Description:

AWS Organizations is an account management service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage. AWS Organizations includes account management and consolidated billing capabilities that enable you to better meet the budgetary, security, and compliance needs of your business. As an administrator of an organization, you can create accounts in your organization and invite existing accounts to join the organization.


Rationale:

An organization is an entity that you create to consolidate your AWS accounts so that you can administer them as a single unit. You can use the AWS Organizations console to centrally view and manage all of the accounts within your organization. An organization has one management account along with zero or more member accounts. You can arrange the accounts in a hierarchical, tree-like structure with a root at the top and organizational units (OUs) nested under the root. Each account sits either directly under the root or in one of the OUs in the hierarchy.


Impact:

AWS Organizations helps you centrally manage and govern your environment as you grow and scale your AWS resources. Using AWS Organizations, you can programmatically create new AWS accounts and allocate resources, group accounts to organize your workflows, apply policies to accounts or groups for governance, and simplify billing by using a single payment method for all of your accounts.


Default Value:

By default, no account is part of AWS Organizations.


Audit:

  • Sign in to the AWS Management Console.

  • Go to AWS Organizations home page at https://console.aws.amazon.com/organizations

  • If the page shows that this account is part of an organization (naming that organization), the account is a member of AWS Organizations.

    If no such organization details are shown, the account is not part of an organization; follow the implementation steps below.


Remediation:

Pre-Requisite:

  • Create the organization in the account that you want to use as the management account (the account from which you will control the other accounts).


Implementation Steps

  1. Sign in to the AWS Management Console.

  2. Go to the AWS Organizations home page at https://console.aws.amazon.com/organizations

  3. Click on Create an organization

    This creates an organization and automatically adds the current account to it as the management account.

  4. To invite an existing AWS account to join your organization, click on AWS Accounts and select Add an AWS account from the dashboard top menu.

  5. Select Invite an existing AWS account (you can also create a new account from Organizations by selecting Create an AWS account).

    Note: You must verify the management account's email address before you can invite AWS accounts to join your organization.

  6. Enter the email address or account ID of the AWS account you want to invite.

    Note: You can invite multiple accounts at a time by clicking Add another.

    Optional: You can include a message of your own in the invitation email.



  7. Click on Send invitation


An invitation will be sent to the AWS account you specified (i.e., the account you want to add).

  • Sign in to the account that you want to add

  • Go to the AWS Organizations at https://console.aws.amazon.com/organizations

  • Click on Invitations in the left navigation pane

  • The invitation sent from the management account will be listed; click Accept invitation.
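The same audit and invitation flow can be scripted with boto3, which is useful when checking many accounts. This is an added example, not part of the benchmark text: the account IDs, organization ID and email address are constructed placeholders, and the live functions assume valid credentials for the account being audited (or, for the invitation, for the management account).

```python
from __future__ import annotations
from dataclasses import dataclass
# Constructed sample shaped like organizations.describe_organization(); IDs are placeholders.
SAMPLE_DESCRIBE_ORGANIZATION = {"Organization": {"Id": "o-exampleorgid", "MasterAccountId": "111111111111",
                                                 "MasterAccountEmail": "admin@example.com", "FeatureSet": "ALL"}}

@dataclass
class MembershipStatus:
    in_organization: bool
    organization_id: str | None = None
    management_account_id: str | None = None
    is_management_account: bool = False

def interpret_organization(response: dict, caller_account_id: str) -> MembershipStatus:
    """Audit: map a describe_organization response to the status the console page shows."""
    org = response["Organization"]
    return MembershipStatus(in_organization=True, organization_id=org["Id"],
                            management_account_id=org["MasterAccountId"],  # API keeps the old field name
                            is_management_account=org["MasterAccountId"] == caller_account_id)

def handshake_ids_to_accept(handshakes: list[dict]) -> list[str]:
    """Member side: only OPEN invitations can be accepted (the 'Accept invitation' click)."""
    return [h["Id"] for h in handshakes if h["Action"] == "INVITE" and h["State"] == "OPEN"]

def audit_account(session=None) -> MembershipStatus:
    """Live audit (needs credentials); an account outside any organization raises AWSOrganizationsNotInUseException."""
    import boto3
    from botocore.exceptions import ClientError
    session = session or boto3.Session()
    caller = session.client("sts").get_caller_identity()["Account"]
    try:
        response = session.client("organizations").describe_organization()
    except ClientError as exc:
        if exc.response["Error"]["Code"] == "AWSOrganizationsNotInUseException":
            return MembershipStatus(in_organization=False)  # the 'not shown' case of the audit
        raise
    return interpret_organization(response, caller)

def invite_account(org_client, account_id: str) -> str:
    """Remediation steps 4-7, run from the management account; returns the handshake ID."""
    target = {"Id": account_id, "Type": "ACCOUNT"}
    return org_client.invite_account_to_organization(Target=target)["Handshake"]["Id"]

def accept_pending_invitations(org_client) -> list[str]:
    """Member account: accept every OPEN invitation and return the accepted handshake IDs."""
    pending = org_client.list_handshakes_for_account(Filter={"ActionType": "INVITE"})["Handshakes"]
    ids = handshake_ids_to_accept(pending)
    for handshake_id in ids:
        org_client.accept_handshake(HandshakeId=handshake_id)
    return ids
```

Run `audit_account()` with the member account's credentials and `invite_account(boto3.client("organizations"), "<member account ID>")` with the management account's; the pure helpers let you check the mapping logic offline.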


Backout plan:

If you want to leave the organization, follow the same steps as in the Audit section and click Leave the organization.

Reference:

https://aws.amazon.com/organizations/

Inviting an AWS account to join your organization - AWS Organizations