Step-by-Step Guide to Setting up and Configuring AWS Organizations

June 22, 2020 / Nirav Shah

What Is AWS Organizations? Multi-Account Management Overview

• AWS Organizations helps you centrally govern your environment as you grow and scale your workloads on AWS. Whether you are a growing startup or a large enterprise, Organizations helps you to centrally manage billing; control access, compliance, and security; and share resources across your AWS accounts.
• Using AWS Organizations, you can automate account creation, create groups of accounts to reflect your business needs, and apply policies for these groups for governance. You can also simplify billing by setting up a single payment method for all of your AWS accounts. Through integrations with other AWS services, you can use Organizations to define central configurations and resource sharing across accounts in your organization. AWS Organizations is available to all AWS customers at no additional charge.

What Are the Benefits of AWS Organizations for Enterprises?

• Centrally manage policies across multiple AWS accounts
  • To improve control over your AWS environment, you can use AWS Organizations to create groups of accounts, and then attach policies to a group to ensure the correct policies are applied across the accounts without requiring custom scripts and manual processes.

• Govern access to AWS services, resources, and regions
  • AWS Organizations allows you to restrict what services and actions are allowed in your accounts. You can use Service Control Policies (SCPs) to apply permission guardrails on AWS Identity and Access Management (IAM) users and roles. For example, you can apply an SCP that restricts users in accounts in your organization from launching any resources in regions that you do not explicitly allow.

• Automate AWS account creation and management
  • AWS Organizations helps you simplify IT operations by automating AWS account creation and management. The Organizations APIs enable you to create new accounts programmatically, and to add the new accounts to a group. The policies attached to the group are automatically applied to the new account. For example, you can automate the creation of new accounts for workload or application isolation and grant entities in those accounts access only to the necessary AWS services.

• Configure AWS services across multiple accounts
  • AWS Organizations helps you configure AWS services and share resources across accounts in your organization. For example, Organizations integrate with AWS Single Sign-on to enable you to easily provision access for all of your developers to accounts in your organization from a single place. You can make central changes to access permissions and have them automatically updated on accounts in your organization.

• Consolidate billing across multiple AWS accounts
  • You can use AWS Organizations to set up a single payment method for all the AWS accounts in your organization through consolidated billing. With consolidated billing, you can see a combined view of charges incurred by all your accounts, as well as take advantage of pricing benefits from aggregated usage, such as volume discounts for Amazon EC2 and Amazon S3.

How to Set Up and Configure AWS Organizations Step by Step

• Prerequisites
  • master-account-number – The account that you use to create the organization. This account becomes the master account. The owner of this account has an email address of master-account@example.com.
  • member1-account-number – An account that you invite to join the organization as a member account. The owner of this account has an email address of member1@example.com
  • member2-account-number – An account that you create as a member of the organization. The owner of this account has an email address of member2@example.com

Step 1: Create your organization

• In this step, you sign in to account master-account-number as an administrator, create an organization with that account as the master, and invite an existing account, member1-account-number, to join as a member account.
  • Sign in to AWS as an administrator of account master-account-number and open the AWS Organizations console
  • On the introduction page, choose Create organization.
  • In the Create organization confirmation dialog box, choose Create organization.
    • The organization is created. You’re now on the Accounts tab. The star next to the account email indicates that it’s the master account.
    • A verification email is automatically sent to the address that is associated with your master account. There might be a delay before you receive the verification email.
  • Verify your email address within 24 hours.
• Invite an existing account to join your organization.
• Now that you have an organization, you can start to populate it with accounts. In the steps in this section, you invite an present account to be a part of as a member of your organization.
  • Open the Organizations console
  • Choose the Accounts tab. The star next to the account name indicates that it is the master account.
    • Now you can invite other accounts to join as member accounts.
  • On the Accounts tab, choose Add account and then choose Invite account.
  • In the Account ID or email box, enter the email address of the owner of the account that you want to invite, similar to the following: member222@example.com.
  • Choose Invite. AWS Organizations sends the invitation to the account owner.
  • For the functions of this tutorial, you now want to be given your very own invitation. Do one of the following to get to the Invitations web page in the console.
    • Open the e-mail that AWS despatched from the grasp account and select the hyperlink to receive the invitation. When precipitated to signal in, do so as an administrator in the invited member account.
    • Open the AWS Organizations console and signal in as an administrator of the member account. Choose Invitations. The quantity beside the hyperlink shows how many invites this account has.
  • On the Invitations page, choose Accept and then choose Confirm.
  • Sign out of your member account and sign in again as an administrator in your master account.

• Create a member account

• In the steps in this section, you create an AWS account that is automatically a member of the organization. We refer to this account in the tutorial as member2-account-number.
• To create a member account
  • On the AWS Organizations console, on the Accounts tab, choose Add account.
  • For Full name, enter a name for the account, such as MainApp Account.
  • For Email, enter the e-mail tackle of the person who is to acquire communications on behalf of the account. This price have to be globally unique. No two bills can have the equal e-mail address. For example, you would possibly use some thing like mainapp@example.com.
  • For IAM function name, you can go away this clean to routinely use the default function title of OrganizationAccountAccessRole, or you can furnish your very own name. This function permits you to get right of entry to the new member account when signed in as an IAM person in the grasp account. For this tutorial, go away it clean to educate AWS Organizations to create the position with the default name.
  • Choose Create. You would possibly want to wait a quick whilst and refresh the web page to see the new account show up on the Accounts tab.

