
Wrangling Multiple AWS Accounts with AWS Organizations



Providing more control around how to manage your AWS accounts with our newly launched service - AWS Organizations. In this session we'll look at aspects affecting your account management before and after AWS Organizations, how AWS Organizations can programmatically create and manage your AWS accounts and apply organisational controls with familiar policies across these accounts to meet your business needs. We'll also cover best practices and troubleshooting tips to get you started.

Speaker: Pierre Liddle, Solutions Architect, Amazon Web Services

Published in: Technology


  1. Wrangling Multiple AWS Accounts with AWS Organizations. Pierre Liddle, Solutions Architect, Amazon Web Services. Level 200. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
  2. In this Session
     • How did we get here
     • Service overview
     • Demo
     • Best practices
     • Troubleshooting
  3. How Did We Get Here
  4. AWS Account Overview (diagram: Users, Groups, Roles, Policies and Resources such as S3 inside a single AWS account)
  5. AWS Account Decisions (diagram labels: Administrative Boundary, Resources Containment, Billing Entity; Environmental, Business, Workload)
  6. AWS Accounts, One to Many (diagram: many AWS accounts)
  7. Service Overview
  8. AWS Organizations
     • New management capability for centrally managing multiple AWS accounts
       - Simplified creation of new AWS accounts
       - Logically group AWS accounts for management convenience
       - Apply organizational control policies (OCP)
       - Simplified billing
     • Console, SDK, and CLI support for all management tasks
  9. AWS Organizations (diagram: master account / administrative root M; organizational units (OUs) Dev, Test, Prod; AWS accounts A1–A4; Organization Control Policy (OCP); AWS resources)
  10. AWS Organizations: create new AWS accounts in your organization (diagram: new account A5 added). Inputs:
     - Email address (required)
     - Account name (required)
     - IAM role name (optional)
  11. AWS Organizations: invite other AWS accounts to join your organization (diagram: accounts A1–A5 under Dev, Test, Prod)
  12. AWS Organizations (diagram: accounts A1–A5 and B1, master M)
  13. AWS Organizations (diagram: accounts A1, A2, A4 under Dev, Test, Prod; A3 shown separately)
  14. AWS Organizations (diagram: accounts A1, A2, A4 under Dev, Test, Prod; A3 shown separately)
  15. OCP V1: Service Control Policies (SCPs)
     • Enables you to control which AWS service APIs are accessible
       - Define the list of APIs that are allowed – Whitelisting
       - Define the list of APIs that must be blocked – Blacklisting
     • Cannot be overridden by local administrator
     • Resultant permission on IAM user/role is the intersection between the SCP and assigned IAM permissions
     • Necessary but not sufficient
     • IAM policy simulator is SCP aware
  16. Whitelisting and blacklisting examples

     Whitelisting example:

       {
         "Version": "2012-10-17",
         "Statement": [
           { "Effect": "Allow", "Action": [ "EC2:*", "S3:*" ], "Resource": "*" }
         ]
       }

     Blacklisting example:

       {
         "Version": "2012-10-17",
         "Statement": [
           { "Effect": "Deny", "Action": [ "SQS:*" ], "Resource": "*" }
         ]
       }
  17. SCPs are Necessary but not Sufficient (diagram: the SCP allows S3:* and EC2:*, the IAM policy allows SQS:* and EC2:*; only EC2:*, in the intersection of the two, is effectively permitted)
  18. Simplified Billing
     • Single payer for all AWS accounts
     • All AWS usage across AWS accounts in your organization rolled up for volume pricing and billing
     • All existing Consolidated Billing families will be migrated to an organization in billing mode
  19. Different Management Levels. You select the management level when creating a new organization.
     Billing mode
     • Backward-compatible with current Consolidated Billing (CB)
     • Organization created from a Consolidated Billing family is automatically in Billing mode
     Full-control mode
     • Everything included in Billing mode
     • Enables management of ALL types of OCPs
     • Changing from Billing mode to Full-control mode requires consent from all AWS accounts in your organization
  20. Demo
  21. Automation – Create New Account

       [ec2-user ~]$ aws organizations create-account --email pierreliddle@amazon.com --account-name "Production" --role-name "Org-Admins"
       {
         "CreateAccountStatus": {
           "State": "IN_PROGRESS",
           "Id": "car-842ceec004ad1…",
           "AccountName": "Production"
         }
       }
  22. Use AssumeRole on the New Account

       [ec2-user ~]$ aws sts assume-role --role-arn arn:aws:iam::111122223333:role/Org-Admins --role-session-name "account-bootstrap"
       {
         "AssumedRoleUser": {
           "AssumedRoleId": "AROAJLV5KFI2Q4I2RNTZO:account-bootstrap",
           "Arn": "arn:aws:sts::999999999999:assumed-role/Org-Admins/account-bootstrap"
         },
         "Credentials": {
           "SecretAccessKey": "<removed>",
           "SessionToken": "<removed>",
           "AccessKeyId": "ASIAJVVKXYXXBHROX4AQ"
         }…
  23. Best Practices
  24. Best Practices – AWS Organizations
     • Monitor activity of the master account using CloudTrail
     • Do not manage resources in the master account
     • Manage your organization using the principle of “least privilege”
     • Use OUs to assign controls
     • Test controls on a single AWS account first
     • Only assign controls to the root of the organization if necessary
     • Avoid mixing “whitelisting” and “blacklisting” SCPs in an organization
     • Create new AWS accounts for the right reasons
  25. Best Practices – AWS IAM
     • Reduce or remove use of root
     • Create individual IAM users
     • Configure a strong password policy
     • Enable MFA for privileged users
     • Grant least privilege
     • Manage permissions with groups
     • Restrict privileged access further with conditions
     • Rotate security credentials regularly
     • Use IAM roles to share access
     • Use IAM roles for Amazon EC2 instances
     • Monitor activity
  26. Troubleshooting
  27. Immediate Visibility: AWS Organizations uses a distributed computing model called eventual consistency, so a change is not guaranteed to be visible the moment the API call returns.
  28. Policy Elements. Currently:
     • You can specify only "*" in the Resource element of an SCP
     • You cannot specify individual resource ARNs
     • You cannot specify a Principal (user, account) element in an SCP
  29. More than one Policy Object and Statement. Two separate policy objects:

       {
         "Version": "2012-10-17",
         "Statement": { "Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*" }
       }

       {
         "Statement": { "Effect": "Deny", "Action": "s3:*", "Resource": "*" }
       }

     The same rules as one policy object with a Statement array:

       {
         "Version": "2012-10-17",
         "Statement": [
           { "Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*" },
           { "Effect": "Deny", "Action": "s3:*", "Resource": "*" }
         ]
       }
  30. CloudTrail Events for AWS Organizations (CreateAccount)

       {
         "eventVersion": "1.04",
         "userIdentity": {
           "type": "IAMUser",
           "principalId": "AIDAMVNPBQA3EXAMPLE",
           "arn": "arn:aws:iam::111122223333:user/bob",
           "accountId": "…", "accessKeyId": "…", "userName": "…"
         },
         "eventTime": "…",
         "eventSource": "organizations.amazonaws.com",
         "eventName": "CreateAccount",
         "awsRegion": "us-east-1",
         "sourceIPAddress": "192.168.0.1",
         "userAgent": "…",
         "requestParameters": {
           "email": "bob@amazon.com",
           "accountName": "ProductionAccount"
         }
       }
  31. CloudTrail Events for AWS Organizations (CreateOrganizationalUnit)

       {
         "eventVersion": "1.04",
         "userIdentity": {
           "type": "IAMUser",
           "principalId": "AIDAMVNPBQA3EXAMPLE",
           "arn": "arn:aws:iam::111122223333:user/bob",
           "accountId": "…", "accessKeyId": "…", "userName": "…"
         },
         "eventTime": "…",
         "eventSource": "organizations.amazonaws.com",
         "eventName": "CreateOrganizationalUnit",
         "awsRegion": "us-east-1",
         "sourceIPAddress": "192.168.0.1",
         "userAgent": "…",
         "requestParameters": {
           "name": "OU:Production",
           "parentId": "ExampleRootID111"
         }
       }
  32. CloudTrail Events for AWS Organizations (InviteAccountToOrganization)

       {
         "eventVersion": "1.04",
         "userIdentity": {
           "type": "IAMUser",
           "principalId": "AIDAMVNPBQA3EXAMPLE",
           "arn": "arn:aws:iam::111122223333:user/bob",
           "accountId": "…", "accessKeyId": "…", "userName": "…"
         },
         "eventTime": "…",
         "eventSource": "organizations.amazonaws.com",
         "eventName": "InviteAccountToOrganization",
         "awsRegion": "us-east-1",
         "sourceIPAddress": "192.168.0.1",
         "requestParameters": {
           "notes": "This is a request for Alice's account to join Bob's organization.",
           "target": { "type": "ACCOUNT", "id": "222222222222" }
         }
       }
  33. AWS Organizations Limits. Currently:
     • Total number of accounts in a single Organization: 20
     • Maximum invites that can be sent per day: 20
     • Maximum depth of an OU hierarchy: 5
  34. Resources
     AWS Organizations: http://bit.ly/AWSOrg
     IAM Policies for AWS Organizations: http://bit.ly/AWSOrgPol
     Logging Events: http://bit.ly/AWSOrgLog
     Code 03 = bGwgY29k
  35. Thank you!
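Slides 15 to 17 state the evaluation rule behind SCPs: the permission a principal actually has in a member account is the intersection of what the SCP allows and what its IAM policy allows, and an SCP on its own grants nothing. The following Python model is an added example, not code from the deck or from AWS; it reproduces only the subset of policy evaluation the slides describe (Effect, wildcard Action patterns, explicit Deny winning over Allow) and ignores conditions, resource ARNs and NotAction. The sample documents are the slide 16 policies plus a constructed allow-all SCP, and `effective_allow` and the other function names are this example's own.

```python
"""Model of the slide 15-17 rule: effective permission = SCP ∩ IAM policy.
Added example, not code from the deck. Conditions, resource ARNs and NotAction
are deliberately out of scope (SCPs could not use them at this point, slide 28)."""
import fnmatch
import json
from typing import Iterable, List


def _as_list(value) -> list:
    """Policy elements may be a single string/object or a list of them."""
    return value if isinstance(value, list) else [value]


def load_policy(document) -> dict:
    """Accept a JSON string or an already-parsed dict."""
    return json.loads(document) if isinstance(document, str) else document


def _matches(statement: dict, action: str) -> bool:
    """Action patterns are case-insensitive and support '*' wildcards (e.g. 'EC2:*')."""
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
               for pattern in _as_list(statement.get("Action", [])))


def _decide(statements: List[dict], action: str) -> bool:
    """Default deny; an explicit Deny that matches overrides any Allow."""
    allowed = False
    for statement in statements:
        if not _matches(statement, action):
            continue
        if statement.get("Effect") == "Deny":
            return False
        if statement.get("Effect") == "Allow":
            allowed = True
    return allowed


def policy_allows(policy, action: str) -> bool:
    """Decision for a single IAM policy document."""
    return _decide(_as_list(load_policy(policy).get("Statement", [])), action)


def scps_allow(scps: Iterable, action: str) -> bool:
    """Decision for the SCPs attached at one level of the organization: the action
    must be allowed by at least one SCP and denied by none. A Deny-only
    'blacklisting' SCP (slide 16) therefore only has an effect next to an Allow
    SCP; in practice that is the default allow-all SCP (FullAWSAccess)."""
    statements = [s for scp in scps
                  for s in _as_list(load_policy(scp).get("Statement", []))]
    return _decide(statements, action)


def effective_allow(scps: Iterable, iam_policy, action: str) -> bool:
    """SCP is necessary but not sufficient: both gates must allow the action."""
    return scps_allow(scps, action) and policy_allows(iam_policy, action)


# Sample documents: the two slide 16 policies, a constructed allow-all SCP, and
# the IAM policy from the slide 17 diagram (SQS:* and EC2:*).
SCP_WHITELIST = '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["EC2:*","S3:*"],"Resource":"*"}]}'
SCP_BLACKLIST = '{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":["SQS:*"],"Resource":"*"}]}'
SCP_ALLOW_ALL = '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}'
IAM_POLICY = '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["SQS:*","EC2:*"],"Resource":"*"}]}'

if __name__ == "__main__":
    for action in ("ec2:RunInstances", "s3:GetObject", "sqs:SendMessage"):
        print(f"{action:18s} whitelist SCP -> "
              f"{effective_allow([SCP_WHITELIST], IAM_POLICY, action)!s:5}  "
              f"allow-all + blacklist SCP -> "
              f"{effective_allow([SCP_ALLOW_ALL, SCP_BLACKLIST], IAM_POLICY, action)}")
```

Running it reproduces the slide 17 picture: with the whitelisting SCP only EC2 calls survive, because S3 is allowed by the SCP but not by the IAM policy and SQS is allowed by the IAM policy but not by the SCP. For real decisions use the IAM policy simulator, which the deck notes is SCP aware.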
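The demo on slides 21 and 22 shows that `create-account` returns only `IN_PROGRESS`, and slide 27 warns that Organizations is eventually consistent, so an automation has to poll the request to a terminal state before it can assume the bootstrap role in the new account. The following Python is an added example, not from the deck. To keep it runnable offline the poll is driven by a caller-supplied callable; with boto3 (an assumption, not used here) that callable would be `lambda rid: boto3.client("organizations").describe_create_account_status(CreateAccountRequestId=rid)["CreateAccountStatus"]`. The request id, account id and failure reason in the offline run are constructed values; `Org-Admins` is the role name from slide 21.

```python
"""Poll an asynchronous CreateAccount request, then build the ARN of the role to
assume in the new account. Added example, not code from the deck."""
import time
from typing import Callable, Dict, Iterable


class AccountCreationError(RuntimeError):
    """Raised when the CreateAccount request reports FAILED."""


def wait_for_account(request_id: str,
                     describe_status: Callable[[str], Dict],
                     max_attempts: int = 30,
                     delay_seconds: float = 0.0) -> str:
    """Poll until SUCCEEDED (return the new account id) or FAILED (raise).

    Organizations is eventually consistent (slide 27): the 'car-...' request and
    the new account are not necessarily visible on the first describe, so the
    loop tolerates repeated IN_PROGRESS answers instead of assuming the account
    exists right after the create call returns."""
    for _ in range(max_attempts):
        status = describe_status(request_id)
        state = status.get("State")
        if state == "SUCCEEDED":
            return status["AccountId"]
        if state == "FAILED":
            raise AccountCreationError(status.get("FailureReason", "unknown reason"))
        if delay_seconds:
            time.sleep(delay_seconds)
    raise TimeoutError(f"create-account request {request_id} still in progress")


def bootstrap_role_arn(account_id: str, role_name: str) -> str:
    """ARN of the role created in the new account by --role-name (slide 21), which
    the master account then passes to sts assume-role (slide 22)."""
    if not (account_id.isdigit() and len(account_id) == 12):
        raise ValueError(f"not a 12-digit account id: {account_id!r}")
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def make_fake_describe(responses: Iterable[Dict]) -> Callable[[str], Dict]:
    """Constructed stand-in for describe_create_account_status: hands back the
    given responses in order (for the offline run and the tests)."""
    queue = iter(responses)

    def describe(_request_id: str) -> Dict:
        return next(queue)
    return describe


if __name__ == "__main__":
    # Constructed sequence: two IN_PROGRESS answers before the account exists.
    fake = make_fake_describe([
        {"State": "IN_PROGRESS", "Id": "car-example", "AccountName": "Production"},
        {"State": "IN_PROGRESS", "Id": "car-example", "AccountName": "Production"},
        {"State": "SUCCEEDED", "Id": "car-example", "AccountName": "Production",
         "AccountId": "999999999999"},
    ])
    new_account = wait_for_account("car-example", fake)
    print("assume:", bootstrap_role_arn(new_account, "Org-Admins"))
```

In production, pass a positive `delay_seconds` and treat `AccountCreationError` as a stop condition rather than retrying the create call, since a second `create-account` with the same email would fail or create a duplicate request.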
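The two troubleshooting slides 28 and 29 list what an SCP may not contain (a Resource other than "*", resource ARNs, a Principal) and show that several statements belong in one policy object with a Statement array rather than in several policy objects. The following validator and merger is an added example, not code from the deck or from AWS; the checks mirror only the slide text, not the service's full validation, and `scp_problems` and `merge_scps` are names chosen here. The first two sample documents are the slide 29 objects; the third is a constructed policy that breaks the slide 28 rules (its bucket name is a placeholder).

```python
"""Check SCP documents against the slide 28 restrictions and fold several policy
objects into one Statement array (slide 29). Added example, not from the deck."""
import json
from typing import Iterable, List


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def _load(document) -> dict:
    return json.loads(document) if isinstance(document, str) else document


def scp_problems(document) -> List[str]:
    """Return human-readable findings; an empty list means the SCP passes."""
    policy = _load(document)
    problems = []
    statements = _as_list(policy.get("Statement", []))
    if not statements:
        problems.append("policy has no Statement")
    for index, statement in enumerate(statements):
        where = f"statement {index}"
        if statement.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"{where}: Effect must be Allow or Deny")
        if "Action" not in statement:
            problems.append(f"{where}: missing Action")
        # slide 28: no Principal element in an SCP
        if "Principal" in statement or "NotPrincipal" in statement:
            problems.append(f"{where}: Principal is not supported in an SCP")
        # slide 28: only "*" in Resource, no individual resource ARNs
        if "Resource" not in statement:
            problems.append(f"{where}: missing Resource")
        for resource in _as_list(statement.get("Resource", [])):
            if resource != "*":
                problems.append(f'{where}: Resource must be "*", got {resource!r}')
    return problems


def merge_scps(documents: Iterable) -> dict:
    """Fold standalone policy objects into one document with a Statement array,
    the corrected form on slide 29. Refuses any document that fails scp_problems."""
    statements = []
    for document in documents:
        problems = scp_problems(document)
        if problems:
            raise ValueError("; ".join(problems))
        statements.extend(_as_list(_load(document)["Statement"]))
    return {"Version": "2012-10-17", "Statement": statements}


# The two standalone objects from slide 29, plus a constructed policy that uses
# a Principal and a resource ARN (both rejected by slide 28).
ALLOW_DESCRIBE = ('{"Version": "2012-10-17", "Statement": '
                  '{"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}}')
DENY_S3 = '{"Statement": {"Effect": "Deny", "Action": "s3:*", "Resource": "*"}}'
BAD_SCP = ('{"Version": "2012-10-17", "Statement": {"Effect": "Deny", "Action": "s3:*", '
           '"Principal": {"AWS": "arn:aws:iam::111122223333:user/bob"}, '
           '"Resource": "arn:aws:s3:::example-bucket/*"}}')

if __name__ == "__main__":
    print(json.dumps(merge_scps([ALLOW_DESCRIBE, DENY_S3]), indent=2))
    for problem in scp_problems(BAD_SCP):
        print("finding:", problem)
```

Run the validator in the pipeline that attaches SCPs, before `attach-policy`, so a policy that the service would reject, or that silently does nothing because its Resource is narrower than "*", never reaches the root or an OU; this also supports the slide 24 advice to test controls on a single account first.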
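Slides 30 to 32 show what Organizations API calls look like in CloudTrail, and slide 24 asks you to monitor the master account with CloudTrail. The following triage routine is an added example, not code from the deck or from AWS. The log it reads is constructed, modelled on the three slide events; account ids, IP addresses and user names are placeholders, and the allow-list of expected administrators and the `HIGH_IMPACT` set (the three event names on the slides plus other Organizations API actions, which CloudTrail records under the API name) are assumptions of this example.

```python
"""Flag Organizations activity in CloudTrail records: any Organizations call by an
unexpected principal, and organization-changing calls by expected ones.
Added example, not code from the deck."""
import json
from typing import Dict, Iterable, List

ORG_EVENT_SOURCE = "organizations.amazonaws.com"

# Calls that change membership or controls. The first three are the event names
# on slides 30-32; the rest are further Organizations API actions (assumption).
HIGH_IMPACT = {
    "CreateAccount", "CreateOrganizationalUnit", "InviteAccountToOrganization",
    "AttachPolicy", "DetachPolicy", "RemoveAccountFromOrganization",
    "LeaveOrganization", "DeleteOrganization",
}


def parse_records(text: str) -> List[Dict]:
    """CloudTrail delivers files as {"Records": [...]}; a bare list is accepted too."""
    data = json.loads(text)
    return data["Records"] if isinstance(data, dict) else data


def triage(records: Iterable[Dict], expected_admins: Iterable[str]) -> List[Dict]:
    """Return findings in log order. Read-only calls by expected admins yield none."""
    admins = set(expected_admins)
    findings = []
    for record in records:
        if record.get("eventSource") != ORG_EVENT_SOURCE:
            continue
        # strip(): copied events sometimes carry padding around the name, as the
        # InviteAccountToOrganization example on slide 32 does
        name = (record.get("eventName") or "").strip()
        actor = record.get("userIdentity", {}).get("arn", "<unknown>")
        base = {"eventName": name, "actor": actor,
                "eventTime": record.get("eventTime"),
                "sourceIPAddress": record.get("sourceIPAddress"),
                "requestParameters": record.get("requestParameters", {})}
        if actor not in admins:
            findings.append({"severity": "high",
                             "reason": "Organizations call by unexpected principal", **base})
        elif name in HIGH_IMPACT:
            findings.append({"severity": "medium",
                             "reason": "organization structure or controls changed", **base})
    return findings


# Assumed allow-list: the master-account administrator from the slides.
EXPECTED_ADMINS = {"arn:aws:iam::111122223333:user/bob"}

# Constructed log: slide-style events plus a read-only call and a non-Organizations call.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventVersion": "1.04", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "eventTime": "2017-03-01T10:00:00Z", "eventSource": "organizations.amazonaws.com",
     "eventName": "CreateAccount", "awsRegion": "us-east-1", "sourceIPAddress": "192.168.0.1",
     "requestParameters": {"email": "bob@amazon.com", "accountName": "ProductionAccount"}},
    {"eventVersion": "1.04", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "eventTime": "2017-03-01T10:01:00Z", "eventSource": "organizations.amazonaws.com",
     "eventName": "DescribeOrganization", "awsRegion": "us-east-1", "sourceIPAddress": "192.168.0.1"},
    {"eventVersion": "1.04", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/temp-contractor"},
     "eventTime": "2017-03-01T10:02:00Z", "eventSource": "organizations.amazonaws.com",
     "eventName": " InviteAccountToOrganization ", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"target": {"type": "ACCOUNT", "id": "222222222222"}}},
    {"eventVersion": "1.04", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "eventTime": "2017-03-01T10:03:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1", "sourceIPAddress": "192.168.0.1"},
]})

if __name__ == "__main__":
    for finding in triage(parse_records(SAMPLE_LOG), EXPECTED_ADMINS):
        print(f"[{finding['severity']}] {finding['eventName']} by {finding['actor']}: {finding['reason']}")
```

The allow-list works because of the slide 24 rule that nobody manages resources in the master account: if the only principals expected to touch Organizations are a few named administrators, any other principal calling the API is worth a high-severity finding on its own, before looking at what it did.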
