the account that you want to invite in the Account ID or email box.

07 In the Notes box, provide a short note to be included in the email that is sent to the owner of the account that receives the invitation. Click Invite to send your invitation. Once the account owner opens the email sent by AWS from the master account (your current AWS account) and accepts your invitation, the account becomes a member of your organization.

08 (Optional) To invite other AWS account owners to join your organization, repeat steps no. 5 – 7.

09 Create an Organizational Unit (OU) to place the member account(s) invited at the previous steps. To create and populate your OU, select Organize Accounts tab then choose + New organizational unit.

10 In the Create organizational unit dialog box, provide a name for your new OU (e.g. "Production") then click Create organizational unit to confirm the action. Now you can move your member account(s) into the newly created Organizational Unit.

11 Select the first member account that you want to place into your OU, then click Move to initiate the moving process.

12 Within Move 1 account dialog box, choose the Organizational Unit you want to move the account to then click Move to confirm the action. To make sure the selected member account has been moved to your new OU, click on the Organizational Unit to access its management page.

13 (Optional) To move other available member accounts to your Organizational Unit, repeat steps no. 10 – 12.

14 Now it’s time to create the necessary Service Control Policy (SCP) for your Organizational Unit (OU). As example, this conformity rule utilizes an SCP that defines a safelist of all the services and actions that can be enabled for users and roles within the OU created earlier (named "Production"). Once the policy is active, the users of the accounts available within the "Production" OU are able to access only the listed services and actions. To create the required Service Control Policy, select Policies tab then click Create policy to initiate the SCP creation process.

15 On the Create policy page, choose Policy generator and provide a name and a description for your new SCP using the Policy name and Description fields. For Choose Overall Effect select Allow, then choose the AWS service(s) and action(s) that you want to safelist from the Statement builder section, using the Add statement button to add as many services/actions as you need. Once all the necessary AWS services and actions have been defined, click Create policy to generate your SCP.

16 To attach your new SCP to a root or to any OU within a root, you must first enable the policy type for that root, as policy types are not enabled by default. To enable the Service Control Policy type for the root in your organization, select the Organize Accounts tab, choose Root from the left navigation panel, then click Enable next to Service control policies.

17 Click on the Organizational Unit that you want to configure (e.g. "Production") to access its management page.

18 Under the POLICIES section, click Service control policies to expand the panel with the policies attached/available to the selected OU. Locate the SCP created at steps no. 14 and 15, then click Attach to associate your SCP with the "Production" Organizational Unit (OU). Once attached, the member accounts available in the "Production" OU will be able to access only the AWS services and actions defined within the SCP.
Important Note: since all OUs created under the root account inherit the "FullAWSAccess" policy that allows access to every operation, make sure this policy is detached just after attaching your new SCP.

Using AWS CLI

01 First, run create-organization command (OSX/Linux/UNIX) to create the AWS organization. The account whose user is calling the create-organization command automatically becomes the master account of the organization, therefore create-organization must be called using credentials from the account that is to become the organization's master account. The following command example creates a new AWS organization with all features enabled and Service Control Policies (SCPs) also enabled on the root:

aws organizations create-organization \
	--feature-set ALL

02 The command output should return the new organization metadata:

{
    "Organization": {
        "AvailablePolicyTypes": [
            {
                "Status": "ENABLED",
                "Type": "SERVICE_CONTROL_POLICY"
            }
        ],
        "MasterAccountId": "123456789012",
        "MasterAccountArn": "arn:aws:organizations::123456789012:account/o-d4czvpm5un/123456789012",
        "FeatureSet": "ALL",
        "MasterAccountEmail": "master_account@cloudconformity.com",
        "Id": "o-d4czvpm5un",
        "Arn": "arn:aws:organizations::123456789012:organization/o-d4czvpm5un"
    }
}

03 Run invite-account-to-organization command (OSX/Linux/UNIX) to invite an existing AWS account to join the organization created at the previous steps. The following command example invites the account owned by member_account5@cloudconformity.com to join the new AWS organization:

aws organizations invite-account-to-organization \
	--target Id=member_account5@cloudconformity.com,Type=EMAIL \
	--notes "This is a request to join Cloud Conformity AWS organization."

04 The command output should return details about the handshake that is created to support the invitation request:

{
    "Handshake": {
        "Id": "h-cd73e2edb83d476083e9389a541aa54d",
        "State": "OPEN",
        "Resources": [
            {
                "Type": "ORGANIZATION",
                "Resources": [
                    {
                        "Type": "MASTER_EMAIL",
                        "Value": "master@cloudconformity.com"
                    },
                    {
                        "Type": "MASTER_NAME",
                        "Value": "Cloud Conformity"
                    },
                    {
                        "Type": "ORGANIZATION_FEATURE_SET",
                        "Value": "CONSOLIDATED_BILLING"
                    }
                ],
                "Value": "o-d4czvpm5un"
            },
            {
                "Type": "ACCOUNT",
                "Value": "123456789012"
            }
        ],
        "Parties": [
            {
                "Type": "ORGANIZATION",
                "Id": "2ig639bx3e"
            },
            {
                "Type": "ACCOUNT",
                "Id": "123456789012"
            }
        ],
        "Action": "INVITE",
        "RequestedTimestamp": 1501502812.633,
        "ExpirationTimestamp": 1502798812.633,
        "Arn": "arn:aws:organizations::123456789012:handshake/o-2ig639bx3e/invite/h-cd73e2edb83d476083e9389a541aa54d"
    }
}

05 Run list-roots command (OSX/Linux/UNIX) to describe the ID of the root that is defined within the current AWS organization:

aws organizations list-roots \
	--query "Roots[*].Id"

06 The command output should return the requested root ID:

[
    "r-mkqb"
]

07 Now run the create-organizational-unit command (OSX/Linux/UNIX) to create an Organizational Unit (OU) within the organization root, required to place the member account(s) invited at step no. 3. An OU is a container for accounts that lets you organize them in order to apply policies according to your needs. The following command example creates an Organizational Unit named "Production" within the root identified by the ID "r-mkqb":

aws organizations create-organizational-unit \
	--parent-id r-mkqb \
	--name "Production"

08 The command output should return the new OU metadata:

{
    "OrganizationalUnit": {
        "Id": "ou-mkqb-dy3g49ce",
        "Arn": "arn:aws:organizations::123456789012:ou/o-2ig639bx3e/ou-mkqb-dy3g49ce",
        "Name": "Production"
    }
}

09 Run move-account command (OSX/Linux/UNIX) to move the member account, invited to join the organization and identified by the ID 123456789012, to the Organizational Unit, identified by the ID "ou-mkqb-dy3g49ce", created at the previous steps (the command does not produce an output):

aws organizations move-account \
	--account-id 123456789012 \
	--source-parent-id r-mkqb \
	--destination-parent-id "ou-mkqb-dy3g49ce"

10 Run enable-policy-type command (OSX/Linux/UNIX) to enable the policy type for the organization root. After you enable the policy type, you can attach any policies (SCPs) of that type to the root, any OU, or account in that root:

aws organizations enable-policy-type \
	--root-id r-mkqb \
	--policy-type SERVICE_CONTROL_POLICY

11 The command output should return the request metadata:

{
    "Root": {
        "PolicyTypes": [],
        "Id": "r-mkqb",
        "Arn": "arn:aws:organizations::123456789012:root/o-2ig639bx3e/r-mkqb",
        "Name": "Root"
    }
}

12 Define the Service Control Policy (SCP) that will be attached to the OU created at step no. 7 and save it in a JSON file named "service-control-policy.json". As an example, this conformity rule uses an SCP that safelists the following AWS services with all their actions: EC2, RDS, S3 and ELB. The policy will later be attached to the "Production" OU so that it applies to the IAM users and roles within its member accounts:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1501499112000",
            "Effect": "Allow",
            "Action": [
                "ec2:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1501499370000",
            "Effect": "Allow",
            "Action": [
                "rds:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1501499383000",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1501499411000",
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

13 Run create-policy command (OSX/Linux/UNIX) to create the SCP defined at the previous step. The following command example creates a policy named "AllowProdActions" using the policy definition saved to the "service-control-policy.json" JSON file:

aws organizations create-policy \
	--type SERVICE_CONTROL_POLICY \
	--description "Enables the necessary AWS services and actions required in production" \
	--name AllowProdActions \
	--content file://service-control-policy.json

14 The command output should return the SCP creation request metadata:

{
    "Policy": {
        "Content": " ... ",
        "PolicySummary": {
            "AwsManaged": false,
            "Description": "Enables the necessary AWS services and actions required in production",
            "Type": "SERVICE_CONTROL_POLICY",
            "Id": "p-c8i36fo4",
            "Arn": "arn:aws:organizations::123456789012:policy/o-2ig639bx3e/service_control_policy/p-c8i36fo4",
            "Name": "AllowProdActions"
        }
    }
}

15 Finally, run attach-policy command (OSX/Linux/UNIX) to attach the Service Control Policy created earlier, identified by the ID "p-c8i36fo4" to the Organizational Unit created at step no. 7, identified by the ID "ou-mkqb-dy3g49ce" (if successful, the command does not return an output):

aws organizations attach-policy \
	--target-id ou-mkqb-dy3g49ce \
	--policy-id p-c8i36fo4
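Whether the safelist just attached actually restricts the "Production" OU depends on which other SCPs sit on the path from the root down to each member account, which is the point of the Important Note at console step 18 about detaching "FullAWSAccess". The following model, an added example that is not the page's or AWS's own code, evaluates an action the way SCPs are applied: at every level of the root → OU → account path at least one attached SCP must allow the action, and no SCP at any level may explicitly deny it. It uses the page's step-12 safelist and the AWS-managed FullAWSAccess policy; the DenyBucketDeletion policy is constructed here to show blocklisting as well, and only Effect and Action are modelled (no Resource, NotAction or Condition), which is all the page's policies use.

```python
"""Effective-SCP model (added example; not from the Conformity page).
Decides whether an API action survives the Service Control Policies attached
along the root -> OU -> account path. This is the SCP ceiling only: SCPs
never grant access, so an IAM policy must still allow the action."""
import json
from fnmatch import fnmatchcase
from typing import Dict, List, Optional

# The safelist SCP from step 12 (same content as service-control-policy.json).
ALLOW_PROD_ACTIONS: Dict = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*"], "Resource": ["*"]},
    {"Effect": "Allow", "Action": ["rds:*"], "Resource": ["*"]},
    {"Effect": "Allow", "Action": ["s3:*"], "Resource": ["*"]},
    {"Effect": "Allow", "Action": ["elasticloadbalancing:*"], "Resource": ["*"]}
  ]
}""")

# AWS-managed policy attached to every root, OU and account by default.
FULL_AWS_ACCESS: Dict = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Constructed blocklist SCP (not on the page) illustrating an explicit Deny.
DENY_BUCKET_DELETION: Dict = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": ["s3:DeleteBucket"], "Resource": "*"}]}


def _action_patterns(stmt: Dict) -> List[str]:
    act = stmt.get("Action", [])
    return [act] if isinstance(act, str) else list(act)


def _matches(stmt: Dict, action: str) -> bool:
    # IAM action names are case-insensitive; '*' wildcards follow glob rules.
    return any(fnmatchcase(action.lower(), pat.lower()) for pat in _action_patterns(stmt))


def scp_decision(policy: Dict, action: str) -> Optional[str]:
    """One SCP's verdict on an action: "Deny" beats "Allow"; None means no statement matched."""
    decision = None
    for stmt in policy.get("Statement", []):
        if _matches(stmt, action):
            if stmt.get("Effect") == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def action_allowed_by_scps(path: List[List[Dict]], action: str) -> bool:
    """path: the SCPs attached at each level, ordered root -> OU(s) -> account.
    True only if every level has an Allow for the action and no level has a Deny."""
    for scps in path:
        decisions = [scp_decision(p, action) for p in scps]
        if "Deny" in decisions or "Allow" not in decisions:
            return False
    return True


def effective_access(path: List[List[Dict]], actions: List[str]) -> Dict[str, bool]:
    return {a: action_allowed_by_scps(path, a) for a in actions}


# The root keeps FullAWSAccess; the page's safelist is attached to the OU.
PRODUCTION_OU_BEFORE_DETACH = [[FULL_AWS_ACCESS], [ALLOW_PROD_ACTIONS, FULL_AWS_ACCESS]]
PRODUCTION_OU_AFTER_DETACH = [[FULL_AWS_ACCESS], [ALLOW_PROD_ACTIONS]]
PRODUCTION_OU_WITH_BLOCKLIST = [[FULL_AWS_ACCESS], [ALLOW_PROD_ACTIONS, DENY_BUCKET_DELETION]]

SAMPLE_ACTIONS = ["ec2:RunInstances", "s3:GetObject", "s3:DeleteBucket",
                  "elasticloadbalancing:DescribeLoadBalancers", "lambda:InvokeFunction"]

if __name__ == "__main__":
    for label, path in [("OU before detaching FullAWSAccess", PRODUCTION_OU_BEFORE_DETACH),
                        ("OU after detaching FullAWSAccess", PRODUCTION_OU_AFTER_DETACH),
                        ("OU with safelist plus DenyBucketDeletion", PRODUCTION_OU_WITH_BLOCKLIST)]:
        print(label)
        for action, ok in effective_access(path, SAMPLE_ACTIONS).items():
            print(f"  {action:45} {'allowed' if ok else 'blocked'}")
```

With FullAWSAccess still attached to the OU, lambda:InvokeFunction is allowed even though it is absent from the safelist, because one allowing SCP at that level is enough; once FullAWSAccess is detached only the four safelisted services survive, and the constructed Deny blocks s3:DeleteBucket regardless of the s3:* Allow beside it.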

Publication date Jul 19, 2017