Step 2: Create the organizational units

• In the steps in this section, you create organizational devices (OUs) and area your member bills in them. Your hierarchy appears like the following illustration when you are done. The grasp account stays in the root. One member account is moved to the Production OU, and the different member account is moved to the MainApp OU, which is a infant of Production.
• On the AWS Organizations console, choose the Organize Accounts tab and then choose + New organizational unit.
• For the name of the OU, enter Production and then choose Create organizational unit.
• Choose your new Production OU to navigate into it and then choose + New organizational unit.
• For the name of the second OU, enter MainApp and then choose Create organizational unit.
• Now you can move your member accounts into these OUs.
• In the tree view on the left, choose the Root.
• Select the first member account, member1-account-number, and then choose Move.
• In the Move accounts dialog box, choose Production and then choose Move.
• Select the second member account, member2-account-number, and then choose Move.
• In the Move accounts dialog box, choose Production to expose MainApp. Choose MainApp and then choose Move.

Step 3: Create the service control policies

• In the steps in this section, you create three carrier manage insurance policies (SCPs) and connect them to the root and to the OUs to avert what customers in the organization’s debts can do. The first SCP prevents all people in any of the member bills from growing or enhancing any AWS CloudTrail logs that you configure. The grasp account isn’t always affected by using any SCP, so after you follow the CloudTrail SCP, you need to create any logs from the grasp account.
• To create the first SCP that blocks CloudTrail configuration actions
  • Choose the Policies tab and then choose Create policy.
  • For Policy name, enter Block CloudTrail Configuration Actions.
  • In the Policy section on the left, select CloudTrail for the service. Then choose the following actions: AddTags, CreateTrail, DeleteTrail, RemoveTags, StartLogging, StopLogging, and UpdateTrail.
  • Still in the left pane, choose Add resource and specify CloudTrail and All Resources. Then choose Add resource.
  • The policy statement on the right updates to look similar to the following.

	{
	"Version": "2012-10-17",
	"Statement": [
    	{
        	"Sid": "Stmt1234567890123",
        	"Effect": "Deny",
        	"Action": [  	 
            	"cloudtrail:AddTags",    
            	"cloudtrail:CreateTrail",  	 
            	"cloudtrail:DeleteTrail",  	 
            	"cloudtrail:RemoveTags",  	 
            	"cloudtrail:StartLogging",  	 
            	"cloudtrail:StopLogging",  	 
            	"cloudtrail:UpdateTrail"
        	],
        	"Resource": [
            	"*"
        	]
    	}
	]
	}

• To create the second policy that allows approved services for the production OU
  • From the list of policies, choose Create policy.
  • For Policy name, enter Allow List for All Approved Services.
  • Position your cursor in the right pane of the Policy section and paste in a policy like the following.

• 			{
  				"Version": "2012-10-17",
  				"Statement": [
  			    	{
  			        	"Sid": "Stmtmaster-account-number1",
  			        	"Effect": "Allow",
  			        	"Action": [
  			            	"ec2:*",
  			            	"elasticloadbalancing:*",
  			            	"codecommit:*",
  			            	"cloudtrail:*",
  			            	"codedeploy:*"
  			          	],
  			        	"Resource": [ "*" ]
  			    	}
  				]
  			}
  

• To create the third policy that denies access to services that can’t be used in the MainApp OU
  • From the Policies tab, choose Create policy.
  • For Policy name, enter Deny List for MainApp Prohibited Services.
  • In the Policy section on the left, select Amazon DynamoDB for the service. For the action, choose All actions.
  • Still in the left pane, choose Add resource and specify DynamoDB and All Resources. Then choose Add resource.
• The policy statement on the right updates to look similar to the following.

• 			{
  			  "Version": "2012-10-17",
  			  "Statement": [
  				{
  			  	"Effect": "Deny",
  			  	"Action": [ "dynamodb:*" ],
  			  	"Resource": [ "*" ]
  				}
  			  ]
  			}
  

Step 4: Testing your organization’s policies

• You now can sign in as a user in any of the member accounts and try to perform various AWS actions:
  • If you sign in as a user in the master account, you can perform any operation that is allowed by your IAM permissions policies. The SCPs don’t affect any user or role in the master account, no matter which root or OU the account is located in.
  • If you sign in as the root user or an IAM user in account member1-account-number, you can perform any actions that are allowed by the allow list. AWS Organizations denies any attempt to perform an action in any service that isn’t in the allow list. Also, AWS Organizations denies any attempt to perform one of the CloudTrail configuration actions.
  • If you sign in as a user in account member2-account-number, you can perform any actions that are allowed by the allow list and not blocked by the deny list. AWS Organizations denies any attempt to perform an action that isn’t in the allow list policy and any action that is in the deny list policy. Also, AWS Organizations denies any attempt to perform one of the CloudTrail configuration actions.

Also read: 17 New AWS Services | AWS Latest Services

Hire AWS Developer