Profile Applicability

  • Level 1

Description:

AWS Organizations allows you to set up and manage multiple AWS accounts, enabling centralized billing, governance, and policy management. To ensure that changes to AWS Organizations are being properly monitored, it is important to track activities like account creation, account suspension, or changes in organizational policies.

By enabling monitoring for AWS Organizations, organizations can keep track of changes, detect unauthorized modifications, and ensure compliance with organizational security policies. Monitoring helps maintain oversight of the administrative actions performed across all accounts in your organization.

Rationale:

Monitoring AWS Organizations changes provides the following benefits:

  • Security: Helps detect unauthorized or unintended changes within the organization.

  • Auditability: Ensures that all changes to AWS Organizations can be tracked for security, compliance, and auditing purposes.

  • Compliance: Meets regulatory requirements that mandate continuous monitoring and auditing of administrative activities.

  • Proactive management: Allows you to respond quickly to any configuration changes that could affect security, access control, or billing.

Without monitoring, unauthorized changes could go undetected, leading to potential security or compliance issues.

Impact:

Failure to monitor changes within AWS Organizations can result in:

  • Unauthorized changes: Changes to organizational structure, policies, or accounts could be made without detection, increasing the risk of security breaches.

  • Inconsistent configurations: Unauthorized modifications could lead to misconfigured policies, affecting the security and compliance posture of your organization.

  • Non-compliance: Failing to monitor organizational changes could violate regulatory requirements for security and auditing.

By enabling monitoring, organizations can ensure that all changes to AWS Organizations are tracked and any potential issues can be detected early.

Default Value:

AWS Organizations does not log changes by default. Organizations must configure CloudTrail or another monitoring service to record changes made through AWS Organizations.

Pre-Requisites:

  • AWS CLI installed and configured

  • IAM permissions:

    • cloudtrail:CreateTrail

    • cloudtrail:DescribeTrails

    • cloudtrail:PutEventSelectors

    • cloudtrail:StartLogging

  • AWS CloudTrail should be set up and configured to log AWS Organizations changes

Remediation:

Test Plan:

Using AWS Console:

  1. Go to the AWS Organizations Console.

  2. Ensure that AWS CloudTrail is configured to log changes within AWS Organizations. Review the Event History for any recorded changes.

  3. Verify that all changes, such as account creation, removal, or policy updates, are being tracked by CloudTrail.

Using AWS CLI:

aws cloudtrail describe-trails --query "trailList[?Name=='<trail-name>']" --output table

To check if AWS Organizations events are being captured:

aws cloudtrail get-event-selectors --trail-name <trail-name> --output table
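The two CLI commands above return JSON that still has to be interpreted by hand. The following script is an added example (not part of this benchmark or of AWS's tooling) that evaluates that output against the checks in this test plan: global service events included, management write events captured, and logging actually running. The trail names, bucket names, account ID and ARNs are constructed; the JSON documents are constructed to match the shape of `aws cloudtrail describe-trails`, `get-event-selectors` and `get-trail-status --output json`. Multi-region coverage is reported as well, which goes slightly beyond the commands shown on this page.

```python
import json

# Constructed sample in the shape of `aws cloudtrail describe-trails --output json`.
# Trail names, bucket names and the account ID are hypothetical.
DESCRIBE_TRAILS = json.loads("""
{
  "trailList": [
    {"Name": "org-audit-trail", "S3BucketName": "example-org-cloudtrail-logs",
     "IncludeGlobalServiceEvents": true, "IsMultiRegionTrail": true,
     "HomeRegion": "us-east-1",
     "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/org-audit-trail"},
    {"Name": "regional-only", "S3BucketName": "example-regional-logs",
     "IncludeGlobalServiceEvents": false, "IsMultiRegionTrail": false,
     "HomeRegion": "eu-west-1",
     "TrailARN": "arn:aws:cloudtrail:eu-west-1:111111111111:trail/regional-only"}
  ]
}
""")

# Constructed sample in the shape of `aws cloudtrail get-event-selectors`, keyed by trail name.
EVENT_SELECTORS = {
    "org-audit-trail": {"EventSelectors": [
        {"ReadWriteType": "All", "IncludeManagementEvents": True,
         "DataResources": [], "ExcludeManagementEventSources": []}]},
    "regional-only": {"EventSelectors": [
        {"ReadWriteType": "ReadOnly", "IncludeManagementEvents": True,
         "DataResources": [], "ExcludeManagementEventSources": []}]},
}

# Constructed sample in the shape of `aws cloudtrail get-trail-status`, keyed by trail name.
TRAIL_STATUS = {
    "org-audit-trail": {"IsLogging": True},
    "regional-only": {"IsLogging": False},
}


def captures_org_writes(selectors):
    """True if a basic event selector records management write events.

    AWS Organizations API calls are management events, so they are recorded
    only when IncludeManagementEvents is true and ReadWriteType is All or
    WriteOnly. Trails configured with AdvancedEventSelectors are not
    evaluated here; audit_trail() reports them for manual review.
    """
    for sel in selectors.get("EventSelectors", []):
        if sel.get("IncludeManagementEvents") and sel.get("ReadWriteType") in ("All", "WriteOnly"):
            return True
    return False


def audit_trail(trail, selectors, status):
    """Return the list of findings for one trail; an empty list means it passes."""
    findings = []
    if not trail.get("IncludeGlobalServiceEvents"):
        findings.append("global service events not included (Organizations is a global service)")
    if not trail.get("IsMultiRegionTrail"):
        findings.append("trail is single-region; activity in other regions is not covered")
    if "AdvancedEventSelectors" in selectors and "EventSelectors" not in selectors:
        findings.append("advanced event selectors in use; review manually")
    elif not captures_org_writes(selectors):
        findings.append("management write events not captured")
    if not status.get("IsLogging"):
        findings.append("logging is stopped (run start-logging)")
    return findings


def audit_all(describe_output, selectors_by_trail, status_by_trail):
    """Map each trail name in describe-trails output to its findings."""
    return {
        t["Name"]: audit_trail(t,
                               selectors_by_trail.get(t["Name"], {}),
                               status_by_trail.get(t["Name"], {}))
        for t in describe_output["trailList"]
    }


if __name__ == "__main__":
    for name, findings in audit_all(DESCRIBE_TRAILS, EVENT_SELECTORS, TRAIL_STATUS).items():
        print(name + ":", "OK" if not findings else "; ".join(findings))
```

In use, replace the three constructed documents with the saved output of the corresponding CLI commands run with `--output json`; a trail that passes every check prints "OK", and each failing condition maps to one of the console or CLI steps in the implementation plan.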

Implementation Plan:

Using AWS Console:

  1. Enable CloudTrail to log AWS Organizations changes:

    • Go to the CloudTrail Console.

    • Click Create trail if no trail is already configured, or select an existing trail to modify.

    • Ensure that the Management Events section includes Write-only or All events to capture changes to AWS Organizations, such as account creation, modification, and removal.

    • Enable logging for the AWS Organizations service and ensure that logs are delivered to an S3 bucket.

  2. Verify logging and monitoring:

    • Once CloudTrail is configured, ensure that it captures all changes within AWS Organizations and review the logs periodically.

Using AWS CLI:

  1. Create or modify a CloudTrail to log AWS Organizations changes:

aws cloudtrail create-trail --name <trail-name> --s3-bucket-name <bucket-name> --include-global-service-events
aws cloudtrail add-tags --trail-name <trail-name> --tags "key=organization-monitoring,value=true"

  2. Check if AWS Organizations events are being logged:

aws cloudtrail describe-trails --query "trailList[?Name=='<trail-name>']" --output table

  3. Review CloudTrail logs for AWS Organizations changes:

aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventSource,AttributeValue=organizations.amazonaws.com
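The lookup-events command above returns every Organizations API call, including read-only Describe* and List* calls, so reviewing it routinely means filtering it. The following script is an added example (not part of this benchmark or of AWS's tooling) that parses `lookup-events --output json` output and reports only the write events that change organization structure, membership or policy. The records, ARNs, account ID and IP address are constructed; the set of event names treated as high severity is this example's own choice, and any other Organizations write is still reported at informational severity.

```python
import json

# Organizations write APIs that change accounts, membership or policies.
# This prioritisation is the example's own assumption, not an AWS list.
HIGH_RISK_EVENTS = {
    "CreateAccount", "CloseAccount", "RemoveAccountFromOrganization",
    "LeaveOrganization", "MoveAccount", "InviteAccountToOrganization",
    "CreatePolicy", "UpdatePolicy", "DeletePolicy", "AttachPolicy", "DetachPolicy",
    "EnablePolicyType", "DisablePolicyType", "DeleteOrganization",
}


def _record(event_name, read_only, actor_arn, error_code=None):
    """Build one constructed entry in the shape lookup-events returns:
    the full CloudTrail record is carried as a JSON string in CloudTrailEvent."""
    rec = {
        "eventVersion": "1.08",
        "eventTime": "2024-01-15T10:00:00Z",
        "eventSource": "organizations.amazonaws.com",
        "eventName": event_name,
        "readOnly": read_only,
        "userIdentity": {"type": "IAMUser", "arn": actor_arn},
        "sourceIPAddress": "192.0.2.10",
    }
    if error_code:
        rec["errorCode"] = error_code
    return {"EventName": event_name, "CloudTrailEvent": json.dumps(rec)}


# Constructed sample output (hypothetical account ID and principals).
LOOKUP_OUTPUT = {"Events": [
    _record("ListAccounts", True, "arn:aws:iam::111111111111:user/auditor"),
    _record("CreateAccount", False, "arn:aws:iam::111111111111:user/admin"),
    _record("DetachPolicy", False, "arn:aws:iam::111111111111:user/dev-user"),
    _record("DetachPolicy", False, "arn:aws:iam::111111111111:user/dev-user", "AccessDeniedException"),
    _record("TagResource", False, "arn:aws:iam::111111111111:user/admin"),
]}


def parse_lookup_events(lookup_output):
    """Yield the decoded CloudTrail records embedded in lookup-events output."""
    for ev in lookup_output.get("Events", []):
        yield json.loads(ev["CloudTrailEvent"])


def classify(record):
    """Return None for records to ignore, otherwise a dict describing the change."""
    if record.get("eventSource") != "organizations.amazonaws.com":
        return None
    if record.get("readOnly", False):
        return None  # Describe*/List* calls are not changes
    name = record["eventName"]
    return {
        "time": record.get("eventTime"),
        "event": name,
        "actor": record.get("userIdentity", {}).get("arn"),
        "source_ip": record.get("sourceIPAddress"),
        # A denied attempt is kept: it shows who tried to change the organization
        "denied": "errorCode" in record,
        "severity": "high" if name in HIGH_RISK_EVENTS else "info",
    }


def org_change_alerts(lookup_output):
    """Return one alert per Organizations write event, in the order received."""
    return [a for a in (classify(r) for r in parse_lookup_events(lookup_output)) if a]


if __name__ == "__main__":
    for alert in org_change_alerts(LOOKUP_OUTPUT):
        print(alert)
```

Pipe the saved output of the lookup-events command in place of LOOKUP_OUTPUT to use it on real data; because lookup-events only covers the last 90 days, the same classify() function can be run over the archived log files delivered to the trail's S3 bucket, whose Records entries have the same field names.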

Backout Plan:

Using AWS Console:

  1. If logging these changes causes performance or cost issues:

    • Go to the CloudTrail Console.

    • Disable logging or reduce the logging scope (e.g., reduce the number of event types being captured).

  2. Modify the CloudTrail configuration if it is found to be over-logging or unnecessary.

Using AWS CLI:

  1. Disable CloudTrail logging if needed:

aws cloudtrail stop-logging --name <trail-name>

  2. Re-enable CloudTrail logging or adjust the settings once issues are resolved:

aws cloudtrail start-logging --name <trail-name>

References:

CIS Controls Mapping:

  CIS Control Version | Control ID | Control Description
  --------------------|------------|--------------------------------------------------------------
  CIS v8              | 4.9        | Perform Continuous Security Monitoring and Incident Detection
  CIS v7              | 6.3        | Monitor Security Configurations for Compliance
  CIS v7              | 5.2        | Securely Manage and Monitor Cloud Accounts and Services