Setting Up AWS Organizations
Recipe 1

This guide provides a step-by-step approach to setting up AWS Organizations, enabling you to efficiently manage multiple AWS accounts with centralized governance, security, and cost management. By following this recipe, you will create a well-structured, secure, and cost-effective multi-account AWS environment that scales with your business needs. The guide also covers common pitfalls and troubleshooting tips to help you avoid potential issues.

Objective

Efficiently set up AWS Organizations to manage multiple AWS accounts with centralized governance, security, and cost management.

Difficulty Level

Intermediate

Estimated Time

  • Initial setup: 4-6 hours
  • Full implementation and optimization: 2-3 weeks

Note: The time can vary significantly depending on the size and complexity of your organization, as well as your familiarity with AWS services.

Ingredients

  • AWS Organizations
  • Service Control Policies (SCPs)
  • AWS Identity and Access Management (IAM)
  • AWS CloudFormation (for automation)
  • Tagging Strategy
  • AWS Cost Explorer and AWS Budgets
  • AWS Config
  • AWS CloudTrail
  • AWS Control Tower (optional)

Steps

Step 1: Create AWS Organizations

1.1 Create an Organization

  • Navigate to AWS Organizations in the AWS Management Console.
  • Create a new organization if you don't already have one.

1.2 Enable All Features

  • Enable all features to utilize the full capabilities of AWS Organizations, including SCPs.

Step 2: Define Organizational Units (OUs)

2.1 Structure Your Organization

  • Create OUs based on your business structure. Common structures include:
    • Core: For shared services like IAM and networking.
    • Sandbox/Development: For development and testing environments.
    • Production: For production workloads.
    • Security: For accounts focused on security monitoring and auditing.

Step 3: Implement Service Control Policies (SCPs)

3.1 Define SCPs

  • Create SCPs to enforce governance across your organization. Example policies include:

    a. Restrict EC2 Instance Types

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "LimitEC2InstanceTypes",
          "Effect": "Deny",
          "Action": "ec2:RunInstances",
          "Resource": "arn:aws:ec2:*:*:instance/*",
          "Condition": {
            "StringNotLike": {
              "ec2:InstanceType": ["t3.*", "m5.*"]
            }
          }
        }
      ]
    }

    b. Enforce MFA for IAM Users

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "EnforceMFA",
          "Effect": "Deny",
          "NotAction": [
            "iam:CreateVirtualMFADevice",
            "iam:EnableMFADevice",
            "iam:GetUser",
            "iam:ListMFADevices",
            "iam:ListVirtualMFADevices",
            "iam:ResyncMFADevice",
            "sts:GetSessionToken"
          ],
          "Resource": "*",
          "Condition": {
            "BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}
          }
        }
      ]
    }

    c. Prevent Deletion of CloudTrail Trails

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "ProtectCloudTrail",
          "Effect": "Deny",
          "Action": [
            "cloudtrail:DeleteTrail",
            "cloudtrail:StopLogging"
          ],
          "Resource": "*"
        }
      ]
    }

3.2 Apply SCPs to OUs

  • Attach relevant SCPs to each OU. For example, stricter policies for production OUs and more relaxed policies for development OUs.
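As an added illustration of how attached SCPs combine (written for this page; it is not AWS code or the author's): a request is permitted only if every level from the root through each OU down to the account has an SCP that allows it and no level has an SCP that denies it, which is also the point behind Debugging Tip 4 under Troubleshooting. The evaluator below reproduces the three policies from 3.1, models only the two condition operators they use, and adds a constructed Sandbox allow-list SCP and a constructed account id. It also makes a caveat of the EnforceMFA policy visible: because BoolIfExists matches when the key is absent, the deny applies to every request made without MFA, including non-interactive role sessions and access keys used by automation, so scope that SCP (for example to specific actions or principals) before attaching it to a whole OU.

```python
import fnmatch

# The AWS-managed FullAWSAccess SCP that Organizations attaches by default.
FULL_AWS_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# The three SCPs from Step 3.1, repeated here so the model runs stand-alone.
LIMIT_EC2 = {"Version": "2012-10-17", "Statement": [{
    "Sid": "LimitEC2InstanceTypes", "Effect": "Deny", "Action": "ec2:RunInstances",
    "Resource": "arn:aws:ec2:*:*:instance/*",
    "Condition": {"StringNotLike": {"ec2:InstanceType": ["t3.*", "m5.*"]}}}]}
ENFORCE_MFA = {"Version": "2012-10-17", "Statement": [{
    "Sid": "EnforceMFA", "Effect": "Deny", "Resource": "*",
    "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser",
                  "iam:ListMFADevices", "iam:ListVirtualMFADevices",
                  "iam:ResyncMFADevice", "sts:GetSessionToken"],
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}
PROTECT_CLOUDTRAIL = {"Version": "2012-10-17", "Statement": [{
    "Sid": "ProtectCloudTrail", "Effect": "Deny", "Resource": "*",
    "Action": ["cloudtrail:DeleteTrail", "cloudtrail:StopLogging"]}]}
# Constructed for this example: a Sandbox OU where FullAWSAccess was detached and
# replaced by an allow-list, which is how "implicit deny" shows up in practice.
SANDBOX_ALLOW_LIST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["ec2:*", "s3:*"], "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    """Case-insensitive glob match, so 'ec2:*' matches 'ec2:RunInstances'."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))

def _condition_holds(condition, context):
    """Only the two operators used by the SCPs above are modelled."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringNotLike":
                # Negated operator: holds when the key is absent or matches no pattern.
                if actual is not None and _matches(expected, actual):
                    return False
            elif operator == "BoolIfExists":
                # ...IfExists: holds when the key is absent, otherwise compares the value.
                if actual is not None and str(actual).lower() != str(expected).lower():
                    return False
            else:
                raise ValueError(f"operator {operator} is not modelled")
    return True

def _statement_applies(stmt, action, resource, context):
    if "Action" in stmt and not _matches(stmt["Action"], action):
        return False
    if "NotAction" in stmt and _matches(stmt["NotAction"], action):
        return False
    if not _matches(stmt.get("Resource", "*"), resource):
        return False
    return _condition_holds(stmt.get("Condition", {}), context)

def evaluate_level(policies, action, resource, context):
    """All SCPs attached at one level: an explicit Deny wins; otherwise the
    request needs at least one Allow or it is implicitly denied."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if _statement_applies(stmt, action, resource, context):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                allowed = True
    return "Allow" if allowed else "ImplicitDeny"

def effective_decision(path, action, resource="*", context=None):
    """path is [(level_name, [scp, ...]), ...] from the root down to the account.
    The request must pass every level; the first level that blocks it is returned,
    which is the level to inspect when an SCP seems not to take effect."""
    for level_name, policies in path:
        verdict = evaluate_level(policies, action, resource, context or {})
        if verdict != "Allow":
            return (verdict, level_name)
    return ("Allow", None)


# Constructed account id and OU paths; the Production OU carries all three page SCPs.
PRODUCTION_PATH = [("Root", [FULL_AWS_ACCESS]),
                   ("Production OU", [FULL_AWS_ACCESS, LIMIT_EC2, PROTECT_CLOUDTRAIL, ENFORCE_MFA]),
                   ("Account 111111111111", [FULL_AWS_ACCESS])]
SANDBOX_PATH = [("Root", [FULL_AWS_ACCESS]), ("Sandbox OU", [SANDBOX_ALLOW_LIST])]
INSTANCE_ARN = "arn:aws:ec2:us-east-1:111111111111:instance/*"
WITH_MFA = {"aws:MultiFactorAuthPresent": "true"}

if __name__ == "__main__":
    print(effective_decision(PRODUCTION_PATH, "ec2:RunInstances", INSTANCE_ARN,
                             {**WITH_MFA, "ec2:InstanceType": "p3.2xlarge"}))  # ('Deny', 'Production OU')
    print(effective_decision(PRODUCTION_PATH, "s3:GetObject"))  # no MFA key at all: ('Deny', 'Production OU')
    print(effective_decision(SANDBOX_PATH, "iam:CreateUser"))  # ('ImplicitDeny', 'Sandbox OU')
```

The returned level name is what to check first when an SCP "is not taking effect": an ImplicitDeny at an OU usually means FullAWSAccess was detached there without a replacement Allow, while a Deny at a parent level is inherited by every OU and account beneath it. The model evaluates a single resource per request and ignores IAM identity policies, which are evaluated separately from SCPs.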

Step 4: Implement a Tagging Strategy

4.1 Define Tags

  • Establish a standard tagging strategy to categorize resources. Example mandatory tags:
    • Environment: [Production, Development, Testing, Staging]
    • Project: [ProjectName]
    • Owner: [EmailAddress]
    • CostCenter: [CostCenterID]

4.2 Enforce Tagging

  • Use SCPs and AWS Config rules to enforce mandatory tagging of resources.

4.3 Automate Tagging

  • Implement AWS Lambda functions to automatically tag resources based on predefined rules. Example function (it assumes an EventBridge EC2 instance state-change event, which carries the instance id in detail.instance-id):

    import boto3

    # Defaults for the mandatory tags from 4.1, used only when a key is absent.
    DEFAULT_TAGS = {
        'Environment': 'Development',
        'Project': 'DefaultProject',
        'Owner': 'unknown@example.com',
        'CostCenter': 'CC000',
    }

    def lambda_handler(event, context):
        ec2 = boto3.resource('ec2')
        instance = ec2.Instance(event['detail']['instance-id'])
        # Fill in only the tags that are missing, so values set at launch
        # (for example a real Owner) are not overwritten with defaults.
        existing = {t['Key'] for t in (instance.tags or [])}
        tags = [{'Key': k, 'Value': v} for k, v in DEFAULT_TAGS.items() if k not in existing]
        if tags:
            instance.create_tags(Tags=tags)
        return {
            'statusCode': 200,
            'body': f"Tags applied to instance {instance.id}: {[t['Key'] for t in tags]}"
        }


4.4 Implement AWS Config Rule for Tag Compliance

  • Deploy the AWS managed REQUIRED_TAGS rule so that AWS Config reports resources that are missing the mandatory tags from 4.1. When the rule is created with the CLI (put-config-rule), InputParameters is passed as a JSON string; it is shown expanded below for readability.

    {
      "ConfigRuleName": "required-tags",
      "Description": "Checks if resources have the required tags",
      "Source": {
        "Owner": "AWS",
        "SourceIdentifier": "REQUIRED_TAGS"
      },
      "Scope": {
        "ComplianceResourceTypes": [
          "AWS::EC2::Instance",
          "AWS::S3::Bucket"
        ]
      },
      "InputParameters": {
        "tag1Key": "Environment",
        "tag1Value": "Production,Development,Testing,Staging",
        "tag2Key": "Project",
        "tag3Key": "Owner",
        "tag4Key": "CostCenter"
      }
    }
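The following added example (written for this page; it is not AWS code or the author's) runs the logic of 4.2 to 4.4 offline against constructed instance records shaped like the Reservations[].Instances[] entries boto3's describe_instances() returns: it grades each instance against the mandatory tags and allowed Environment values from 4.1 the way the REQUIRED_TAGS rule would, and computes the defaults the 4.3 Lambda should add, filling only the keys that are absent. The instance ids and tag values are constructed.

```python
REQUIRED_TAGS = ("Environment", "Project", "Owner", "CostCenter")
ALLOWED_VALUES = {"Environment": {"Production", "Development", "Testing", "Staging"}}
DEFAULT_TAGS = {"Environment": "Development", "Project": "DefaultProject",
                "Owner": "unknown@example.com", "CostCenter": "CC000"}

# Constructed sample data: one compliant instance, one with a missing and an
# invalid tag, and one launched with no tags at all.
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa111", "Tags": [
        {"Key": "Environment", "Value": "Production"},
        {"Key": "Project", "Value": "Billing"},
        {"Key": "Owner", "Value": "alice@example.com"},
        {"Key": "CostCenter", "Value": "CC100"}]},
    {"InstanceId": "i-0bbb222", "Tags": [
        {"Key": "Environment", "Value": "prod"},
        {"Key": "Owner", "Value": "bob@example.com"}]},
    {"InstanceId": "i-0ccc333"},
]


def tags_to_dict(tag_list):
    """EC2 returns tags as a list of {'Key': ..., 'Value': ...}; None when untagged."""
    return {t["Key"]: t["Value"] for t in (tag_list or [])}

def evaluate_compliance(tags):
    """COMPLIANT / NON_COMPLIANT with the reasons, mirroring what the
    REQUIRED_TAGS rule (with tag1Value set) reports for one resource."""
    missing = [k for k in REQUIRED_TAGS if k not in tags]
    invalid = {k: tags[k] for k, allowed in ALLOWED_VALUES.items()
               if k in tags and tags[k] not in allowed}
    status = "COMPLIANT" if not missing and not invalid else "NON_COMPLIANT"
    return {"compliance": status, "missing": missing, "invalid": invalid}

def default_tags_to_apply(tags):
    """The create_tags() payload the 4.3 Lambda should send: defaults only for
    absent keys. Present but invalid values are reported, not overwritten,
    so a human fixes them instead of the defaults masking the problem."""
    return [{"Key": k, "Value": v} for k, v in DEFAULT_TAGS.items() if k not in tags]

def audit(instances):
    """Per-instance compliance verdict plus the tags automation would add."""
    report = {}
    for inst in instances:
        tags = tags_to_dict(inst.get("Tags"))
        result = evaluate_compliance(tags)
        result["apply"] = default_tags_to_apply(tags)
        report[inst["InstanceId"]] = result
    return report

def noncompliant_ids(report):
    return sorted(i for i, r in report.items() if r["compliance"] == "NON_COMPLIANT")

def compliance_after_defaults(instance):
    """What the rule would report once the defaults have been applied."""
    tags = tags_to_dict(instance.get("Tags"))
    merged = {**tags, **tags_to_dict(default_tags_to_apply(tags))}
    return evaluate_compliance(merged)["compliance"]


if __name__ == "__main__":
    for instance_id, result in audit(SAMPLE_INSTANCES).items():
        print(instance_id, result)
    # i-0bbb222 stays NON_COMPLIANT after defaults because 'prod' is not an allowed value.
    print({i["InstanceId"]: compliance_after_defaults(i) for i in SAMPLE_INSTANCES})
```

Note that applying defaults is not the same as being compliant: the untagged instance becomes compliant once the four defaults land, but the one tagged Environment=prod still fails the allowed-value check, which is exactly the finding the Config rule should keep surfacing until someone corrects the value.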

Step 5: Optimize Cost Management

5.1 Enable Cost Explorer and Budgets

  • Set up AWS Cost Explorer and create budgets to monitor and control spending across your organization.

5.2 Consolidate Billing

  • Use consolidated billing to centralize payment for all accounts, simplifying financial management.

5.3 Allocate Costs by Tags

  • Leverage the tagging strategy to allocate costs accurately and identify areas for potential savings.

5.4 Implement Cost Anomaly Detection

  • Use AWS Cost Anomaly Detection to identify unusual spending patterns.

Step 6: Implement Security Best Practices

6.1 Enable AWS Config

  • Set up AWS Config to assess, audit, and evaluate the configurations of your AWS resources.

6.2 Implement AWS CloudTrail

  • Enable CloudTrail in all accounts to log API activity for auditing and compliance purposes.

6.3 Use AWS Security Hub

  • Implement AWS Security Hub to manage security alerts and compliance checks across accounts.

Step 7: Automate Account Provisioning

7.1 Use AWS Control Tower

  • Consider implementing AWS Control Tower for automated account provisioning and governance.

7.2 Develop CloudFormation Templates

  • Create CloudFormation templates for standardized resource deployment across accounts.

Step 8: Continuous Improvement

8.1 Regular Audits

  • Conduct regular audits of your AWS environment to ensure compliance with policies and identify areas for improvement.

8.2 Adjust Policies as Needed

  • Continuously refine SCPs, tagging strategies, and other configurations based on changing business needs and AWS updates.

8.3 Stay Informed

  • Keep up with AWS updates and best practices to evolve your organization structure and policies.

Troubleshooting

Common Issues and Solutions

  1. Issue: Unable to enable all features in AWS Organizations

    • Solution: Ensure that the root account has the necessary permissions. Check if there are any pending invitations or handshakes that need to be accepted.
  2. Issue: SCP not taking effect

    • Solution:
      • Verify that the SCP is attached to the correct OU or account
      • Check for conflicting policies (remember, SCPs use a "deny by default" approach)
      • Ensure the policy JSON is valid and properly formatted
  3. Issue: Consolidated billing not showing all accounts

    • Solution:
      • Verify that all accounts are part of the organization
      • Check if there's a delay in data propagation (it can take up to 24 hours)
      • Ensure that the management account has the necessary permissions to view billing data
  4. Issue: Unable to move an account between OUs

    • Solution:
      • Check if the account has the required permissions
      • Verify that moving the account doesn't violate any SCPs
      • Ensure that the target OU exists and is accessible
  5. Issue: Tags not propagating across the organization

    • Solution:
      • Verify that tag policies are correctly set up and applied to the relevant OUs
      • Check if there are any conflicts with existing resource-level tags
      • Ensure that the tagging service has the necessary permissions to modify resources
  6. Issue: AWS Config rules not applying across all accounts

    • Solution:
      • Verify that AWS Config is enabled in all relevant accounts
      • Check if the necessary permissions are granted to AWS Config
      • Ensure that the rules are correctly defined and associated with the right resource types

Debugging Tips

  1. Use AWS CloudTrail to audit API calls and identify any permission issues or unexpected actions.
  2. Leverage AWS Config to assess the compliance of your resources against your defined rules and policies.
  3. Utilize the AWS Organizations CLI for troubleshooting. Commands like list-policies and list-targets-for-policy can provide valuable insights.
  4. When troubleshooting SCPs, remember to check policies at all levels of the OU hierarchy, as they are inherited and combined.
  5. For billing issues, use the AWS Cost Explorer to drill down into specific accounts or services that might be causing discrepancies.

Key Organization Structure Pitfalls to Avoid

  1. Lack of Clear Organizational Structure
  2. Insufficient Use of Organizational Units (OUs)
  3. Overly Complex OU Hierarchies
  4. Improper Use of Root Account
  5. Ineffective Service Control Policies (SCPs)
  6. Ignoring Centralized Logging and Monitoring
  7. Neglecting Cost Management
  8. Poor Tagging Practices
  9. Insufficient Access Management
  10. Not Regularly Reviewing and Auditing Accounts

Conclusion

Setting up AWS Organizations is a crucial step in optimizing your AWS environment. By following this recipe and avoiding common pitfalls, you can create a well-structured, secure, and cost-effective multi-account AWS environment that scales with your business needs. Remember that this is an ongoing process, and regular reviews and adjustments will ensure your organization continues to meet your evolving requirements.

James Phipps 21 July, 2024