Security, Identity & Compliance | AWS Organizations

Question 1

What is AWS Organizations?

General

AWS Organizations | Security, Identity & Compliance

Answer 1

AWS Organizations offers policy-based management for multiple AWS accounts. With Organizations, you can create groups of accounts and then apply policies to those groups. Organizations enables you to centrally manage policies across multiple accounts, without requiring custom scripts and manual processes.

Question 2

Which administrative actions does AWS Organizations enable?

General

AWS Organizations | Security, Identity & Compliance

Answer 2

AWS Organizations enables the following administrative actions:

Create an AWS account and add it to your organization, or add an existing AWS account to your organization.

Organize your AWS accounts into groups called organizational units (OUs).

Organize your OUs into a hierarchy that reflects your company’s structure.

Centrally manage and attach policies to the entire organization, OUs, or individual AWS accounts.

Question 3

Which controls does AWS Organizations enable in this release?

General

AWS Organizations | Security, Identity & Compliance

Answer 3

In this release, you can define and enforce the AWS service actions, such as Amazon EC2 RunInstances, that are available for use in different AWS accounts within an organization.

Question 4

Do I need to migrate from my Consolidated Billing family to AWS Organizations?

General

AWS Organizations | Security, Identity & Compliance

Answer 4

No, AWS has migrated Consolidated Billing families to AWS Organizations automatically, with only consolidated billing features enabled.

Question 5

How do I get started?

Core Concepts

AWS Organizations | Security, Identity & Compliance

Answer 5

To get started, you must first decide which of your AWS accounts will become the master account. If you have a Consolidated Billing family, we already converted your Consolidated Billing payer AWS account to be the master account. If you do not have a Consolidated Billing family, you can either create a new AWS account or select an existing one.

Steps for customers using Consolidated Billing

Navigate to the Consolidated Billing console. AWS redirects you to the new AWS Organizations console.

AWS converted your Consolidated Billing family automatically, so you can start taking advantage of the new organizational capabilities.

Steps for customers not using Consolidate Billing

You need to create a new organization by following these simple steps:

Sign in as an administrator to the AWS Management Console using the AWS account you want to use to manage your organization.

Go to the AWS Organizations console.

Choose Create Organization.

Select what features you want to enable for your organization. Either consolidated billing only features or all features

Add AWS accounts to your organization by using one of the following two methods:

Invite existing AWS accounts to join your organization by using their AWS account ID or associated email address.

Create new AWS accounts.

Model your organizational hierarchy by grouping your AWS accounts in OUs.

If you choose to enable all features for your organization, then you can author and assign controls to these OUs.

You can also use the AWS CLI (for command-line access) or SDKs (for programmatic access) to perform the same steps to create a new organization.

Note: You can initiate the creation of a new organization only from an AWS account that is not already a member of another organization.

For more information, see Getting started with AWS Organizations.

Question 6

What is an organization?

Core Concepts

AWS Organizations | Security, Identity & Compliance

Answer 6

An organization is a collection of AWS accounts that you can organize into a hierarchy and manage centrally.

Question 7

What is an AWS account?

Core Concepts

AWS Organizations | Security, Identity & Compliance

Answer 7

An AWS account is a container for your AWS resources. You create and manage your AWS resources in an AWS account, and the AWS account provides administrative capabilities for access and billing.

Question 8

What is a master account?

Core Concepts

AWS Organizations | Security, Identity & Compliance

Answer 8

A master account is the AWS account you use to create your organization. From the master account, you can create other accounts in your organization, invite and manage invitations for other accounts to join your organization, and remove accounts from your organization. You can also attach policies to entities such as administrative roots, organizational units (OUs), or accounts within your organization. The master account has the role of a payer account and is responsible for paying all charges accrued by the accounts in its organization. You cannot change which account in your organization is the master account.

Question 9

What is a member account?

Core Concepts

AWS Organizations | Security, Identity & Compliance

Answer 9

A member account is an AWS account, other than the master account, that is part of an organization. If you are an administrator of an organization, you can create member accounts in the organization and invite existing accounts to join the organization. You also can apply policies to member accounts. A member account can belong to only one organization at a time.

Question 10

What is an administrative root?

