Multi-Account Management Using AWS Organizations

Bhanvendra Singh
Hyand Blog
6 min read · Oct 14, 2022


Companies that grow to many AWS accounts, for whatever reason, quickly run into operational overhead: every account has its own bill, its own IAM configuration and its own guardrails to maintain.
AWS Organizations is the service AWS provides to manage those accounts centrally. In this post we cover what you need to know to adopt it in your organization and remove that complexity.

What Are AWS Organizations?

AWS Organizations lets you apply policies across several AWS accounts. By grouping accounts and attaching policies to those groups, you centrally control the use of AWS services, down to the individual API action, across many accounts, without custom scripts or labor-intensive manual procedures.

Its consolidated billing and central account management also make it easier to manage your company's security and compliance posture.

AWS Organizations Terminologies

AWS Organizations is more than a central account-management service, so before looking at what it can do we need the terms that come up repeatedly:

  • Organization: An entity you create to consolidate a set of AWS accounts. The organization manages all of its member accounts from one place.
  • Root: The parent container for all accounts in an organization. AWS creates the root automatically when you create the organization. It is the top of the OU hierarchy and should not be confused with the root user of an AWS account.
  • Organizational unit (OU): A container for accounts. An OU can contain other OUs, which lets you build a hierarchy: the root and the OUs are the branches of an inverted tree and the accounts are its leaves.
  • Account: A standard AWS account that holds your AWS resources. You can invite an existing account or create a new one from within the organization. The account that creates the organization is the management account (formerly called the master account); all other accounts are member accounts.
  • Invitation: The act of asking another account to join the organization. Only the management account can send invitations. Once the invited account accepts, it becomes a member account. Invitations can also be sent to existing members when the organization wants to change something, such as enabling all features.
  • Handshake: The multi-step exchange of information between the initiator and the recipient of an invitation. The invitation stays pending until the handshake is accepted, declined or cancelled.

Service Control Policies (SCP)

This brings us to service control policies, or SCPs. Think of an SCP as a boundary: it is the mechanism through which the organization controls what the accounts beneath it are allowed to do.

SCPs are a type of organization policy that you use to manage permissions across your organization. They define the maximum permissions available to each account in the organization. You can use SCPs to ensure your accounts stay within the access control guidelines your company has established.

Key points of SCP

  • IAM actions can be allow-listed or deny-listed, down to the individual API action.
  • They are attached at the root, OU or account level. Each target must have at least one SCP attached, and an account's effective boundary is the intersection of the SCPs at every level above it.
  • The management account is not affected, even by SCPs attached to the root.
  • All users and roles in a member account, including its root user, are subject to SCPs. Service-linked roles, which let other AWS services act on your behalf, are exempt.
  • SCPs never grant permissions on their own: an action must be allowed by an SCP at every level from the root down to the account before the identity's IAM policies are even consulted. A new organization comes with the FullAWSAccess SCP attached to every target, so nothing is blocked until you add a Deny statement or replace that policy.
  • Access to specific services can be cut off entirely (for example, deny all elasticmapreduce:* actions so that EMR cannot be used). Explicitly denying services that are not approved under a compliance regime such as PCI DSS is a simple way to keep them out of an account.

SCPs can also be created and attached through CloudFormation, which is worth knowing once you want account management to be automated.

Because SCPs are attached at group level, accounts that need the same guardrails should be placed in the same OU, so that one policy attachment covers all of them and the hierarchy stays easy to manage.
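As an added example (not code from the original post), the following Python builds the two deny-list SCPs most organizations start with and checks them before they are sent to the Organizations API. The list of global services that must stay reachable, the approved regions and the break-glass role ARN are assumptions chosen for illustration.

```python
import json

SCP_MAX_BYTES = 5120  # Organizations quota for a single SCP document

# Assumed for this example: global services that must stay reachable even
# when the request targets a region outside the allow-list.
GLOBAL_SERVICE_ACTIONS = [
    "iam:*", "sts:*", "organizations:*", "account:*",
    "cloudfront:*", "route53:*", "support:*", "budgets:*",
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def region_restriction_scp(allowed_regions, exempt_role_arns=()):
    """Deny every regional API call made outside allowed_regions.

    NotAction keeps the global services usable; the optional aws:PrincipalARN
    condition exempts named break-glass roles from the restriction.
    """
    condition = {"StringNotEquals": {"aws:RequestedRegion": sorted(allowed_regions)}}
    if exempt_role_arns:
        condition["ArnNotLike"] = {"aws:PrincipalARN": list(exempt_role_arns)}
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyOutsideApprovedRegions",
            "Effect": "Deny",
            "NotAction": GLOBAL_SERVICE_ACTIONS,
            "Resource": "*",
            "Condition": condition,
        }],
    }


def deny_leave_organization_scp():
    """Stop administrators of a member account from detaching it from the org."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyLeaveOrganization",
            "Effect": "Deny",
            "Action": ["organizations:LeaveOrganization"],
            "Resource": "*",
        }],
    }


def validate_scp(doc):
    """Return the compact JSON to pass as Content to create_policy.

    Raises ValueError for the SCP grammar rules the service rejects and for
    the size quota. Whitespace counts when a policy is submitted through the
    API or CLI, so the document is serialised without it.
    """
    if doc.get("Version") != "2012-10-17":
        raise ValueError("SCPs require Version 2012-10-17")
    for st in _as_list(doc.get("Statement", [])):
        if "Principal" in st or "NotPrincipal" in st:
            raise ValueError("SCPs do not support Principal elements")
        if "Action" not in st and "NotAction" not in st:
            raise ValueError("each statement needs Action or NotAction")
        if st.get("Effect") == "Allow":
            # Only Deny statements may scope by Resource, Condition or NotAction.
            if st.get("Resource") != "*" or "Condition" in st or "NotAction" in st:
                raise ValueError("Allow statements must use Action on Resource '*' "
                                 "without a Condition")
        elif st.get("Effect") != "Deny":
            raise ValueError("Effect must be Allow or Deny")
    compact = json.dumps(doc, separators=(",", ":"))
    size = len(compact.encode("utf-8"))
    if size > SCP_MAX_BYTES:
        raise ValueError(f"SCP is {size} bytes; the quota is {SCP_MAX_BYTES}")
    return compact


if __name__ == "__main__":
    regions = region_restriction_scp(["eu-west-1", "eu-central-1"],
                                     ["arn:aws:iam::*:role/BreakGlass"])
    for policy in (regions, deny_leave_organization_scp()):
        content = validate_scp(policy)
        print(f"{policy['Statement'][0]['Sid']}: {len(content)} bytes")
```

The string returned by validate_scp is what you pass as Content to `aws organizations create-policy --type SERVICE_CONTROL_POLICY`; attach the result to the OU that holds the accounts it should govern rather than to each account.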

Features of AWS Organizations

Now that the terms are clear, what does AWS Organizations give your AWS environment?

· Greater control of your AWS environment
Using service control policies (SCPs) attached to the root, to organizational units or to individual accounts, administrators in the management account decide which services and features, down to specific API calls, the IAM users and roles in member accounts may use, regardless of those identities' own identity-based or resource-based permissions.

· Consolidated billing
The charges of all accounts in the organization roll up into a single bill paid by the management account, while usage is still reported per account, so you can track the cost of each individual AWS account.

· Categorization and grouping of accounts
Organizational units let you group related AWS accounts and attach a different set of SCPs to each OU. If, for instance, several accounts must never use analytics services, place them in one OU and attach an SCP that denies those services; every account in the OU inherits it.

Creating and Configuring an Organization

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_tutorials_basic.html
  1. Create your organizational structure
    In this step you use your current AWS account as the management account (formerly called the master account), create a second AWS account to serve as a member account, and invite that account to join the organization.

  2. Create the organizational units
    Next, create organizational units (OUs) in the new organization and move the member accounts into them.

  3. Create service control policies (SCPs)
    Service control policies limit what the users and roles in member accounts are allowed to do. In this step you create the SCPs and attach them to the OUs of your organization.

  4. Test your organization's policies
    Sign in as a user in each of the test accounts and observe the effect of the SCPs: an action blocked by an SCP fails with an AccessDenied error even when the user's own IAM policy allows it.

Note: none of these steps adds to your AWS bill. AWS Organizations itself is free; only the resources used inside the accounts are charged.
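Steps 2 and 3 above, driven from Python with boto3, as an added example that is not part of the original post or the linked tutorial. The root ID, account ID and names are constructed placeholders. The organization is assumed to already exist with all features enabled, and the invited account is assumed to have accepted its handshake, so it sits directly under the root and can be moved. FakeOrganizationsClient is an offline stand-in so the script runs without credentials; swap in boto3.client("organizations") from the management account to apply the plan for real.

```python
import json

# Constructed placeholders for this example, not real identifiers.
ROOT_ID = "r-exmp"
MEMBER_ACCOUNT_ID = "111122223333"

DENY_LEAVE_ORG = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "DenyLeaveOrganization", "Effect": "Deny",
                   "Action": "organizations:LeaveOrganization", "Resource": "*"}],
}


def bootstrap_plan(root_id, ou_name, member_account_id, policy_name, policy_doc):
    """Ordered Organizations API calls; "${ou}" and "${policy}" are filled in
    by run_plan from the responses of the calls that create them."""
    return [
        # SCPs are inert until the policy type is enabled on the root.
        ("enable_policy_type", {"RootId": root_id, "PolicyType": "SERVICE_CONTROL_POLICY"}),
        ("create_organizational_unit", {"ParentId": root_id, "Name": ou_name}),
        ("create_policy", {
            "Name": policy_name,
            "Description": "Prevent member accounts from leaving the organization",
            "Type": "SERVICE_CONTROL_POLICY",
            # The API does not strip whitespace, so send the compact form.
            "Content": json.dumps(policy_doc, separators=(",", ":")),
        }),
        # Attach to the OU, not to each account: every account moved into the
        # OU inherits the policy.
        ("attach_policy", {"PolicyId": "${policy}", "TargetId": "${ou}"}),
        ("move_account", {"AccountId": member_account_id,
                          "SourceParentId": root_id, "DestinationParentId": "${ou}"}),
    ]


# Where each placeholder's value sits in the response that produced it.
_ID_PATHS = {
    "create_organizational_unit": ("${ou}", ("OrganizationalUnit", "Id")),
    "create_policy": ("${policy}", ("Policy", "PolicySummary", "Id")),
}


def run_plan(client, plan):
    """Execute the plan against an 'organizations' client; return resolved IDs."""
    ids = {}
    for method, kwargs in plan:
        resolved = {k: ids.get(v, v) if isinstance(v, str) else v for k, v in kwargs.items()}
        try:
            response = getattr(client, method)(**resolved)
        except client.exceptions.PolicyTypeAlreadyEnabledException:
            continue  # re-run on an org where SCPs are already enabled
        if method in _ID_PATHS:
            placeholder, path = _ID_PATHS[method]
            node = response
            for part in path:
                node = node[part]
            ids[placeholder] = node
    return ids


class FakeOrganizationsClient:
    """Offline stand-in for boto3.client('organizations'); records every call."""
    class exceptions:
        class PolicyTypeAlreadyEnabledException(Exception):
            pass

    def __init__(self):
        self.calls = []

    def enable_policy_type(self, **kw):
        self.calls.append(("enable_policy_type", kw)); return {}

    def create_organizational_unit(self, **kw):
        self.calls.append(("create_organizational_unit", kw))
        return {"OrganizationalUnit": {"Id": "ou-exmp-workloads", "Name": kw["Name"]}}

    def create_policy(self, **kw):
        self.calls.append(("create_policy", kw))
        return {"Policy": {"PolicySummary": {"Id": "p-exmpscp1", "Name": kw["Name"]}}}

    def attach_policy(self, **kw):
        self.calls.append(("attach_policy", kw)); return {}

    def move_account(self, **kw):
        self.calls.append(("move_account", kw)); return {}


if __name__ == "__main__":
    plan = bootstrap_plan(ROOT_ID, "Workloads", MEMBER_ACCOUNT_ID, "DenyLeaveOrg", DENY_LEAVE_ORG)
    print(run_plan(FakeOrganizationsClient(), plan))
```

With a real client, fetch the root ID first with list_roots(); the invitation itself (invite_account_to_organization) is deliberately not in the plan because the handshake must be accepted from the member account before move_account can succeed.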

So what is the difference between an AWS Organizations service control policy and an IAM policy?

source: nodramadevops.com
  • Service control policies (SCPs) do not replace the IAM policies inside an AWS account; both are evaluated for every request.
  • IAM policies grant or deny access to AWS services and API operations, and can only be attached to IAM identities (users, groups or roles) or to resources. The root user of an AWS account cannot be restricted by IAM policies.
  • SCPs allow or deny access to AWS services for an individual member account or for all accounts in an organizational unit (OU). They apply to every IAM identity in the member account, including its root user, but never to the management account.
  • Anything not explicitly allowed by the SCPs attached to an account and to each of its parent OUs, up to the root, is denied for that account, and an explicit Deny at any level wins. Every account in an OU inherits the SCPs attached to that OU.
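To make the interplay concrete, this added example (not from the cited source or from the post) models the evaluation rules in Python: the SCPs at every level from the root down to the account are checked first, then the identity's IAM policies. It handles Action/NotAction on Resource "*" with StringEquals/StringNotEquals conditions only; the policy documents are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed policy documents for this example.
FULL_AWS_ACCESS = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_EMR = {"Version": "2012-10-17",
            "Statement": [{"Effect": "Deny", "Action": "elasticmapreduce:*", "Resource": "*"}]}
EU_WEST_ONLY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Deny",
                               "NotAction": ["iam:*", "sts:*", "organizations:*"],
                               "Resource": "*",
                               "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1"]}}}]}
ADMIN_IAM = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
S3_READ_IAM = {"Version": "2012-10-17",
               "Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """Only StringEquals / StringNotEquals are modelled here."""
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals" and actual not in _as_list(expected):
                return False
            if operator == "StringNotEquals" and actual in _as_list(expected):
                return False
    return True


def evaluate(policies, action, context):
    """IAM-style decision for one set of policy documents.

    Returns 'deny' when an explicit Deny matches, 'allow' when an Allow
    matches and no Deny does, otherwise 'implicit_deny'.
    """
    decision = "implicit_deny"
    for doc in policies:
        for st in _as_list(doc["Statement"]):
            if "Action" in st:
                hit = any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(st["Action"]))
            else:
                hit = not any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(st["NotAction"]))
            if not hit or not _condition_holds(st.get("Condition"), context):
                continue
            if st["Effect"] == "Deny":
                return "deny"
            decision = "allow"
    return decision


def is_allowed(action, scp_chain, iam_policies, principal="role",
               management_account=False, context=None):
    """Decide whether `action` succeeds for one principal in one account.

    scp_chain lists the SCPs attached at each level from the root down to
    the account. The action must be allowed at every level and denied at
    none; only then are the IAM policies consulted. Principals in the
    management account and service-linked roles skip the SCP check; the
    root user of a member account skips IAM but not the SCPs.
    """
    context = context or {}
    if not management_account and principal != "service-linked-role":
        for level in scp_chain:
            if evaluate(level, action, context) != "allow":
                return False
    if principal == "root":
        return True
    return evaluate(iam_policies, action, context) == "allow"


if __name__ == "__main__":
    chain = [[FULL_AWS_ACCESS, EU_WEST_ONLY], [FULL_AWS_ACCESS, DENY_EMR], [FULL_AWS_ACCESS]]
    ctx = {"aws:RequestedRegion": "eu-west-1"}
    print(is_allowed("elasticmapreduce:RunJobFlow", chain, [ADMIN_IAM], context=ctx))
    print(is_allowed("elasticmapreduce:RunJobFlow", chain, [ADMIN_IAM], management_account=True, context=ctx))
```

The two prints show the core difference: an administrator's IAM policy allows everything in both accounts, yet the EMR call is refused in the member account because an OU-level SCP denies it, while the same call in the management account is never checked against SCPs at all.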

Conclusion

I hope you now have a better understanding of what AWS Organizations is and how it can change the traditional way of working with AWS accounts.
In the next article I will discuss how to use AWS Organizations to automate end-to-end account management.
