CSAP AWS Organizations

  Amazon Web Services (AWS), Certified Solutions Architect Professional

Main Menu

Menu

  • AWS Organizations
  • Creating first AWS Organization & SCP

AWS Organizations

https://www.udemy.com/aws-certified-solutions-architect-professional/learn/v4/t/lecture/13249216?start=0

Overview

This was a high level view.  It did not dig deep into how to create policies or setup consolidated billing.

AWS offers centralized policy-based management as well as the feature of consolidated billing for multiple AWS accounts through the feature of AWS Organizations

There are two primary features of AWS Organizations

  • Consolidated Billing Only
  • All Features (Policy Restrictions)
    • Can even control the access permissions for child accounts

Consolidated Billing

  • Can see total costs for each child account from the Master account.

Example of Policy Restrictions

  • The Organization (aka Master account) can deny the ability to disable CloudTrail in Account A (child account)
    • This includes Account A’s root account
  • The Organization can deny all S3 in Account B (child account)
    • Also includes the root account

 

Creating first AWS Organization & SCP

https://www.udemy.com/aws-certified-solutions-architect-professional/learn/v4/t/lecture/13249218?start=0

Requirements

  • 2 AWS Accounts
    • Master
    • Child

Process

  • Master account
    • ‘AWS Organizations’ > [ Create organization ]
    • Select ‘Enable all features‘ or ‘Enable only consolidated billing’ > [ Create organization ]
    • To add a new account to the organization, click [ Add account ]
    • Select to ‘Invite account‘ (pre-existing) or ‘Create account’ (brand new)
      • Email or account ID: Enter the root email address or the account id of the existing account.
      • [ Invite ]
        • If your Organization is newly created it may take up to an hour (per documentation) or several hours (reality) for it to initialize before you can invite new accounts.  “You cannot add accounts while it is initializing. Try again later.
  • Child account
    • ‘AWS Organizations’.  You will see the invitation to join.
    • [ Accept ] > [ Confirm ]

Confirm the join was successful

  • Master Account
    • Refresh the page and you will now see the new child account.
  • Child account
    • ‘Billing dashboard’.  “Your account is now a member of an organization”
    • In the next step, we’re going to disable S3 access on this account.  Verify you currently have access to S3 at this time.

Adding Policies

  • Master account
    • ‘AWS Organizations’ > Policies
      • FullAWSAccess policy is created by default
      • [ Create policy ]
        • Policy name: S3Deny
        • Description: ‘Deny all S3 Access’
        • Choose overall effect: Deny or Allow
        • Select service: Amazon S3
        • Select action: All
        • Click ‘Add statement’
        • [ Create policy ]
      • Enable polices
        • ‘AWS Organizations’ > Organize accounts
          • Service control policies: ‘Enable’
          • Click ‘Accounts’ to return to the accounts screen
      • Click the account to add the policy to > ‘Service Policies’
        • S3Deny: ‘Attach’
  • Child Account
    • Log back in and see if you can still access S3.  You should see “Error Access Denied”

LEAVE A COMMENT