Core Concepts

AWS Organizations | Security, Identity & Compliance

Answer 10

An administrative root is the starting point for organizing your AWS accounts. The administrative root is the top-most container in your organization’s hierarchy. Under this root, you can create OUs to logically group your accounts and organize these OUs into a hierarchy that best matches your business needs.

Question 11

What is an organizational unit (OU)?

Core Concepts

AWS Organizations | Security, Identity & Compliance

Answer 11

An organizational unit (OU) is a group of AWS accounts within an organization. An OU can also contain other OUs enabling you to create a hierarchy. For example, you can group all accounts that belong to the same department into a departmental OU. Similarly, you can group all accounts running production services into a production OU. OUs are useful when you need to apply the same controls to a subset of accounts in your organization. Nesting OUs enables smaller units of management. For example, in a departmental OU, you can group accounts that belong to individual teams in team-level OUs. These OUs inherit the policies from the parent OU in addition to any controls assigned directly to the team-level OU.

Question 12

What is a policy?

Organizing AWS accounts

AWS Organizations | Security, Identity & Compliance

Answer 12

A policy is a “document” with one or more statements that define the controls that you want to apply to a group of AWS accounts. In this release, AWS Organizations supports a specific type of policy called a Service Control Policy (SCP). An SCP defines the AWS service actions, such as Amazon EC2 RunInstances, that are available for use in different accounts within an organization.

Question 13

Can I define and manage my organization regionally?

Organizing AWS accounts

AWS Organizations | Security, Identity & Compliance

Answer 13

No. All organization entities are globally accessible, similar to how AWS Identity and Access Management (IAM) works today. You do not need to specify a region when you create and manage your organization. Users in your AWS accounts can use AWS services in any geographic region in which that service is available.

Question 14

Can I change which AWS account is the master account?

Organizing AWS accounts

AWS Organizations | Security, Identity & Compliance

Answer 14

No. You cannot change which AWS account is the master account. Therefore, you should select your master account carefully.

Question 15

How do I add an AWS account to my organization?

Organizing AWS accounts

AWS Organizations | Security, Identity & Compliance

Answer 15

Use one of the following two methods to add an AWS account to your organization:

Method 1: Invite an existing account to join your organization

Sign in as an administrator of the master account and navigate to the AWS Organizations console.

Choose the Accounts tab.

Choose Add account and then choose Invite account.

Provide the email address of the account that you want to invite or the AWS account ID of the account.

Note: You can invite more than one AWS account by providing a comma-separated list of email addresses or AWS account IDs.

The specified AWS account receives an email inviting it to join your organization. An administrator in the invited AWS account must accept or reject the request using the AWS Organizations console, AWS CLI, or Organizations API. If the administrator accepts your invitation, the account becomes visible in the list of member accounts in your organization. Any applicable policies, such as SCPs, will be enforced automatically in the newly added account. For example, if your organization has an SCP attached to the root of your organization it will directly be enforced on the newly created accounts.

Method 2: Create an AWS account in your organization

Sign in as an administrator of your master account and navigate to the AWS Organizations console.

Choose the Accounts tab.

Choose Add account and then choose Create account.

Provide a name for the account and the email address for the account.

You can also create an account by using the AWS SDK or AWS CLI. For both methods, after you add the new account, you can move it to an organizational unit (OU). The new account automatically inherits the policies attached to the OU.

Question 16

Can an AWS account be a member of more than one organization?

Organizing AWS accounts

AWS Organizations | Security, Identity & Compliance

Answer 16

No. An AWS account can be a member of only one organization at a time.

Question 17

How can I access an AWS account that was created in my organization?

Organizing AWS accounts

AWS Organizations | Security, Identity & Compliance

Answer 17

As part of AWS account creation, AWS Organizations creates an IAM role with full administrative permissions in the new account. IAM users and IAM roles with appropriate permissions in the master account can assume this IAM role to gain access to the newly created account.

Question 18

Can I set up multi-factor authentication (MFA) on the AWS account that I create in my organization programmatically?

Organizing AWS accounts

AWS Organizations | Security, Identity & Compliance

Answer 18

No. This currently is not supported.

Question 19

Can I move an AWS account that I have created using AWS Organizations to another organization?

Organizing AWS accounts

AWS Organizations | Security, Identity & Compliance

Answer 19

Yes. However, you must first remove the account from your organization and make it a standalone account (see below). After making the account standalone, it can then be invited to join another organization.

