by Fritz Kunstler, Sr. Security Consultant, AWS AWS Organizations offers policy-based management for multiple AWS Accounts. Learn how Organizations helps you more easily manage policies for groups of accounts and automate account creation.

1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Pop-up Loft
Introduction to AWS Organizations
Fritz Kunstler
Senior AWS Security Consultant

2. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Agenda
• AWS Organizations background
• Key concepts
• Immutable infrastructure using AWS Organizations
• Best practices

3. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Prod
In the beginning…
Dev-Test Sandbox• A developer creates an AWS account
• A network engineer helps create more
VPCs and establishes VPN access
• Controls are implemented via roles,
policies, tagging, security groups, etc.

4. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Today
Jump
account
Your cloud team
Dev account
Prod account
Data science
account
Security account
Cross-
account
trusts
Cross-account
resource access
You

5. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Introducing AWS Organizations
• Policy-based management for multiple AWS accounts
• Control AWS
service use across
accounts
• Consolidate
billing and usage
reporting
• Automate
account
creation

6. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
How does Organizations complement AWS IAM?
• Create AWS accounts
• Create organizational units (OUs)
• Attach SCPs to OUs
• Create users, roles, and policies in an account
• Manage assignment of users to roles in an account
• Create cross-account trusts (delegation and federation)
• Manage cross-account access

7. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
A1 A2 A4
M
Master Account / Administrative root
Organizational Unit (OU)
AWS Account
Service
Control
Policy (SCP)
AWS Resources
A3
Dev Test Prod
AWS Organizations - key concepts

8. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
What is a Service Control Policy (SCP)?
• Service Control Policies (SCPs)
allow you to control which AWS
service actions are accessible to
account principals – including root
• Authorization is the intersection of
what is allowed explicitly in the
SCP and what is allowed explicitly
in the IAM permissions attached to
the principal.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"ec2:AttachInternetGateway",
"ec2:CreateInternetGateway"
],
"Resource": [
"*"
]
}
]
}

9. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
A3A1 A2 A4
A
Dev Test Prod
Service Control Policies - inheritance

10. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Immutable infrastructure: AWS Organizations
How can I freeze long lived resources (e.g. VPCs)?

11. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Create account hierarchy and apply policies
A6
Development Test Production
A8A1
A5
A4A3
A2
A9
A7
Root
Service Control Policies (SCPs) use the same policy language,
but only specify Actions

12. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
SCPs are necessary but not sufficient
Allow: EC2:*Allow: S3:* Allow: SQS:*
Allow: EC2:*Allow: EC2:*
SCP IAM
permissions

13. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Immutable Infrastructure: Use cases
• Delegated administration:
– Situation: Central team responsible for basic account setup and security baseline,
downstream teams responsible for all other account management.
– Challenge: Need to ensure that security baseline can’t be modified by anyone other
than the central team.

14. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Immutable Infrastructure: Solution
A6
Setup Test Production
A8
A1
A5
A4
A3A2
A7
Root
Step 1: Create “Setup” OU and “ImmutableInfra” SCP

15. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Immutable Infrastructure: Example SCP
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
},
{
"Effect": "Deny",
"Action": [
"ec2:AttachInternetGateway",
"ec2:CreateInternetGateway“,
“ec2:DeleteSubnet”,
<snip>
],
"Resource": "*"
}
]
}
Include mutating actions for
all resource types you wish to
be immutable.

16. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Immutable Infrastructure: Solution
A6
Setup Test Production
A8
A1
A5
A4
A3A2
A9 A7
Root
Step 2: Provision new account, place in Setup OU

17. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Immutable Infrastructure: Solution
Step 3: Build desired long lived infrastructure
Central Team

18. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Immutable Infrastructure: Solution
A6
Setup Test Production
A8
A1
A5
A4
A3A2
A9 A7
Root
Step 4: Move new account to proper OU (SCP now applies)

19. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Immutable Infrastructure: Solution
Result: Infrastructure usable, but immutable
Central Team
X
Downstream Team
X
Root User
X

20. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Best practices – AWS Organizations
1. Monitor activity in the master account using AWS CloudTrail.
2. Do not manage resources in the master account.
3. Manage your organization using the principle of “least privilege.”
4. Use OUs to assign controls.
5. Test controls on a single AWS account first.
6. Only assign controls to the root of an organization if necessary.
7. Define and apply criteria for when a new account is necessary.
8. Reset root password and enable MFA as usual

21. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Pop-up Loft
aws.amazon.com/activate
Everything and Anything Startups
Need to Get Started on AWS