DRAFT: AWS organizations for multi-account
AWS Organizations is a great tool for managing multiple AWS accounts at scale, but there are a few dependencies and gotchas for implementing all of the services which may not be self-evident. This is a guide to AWS Organizations and related services.
Definitions
- AWS Organizations - The AWS service which facilitates the creation of account families by linking one or many linked accounts (member, child, payee accounts) under one master account (parent, payer account).
- “Billing only mode” - the default operation of AWS Organizations in which the master account pays to bill for all member accounts and can see billing information but has no other control over linked accounts. Another name for this is consolidated billing.
- “Full access mode” - an operating mode of AWS Organizations which allows the master account certain administrative controls over linked accounts. By default an organization is in billing only mode, and all accounts must opt-in to turn the organization to full access mode.
- OU - Organizational Unit; a group of AWS accounts. OUs can be nested by accounts can only belong to one OU.
- SCP - Service Control Policy; essentially an IAM policy that applies to a whole AWS account including the root user.
Account tenancy
Master account
The services/features in this list must be administered from the organization’s master account. In addition to being the top-level account, the master account has the special designation of being the billing account for all accounts below. It is important for organizations to understand that users in this account with billing visibility can see the billing for all linked accounts. Particularly when an AWS reseller is involved, it becomes imperative to secure the billing information contained in this account. The following is a list of services and features which can only be administered from the master account:
- AWS Organizations
- Any org API or feature including the list of accounts, inviting accounts, and managing OUs and SCPs can only be done from the master account.
- AWS Single Sign-On
- Also typically means that the underlying AWS Directory Service directory lives in the master account, but it is possible to share directories across accounts
- AWS CloudFormation StackSets when using OUs
- A disappointing realization is that even with the administration that AWS Organizations provides, it is still necessary to set up each AWS account which will be used as a part of the StackSets deployment with the execution role.
- StackSets can still be created from non-master accounts if the execution role is set up to allow administration from that account, but must use account Ids and cannot use OUs.
- AWS CloudTrail with organization trails
- Organization trails cannot be removed or disabled by anyone in any member account, but must be administered from the master account. The logs can still be sent to any AWS account like a dedicated log account.
- AWS Config Rules at the org level
- Allows you to deploy a set of Config rules to all accounts in your organization
- You can still use aggregation from any account
- AWS Config Rules Aggregation with OUs
- AWS Config Rules tie in with Organizations to automatically aggregate rules and evaluations from all member accounts or any sunset based on OUs
- Aggregation can be set up from any account, but only the master account can use the inherent Organizations access and OUs
- AWS Service Catalog Organization Portfolios
- Only the master account can share a portfolio with an entire organization
- This feature will not work if you use launch constraint roles
- RAM
- Control Tower
- License Manager Organizations Link
- Quota Requests
- Cost Allocation Tags
- IAM Organization Activity
- Private Marketplace
Management Account
The following services have no direct tie-ins with Organizations and designate their own master management accounts:
- Firewall Manager
- Guard Duty
- Security Hub
- Macie