Scenario where you have to manage several accounts in your company being the Cloud Administrator.
AWS Organization offers solution to the pain-point with several advantages;
AWS Organizations helps you centrally manage and govern your environment as you grow and scale your AWS resources.
Using AWS Organizations, you can create accounts and allocate resources, group accounts to organize your workflows.
Apply policies for governance using SCP(Service Control Policy)
Simplify billing by using a single payment method for all of your accounts(consolidated billing)
It consists of two entities:
- Management/Master account: The management account creates the organization.
- Member account: these are accounts which are invited by the management account.
Steps in creating an AWS Organization
Click to the AWS console
Login to you accounts with your IAM credentials
Click on the AWS Organization title indicate above
Click the Create Organization on the home page
After creating an organization, invitation can be send to member account either existing account or a new account
An existing account can be invited using account ID or email
when you create a new account the role is automatically given, BUT adding an existing account requires to manually create the role
Grant OrganizationAccountAccessRole to the master account from the member account IAM for trusted entity and permission.
Go to the IAM service, Click on role, then create the trusted entity
The account ID of the master account is given as a trusted entity for this role.
Also, assign the AWS Managed permission AdministratorAccess to the role
Ensure that the role name is OrganizationAccountAccessRole , add description based on your preference
OrganizationAccountAccessRole and click the create icon.For an existing AWS account, the admin needs to accept the invitation sent by the master account to join the organization.
Login into the member accounts with the credentials created earlier.
- After putting the correct login credentials, you will be successfully login into the member account as a Federated user*
HIERACCCHY STRUCTURE
This enable to create the OU(Organizational Unit) within the root container of the organization. Members account can be grouped into the OU.
In the AWS Organization Dashboard (Master Account), tick the root as specified , then click actions
Create the Organizational unit to structure the member accounts
Click the member account to add to OU, then click on actions to move.
USING SERVICE CONTROL POLICY(SCP).
SCP is used to perform permission across member accounts, the permission given should also be allowed in the IAM of the member accounts.
SCP basically restricts the access to AWS services prior before the IAM permission takes over.
By default, the SCP is disabled in the organization.
Thanks for reading!!!
Top comments (1)
Lovely read, well done