Question 20

Can I remove an AWS account that I created using Organizations and make it a standalone account?

Organizing AWS accounts

AWS Organizations | Security, Identity & Compliance

Answer 20

Yes. When you create an account in an organization using the AWS Organizations console, API, or CLI commands, AWS does not collect all of the information required of standalone accounts. For each account that you want to make standalone, you need to update this information, which can include: providing contact information, agreeing to the AWS Customer Agreement, providing a valid payment method, and choosing a support plan option. AWS uses the payment method to charge for any billable (not AWS Free Tier) AWS activity that occurs while the account is not attached to an organization. For more information, see Removing a Member Account from Your Organization.

Question 21

How many AWS accounts can I manage in my organization?

Organizing AWS accounts

AWS Organizations | Security, Identity & Compliance

Answer 21

This can vary. If you need additional accounts, go to the AWS Support Center and open a support case to request an increase.

Question 22

How can I remove an AWS member account from an organization?

Organizing AWS accounts

AWS Organizations | Security, Identity & Compliance

Answer 22

You can remove a member account by using one of the following two methods. You might have to provide additional information to remove an account that you created using Organizations. If the attempt to remove an account fails, go to the AWS Support Center and ask for help with removing an account.

Method 1: Remove an invited member account by signing in to the master account

Sign in as an administrator of the master account and navigate to the AWS Organizations console.

In the left pane, choose Accounts.

Choose the account that you want to remove and then choose Remove account.

If the account does not have a valid payment method, you must provide one.

Method 2: Remove an invited member account by signing in to the member account

Sign in as an administrator of the member account that you want to remove from the organization.

Navigate to the AWS Organizations console.

Choose Leave organization.

If the account does not have a payment method, you must provide one.

Question 23

How can I create an organizational unit (OU)?

Organizing AWS accounts

AWS Organizations | Security, Identity & Compliance

Answer 23

To create an OU, follow these steps:

Sign in as an administrator of the master account and navigate to the AWS Organizations console.

Choose the Organize accounts tab.

Navigate in the hierarchy to where you want to create the OU. You can create it directly under the root, or you can create it within another OU.

Choose to Create organizational unit and provide a name for your OU. The name must be unique within your organization.

Note: You can rename the OU later.

You now can add AWS accounts to your OU. You can also use the AWS CLI and AWS APIs to create and manage an OU.

Question 24

How can I add a member AWS account to an OU?

Organizing AWS accounts

AWS Organizations | Security, Identity & Compliance

Answer 24

Follow these steps to add member accounts to an OU:

In the AWS Organizations console, choose the Organize accounts tab.

Choose the AWS account, and then choose Move account.

In the dialog box, select the OU to which you want to move the AWS account.

Alternatively, you can use the AWS CLI and AWS APIs to add AWS accounts to an OU.

Question 25

Can an AWS account be a member of multiple OUs?

Organizing AWS accounts

AWS Organizations | Security, Identity & Compliance

Answer 25

No. An AWS account can be a member of only one OU at a time.

Question 26

Can an OU be a member of multiple OUs?

Organizing AWS accounts

AWS Organizations | Security, Identity & Compliance

Answer 26

No. An OU can be a member of only one OU at a time.

Question 27

How many levels can I have in my OU hierarchy?

Permissions

AWS Organizations | Security, Identity & Compliance

Answer 27

You can nest your OUs five levels deep. Including root and AWS accounts created in the lowest OUs, your hierarchy can be five levels deep.

Question 28

How can I control who can manage my organization?

Permissions

AWS Organizations | Security, Identity & Compliance

Answer 28

You control who can manage your organization and its resources in the same way that you manage access to your other AWS resources: you attach IAM policies to IAM users, groups, or roles in the master account. With IAM policies, you can control the following:

Creating an organization, organization unit (OU), or AWS account.

Adding, moving, and removing AWS accounts to and from your organization and OUs.

Creating policies and attaching them to the root of your organization, OUs, and individual accounts.

Question 29

Why is there an IAM role defined in every account that I create using AWS Organizations?

Permissions

AWS Organizations | Security, Identity & Compliance

Answer 29

This role enables users in the master account to access a new member account. A new member account initially doesn’t have any users or passwords and can be accessed only by using this role. After you use the role to access the member account and create at least one IAM user with administrator permissions in it, you can safely delete the role if you want. For more information about IAM roles and users, see Accessing a Member Account That Has a Master Account Access Role.

