I would like to allow users in all accounts in my AWS Organization (under a number of different OUs) to access only a few AWS services: RDS, EC2, S3, etc. In other words, I need to prevent access to anything else. I was thinking about using an SCP, but denying access to so many services seems to be a bad idea (the FullAWSAccess service control policy is attached by default). I would like to ask if you have ever done something like that and if you have, how?
I have a question regarding the possibilities as admin of an organization. The plan is to link an external AWS account of a freelancer to our organization.
After some research it turns out that the instances remain invisible to colleagues from the same organization. AWS sees these as 2 personal accounts with personal instances. But we want to keep an eye on our freelancer. AWS Organizations mainly serves to work from the same bank account. But that's all.
Is there a way to see how many instances your organization has? Or to see how much that specific account spends from the common account?
Do you see other ways to keep an eye on the freelancer?
Thank you in advance!
We have multiple OUs in our AWS organisation.
We use the AWS CLI to create new AWS organisation members. For example:
aws organizations create-account --email [email protected] --account-name "testaccount"
Every time a new member account is created, it is added under the root and not in any OU.
We want to add new member account in a particular OU. We can move the new member accounts manually through cli or console to any OU but we want to specify it at the time of account creation itself.
It will be really helpful if someone can point me in the right direction.
Update:
I'm trying to automate moving new member accounts from the root to a particular OU. This is what I've done, running these commands from a ps1 file. I'm not able to pass the $AccId variable into the move command. Any suggestions?
# Take the request id from create-account itself instead of list-create-account-status (which returns every in-progress request, tab-separated),
# then poll until the request leaves IN_PROGRESS: AccountId is empty until the state is SUCCEEDED, which is why $AccId was blank.
$ReqId = aws organizations create-account --email [email protected] --account-name test --query 'CreateAccountStatus.Id' --output text
do { Start-Sleep -Seconds 10; $State = aws organizations describe-create-account-status --create-account-request-id $ReqId --query 'CreateAccountStatus.State' --output text } while ($State -eq 'IN_PROGRESS')
if ($State -ne 'SUCCEEDED') { throw "create-account request $ReqId ended in state $State" }
$AccId = aws organizations describe-create-account-status --create-account-request-id $ReqId --query 'CreateAccountStatus.AccountId' --output text
aws organizations move-account --account-id $AccId --source-parent-id r-0000 --destination-parent-id ou-0000-000000
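The same create, wait, move sequence in Python with boto3, as an added example rather than the poster's script. It assumes the Organizations API calls CreateAccount, DescribeCreateAccountStatus and MoveAccount as exposed by boto3; the root id, OU id, e-mail and account name are placeholders, and the FakeOrganizations class is a constructed stand-in so the file runs offline. The point it demonstrates is the polling: AccountId only appears in the status response once State is SUCCEEDED, and a FAILED state (for example a reused e-mail address) must stop the script rather than feed an empty id into the move.

```python
"""Create a member account and move it into an OU once creation finishes.

Added example, not the poster's ps1 script; it assumes boto3 and the
Organizations API (CreateAccount, DescribeCreateAccountStatus, MoveAccount).
The root id, OU id, e-mail and account name are placeholders.
"""
import time


class AccountCreationFailed(RuntimeError):
    """CreateAccount ended in the FAILED state."""


def wait_for_account(org, request_id, poll_seconds=10, max_polls=90, sleep=time.sleep):
    """Poll DescribeCreateAccountStatus until the request leaves IN_PROGRESS.

    AccountId is only present in the response once State is SUCCEEDED, which
    is why reading it straight after CreateAccount returns nothing.
    """
    for _ in range(max_polls):
        status = org.describe_create_account_status(
            CreateAccountRequestId=request_id)["CreateAccountStatus"]
        state = status["State"]
        if state == "SUCCEEDED":
            return status["AccountId"]
        if state == "FAILED":
            reason = status.get("FailureReason", "unknown")
            raise AccountCreationFailed(f"{request_id}: {reason}")
        sleep(poll_seconds)
    raise TimeoutError(f"{request_id} still IN_PROGRESS after {max_polls} polls")


def create_account_in_ou(org, email, name, root_id, ou_id, **wait_kwargs):
    """CreateAccount, wait for the id, then MoveAccount from the root to ou_id.

    Returns the new account id. The account lands under the root first because
    CreateAccount has no OU parameter; the move is a separate API call.
    """
    request_id = org.create_account(Email=email, AccountName=name)["CreateAccountStatus"]["Id"]
    account_id = wait_for_account(org, request_id, **wait_kwargs)
    org.move_account(AccountId=account_id, SourceParentId=root_id, DestinationParentId=ou_id)
    return account_id


class FakeOrganizations:
    """Constructed stand-in for boto3's Organizations client, for offline runs.

    It replays a scripted sequence of states for the one request it knows about
    and records every MoveAccount call.
    """

    def __init__(self, states, account_id="111111111111"):
        self._states = list(states)
        self._account_id = account_id
        self.moves = []

    def create_account(self, Email, AccountName):
        return {"CreateAccountStatus": {"Id": "car-placeholder", "State": "IN_PROGRESS"}}

    def describe_create_account_status(self, CreateAccountRequestId):
        state = self._states.pop(0)
        status = {"Id": CreateAccountRequestId, "State": state}
        if state == "SUCCEEDED":
            status["AccountId"] = self._account_id
        elif state == "FAILED":
            status["FailureReason"] = "EMAIL_ALREADY_EXISTS"
        return {"CreateAccountStatus": status}

    def move_account(self, AccountId, SourceParentId, DestinationParentId):
        self.moves.append((AccountId, SourceParentId, DestinationParentId))


if __name__ == "__main__":
    # Offline demonstration with the fake client; for a real run replace it with
    # boto3.client("organizations") using management-account credentials.
    org = FakeOrganizations(["IN_PROGRESS", "IN_PROGRESS", "SUCCEEDED"])
    new_id = create_account_in_ou(org, "placeholder@example.com", "test",
                                  "r-0000", "ou-0000-000000", sleep=lambda s: None)
    print(new_id, org.moves)
```

The sleep function is injectable so the polling loop can be exercised without waiting; in a real run leave the default so the script does not hammer the API while account creation (typically a few minutes) completes.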
We have certain AWS labs which we offer to our customers. Every time a user opens the lab, a new member account is created and added to the organisational account.
This only happens the first time when a user logs into the lab. This member account has no resource restrictions and can do anything the user wants.
For example:
- Launching any type and number of EC2 instances.
- Creating as many S3 buckets as possible and uploading files of any size.
- Launching any type of RDS and ElastiCache clusters.
This has been creating a huge problem for us and we want to limit resources depending upon what is required to perform in the labs.
After a lot of research, I came up with this:
Resource restrictions on OU level using SCP:
1. Deny every service by default.
2. Allow only those services which are used in tasks.
3. Allow those services in 1 particular region only (for example us-east-1)
4. Limit what type of instances can be launched (for example t2.micro only)
5. Limit the specific AMIs from which instances can be launched (for example only free AMIs like Ubuntu and Linux AMIs, no Windows AMIs)
6. A policy for limiting S3 bucket sizes is not possible.
Organisation account removal:
1. Can't remove member account if they don't have required information to become standalone account.
2. This information includes:
- AWS Customer Agreement
- choose a support plan
- provide and verify the required contact information
- provide a current payment method
3. This can't be automated, so the idea is to create 2 OUs (organisational units):
- Working accounts
- Disabled accounts
4. 1st OU will have required permissions to perform the lab tasks only (Principle of least privilege)
5. 2nd OU will have no permissions, Deny All for all services and actions.
Managing OUs
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_ous.html
Moving accounts from one OU to another OU: a program can be written to list the accounts under the "Working accounts" OU
https://docs.aws.amazon.com/cli/latest/reference/organizations/list-accounts-for-parent.html
From the output, filter out the "JoinedTimestamp" parameter and perform the move operation on accounts which are older than xx days.
https://docs.aws.amazon.com/cli/latest/reference/organizations/move-account.html
I want to know from experienced AWS architects whether the second part of the "Organisational Unit" is possible.
If yes, can someone help me to figure out how to achieve it as I don't have much programming experience.
Please consider that I'm new to AWS administration.
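Both the first question (allow only RDS, EC2, S3 and the like without listing every other service) and items 1 to 5 of the lab post above come down to one SCP shape: a Deny statement with NotAction, plus further Deny statements with conditions. This added example builds that document in Python; it is not code from either post. It assumes the condition keys aws:RequestedRegion, ec2:InstanceType and ec2:Owner, the 5120-byte SCP size limit, and that the listed global services are the only non-regional ones the lab needs; the service list, region, instance types and AMI owners passed in are placeholders to adjust per lab. FullAWSAccess can stay attached: an SCP Deny wins over it.

```python
"""Build the lab SCP as a Deny-based allow-list.

Added example, not code from the posts. Assumes the SCP condition keys
aws:RequestedRegion, ec2:InstanceType and ec2:Owner and the 5120-byte SCP
size limit. Service list, region, instance types and AMI owners are
placeholders to adjust per lab.
"""
import json

# Services whose APIs are not regional; exempted from the region statement so
# that statement does not block them. Assumed sufficient for the lab's needs.
GLOBAL_SERVICE_ACTIONS = ["iam:*", "sts:*", "organizations:*", "support:*", "budgets:*"]

SCP_MAX_BYTES = 5120  # Organizations rejects larger policy documents


def build_lab_scp(allowed_services, region, instance_types, ami_owners=("amazon",)):
    """Return an SCP that leaves FullAWSAccess attached but denies everything
    outside the allow-list.

    Statement 1 uses NotAction, so the allowed services are listed rather than
    the hundreds to be denied. Later statements narrow EC2 further.
    """
    statements = [
        {
            "Sid": "DenyAllButAllowedServices",
            "Effect": "Deny",
            "NotAction": [f"{svc}:*" for svc in allowed_services],
            "Resource": "*",
        },
        {
            "Sid": "DenyOutsideLabRegion",
            "Effect": "Deny",
            "NotAction": GLOBAL_SERVICE_ACTIONS,
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": [region]}},
        },
        {
            "Sid": "DenyInstanceTypesNotInList",
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {"StringNotEquals": {"ec2:InstanceType": list(instance_types)}},
        },
        {
            # ec2:Owner is evaluated on the image resource of RunInstances.
            # "amazon" covers Amazon-published AMIs, Windows ones included;
            # excluding Windows specifically needs a pinned list of image ids.
            "Sid": "DenyAmisNotFromAllowedOwners",
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*::image/*",
            "Condition": {"StringNotEquals": {"ec2:Owner": list(ami_owners)}},
        },
    ]
    policy = {"Version": "2012-10-17", "Statement": statements}
    size = len(scp_json(policy).encode())
    if size > SCP_MAX_BYTES:
        raise ValueError(f"SCP is {size} bytes; the limit is {SCP_MAX_BYTES}")
    return policy


def deny_all_scp():
    """SCP for the Disabled accounts OU: no service or action at all."""
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": "DenyAll", "Effect": "Deny", "Action": "*", "Resource": "*"}]}


def scp_json(policy):
    """Compact JSON, suitable for `aws organizations create-policy --content`."""
    return json.dumps(policy, separators=(",", ":"))


if __name__ == "__main__":
    print(scp_json(build_lab_scp(["ec2", "s3", "rds"], "us-east-1", ["t2.micro"])))
    print(scp_json(deny_all_scp()))
```

The size check matters for the lab case: once the allowed-service list and per-service conditions grow, a single SCP overruns the limit and has to be split across several policies attached to the same OU. Item 6 of the post (bucket size) stays out of reach here because no S3 condition key exposes cumulative storage; that is a budget or metrics problem, not a policy one.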
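For the second part of the post, the age-based move from the "Working accounts" OU to the "Disabled accounts" OU, here is an added example in Python with boto3; it is not code from the post. It assumes boto3's Organizations client (the list_accounts_for_parent paginator and move_account) and that JoinedTimestamp arrives as the timezone-aware datetime boto3 returns; the OU ids and the sample accounts are constructed placeholders. The selection logic is kept separate from the API calls so it can be checked against known dates, and the move runs as a dry run unless told otherwise.

```python
"""Move lab accounts older than N days from the Working OU to the Disabled OU.

Added example, not code from the post. Assumes boto3's Organizations client
(list_accounts_for_parent paginator, move_account) and timezone-aware
JoinedTimestamp values. OU ids and sample accounts are constructed placeholders.
"""
from datetime import datetime, timedelta, timezone


def stale_account_ids(accounts, max_age_days, now=None):
    """Ids of ACTIVE accounts whose JoinedTimestamp is older than max_age_days.

    Accounts already SUSPENDED or PENDING_CLOSURE are skipped; an account
    exactly max_age_days old is not yet stale.
    """
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=max_age_days)
    return [a["Id"] for a in accounts
            if a.get("Status") == "ACTIVE" and a["JoinedTimestamp"] < cutoff]


def list_accounts_in_ou(org, ou_id):
    """All accounts directly under ou_id, following pagination."""
    paginator = org.get_paginator("list_accounts_for_parent")
    accounts = []
    for page in paginator.paginate(ParentId=ou_id):
        accounts.extend(page["Accounts"])
    return accounts


def disable_stale_accounts(org, working_ou, disabled_ou, max_age_days, now=None, dry_run=True):
    """Select stale accounts and, unless dry_run, move each one to disabled_ou.

    Returns the ids selected so a scheduled run can log what it would touch.
    """
    ids = stale_account_ids(list_accounts_in_ou(org, working_ou), max_age_days, now)
    if not dry_run:
        for account_id in ids:
            org.move_account(AccountId=account_id, SourceParentId=working_ou,
                             DestinationParentId=disabled_ou)
    return ids


# Constructed sample data standing in for a ListAccountsForParent response.
SAMPLE_NOW = datetime(2019, 6, 1, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    {"Id": "111111111111", "Status": "ACTIVE", "JoinedTimestamp": SAMPLE_NOW - timedelta(days=45)},
    {"Id": "222222222222", "Status": "ACTIVE", "JoinedTimestamp": SAMPLE_NOW - timedelta(days=3)},
    {"Id": "333333333333", "Status": "SUSPENDED", "JoinedTimestamp": SAMPLE_NOW - timedelta(days=90)},
]


if __name__ == "__main__":
    # Offline check of the selection; a real run would pass
    # boto3.client("organizations") and the two OU ids to disable_stale_accounts.
    print(stale_account_ids(SAMPLE_ACCOUNTS, 30, SAMPLE_NOW))
```

Moving an account between OUs is immediate and the Disabled OU's deny-all SCP applies at once, so keep the dry run as the default in whatever schedules this and review the returned ids before flipping it. Note that JoinedTimestamp is when the account joined the organisation, not when a particular user last opened a lab, which matches the post's intent of ageing out lab accounts rather than tracking activity.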
I have full access to my organisation's AWS account. One of our websites (developed in Drupal) is built by a vendor who hosts it in their AWS account (dev/prod env.). They have a master account and separate accounts for each client.
My organisation wants to migrate the entire infrastructure in-house into our own AWS environment, which does seem to be a great idea. Meanwhile, I've found AWS Organisations and I know I can invite the vendor to join our organisation and then we can restrict their access (only development access) and manage the website and respective infrastructure ourselves. But this means we will have control of their root account, which won't happen as they have other client accounts as well.
In this scenario, please suggest the best way to get full access and control to only our account?