Monitor AWS Organizations Configuration Changes

AWS Organizations is an account management tool that enables you to centralize multiple AWS accounts into an organization that you create and administer. The AWS Organizations service is used for:
- Controlling access to AWS services (i.e. managing individual account permissions at scale) – using Service Control Policies (SCPs), which control the AWS services used across multiple AWS accounts by bounding the permissions that can be granted to entities in an account such as IAM users and roles.
- Central management of policies across multiple AWS accounts – the Organizations service provides the tools needed to centrally manage policies across multiple accounts without custom scripts or manual implementations.
- Automating AWS account creation and management – using the service API to create new accounts programmatically and to add them to groups.
- Simplifying billing – by letting you set up a single payment method for all the AWS accounts within your organization through the Consolidated Billing feature.

This rule can help you with the following compliance standards:
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Real-Time Threat Monitoring.
The activity detected by this RTMA conformity rule can be any administrator-specific action initiated through the AWS Management Console, or any AWS API request initiated programmatically using the AWS CLI or an SDK, that changes the AWS Organizations configuration, such as creating an organization, deleting an organization, creating new accounts within an organization or removing a member account from an organization. Cloud Conformity RTMA can detect essentially any API call that changes the service configuration within your AWS account(s), helping you catch unwanted, accidental or intentional modifications that could lead to unauthorized access or other security breaches.
The communication channels for sending alert notifications can be easily configured within your Cloud Conformity account. The supported channels for receiving configuration change alerts are Email, Slack, JIRA, ServiceNow and Zendesk.
Rationale
Monitoring configuration changes to your AWS Organizations service in real time is crucial for keeping your entire AWS environment secure. This Cloud Conformity RTMA rule helps you ensure that any unexpected change performed within your AWS Organizations can be investigated and any unwanted change can be rolled back in a timely manner.
Ultimately this enables you to control the security of the accounts currently available within your AWS Organizations and to control what IAM users (including the root account user) can and cannot do. The main purpose of this RTMA rule is to notify Cloud Conformity users in real time when a configuration change (e.g. AWS account added/removed, Service Control Policy created/updated/removed, etc.) is detected within your organization.
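The detection described above (organization created/deleted, accounts added/removed, SCPs created/updated/removed) comes down to filtering CloudTrail records by event source and event name. The following Python script is an added illustration of that filter, not Cloud Conformity's own rule logic: it reads a CloudTrail log body, keeps only records whose `eventSource` is `organizations.amazonaws.com` and whose `eventName` is a configuration-changing Organizations API call, and turns each one into an alert record of the kind you would forward to Email or Slack. The log records, account IDs, ARNs and policy ID below are constructed for the example; the event names and the `eventSource` value are the real CloudTrail identifiers.

```python
"""Flag AWS Organizations configuration changes in CloudTrail records.

Added illustration (not Cloud Conformity's code). Sample records below are
constructed for this example and are not real log data.
"""
import json
from typing import Iterable

# CloudTrail eventSource for every AWS Organizations API call.
ORG_EVENT_SOURCE = "organizations.amazonaws.com"

# Organizations API calls that change configuration. Read-only calls such as
# DescribeOrganization or ListAccounts are deliberately excluded so routine
# inventory activity does not raise alerts.
CONFIG_CHANGE_EVENTS = {
    "CreateOrganization", "DeleteOrganization",
    "CreateAccount", "InviteAccountToOrganization",
    "RemoveAccountFromOrganization", "LeaveOrganization",
    "CreatePolicy", "UpdatePolicy", "DeletePolicy",
    "AttachPolicy", "DetachPolicy",
    "EnablePolicyType", "DisablePolicyType",
}


def is_org_config_change(record: dict) -> bool:
    """True if one CloudTrail record is an Organizations configuration change.

    Both fields are checked: IAM also has a CreatePolicy/DeletePolicy event,
    so matching on eventName alone would misfire on IAM-managed policies.
    """
    return (record.get("eventSource") == ORG_EVENT_SOURCE
            and record.get("eventName") in CONFIG_CHANGE_EVENTS)


def actor_of(record: dict) -> str:
    """Principal that made the call: its ARN when present, else its type."""
    identity = record.get("userIdentity", {})
    return identity.get("arn") or identity.get("type", "unknown")


def build_alerts(records: Iterable[dict]) -> list[dict]:
    """Turn matching records into flat alert dicts for a notification channel.

    Failed calls (errorCode set, e.g. AccessDenied) are kept on purpose: an
    attempted but denied change is still worth investigating.
    """
    alerts = []
    for rec in records:
        if not is_org_config_change(rec):
            continue
        user_agent = rec.get("userAgent", "").lower()
        alerts.append({
            "time": rec.get("eventTime"),
            "event": rec["eventName"],
            "actor": actor_of(rec),
            "source_ip": rec.get("sourceIPAddress"),
            "account": rec.get("recipientAccountId"),
            # Rough heuristic: console actions carry console.amazonaws.com
            # as userAgent; CLI/SDK calls carry their client string.
            "via": "console" if "console" in user_agent else "api",
            "request": rec.get("requestParameters"),
            "errorCode": rec.get("errorCode"),
        })
    return alerts


def alerts_from_cloudtrail_json(raw: str) -> list[dict]:
    """Parse a CloudTrail log file body ({"Records": [...]}) into alerts."""
    return build_alerts(json.loads(raw).get("Records", []))


# Constructed sample CloudTrail log (not real data): one read-only call, one
# root-user console removal of a member account, one denied SCP deletion, and
# one IAM CreatePolicy that must NOT match because its eventSource differs.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-10T09:12:03Z", "eventSource": ORG_EVENT_SOURCE,
     "eventName": "ListAccounts",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/auditor"},
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "recipientAccountId": "111111111111"},
    {"eventTime": "2024-01-10T09:15:44Z", "eventSource": ORG_EVENT_SOURCE,
     "eventName": "RemoveAccountFromOrganization",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"},
     "sourceIPAddress": "203.0.113.10", "userAgent": "console.amazonaws.com",
     "recipientAccountId": "111111111111",
     "requestParameters": {"accountId": "222222222222"}},
    {"eventTime": "2024-01-10T09:16:02Z", "eventSource": ORG_EVENT_SOURCE,
     "eventName": "DeletePolicy",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/OrgAdmin/alice"},
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-sdk-go/1.44",
     "recipientAccountId": "111111111111",
     "requestParameters": {"policyId": "p-examplepolicy"},
     "errorCode": "AccessDenied"},
    {"eventTime": "2024-01-10T09:20:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreatePolicy",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/devops"},
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.15.0",
     "recipientAccountId": "111111111111"},
]})

if __name__ == "__main__":
    for alert in alerts_from_cloudtrail_json(SAMPLE_LOG):
        print(json.dumps(alert))
```

Run against the sample log, the script emits two alerts: the root user's console removal of account 222222222222 and the denied `DeletePolicy` attempt; the `ListAccounts` read and the IAM `CreatePolicy` are ignored. Denied attempts are kept deliberately, since an `AccessDenied` on an Organizations change is itself a signal worth a look, and the `eventSource` check is what keeps IAM policy operations out of an Organizations alert feed.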
References
- AWS Documentation
  - AWS Organizations
  - FAQs
  - What Is AWS Organizations?
  - AWS Organizations Terminology and Concepts
- AWS Blog(s)
  - AWS Security Blog