Question 30

Can I grant permission to manage my organization to IAM users in any AWS member account in my organization?

Permissions

AWS Organizations | Security, Identity & Compliance

Answer 30

Yes. If you want to grant IAM users in a member account permission to manage your entire organization or parts of your organization, you can use IAM roles. You create a role with the appropriate permissions in the master account and allow users or roles in the member account to assume the new role. This is the same cross-account method that you use to grant an IAM user in one account access to a resource (for example, an Amazon DynamoDB table) in another account.

Question 31

Can an IAM user in a member account sign in to my organization?

Permissions

AWS Organizations | Security, Identity & Compliance

Answer 31

No. IAM users can sign in only to their associated member account in your organization.

Question 32

Can an IAM user sign in to an OU in my organization?

Permissions

AWS Organizations | Security, Identity & Compliance

Answer 32

No. IAM users can sign in only to their associated AWS account in your organization.

Question 33

Can I control who in my AWS account can accept an invitation to join an organization?

Control management

AWS Organizations | Security, Identity & Compliance

Answer 33

Yes. Using IAM permissions, you can grant or deny users in your account the ability to accept or decline invitations to join an organization. The following policy grants access to view and manage invitations in an AWS account:

{

“Version”:”2012-10-17”,

“Statement”:[

{

“Effect”:”Allow”,

“Action”:[

“organizations:AcceptHandshake”,

“organizations:DeclineHandshake”,

“organizations:DescribeHandshake”,

“organizations:ListHandshakesForAccount”

],

“Resource”:” *”

}

]

}

For more information, see Using Identity-Based Policies (IAM Policies) for AWS Organizations.

Question 34

At what levels of my organization can I apply a policy?

Control management

AWS Organizations | Security, Identity & Compliance

Answer 34

You can attach a policy to the root of your organization (applies to all accounts in your organization), to individual organizational units (OUs), which applies to all accounts in the OU including nested OUs, or to individual accounts.

Question 35

How can I attach a policy?

Control management

AWS Organizations | Security, Identity & Compliance

Answer 35

You can attach a policy in one of two ways:

In the AWS Organizations console, navigate to where you want to assign the policy (the root, an OU, or an account), and then choose Attach Policy.

In the Organizations console, choose the Policies tab and do one of the following:

Choose an existing policy, choose Attach Policy from the Actions drop-down list, and then choose the root, OU, or account to which you want to attach the policy.

Choose Create Policy, and then as part of the policy creation workflow, choose the root, OU, or account to which you want to attach the new policy.

For more information, see Managing Policies.

Question 36

Are policies inherited through hierarchical connections in my organization?

Control management

AWS Organizations | Security, Identity & Compliance

Answer 36

Yes. For example, let’s assume that you have arranged your AWS accounts into OUs according to your application development stages: DEV, TEST, and PROD. Policy P1 is attached to the organization’s root, policy P2 is attached to the DEV OU, and policy P3 is attached to AWS account A1 in the DEV OU. With this setup, P1+P2+P3 all apply to account A1.

For more information, see About Service Control Policies.

Question 37

What types of policies does AWS Organizations support?

Control management

AWS Organizations | Security, Identity & Compliance

Answer 37

Currently, AWS Organizations supports Service Control Policies (SCPs). You can use SCPs to define and enforce the actions that IAM users, groups, and roles can perform in the accounts to which the SCP is applied.

Question 38

What is a Service Control Policy (SCP)?

Control management

AWS Organizations | Security, Identity & Compliance

Answer 38

Service Control Policies (SCPs) allow you to control which AWS service actions are accessible to principals (account root, IAM users, and IAM roles) in the accounts of your organization. An SCP is required but is not the only control that determines which principals in an account can access resources to grant principals in an account access to resources. The effective permission on a principal in an account that has an SCP attached is the intersection of what is allowed explicitly in the SCP and what is allowed explicitly in the permissions attached to the principal. For example, if an SCP applied to an account states that the only actions allowed are Amazon EC2 actions, and the permissions on a principal in the same AWS account allow both EC2 actions and Amazon S3 actions, the principal is able to access only the EC2 actions.

Principals in a member account (including the root user for the member account) cannot remove or change SCPs that are applied to that account.

Question 39

What does an SCP look like?

