• AWS Organisations provides central management and governance for multiple AWS accounts
  • Best suited if you want to define your own custom multi-account environment with advanced governance and management capabilities
  • Avoid using the master account for any AWS resource deployment within your Organisations structure; use it only for account and billing purposes. Treat the master account as the billing and user store, not as a place for resources, because you want to be able to apply Service Control Policies to every nested account and user, and SCPs never apply to the master account.
  • Service Control Policies do not grant access to anything by themselves; they overlay (bound) the IAM permissions you already have.
  • Service Control Policies do not affect the master account at all, not even the IAM users in the master account.

Migrating from consolidated billing organisations to full featured organisations

  • If you receive a single monthly bill for multiple accounts, you are already using AWS Organisations (consolidated billing only).
  • You need to migrate to all features in order to use the advanced capabilities.

Some of the things you can do with AWS Organisations

  • Create new AWS Accounts programmatically
  • Group accounts into organisational units (OUs) for management
  • Centrally provision accounts (AWS CloudFormation StackSets)
  • Tag AWS Accounts
  • Manage service quotas (limits) for new accounts

Control Access and Permissions

  • Deploy console and CLI access to accounts via AWS Single Sign-On
    • Enable AWS SSO
    • Connect your corporate identities with AWS Directory Service
    • Grant SSO access to your accounts and applications
    • Manage user permissions centrally
  • Define permissions based on membership in an organisation (aws:PrincipalOrgID condition key). You can use this key in an S3 bucket policy to allow access only to principals that are members of the organisation.
  • You can use trusted access to enable an AWS service that you specify, called the trusted service, to perform tasks in your organization and its accounts on your behalf. This involves granting permissions to the trusted service but does not otherwise affect the permissions for IAM users or roles. When you enable access, the trusted service can create an IAM role called a service-linked role in every account in your organization. That role has a permissions policy that allows the trusted service to do the tasks that are described in that service’s documentation. This enables you to specify settings and configuration details that you would like the trusted service to maintain in your organization’s accounts on your behalf.

Service Control Policies

  • SCPs don’t grant permissions to users; they wrap and bound what IAM can grant
  • Define the maximum available permissions for IAM entities in an account
  • Attach SCPs to OUs and to individual accounts.
  • Suppose your IAM policy allows EC2 and SQS, and an SCP on your account or OU allows EC2 and S3: the effective permission is the intersection of both, so you will only be able to access EC2
  • You can allow only specific actions with ‘whitelist’ (allow-list) SCPs, e.g. for HIPAA compliance
  • You can block specific actions with ‘blacklist’ (deny-list) SCPs, i.e. Deny statements, e.g. for production accounts where you want to make sure they cannot leave the organisation by mistake through a console or API call
  • Evaluation order: an explicit deny overrides everything; otherwise an explicit allow grants access; if neither applies, the implicit deny wins.

Use Cases

  • Deny access to AWS based on the requested region. You can use this to comply with GDPR and allow your accounts to spin up resources only in specified regions
  • Prevent IAM principals from making changes to a common administrative IAM role, e.g. when you are the central IT admin who needs to manage and audit the different accounts.
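The SCP/IAM intersection, the deny-overrides-allow ordering, the aws:PrincipalOrgID bucket-policy condition and the two use cases above, worked through in one added Python model. This is an illustrative evaluator written for these notes, not AWS code and not how AWS actually implements policy evaluation: it covers only Allow/Deny, Action/NotAction, Resource wildcards and the StringEquals/StringNotEquals operators. The organisation id, account id, role names and bucket name are constructed placeholders, and the allow-list SCP includes iam:* in addition to the EC2 and S3 from the note so that the admin-role Deny statement has something to override.

```python
"""Toy model of how an SCP bounds IAM identity and resource policies.

Added example, not AWS code: a simplified evaluator covering only Allow/Deny,
Action/NotAction, Resource wildcards and StringEquals/StringNotEquals.
Real IAM evaluation has many more rules (policy types, principals, NotResource...).
"""
from fnmatch import fnmatchcase

# --- Constructed sample policies (illustrative, not real account data) -------

# Identity policy on the user from the note: allows EC2 and SQS.
IAM_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "sqs:*"], "Resource": "*"},
]}

# A separate, broader identity policy for an account administrator.
ADMIN_IAM_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
]}

# SCP on the OU: an allow-list (EC2, S3 and IAM only), a region pin that exempts
# global services (the GDPR use case), and a guard on a shared admin role.
SCP = {"Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "s3:*", "iam:*"], "Resource": "*"},
    {"Effect": "Deny",
     "NotAction": ["iam:*", "sts:*", "organizations:*", "support:*"],
     "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1"]}}},
    {"Effect": "Deny", "Action": "iam:*",
     "Resource": "arn:aws:iam::*:role/OrgAdminRole"},   # hypothetical role name
]}

# Bucket policy that trusts every principal in one organisation (hypothetical id).
BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::shared-bucket/*",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM-style wildcard match ('*' and '?')."""
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_met(condition, context):
    """StringEquals needs the key present and matching; StringNotEquals is its
    negation, so a missing context key satisfies it (as in AWS)."""
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            hit = context.get(key) in _as_list(expected)
            if operator == "StringEquals" and not hit:
                return False
            if operator == "StringNotEquals" and hit:
                return False
    return True


def evaluate(policy, action, resource, context):
    """Return 'explicit_deny', 'explicit_allow' or 'implicit_deny' for one policy."""
    verdict = "implicit_deny"
    for st in policy["Statement"]:
        if "Action" in st:
            action_hit = _matches(st["Action"], action)
        else:
            action_hit = not _matches(st["NotAction"], action)
        if not (action_hit and _matches(st["Resource"], resource)
                and _condition_met(st.get("Condition"), context)):
            continue
        if st["Effect"] == "Deny":
            return "explicit_deny"          # an explicit deny wins immediately
        verdict = "explicit_allow"          # keep scanning for a later deny
    return verdict


def is_allowed(action, resource, context, iam_policy=IAM_POLICY, scp=SCP):
    """Effective permission is the intersection: the SCP must explicitly allow
    the action AND the identity policy must explicitly allow it, with no
    explicit deny in either."""
    return (evaluate(scp, action, resource, context) == "explicit_allow"
            and evaluate(iam_policy, action, resource, context) == "explicit_allow")


def effective_actions(actions, context):
    """Which of the candidate actions survive the IAM/SCP intersection."""
    return [a for a in actions if is_allowed(a, "*", context)]


if __name__ == "__main__":
    eu = {"aws:RequestedRegion": "eu-west-1"}
    print(effective_actions(["ec2:RunInstances", "sqs:SendMessage", "s3:PutObject"], eu))
    print(is_allowed("ec2:RunInstances", "*", {"aws:RequestedRegion": "us-east-1"}))
    print(evaluate(BUCKET_POLICY, "s3:GetObject", "arn:aws:s3:::shared-bucket/report.csv",
                   {"aws:PrincipalOrgID": "o-exampleorgid"}))
```

Run it and the first line prints only `ec2:RunInstances`: SQS is dropped because the SCP never allows it, S3 because the identity policy never does. The same EC2 call from us-east-1 is refused even though the allow statement is listed first, which is the deny-overrides ordering; and the bucket policy grants nothing when the principal's organisation id is absent or different, which is why aws:PrincipalOrgID is a safer way to express "anyone in my organisation" than enumerating account ids.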

Audit, monitor and secure your environments

  • Aggregate AWS Config data in a central location for compliance auditing of your accounts (AWS Config)
  • Centrally create, provision and modify web application firewall rules to secure your apps (AWS Firewall Manager)
  • Accept business agreements for organisations accounts (AWS Artifact)
  • Allow organisation-wide notification publishing (AWS CloudWatch Events)
  • Centrally enable audit logging (AWS CloudTrail)

Share resources across accounts

  • Centrally define critical resources and make them available to your logically isolated workloads in other accounts. From the AWS RAM CLI, use the enable-sharing-with-aws-organization command to allow sharing within the organisation.
  • Managed AD (domain join of instances across accounts via AWS Directory Service)
  • AWS Service Catalog lets you centrally manage catalogues of products and provision them, ensuring users have access to the software they need to run the business; changes are made centrally as well.
  • AWS Resource Access Manager (RAM) use cases, e.g. define subnets once and share them with all of your accounts:
    • AWS VPC Transit gateways and subnets
    • AWS License Manager configurations
    • AWS Route 53 resolver rules
    • RAM relies on trusted access: enabling it grants the service permission to act in your organisation and its accounts without otherwise changing the permissions of IAM users or roles, and lets RAM create a service-linked role in every account in your organisation. The note records the name AWSResourceAccessManagerServiceRolePolicy for the IAM service-linked role created in accounts when trusted access is enabled.

Centrally manage costs and billing

  • Consolidate into a single bill. Consolidated billing treats all the accounts within an organisation as one account, so all the accounts can benefit from Reserved Instance pricing. In the payer (master) account, you can turn off Reserved Instance discount sharing on the preferences page.
  • Manage your tax settings across accounts from a central tax code
  • Gain insights and manage spending across your organisation (AWS Budgets and AWS Cost Explorer)

AWS Service Limits: IAM Limits

  • Number of groups in an account: 300
  • Roles in an account: 1000
  • Managed policies attached to a user: 10
  • Managed policies attached to a role: 10
  • Some limits can be increased by request through AWS Support. Limits that cannot be changed:
    • Access keys assigned to an IAM user: 2
    • Users in a single account: 5000 (maximum)