This course explores the AWS Organizations service, and in particular how you can use Service Control Policies to help you centrally manage and control the highest level of security permissions within your AWS accounts in which they are associated to.
For any feedback relating to this course, please contact us at firstname.lastname@example.org.
- To gain a high-level understanding of AWS Organizations
- To understand how service control policies can play an integral part in your multi-account security strategy
This course has been designed for those who are responsible for managing and maintaining the overall security of multiple AWS accounts.
This is an intermediate-level course on AWS Organizations and requires you to have some basic knowledge of IAM and JSON policies. Any previous experience or exposure to AWS Organizations would also be advantageous, but not essential.
Hello and welcome to this lecture which will explain how to initially set up and configure AWS organizations. Setting up an organization is a very simple process that starts from a master AWS account. Your master account is a standard AWS account that you have chosen to create the AWS organization. It's best practice to use this AWS account solely as a master account, and not to use it to provision any other resources such as EC2 instances, et cetera. This allows you to restrict access to the master account at a greater level. The few users who need access to it, the better, and you need to do this because the master account carries certain administrative level capabilities such as being able to create additional AWS accounts within your organization, invite other accounts to join your organization, remove AWS accounts from your organization, and apply security features via policies to different levels within your organization.
Once you have selected your AWS account to be used as a master account, you can create an organization. From here, you have two choices when creating an organization type: enable all features or enable only consolidated billing. If you want to set up service control policies, then you need to select enable all features.
The second option allows you to control payments and manage costs centrally from that master account across all associated AWS accounts within the organization. When the organization is created, the master account can create organizational units for AWS account management as required. The master account can also invite other member AWS accounts to join the organization. During this invitational process, the account owner of these invited AWS accounts will receive an email requesting that their AWS account join the organization. Once the accounts have joined the organization, the master account can then move these accounts into the corresponding OUs that have been created and associate relevant service control policies with them.
Let me now show you via demonstration on how to create a new organization and invite an existing account to join it. Now I'm logged into my AWS management console in the AWS account that I want to be the master account, and the first thing I need to do is go to AWS organizations, which is under the management and governance category, and you can see, it's just at the top here.
So if I go into organizations, and at the moment, I don't have any organizations set up or created. So the first thing I need to do is click on create organization, and this gives you a quick, high-level screenshot just to explain what creating an organization does. So it provides single payer and centralized cost tracking, it lets you create and invite accounts, it allows you to apply policy-based controls, and it helps you simplify organization-wide management of AWS services.
Now, as I mentioned previously, there's two options when you create your organization. You can only create it with all features enabled, which is what I just listed, or as you can see here, you can just create your organization to consolidate your billing features. With this demonstration, I'm going to create it with all features. So let's go ahead and create our organization, and that's effectively it. So it's very easy to create your AWS organization to start with, and because this is a brand new organization, this is my master account, which is signified by this star here, and this is my account name, and my account ID.
So, to actually create the organization is very simple, but now I want to add another account as a member account, so let me go ahead and do that. So if I select add account, now I have two options here. I can invite an existing account or create a new account. Now I already have another AWS account, so I'm going to invite an existing account. Now I need to enter the email or account ID, so I'll just paste in my account, and you can add any notes here, for example, please join my organization, and then you select invite.
Okay, now we can see that we have a request that's been sent as an invitation. The status is currently open. So now the email address that was registered with this account will get an invitation and they must accept that invite into this organization. So let's take a look and see if I got that email. So here we can see the email that's been sent to the owner of that member account, and it says, Stuart would like to add your AWS account to their organization as a member account, and then it just gives some additional blurb about AWS organizations, but to accept the invitation, and to understand what features have been enabled, we need to click on this link here.
So if I select that link, and sign in to my account using my details and MFA code, then I can see that I have an invitation from AWS organizations. We can see the organization ID, the master account name, and the requested controls, which is enable all features. So here, I can either accept or decline and I'm going to accept. I just need to confirm the confirmation message about joining the organization.
Okay, now this member account is now a part of that organization. So if I go back to my master account now, I can see now that within my AWS organization of my master account, I have the CA demo account, which is the name of my other account, and we can see that it's not a master because it hasn't got the star whereas this account has the, this is the master account. So as you can see, it's a very simple process to invite other accounts to your organization.
Now I also mentioned previously about organizing accounts and using organizational units. So if we select organize accounts, at the moment, we only have the root in here. So I can create the new organizational unit and assign each of these accounts into those. So, for example, let me create a new organizational unit called production.
Now I'm also going to create a second organizational unit called test. So let me create another one. At the moment, under root, we have our two accounts. So we have our master account and our member account here. Now I want to move my master account into the production organizational unit, just to make things a little more organized. So I can select the account, click on move, and then simply select where I want it to reside within the tree, and then click move, and we can see, it's now been removed from the root location, and I want to do the same with the member account, but this time, I want to move that into the test OU. So now, if I click on production over here, this organizational unit, we can see the account that it has inside it, and again, if we go back to the root and click on test, we can see that we have the member account. So I just wanted to show you that quickly just to show you how you can easily and quickly organize your different AWS accounts.
Okay, and that's the end of the demonstration.
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.
To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.
Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.