This document discusses AWS Organizations and best practices for managing multiple AWS accounts. It provides an overview of AWS Organizations, including how to create and group accounts, apply organizational policies, and simplify billing. Best practices are presented such as monitoring the master account, assigning least privilege, and testing controls on a single account first. A case study describes how Geoscience Australia used AWS Organizations to improve their process for creating new AWS accounts.
8. AWS Organisations
• New management capability for centrally managing multiple
AWS accounts
- Simplified creation of new AWS accounts
- Logically group AWS accounts for management convenience
- Apply organisational control policies (OCP)
- Simplified billing
• Console, SDK, and CLI support for all management tasks
9. AWS Organisations
Diagram: the master account (M) is the administrative root of the organisation. Beneath it sit organisational units (OUs) named Dev, Test and Prod; AWS accounts A1 to A4 are placed in the OUs; an organisation control policy (OCP) is attached at OU level; each account owns its own AWS resources.
10. AWS Organisations: create new AWS accounts
Diagram: a new account A5 is created from the master account (M) and placed alongside A1 to A4.
Inputs for a new account:
- Email address (required)
- Account name (required)
- IAM role name (optional; defaults to OrganizationAccountAccessRole, a full-access role created in the new account that trusts the master account and is the normal way in besides the root email)
11. AWS Organisations
Diagram: an existing account A5 joins the organisation alongside A1 to A4.
• Invite other AWS accounts
to join your AWS Organisation (the invited account must accept the handshake)
15. OCP V1: Service Control Policies (SCPs)
• Enables you to control which AWS service APIs
are accessible in member accounts
- Define the list of APIs that are allowed – Whitelisting
- Define the list of APIs that must be blocked – Blacklisting
• Cannot be overridden by a local administrator, not even by the
member account's root user (SCPs do not apply to the master account itself)
• Resultant permission on IAM user/role is the intersection between
the SCP and assigned IAM permissions
• Necessary but not sufficient: an SCP never grants access on its own,
it only bounds what IAM policies inside the account can grant
• IAM policy simulator is SCP-aware
17. SCPs are Necessary but not Sufficient
SCP: Allow S3:*, Allow EC2:*
IAM: Allow SQS:*, Allow EC2:*
Effective permission: EC2:* only. S3:* is allowed by the SCP but never granted by IAM; SQS:* is granted by IAM but filtered out by the SCP.
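The intersection rule on slides 15 and 17, as an added example (not code from the deck or from AWS): a toy evaluator that checks whether an action survives every SCP on the path from the organisation root to the account and is also granted by the identity's IAM policy. It goes beyond slide 17 in two ways: it also models a blacklisting (deny-list) SCP, and it stacks a root-level SCP with an OU-level SCP. Action matching is simplified to IAM-style wildcards on the action string; resources, conditions, NotAction, permission boundaries and resource policies are ignored. The policy documents are constructed for this example.

```python
"""Toy SCP x IAM evaluator for the intersection rule (added example).

Simplifications: only Effect/Action are evaluated; NotAction, Resource,
Condition, permission boundaries and resource-based policies are ignored.
"""
import fnmatch


def _action_matches(pattern, action):
    # IAM action matching is case-insensitive; * and ? are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_allows(policy, action):
    """Evaluate one policy document for one action.

    An explicit Deny beats any Allow; with no matching statement the
    result is the implicit deny. True only if an Allow matches and no
    Deny does.
    """
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def effective(scps, iam_policy, action, management_account=False):
    """Intersection rule from slide 15.

    The action must be allowed by every SCP on the path from the
    organisation root down to the account AND by the identity's IAM
    policy. The master (management) account is not subject to SCPs,
    so for it only the IAM policy counts.
    """
    if not management_account and not all(policy_allows(s, action) for s in scps):
        return False
    return policy_allows(iam_policy, action)


def effective_actions(scps, iam_policy, candidates, management_account=False):
    """Filter a list of candidate actions down to the ones that work."""
    return sorted(a for a in candidates
                  if effective(scps, iam_policy, a, management_account))


# Slide 17: a whitelisting SCP allows S3:* and EC2:*, IAM grants SQS:* and EC2:*.
SCP_ALLOWLIST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:*", "ec2:*"], "Resource": "*"}],
}
IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["sqs:*", "ec2:*"], "Resource": "*"}],
}

# Blacklisting SCP: keep a blanket Allow and carve out a few actions.
# These are blocked even for the member account's root user.
SCP_DENYLIST = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny",
         "Action": ["organizations:LeaveOrganization", "cloudtrail:StopLogging"],
         "Resource": "*"},
    ],
}

# A local administrator with AdministratorAccess-style IAM permissions.
ADMIN_IAM = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed probe actions, one per service the policies mention.
CANDIDATES = ["ec2:RunInstances", "s3:GetObject", "sqs:SendMessage",
              "organizations:LeaveOrganization", "cloudtrail:StopLogging"]

if __name__ == "__main__":
    # Slide 17: only EC2:* survives the intersection.
    print(effective_actions([SCP_ALLOWLIST], IAM_POLICY, CANDIDATES))
    # Deny-list SCP on an admin: everything except the carved-out actions.
    print(effective_actions([SCP_DENYLIST], ADMIN_IAM, CANDIDATES))
    # Root SCP (allow-list) plus OU SCP (deny-list) both apply.
    print(effective_actions([SCP_ALLOWLIST, SCP_DENYLIST], ADMIN_IAM, CANDIDATES))
    # The master account ignores SCPs entirely.
    print(effective("sqs:SendMessage" and [SCP_ALLOWLIST], IAM_POLICY,
                    "sqs:SendMessage", management_account=True))
```

The stacking case is the one to notice when mixing whitelisting and blacklisting SCPs: an allow-list at the root silently narrows whatever a deny-list further down was written against, which is why the deck advises against mixing the two styles.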
18. Simplified Billing
• Single payer for all AWS accounts
• All AWS usage across AWS accounts in your organisation
rolled up for volume pricing and billing
• All existing consolidated billing (CB) families will be migrated
to an organisation in billing mode
19. Different Management Levels
You select the management level when creating a new organisation
Billing mode
• Backward-compatible with current consolidated billing (CB)
• Organisation created from a CB family is automatically in billing mode
Full-control mode
• Everything included in billing mode
• Enables management of ALL types of OCPs (including SCPs)
• Changing from billing mode to full-control mode requires consent
from all AWS accounts in your organisation
(In the current API these two levels are the FeatureSet values CONSOLIDATED_BILLING and ALL.)
28. And then... 29. More details... 30. Oh okay... 31. I just... 32. Losing the will to continue... 33. ಠ_ಠ
The manual account-creation checklist before AWS Organisations, built up one step per slide:
- Have a credit card
- Have a unique group email address
- Enter contact details
- Enter payment details
- Enter captcha
- Receive automated phone call
- Handshake consolidated billing account
- Manage root credentials, including MFA
44. Best Practices – AWS Organizations
• Monitor activity of the master account using CloudTrail
• Do not manage resources in the master account
• Manage your organization using the principle of "least privilege"
• Use OUs to assign controls
• Test controls on a single AWS account first
• Only assign controls to the root of the organization if necessary
• Avoid mixing "whitelisting" and "blacklisting" SCPs in an organization
• Create new AWS accounts for the right reasons
• Familiarize yourself with service limits
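The first two best practices above (monitor the master account with CloudTrail, keep resource management out of it) as an added example, not code from the deck: a small rule set run over CloudTrail records from the organisation trail. It flags root-user activity and non-MFA console logins in the master account, mutating calls to ordinary services from the master account, and Organizations API calls that change the controls themselves. The account ID, the list of services a master account is expected to call, and the sample records are all constructed for this example; field names (userIdentity.type, eventSource, eventName, recipientAccountId, readOnly, additionalEventData.MFAUsed) are the real CloudTrail ones.

```python
"""CloudTrail rules for the master (management) account (added example)."""
import json

MASTER_ACCOUNT_ID = "111111111111"  # assumption: your management account ID

# Assumption: services the master account legitimately calls. Anything
# else mutating from the master account means resources are being
# managed there, which slide 44 advises against.
MASTER_EXPECTED_SOURCES = {
    "organizations.amazonaws.com", "signin.amazonaws.com",
    "sts.amazonaws.com", "iam.amazonaws.com", "cloudtrail.amazonaws.com",
}

# Organizations API calls that change who is governed by which controls.
SENSITIVE_ORG_EVENTS = {
    "AttachPolicy", "DetachPolicy", "UpdatePolicy", "DeletePolicy",
    "DisablePolicyType", "LeaveOrganization", "RemoveAccountFromOrganization",
    "MoveAccount", "DeleteOrganization",
}


def classify(record):
    """Return alert tags for one CloudTrail record (empty list = benign)."""
    tags = []
    ident = record.get("userIdentity", {})
    account = record.get("recipientAccountId")
    source = record.get("eventSource", "")
    name = record.get("eventName", "")
    mfa = record.get("additionalEventData", {}).get("MFAUsed")

    if account == MASTER_ACCOUNT_ID:
        if ident.get("type") == "Root":
            tags.append("master-root-activity")
        if source == "signin.amazonaws.com" and name == "ConsoleLogin" and mfa != "Yes":
            tags.append("master-console-login-no-mfa")
        if source not in MASTER_EXPECTED_SOURCES and not record.get("readOnly", False):
            tags.append("master-resource-mutation")
    # Control changes matter wherever they are issued, e.g. a member
    # account trying to leave the organisation.
    if source == "organizations.amazonaws.com" and name in SENSITIVE_ORG_EVENTS:
        tags.append("org-control-change")
    return tags


def scan_lines(lines):
    """Parse newline-delimited CloudTrail records; return (eventID, tags) hits."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        tags = classify(rec)
        if tags:
            hits.append((rec["eventID"], tags))
    return hits


def _rec(event_id, acct, ident_type, source, name, read_only=False, mfa=None):
    """Build a trimmed, constructed CloudTrail record for the sample log."""
    rec = {"eventID": event_id, "recipientAccountId": acct,
           "userIdentity": {"type": ident_type, "accountId": acct},
           "eventSource": source, "eventName": name, "readOnly": read_only}
    if mfa is not None:
        rec["additionalEventData"] = {"MFAUsed": mfa}
    return rec


# Constructed sample trail: master account 111111111111, member 222222222222.
SAMPLE_RECORDS = [
    _rec("e1", MASTER_ACCOUNT_ID, "Root", "signin.amazonaws.com", "ConsoleLogin", mfa="Yes"),
    _rec("e2", MASTER_ACCOUNT_ID, "IAMUser", "organizations.amazonaws.com", "DetachPolicy"),
    _rec("e3", MASTER_ACCOUNT_ID, "IAMUser", "ec2.amazonaws.com", "RunInstances"),
    _rec("e4", "222222222222", "AssumedRole", "organizations.amazonaws.com", "LeaveOrganization"),
    _rec("e5", "222222222222", "IAMUser", "s3.amazonaws.com", "ListBuckets", read_only=True),
    _rec("e6", MASTER_ACCOUNT_ID, "IAMUser", "signin.amazonaws.com", "ConsoleLogin", mfa="No"),
    _rec("e7", MASTER_ACCOUNT_ID, "AssumedRole", "organizations.amazonaws.com",
         "DescribeOrganization", read_only=True),
]
SAMPLE_LOG = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS)

if __name__ == "__main__":
    for event_id, tags in scan_lines(SAMPLE_LOG.splitlines()):
        print(event_id, tags)
```

In practice the records come from the organisation-wide trail delivered to a log-archive account, not from the master account's own bucket, so that someone with access to the master account cannot quietly edit the evidence of what they did there.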
45. Best Practices – AWS IAM
• Reduce or remove use of root
• Create individual IAM users
• Configure a strong password policy
• Enable MFA for privileged users
• Grant least privilege
• Manage permissions with groups
• Rotate security credentials regularly
• Use IAM roles to share access
• Use IAM roles for Amazon EC2 instances
• Monitor activity
46. Summary and Call to Action
• Definitions: Account, User, Group, Policies, Resources
• AWS Organization Service Overview
• Best practices
• Call to Action