Practical steps using AWS Organization

Sulaiman Olubiyi - Jun 29 '22 - - Dev Community

Consider the scenario where, as the Cloud Administrator, you have to manage several AWS accounts in your company.

(diagram: AWS architecture)
AWS Organizations offers a solution to this pain point, with several advantages:

  • AWS Organizations helps you centrally manage and govern your environment as you grow and scale your AWS resources.

  • Using AWS Organizations, you can create accounts and allocate resources, and group accounts to organize your workflows.

  • Apply policies for governance using SCPs (Service Control Policies).

  • Simplify billing by using a single payment method for all of your accounts (consolidated billing).

An organization consists of two kinds of account:

  1. Management/Master account: the management account is the account that creates the organization.
  2. Member account: accounts that are invited into the organization by the management account.

Steps in creating an AWS Organization

  • Open the AWS console

  • Log in to your account with your IAM credentials

  • Search for AWS Organizations in the search bar
    (screenshot: console homepage)

  • Click on the AWS Organizations entry indicated above

  • Click Create Organization on the home page

  • After creating the organization, invitations can be sent to member accounts, either existing accounts or new ones

Add AWS account

  • An existing account can be invited using its account ID or email
    (screenshot: inviting an existing AWS account)

  • A new account can be created using an email address only
    (screenshot: creating a new AWS account)

  • When you create a new account, the role is created automatically, BUT adding an existing account requires you to create the role manually

  • In the member account's IAM, create the OrganizationAccountAccessRole with the master account as the trusted entity and the required permissions.

  • Go to the IAM service, click on Roles, then create the role and choose the trusted entity
    (screenshot: trusted entity)

  • The account ID of the master account is given as the trusted entity for this role.
    (screenshot: master account ID as trusted entity)

  • Also, assign the AWS managed permission AdministratorAccess to the role

  • Ensure that the role name is OrganizationAccountAccessRole, add a description based on your preference, and click Create
    (screenshot: OrganizationAccountAccessRole)

  • For an existing AWS account, its admin needs to accept the invitation sent by the master account to join the organization.

  • Proceed to the master account and choose Switch Role

  • Log in to the member account with the credentials created earlier.
    (screenshots: switch role 1 and 2)

  • After entering the correct login credentials, you will be logged into the member account as a federated user

HIERARCHY STRUCTURE

This lets you create OUs (Organizational Units) within the root container of the organization. Member accounts can be grouped into OUs.

  • In the AWS Organizations dashboard (master account), tick the root as shown, then click Actions
    (screenshot: organizational unit)

  • Create the Organizational Unit used to structure the member accounts
    (screenshot: OU deployment)

  • Tick the member account to add to the OU, then click Actions and Move.
    (screenshots: adding an account to an OU, 1 and 2)

USING SERVICE CONTROL POLICIES (SCP)

SCPs are used to control permissions across member accounts; an action granted through an SCP must also be allowed by the IAM permissions in the member account.
In effect, an SCP restricts access to AWS services before the IAM permissions take over.


By default, SCPs are disabled in the organization.
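To make the SCP and IAM interaction described above concrete, here is an added example (not code from the post) that models the simplified evaluation order: the SCPs attached from the root down to the account act as a filter first, and only then do the member account's own IAM policies decide. The policy documents are constructed samples, and only the Action element is matched (Resource and Condition are left out).

```python
from fnmatch import fnmatchcase

# Constructed sample policy documents (not taken from the post).
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_EC2 = {"Statement": [{"Effect": "Deny", "Action": "ec2:*", "Resource": "*"}]}
ADMIN_IAM = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
S3_READ_IAM = {"Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}


def decision(policy, action):
    """Evaluate one policy document for an action: an explicit Deny wins over
    Allow, and an action that no statement mentions is implicitly denied."""
    result = "ImplicitDeny"
    for stmt in policy.get("Statement", []):
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        # IAM action names are case-insensitive and support '*' wildcards
        if any(fnmatchcase(action.lower(), p.lower()) for p in patterns):
            if stmt["Effect"] == "Deny":
                return "Deny"
            result = "Allow"
    return result


def scps_allow(scp_levels, action):
    """SCP filter for a member account. scp_levels lists, from the root down to
    the account, the SCPs attached at each level. The action passes only if every
    level has at least one SCP allowing it and no SCP at any level denies it."""
    for level in scp_levels:
        decisions = [decision(scp, action) for scp in level]
        if "Deny" in decisions or "Allow" not in decisions:
            return False
    return True


def is_allowed(scp_levels, iam_policies, action, management_account=False):
    """Effective answer for a principal in an account: the SCP filter is applied
    first, then the principal's IAM policies decide. SCPs never restrict the
    management account, only member accounts."""
    if not management_account and not scps_allow(scp_levels, action):
        return False
    decisions = [decision(p, action) for p in iam_policies]
    return "Deny" not in decisions and "Allow" in decisions


if __name__ == "__main__":
    levels = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, DENY_EC2]]  # root, then a sandbox OU
    print(is_allowed(levels, [ADMIN_IAM], "ec2:RunInstances"))  # False: SCP Deny beats AdministratorAccess
    print(is_allowed(levels, [ADMIN_IAM], "s3:ListBucket"))     # True
    print(is_allowed(levels, [S3_READ_IAM], "iam:CreateUser"))  # False: SCP allows it, IAM does not
```

Note the last case in `scps_allow`: an OU that carries only a Deny SCP and no allowing SCP such as FullAWSAccess blocks every action for the accounts beneath it.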

Thanks for reading!!!
