This post will cover the following content:
- What is AWS Organizations?
- Why should you use AWS Organizations?
- How to use AWS Organizations?
Let's get started...
AWS Organizations is a service in the AWS Management & Governance (M&G) category that helps you centrally manage multiple AWS accounts and govern your environment as you grow and scale your AWS resources.
You should use AWS Organizations if you would like to:
Centrally manage your environment across multiple AWS accounts
With the help of AWS Organizations, you can
- Create new accounts that will automatically be a part of your Organization
- Invite other AWS Accounts to join your Organization
- Programmatically create new AWS accounts to quickly scale your workloads
- Attach appropriate policies to apply on some or all of the accounts.
- Use the consolidated billing feature to pay for all member accounts centrally, which simplifies billing and cost management.
Manage your Organization
- Group AWS accounts into Organizational Units (OUs) to easily manage and govern boundaries for your OUs based on service control policies (SCPs).
Simplify permission management and access control
- Using AWS SSO (Single Sign-On) and Active Directory, control user-based permissions in your Organization.
- Apply SCPs to control access to AWS Services within OUs.
Efficiently share and provision resources across accounts
- Use AWS RAM (Resource Access Manager) to share critical resources within your Organization to help reduce resource duplication.
- Use AWS License Manager to centrally meet your software license agreements
- Use AWS Service Catalog to easily share a catalog of IT services and custom products across accounts
Manage costs and optimize usage
- AWS Organizations provides consolidated billing, which enables the management account of your organization to pay for all the member accounts and benefit from quantity discounts on a single bill.
- Use AWS Cost Explorer to track resource costs
- Use AWS Compute Optimizer to optimize compute resource usage
Audit your environment for compliance
- You can use various AWS services with Organizations to centrally manage the security of your resources, such as:
  - AWS CloudTrail to audit all the events in your accounts
  - AWS Config to centrally define your recommended configuration criteria across resources, AWS Regions, and accounts
  - AWS GuardDuty for threat detection to protect your resources centrally
  - AWS Control Tower to establish cross-account security audits, or manage and view policies applied across accounts
AWS Organizations is a global service, and you can use the AWS Management Console, the AWS CLI, or the API to create and manage your Organization.
I will be performing the following steps to show how to use this service:
- Creating an Organization
- Invite and add another AWS account to my Organization
- Create groups (OUs) within my Organization
- Apply SCPs (Service Control Policies) to the group
I already have two separate AWS accounts. I will be using one as the Management Account (formerly known as the master account) and the other as a Member Account. The management account is the account used to create the Organization; member accounts are all the other accounts that you invite into or create within the Organization.
- Login to your Management Account and go to the AWS Organizations console
- Click "Create Organization" in the top right corner
- You should receive a verification email sent to the email address associated with your Management Account in order to verify the account. You need to verify your email address in order to invite other AWS accounts to your Organization.
- Once verified, click "Add an AWS account" option
- Since I have an existing AWS account that I would like to invite into this Organization, I will select the "Invite an existing AWS account" option. If you do not have an existing account, you can simply create one within the Organization.
- Enter the email address or account ID of the AWS account which you want to invite in this Organization
- Add message to the owner of the AWS account (optional)
- Use tags to associate with the resources
- Accept the invitation by clicking on the link sent to the email address OR Login to the member AWS account -> go to AWS Organizations console -> Select Invitations from left pane -> Click Accept Invitation
- Now, log back in to the Management account and go to AWS Organizations -> AWS Accounts; you should see the member account added to the Organizational Structure, which should look like this:
Root
  Management account
  Member account
Initially, both the management and member accounts sit directly under the Root.
- Proceed further to create the groups, i.e. OUs, within the Organization:
Select the "Root" and go to "Actions"
Select "Create New" under Organizational Unit (Note: you cannot delete or rename Root)
Enter the name for your new OU
Mention tags (optional)
Click "Create Organizational Unit" at the bottom
- Once created, your Organizational Structure should look like this:
Root
  New OU
  Management Account
  Member Account
This shows that Root contains one OU named New OU, the Management account, and the Member account. Currently, New OU is empty.
- You can move the member or management accounts into the newly created OU in order to apply SCPs. To move an account from one OU to another, follow the steps below:
Select the account which you want to move
Go to "Actions" -> "Move"
Select the OU under which you want to move that account
Click "Move AWS account" at the bottom
- I have created the following Organizational Structure:
Root
  New OU
    Member Account
  Management Account
I have moved the member account into New OU and kept the Management Account directly under Root. Next, I will create an SCP and apply it to New OU, which in turn applies to the member account.
- Go to "Policies" in the left pane and click "Service Control Policies" -> "Enable Service Control Policies"
- Once enabled, you can create your own SCPs and apply them to member accounts or OUs.
Note: SCPs affect only member accounts in an organization. They have no effect on users or roles in the management account.
- To create an SCP, follow the steps below:
Go to Policies -> Service Control Policies
Click "Create Policy" on the top right
Fill the details and click "Create Policy" at the bottom
Once created, it should be listed under "Available policies"
Now, select the newly created SCP and attach it to the member accounts or OUs
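The same sequence of steps done programmatically, as an added example that is not the post's own code: `client` is assumed to be a boto3 Organizations client (`boto3.client("organizations")`) created by the caller in the management account, and it is passed in so the call sequence can be exercised with a stub.

```python
import json

# Programmatic equivalent of the console steps above (example code, not the
# post's own). `client` is a boto3 Organizations client created by the caller
# in the management account, e.g. boto3.client("organizations"); passing it in
# lets the call sequence be exercised with a stub.


def create_org_and_invite(client, member_account_id, note=""):
    """Create the organization and invite an existing account.

    create_organization fails if the caller already belongs to one. The
    invitation is a handshake the member account must accept before it can
    be moved into an OU."""
    client.create_organization(FeatureSet="ALL")  # ALL is required for SCPs
    resp = client.invite_account_to_organization(
        Target={"Id": member_account_id, "Type": "ACCOUNT"}, Notes=note)
    return resp["Handshake"]["Id"]


def place_account_and_attach_scp(client, member_account_id, ou_name,
                                 policy_name, policy_doc):
    """Create an OU under the root, move the joined member account into it,
    enable the SCP policy type on the root and attach a new SCP to the OU."""
    root_id = client.list_roots()["Roots"][0]["Id"]
    ou_id = client.create_organizational_unit(
        ParentId=root_id, Name=ou_name)["OrganizationalUnit"]["Id"]
    # An account that accepted an invitation sits directly under the root.
    client.move_account(AccountId=member_account_id,
                        SourceParentId=root_id, DestinationParentId=ou_id)
    # Raises PolicyTypeAlreadyEnabledException if SCPs were enabled before.
    client.enable_policy_type(RootId=root_id,
                              PolicyType="SERVICE_CONTROL_POLICY")
    policy_id = client.create_policy(
        Content=json.dumps(policy_doc), Description="Deny Regions outside list",
        Name=policy_name, Type="SERVICE_CONTROL_POLICY",
    )["Policy"]["PolicySummary"]["Id"]
    # The SCP on the OU governs the member account only; the management
    # account, left under the root here, is never affected by SCPs.
    client.attach_policy(PolicyId=policy_id, TargetId=ou_id)
    return {"root": root_id, "ou": ou_id, "policy": policy_id}
```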
I have used one of the sample SCPs provided by AWS and attached it to my New OU, which contains my member account.
This SCP denies access to AWS based on the requested AWS Region. Read more details here.
To test whether the SCP is working, I logged into my member account and tried to access the EC2 console. Below is the message displayed on the screen:
It prevented me from launching an EC2 instance or performing any other operations, which confirms that the SCP is working.
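To show why the member account's EC2 requests were blocked while the management account is untouched, here is an added example (not the post's own code): a small evaluator for a shortened copy of the AWS region-deny sample SCP. The two allowed Regions and the exempt role name are placeholders assumed for this example.

```python
from fnmatch import fnmatchcase

# Shortened copy of the AWS sample SCP "Deny access to AWS based on the
# requested AWS Region"; the full sample exempts many more global services.
# Allowed Regions and the exempt role name are placeholders for this example.
ALLOWED_REGIONS = ["eu-central-1", "eu-west-1"]
REGION_DENY_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAllOutsideAllowedRegions",
        "Effect": "Deny",
        # NotAction: deny everything except these global services
        "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*",
                      "cloudfront:*", "route53:*", "budgets:*"],
        "Resource": "*",
        "Condition": {
            "StringNotEquals": {"aws:RequestedRegion": ALLOWED_REGIONS},
            "ArnNotLike": {"aws:PrincipalARN": [
                "arn:aws:iam::*:role/Role1AllowedToBypassThisSCP"]},
        },
    }],
}


def scp_denies(policy, action, region, principal_arn):
    """True if a Deny statement of this SCP shape matches the request."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        # The statement covers only actions NOT matched by NotAction.
        if any(fnmatchcase(action.lower(), p.lower())
               for p in stmt["NotAction"]):
            continue
        cond = stmt["Condition"]
        # StringNotEquals holds only when the Region is outside the list.
        if region in cond["StringNotEquals"]["aws:RequestedRegion"]:
            continue
        # ArnNotLike holds only when the caller is not an exempt role.
        if any(fnmatchcase(principal_arn, p)
               for p in cond["ArnNotLike"]["aws:PrincipalARN"]):
            continue
        return True
    return False


def effective_decision(is_management_account, action, region, principal_arn):
    """SCPs never apply to the management account; a member-account Deny wins."""
    if is_management_account or not scp_denies(
            REGION_DENY_SCP, action, region, principal_arn):
        return "allowed"
    return "denied by SCP"
```

An SCP only sets the maximum permissions: "allowed" here means the SCP does not block the call, and the principal still needs an IAM policy that grants it.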
Hope this information helped. Thank you.