Control management

AWS Organizations | Security, Identity & Compliance

Answer 39

SCPs follow the same rules and grammar as IAM policies, except you can not specify conditions and the resource section must be equal to “*”. You can use an SCP to deny or allow access to AWS service actions.

Whitelist example

The following SCP grants access to all EC2 and S3 service actions in the AWS account. All principals (account root, IAM user, and IAM role) in an account with this SCP applied will not be able to access any other actions, no matter which IAM policies are directly assigned to them. Those IAM policies must explicitly grant EC2 or S3 service actions for the principals to access them.

{

“Version”:”2012-10-17”,

“Statement”:[

{

“Effect”:”Allow”,

“Action”:[“EC2:*”,”S3:*”],

“Resource”:”*”

}

]

}

Blacklist example

The following SCP allows access to all AWS service actions except the S3 action, PutObject. All principals (account root, IAM user, and IAM role) with appropriate permissions assigned directly to them in an account with this SCP applied can access any action except the S3 PutObject action.

{

“Version”:”2012-10-17”,

“Statement”:[

{

“Effect”:”Allow”,

“Action”: “*:*”,

“Resource”:”*”

},

{

“Effect”:”Deny”,

“Action”:”S3:PutObject”,

“Resource”:”*”

}

]

}

For more examples, see Strategies for Using SCPs.

Question 40

If I attach an empty SCP to an AWS account, does that mean that I allow all AWS service actions in that AWS account?

Control management

AWS Organizations | Security, Identity & Compliance

Answer 40

No. SCPs behave the same way as IAM policies: an empty IAM policy is equivalent to a default DENY. Attaching an empty SCP to an account is equivalent to attaching a policy that explicitly denies all actions.

Question 41

Can I specify resources and principals in an SCP?

Control management

AWS Organizations | Security, Identity & Compliance

Answer 41

No. In the current release, you can specify only AWS services and actions in an SCP. You can specify resources and principals by using IAM permission policies within the AWS account. For more details, see Service Control Policy Syntax.

Question 42

What are the effective permissions if I apply an SCP to my organization and my principals also have IAM policies?

Control management

AWS Organizations | Security, Identity & Compliance

Answer 42

The effective permissions granted to a principal (account root, IAM user, and IAM role) in an AWS account with an SCP applied are the intersection between those allowed by the SCP and the permissions granted to the principal by IAM permission policies. For example, if an IAM user has “Allow”: “ec2:* “ and “Allow”: “sqs:* “, and the SCP attached to the account has “Allow”: “ec2:* “ and “Allow”: “s3:* “, the resultant permission for the IAM user is “Allow”: “ec2:* “ The principal cannot perform any Amazon SQS (not allowed by the SCP) or S3 actions (not granted by the IAM policy).

Question 43

Can I simulate the effect of an SCP on an AWS account?

Control management

AWS Organizations | Security, Identity & Compliance

Answer 43

Yes, the IAM policy simulator can include the effects of SCPs. You can use the policy simulator in a member account in your organization to understand the effect on individual principals in that account. An administrator in a member account with the appropriate AWS Organizations permissions can see if an SCP is affecting the access for the principals (account root, IAM user, and IAM role) in your member account.

For more information, see Service Control Policies.

Question 44

Can I create and manage an organization without enforcing an SCP?

Billing

AWS Organizations | Security, Identity & Compliance

Answer 44

Yes. You decide which policies that you want to enforce. For example, you could create an organization that takes advantage only of the consolidated billing functionality. This allows you to have a single-payer account for all accounts in your organization and automatically receive default tiered-pricing benefits.

Question 45

What does AWS Organizations cost?

Billing

AWS Organizations | Security, Identity & Compliance

Answer 45

AWS Organizations is offered at no additional charge.

Question 46

Who pays for usage incurred by users under an AWS member account in my organization?

Billing

AWS Organizations | Security, Identity & Compliance

Answer 46

The owner of the master account is responsible for paying for all usage, data, and resources used by the accounts in the organization.

Question 47

How does AWS Organizations compare with Consolidated Billing?

Billing

AWS Organizations | Security, Identity & Compliance

Answer 47

The features of Consolidated Billing are now part of AWS Organizations. Organizations enables you to consolidate payment for multiple AWS accounts within your company by designating a single-payer account. For more information, see Consolidated Billing and AWS Organizations.