Practical steps using AWS Organization

Scenario where you have to manage several accounts in your company being the Cloud Administrator.

AWS Organization offers solution to the pain-point with several advantages;

• AWS Organizations helps you centrally manage and govern your environment as you grow and scale your AWS resources.

• Using AWS Organizations, you can create accounts and allocate resources, group accounts to organize your workflows.

• Apply policies for governance using SCP(Service Control Policy)

• Simplify billing by using a single payment method for all of your accounts(consolidated billing)

It consists of two entities:

1. Management/Master account: The management account creates the organization.
2. Member account: these are accounts which are invited by the management account.

Steps in creating an AWS Organization

• Click to the AWS console

• Login to you accounts with your IAM credentials

• Search for the aws organization on the search bar
  

• Click on the AWS Organization title indicate above

• Click the Create Organization on the home page

• After creating an organization, invitation can be send to member account either existing account or a new account

• An existing account can be invited using account ID or email
  

• A new account can be invited using email only
  

• when you create a new account the role is automatically given, BUT adding an existing account requires to manually create the role

• Grant OrganizationAccountAccessRole to the master account from the member account IAM for trusted entity and permission.

• Go to the IAM service, Click on role, then create the trusted entity
  

• The account ID of the master account is given as a trusted entity for this role.
  

• Also, assign the AWS Managed permission AdministratorAccess to the role
  

• Ensure that the role name is OrganizationAccountAccessRole , add description based on your preference
  OrganizationAccountAccessRole and click the create icon.

• For an existing AWS account, the admin needs to accept the invitation sent by the master account to join the organization.

• Proceed to Master account and switch role
  

• Login into the member accounts with the credentials created earlier.
  

• After putting the correct login credentials, you will be successfully login into the member account as a Federated user*

HIERACCCHY STRUCTURE

This enable to create the OU(Organizational Unit) within the root container of the organization. Members account can be grouped into the OU.

• In the AWS Organization Dashboard (Master Account), tick the root as specified , then click actions
  

• Create the Organizational unit to structure the member accounts
  

• Click the member account to add to OU, then click on actions to move.
  

USING SERVICE CONTROL POLICY(SCP).

SCP is used to perform permission across member accounts, the permission given should also be allowed in the IAM of the member accounts.
SCP basically restricts the access to AWS services prior before the IAM permission takes over.

By default, the SCP is disabled in the organization.

Thanks for reading!!!