
AWS re:Invent 2016: NEW SERVICE: Centrally Manage Multiple AWS Accounts with AWS Organizations (SAC323)


AWS Organizations is a new administrative capability, which allows you to control multiple AWS accounts centrally. With Organizations, you can hierarchically organize and manage your AWS accounts and apply organizational controls across these accounts to meet your business needs. In this session, we cover the capabilities of AWS Organizations and discuss best practices when managing multiple AWS accounts.

Published in: Technology


  1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Anders Samuelsson, 12/1/2016. NEW SERVICE: Centrally Manage Multiple AWS Accounts with AWS Organizations
  2. What to Expect from the Session
     • Overview
     • Best practices
     • Demo
  3. AWS Organizations: available in limited public preview
  4. Service Overview
     • New management capability for centrally managing multiple AWS accounts
       - Simplified creation of new AWS accounts
       - Logically group AWS accounts for management convenience
       - Apply organizational control policies (OCPs)
       - Simplified billing
     • An AWS account can be a member of only one organization
     • Console, SDK, and CLI support for all management tasks
  5. Key concepts
     Organization
     • Consolidated set of all AWS accounts you can centrally control
     AWS account
     • Resource container for AWS resources such as Amazon S3 buckets and Amazon EC2 instances
     • Access to resources is controlled by AWS Identity and Access Management (IAM) principals (users, roles)
     • Smallest unit of management in AWS Organizations
     Master account
     • Payer account for all other accounts in your organization
     • Management “hub” for managing your organization
     Organizational unit (OU)
     • Set of AWS accounts logically grouped within an organization
     Administrative root
     • Starting point for the hierarchy of OUs
     Organization control policy (OCP)
     • Document describing controls to be applied to a selected set of accounts
     • Different use cases have different types of OCPs
  6. Let’s get to the details
  7. Programmatic creation of new AWS accounts
     • New AWS accounts can only be created from the master account
     • As part of the creation process you can configure:
       - Email address (required)
       - Account name (required)
       - IAM role name (optional; the default name is OrganizationAccountAccessRole)
         o Trust policy configured for AssumeRole access from the master account
         o Permissions configured with FULL CONTROL
       - IAM user access to billing (optional). Note: IAM users still need permissions
     • A new AWS account
       - Is automatically part of your organization
       - Cannot be removed from the organization
  8. CLI sample – CreateAccount (the email value is not shown on the slide; <email-address> is a placeholder)

       aws organizations create-account --email <email-address> --account-name "Production Account" --role-name Role-to-access-anders-account
  9. Invite existing AWS accounts to an organization
     • Invitation can only be initiated from the master account
     • Invited AWS account can accept or decline the invitation
       - Default action is DECLINE
       - Can be controlled with IAM permissions
     • When the invitation is accepted
       - The AWS account becomes a member of your organization
       - Applicable OCPs are automatically applied
     • Invited AWS accounts can be removed from the organization
  10. Logically group AWS accounts
     • Group AWS accounts into organizational units (OUs) for management convenience
     • AWS accounts and OUs can be members of an OU
     • An AWS account can be a member of multiple OUs
  11. Example (diagram: OUs named Development, Test, Production and Security containing accounts A1 through A9)
  12. Apply Organizational Control Policies (OCPs)
     • Describes controls to be applied
     • Different use cases have different types of OCPs
     • OCPs can be attached to
       - Organization
       - OUs
       - AWS account
     • OCPs are inherited up the hierarchy (AWS account, OU, organization)
  13. Example (diagram: OUs named Development, Test, Production and Security containing accounts A1 through A9, with OCPs attached)
  14. OCP supported in V1: Service Control Policies (SCPs)
     • Enables you to control which AWS service APIs are accessible
       - Define the list of APIs that are allowed – whitelisting
       - Define the list of APIs that must be blocked – blacklisting
     • Cannot be overridden by a local administrator
     • Resultant permission on an IAM user/role is the intersection between the SCP and the assigned IAM permissions
     • Necessary but not sufficient: an SCP never grants a permission by itself; the IAM policy must also allow the action
     • IAM policy simulator is SCP aware
  15. Blacklisting example

       {
         "Version": "2012-10-17",
         "Statement": [
           { "Effect": "Allow", "Action": "*", "Resource": "*" },
           { "Effect": "Deny", "Action": "redshift:*", "Resource": "*" }
         ]
       }

     Whitelisting example

       {
         "Version": "2012-10-17",
         "Statement": [
           {
             "Effect": "Allow",
             "Action": [
               "ec2:RunInstances",
               "ec2:DescribeInstances",
               "ec2:DescribeImages",
               "ec2:DescribeKeyPairs",
               "ec2:DescribeVpcs",
               "ec2:DescribeSubnets",
               "ec2:DescribeSecurityGroups"
             ],
             "Resource": "*"
           }
         ]
       }

  16. SCPs are necessary but not sufficient (diagram: SCP column "Allow: EC2:*", IAM Permissions column "Allow: S3:*", "Allow: SQS:*", "Allow: EC2:*"; only EC2:* is in both, so only EC2:* is effective)
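The intersection rule from slides 14 to 16, as an added example that is not part of the deck: a simplified policy evaluator (explicit Deny wins, otherwise any matching Allow; resources are ignored, which is an assumption of this example) run against the slide's blacklisting and whitelisting SCPs and a constructed IAM policy.

```python
import fnmatch

# The two SCPs from slide 15 (copied from the deck).
BLACKLIST_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "redshift:*", "Resource": "*"}]}

WHITELIST_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": [
        "ec2:RunInstances", "ec2:DescribeInstances", "ec2:DescribeImages",
        "ec2:DescribeKeyPairs", "ec2:DescribeVpcs", "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups"], "Resource": "*"}]}

# Constructed IAM policy attached to a user in a member account (not from the deck).
IAM_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "s3:*", "redshift:*"], "Resource": "*"}]}


def policy_allows(policy, action):
    """Simplified evaluation of one policy for one action.

    Explicit Deny always wins; otherwise the action is allowed if any
    Allow statement matches. Resources and conditions are ignored here.
    """
    allowed = False
    for stmt in policy["Statement"]:
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        # IAM action names are case-insensitive and support '*' wildcards.
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def effective_allow(scp, iam_policy, action):
    """Effective permission is the intersection: the SCP and the IAM policy must both allow."""
    return policy_allows(scp, action) and policy_allows(iam_policy, action)


if __name__ == "__main__":
    for scp_name, scp in (("blacklist", BLACKLIST_SCP), ("whitelist", WHITELIST_SCP)):
        for act in ("ec2:RunInstances", "ec2:TerminateInstances",
                    "redshift:CreateCluster", "s3:GetObject", "iam:CreateUser"):
            print(f"{scp_name:9} {act:25} -> {effective_allow(scp, IAM_POLICY, act)}")
```

The last probe shows the "necessary but not sufficient" point: the blacklisting SCP allows iam:CreateUser, but the IAM policy does not, so the action is still denied.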
  17. Simplified billing
     • Single payer for all AWS accounts
     • All AWS usage across AWS accounts in your organization is rolled up for volume pricing and billing
     • All existing Consolidated Billing families will be migrated to an organization in billing mode
  18. Different management levels. You select the management level when creating a new organization.
     Billing mode
     • Backward-compatible with current Consolidated Billing (CB)
     • An organization created from a Consolidated Billing family is automatically in Billing mode
     Full-control mode
     • Everything included in Billing mode
     • Enables management of ALL types of OCPs
     • Changing from Billing mode to Full-control mode requires consent from all AWS accounts in your organization
  19. Least privilege for managing your organization
     • IAM permissions for all AWS Organizations actions
     • You can also specify AWS Organizations resources (organization, OU, AWS account) as resources in an IAM policy
     • You can delegate permissions to manage your organization to an IAM user in another AWS account by using IAM roles
     • All organization management activity is logged in AWS CloudTrail
  20. Demo
  21. AWS Organizations Best practices
  22. Best practices – AWS Organizations
     1. Monitor activity in the master account using CloudTrail
     2. Do not manage resources in the master account
     3. Manage your organization using the principle of “least privilege”
     4. Use OUs to assign controls
     5. Test controls on a single AWS account first
     6. Only assign controls to the root of the organization if necessary
     7. Avoid mixing “whitelisting” and “blacklisting” SCPs in an organization
     8. Create new AWS accounts for the right reasons
  23. Related Sessions
     ARC314 – Enabling Enterprise Migrations: Creating an AWS Landing Zone
     ENT203 – Enterprise Fundamentals: Design Your Account and VPC Architecture for Enterprise Operating Models
     SAC319 – Architecting Security and Governance Across a Multi-Account Strategy
     SAC320 – Deep Dive: Implementing Security and Governance Across a Multi-Account Strategy
     SEC304 – Reduce Your Blast Radius by Using Multiple AWS Accounts Per Region and Service
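Best practices 1 and 2 (monitor the master account with CloudTrail; do not manage resources there) as an added detection example, not part of the deck: it scans constructed CloudTrail-shaped records and flags state-changing calls in the master account that are not organization management. The account IDs, user names and the allow-list of expected event sources are assumptions of this example.

```python
# Constructed placeholder for the master (payer) account ID.
MASTER_ACCOUNT_ID = "111111111111"

# Event sources expected in the master account: organization management only.
# (Assumption of this example; extend it for your own environment.)
EXPECTED_SOURCES = {"organizations.amazonaws.com"}

# Constructed sample records using a subset of CloudTrail's record fields.
SAMPLE_RECORDS = [
    {"eventTime": "2016-12-01T10:00:00Z", "eventSource": "organizations.amazonaws.com",
     "eventName": "CreateAccount", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "IAMUser", "userName": "org-admin"}},
    {"eventTime": "2016-12-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "IAMUser", "userName": "dev1"}},
    {"eventTime": "2016-12-01T10:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "recipientAccountId": "222222222222",
     "userIdentity": {"type": "IAMUser", "userName": "dev1"}},
    {"eventTime": "2016-12-01T10:06:30Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "IAMUser", "userName": "auditor"}},
    {"eventTime": "2016-12-01T10:07:00Z", "eventSource": "organizations.amazonaws.com",
     "eventName": "AttachPolicy", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "Root"}},
]


def is_mutating(event_name):
    """Treat read-only API name prefixes as harmless; anything else changes state."""
    return not event_name.startswith(("Describe", "List", "Get"))


def flag_master_account_events(records, master_id=MASTER_ACCOUNT_ID):
    """Return (finding, eventName, actor) tuples for master-account activity worth an alert."""
    findings = []
    for rec in records:
        if rec.get("recipientAccountId") != master_id:
            continue  # member-account activity is out of scope for this check
        identity = rec["userIdentity"]
        actor = identity.get("userName", identity["type"])
        if identity["type"] == "Root":
            # Root credentials should not be used for routine management.
            findings.append(("root-usage", rec["eventName"], actor))
        elif rec["eventSource"] not in EXPECTED_SOURCES and is_mutating(rec["eventName"]):
            findings.append(("resource-management-in-master", rec["eventName"], actor))
    return findings


if __name__ == "__main__":
    for finding in flag_master_account_events(SAMPLE_RECORDS):
        print(finding)
```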
  24. Remember to complete your evaluations!
  25. Thank you!