Profile Applicability:
Level 1
Description:
AWS Organizations allows you to centrally manage and govern multiple AWS accounts. An AWS account can be a member of an AWS Organization or a standalone account. This SOP describes how to check whether an AWS account is part of an organization by using the AWS Organizations service. This check helps ensure proper governance, consolidated billing, and centralized security management.
Rationale:
Centralized Management: Being part of an AWS Organization enables centralized billing, security policies, and compliance management across multiple accounts.
Security & Compliance: Ensures that accounts are properly managed under a larger organizational umbrella, helping meet security and compliance requirements.
Cost Efficiency: AWS Organizations helps consolidate billing, enabling better cost management and optimization.
Impact:
Pros:
Governance: Enables central control over multiple AWS accounts, helping with uniform security policies and compliance.
Cost Savings: Centralized billing allows for volume discounts and better cost management.
Simplified Management: Easier account administration, especially for large organizations with multiple accounts.
Cons:
Complexity: Managing an organization with multiple accounts can add complexity, especially if not properly configured.
Overhead: Maintaining centralized policies and permissions requires ongoing administrative attention.
Default Value:
By default, an account is not part of an AWS Organization unless it has been explicitly invited and joined an organization.
Prerequisites:
AWS IAM Permissions:
organizations:DescribeOrganization
organizations:ListAccounts
AWS CLI installed and configured.
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to AWS Organizations under Services.
In the AWS Organizations Console, under Accounts, verify if the current account is listed.
If the account is part of an organization, it will be visible in the Accounts section along with other member accounts.
If the account is not listed, it is not part of an organization.
Using AWS CLI:
To check if the account is part of an AWS Organization, run the following command:
aws organizations describe-organization
If the account is part of an AWS Organization, the output will show information about the organization, such as:
{
    "Organization": {
        "MasterAccountId": "123456789012",
        "MasterAccountEmail": "master@organization.com",
        "OrganizationId": "o-abcdefghij",
        "FeatureSet": "ALL"
    }
}
If the account is not part of an organization, the command returns an error, for example:
{
    "Error": {
        "Code": "AccessDeniedException",
        "Message": "You are not authorized to access this resource"
    }
}
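The CLI check above, wrapped in a small script that classifies the result (added here as an example; it is not part of the original SOP). It assumes the AWS CLI is installed and configured as listed under the prerequisites, and separates a genuinely standalone account (the Organizations API reports AWSOrganizationsNotInUseException) from a caller that merely lacks organizations:DescribeOrganization (AccessDeniedException), so a permissions problem is not mistaken for a governance finding.

```python
"""Check whether the current AWS account belongs to an AWS Organization.

Wraps `aws organizations describe-organization` and classifies its result.
Run it with credentials for the account being checked: describe-organization
only describes the organization of the calling account.
"""
import json
import subprocess

# Error codes the CLI prints on stderr. AWSOrganizationsNotInUseException is
# what the Organizations API returns for a standalone account; AccessDeniedException
# means the caller lacks organizations:DescribeOrganization, which proves nothing
# about membership.
NOT_IN_ORG = "AWSOrganizationsNotInUseException"
ACCESS_DENIED = "AccessDeniedException"


def classify_org_check(returncode, stdout, stderr):
    """Map the CLI exit status and output to one of:
    ("member", org_id, management_account_id), ("standalone", None, None),
    ("access-denied", None, None) or ("unknown", None, None)."""
    if returncode == 0:
        org = json.loads(stdout)["Organization"]
        # The CLI names the organization id "Id"; "OrganizationId" is accepted
        # as well so the sample output shown in this SOP also classifies.
        org_id = org.get("Id") or org.get("OrganizationId")
        return ("member", org_id, org.get("MasterAccountId"))
    if NOT_IN_ORG in stderr:
        return ("standalone", None, None)
    if ACCESS_DENIED in stderr:
        return ("access-denied", None, None)
    return ("unknown", None, None)


def check_current_account():
    """Run the CLI check for the calling account and return the classification."""
    proc = subprocess.run(
        ["aws", "organizations", "describe-organization", "--output", "json"],
        capture_output=True, text=True, check=False,
    )
    return classify_org_check(proc.returncode, proc.stdout, proc.stderr)


if __name__ == "__main__":
    status, org_id, mgmt = check_current_account()
    if status == "member":
        print(f"Account is a member of {org_id} (management account {mgmt})")
    elif status == "standalone":
        print("Account is standalone: not part of any AWS Organization")
    elif status == "access-denied":
        print("Cannot tell: caller lacks organizations:DescribeOrganization")
    else:
        print("Cannot tell: unexpected CLI result")
```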
Implementation Steps:
Using AWS Console:
Sign in to the AWS Management Console and navigate to AWS Organizations.
Under Accounts, check if the current account is listed as a member of the organization.
If the account is not part of an organization, follow the steps below to invite the account to join your AWS Organization.
Using AWS CLI:
If the account is not part of an organization, you can invite it to join your organization by running the following command from the organization's management account (the --target option takes both the account ID and the target type in a single value):
aws organizations invite-account-to-organization --target Id=<ACCOUNT_ID>,Type=ACCOUNT
After the invitation is sent, the target account receives an invitation to join the organization, which it must accept before it becomes a member.
Backout Plan:
Using AWS Console:
If you need to remove an account from an organization, sign in to the AWS Management Console.
Navigate to AWS Organizations and go to Accounts.
Select the account you wish to remove and choose Remove from Organization. Ensure that the account is in good standing and does not have any active policies or services that may prevent removal.
Using AWS CLI:
To remove an account from an AWS Organization, run the following command:
aws organizations remove-account-from-organization --account-id <ACCOUNT_ID> --region <REGION>
Verify that the account has been removed by listing the accounts:
aws organizations list-accounts --region <REGION>
References: