AWS Organizations sandbox

Multi-account architectures

New account - does not inherit all required properties from the org. Make sure these details are updated before the account leaves the org:

Payment method, tax information, contact info, root password, etc.

Consolidated billing

Cost-allocation tags cannot be activated from a member account; this is only possible from the payer account, which is the management account of the organization. AWS Support cannot do this on your behalf.

Savings Plans and reservation (discount) sharing cannot be turned off from a member account; it can only be restricted to a particular account from the org management/payer account.

What is the compliance report? What is it used for? It runs every 48 hrs.

Private Marketplace?

Enable All Features or Consolidated Billing Only

  • All Features is the default when creating a new Organization
  • Invited accounts must accept the request to enable All Features before it can be enabled. Not applicable for accounts created via the Organization
  • You cannot revert to Consolidated Billing Only mode after switching to All Features
  • SCPs require All Features to be enabled
  • SSO requires All Features to be enabled

Tag Policy

Standardize on tags

Doesn’t do anything if a resource is missing a tag key 🤷‍♂️, so it is best used in combination with an SCP

To find all resources without any tag, consider using Resource Manager. This is not possible to get from the organization compliance report. Example:

aws resource-explorer-2 search --query-string "tag:none"

The Resource Manager report can be run every 36 hours but only supports 1000 resources max.

Service Control Policy

How does Inheritance work for SCP?

It behaves differently depending on whether the policy uses Allow or Deny statements.

Deny policy - a Deny statement in any SCP along the path from the org root through the OUs down to the account results in the action being denied.

scp-deny

Allow policy - EVERY level from the root of the org down to the account must have an SCP with an Allow statement covering the action for it to be allowed in the account. Because of this, you will find the FullAWSAccess SCP attached at the root of an Org by default.

scp-allow
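As an added example (not from these notes), a small Python model of the two inheritance rules above: every level from the root down to the account must Allow the action, and no level may Deny it. It assumes a constructed three-level org (root, one OU, the account) and ignores Condition elements and Resource matching.

```python
from fnmatch import fnmatchcase

FULL_AWS_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _covers(stmt, action):
    """True if the statement's Action/NotAction covers `action`.
    IAM action names are case-insensitive and may use '*' wildcards."""
    act = action.lower()
    if "Action" in stmt:
        return any(fnmatchcase(act, p.lower()) for p in _as_list(stmt["Action"]))
    # NotAction: covers everything except the listed actions (Deny-only in SCPs)
    return not any(fnmatchcase(act, p.lower()) for p in _as_list(stmt["NotAction"]))

def level_allows(scps, action):
    """One OU/account level permits the action only if some attached SCP has a
    matching Allow statement and no attached SCP has a matching Deny statement."""
    allowed = denied = False
    for scp in scps:
        for stmt in scp["Statement"]:
            if _covers(stmt, action):
                if stmt["Effect"] == "Deny":
                    denied = True
                else:
                    allowed = True
    return allowed and not denied

def effective(path, action):
    """path: list of SCP lists ordered root -> OU(s) -> account.
    The action is permitted only if EVERY level along the path allows it."""
    return all(level_allows(level, action) for level in path)

# Constructed sample org (assumption, not a real one): root -> one OU -> the account.
DENY_PUBLIC_IP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": ["ec2:AssociateAddress"], "Resource": "*"}]}
ONLY_EC2 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}
PATH = [[FULL_AWS_ACCESS],           # root: default FullAWSAccess
        [ONLY_EC2, DENY_PUBLIC_IP],  # OU: allow-list replaces FullAWSAccess, plus a deny
        [FULL_AWS_ACCESS]]           # account: default FullAWSAccess

if __name__ == "__main__":
    for act in ("ec2:RunInstances", "ec2:AssociateAddress", "s3:GetObject"):
        print(f"{act:22} -> {'allowed' if effective(PATH, act) else 'DENIED'}")
```

s3:GetObject ends up denied even though the root and the account both allow it, because the OU's allow-list never grants it; that is the "all levels must allow" rule in action.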

Deny public IP

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances"
      ],
      "Condition": {
        "Bool": {
          "ec2:AssociatePublicIpAddress": "true"
        }
      },
      "Resource": "arn:aws:ec2:*:*:network-interface/*"
    },
    {
      "Action": [
        "ec2:AssociateAddress"
      ],
      "Resource": "*",
      "Effect": "Deny"
    }
  ]
}

Should you use Bool or BoolIfExists?

SCPs do not support Principal, NotPrincipal, NotResource

SCPs support NotAction, but only with Effect: Deny

https://stackoverflow.com/questions/70027448/aws-organization-scp-policy-to-deny-any-ec2-instances-in-any-vpcs-with-public-ip

Control Tower

Account Factory

Delegated Admin