AWS Organizations

Table of Contents

Central governance and management across AWS accounts. AWS Organizations provides central billing. It provides several key governance and security controls and should be leveraged by any company with more than one AWS account.

From the AWS Service Description:

AWS Organizations helps you centrally govern your environment as you grow and scale your workloads on AWS. Whether you are a growing startup or a large enterprise, Organizations helps you to centrally manage billing; control access, compliance, and security; and share resources across your AWS accounts.
Using AWS Organizations, you can automate account creation, create groups of accounts to reflect your business needs, and apply policies for these groups for governance. You can also simplify billing by setting up a single payment method for all of your AWS accounts. Through integrations with other AWS services, you can use Organizations to define central configurations and resource sharing across accounts in your organization. AWS Organizations is available to all AWS customers at no additional charge.. (source)

Service Summary

Service Name: AWS Organizations
Service Family: Management & Governance
Supports Resource Policies: No
Service Pricing: Free
Service Webpage: https://aws.amazon.com/organizations/

Security Risks

There are minimal security risks with AWS Organizations. Things to be concerned with are:

  1. AWS accounts can be created without verification of the root email address. This can lead to the inability to close accounts or remove them from the organization.

Effectively Leveraging Organizations

Organizations is a key tool in our cloud governance and cloud security arsenal. All AWS accounts should be part of your Organization, and all features should be enabled. GuardDuty and IAM Access Analyzer both use AWS Organizations to deploy across all of your AWS accounts from a central Security Account.

Service Control Policies are IAM policies that are enforced on AWS Accounts via AWS Organizations. These policies can be used to deny specific IAM actions to all administrators (including the root user). They’re a key tool in protecting against account compromise. An attacker would need to compromise the AWS Organization master account in order to disable security features in a child account.

Accounts can be organized in Organizational Units (OUs) and SCPs can be applied to OUs. In addition to Service Control Policies, Tagging Policies and Backup Policies can be enforced by AWS Organizations on member accounts.

Suggested Compliance Rules around Organizations

  1. All organization should leverage all features
  2. Accounts should have SCPs that prohibit removal of security controls and prevent accounts from leaving the organization.
  3. InfoSec should have Delegated Administration of security services

CloudTrail events of significance

The CloudTrail eventSource is “organization.amazonaws.com”

(Note: some of these CloudTrail events would trigger when Tagging and Backup policies are applied or modified, so some amount of false positives can be expected, however the typical volume of these changes shouldn’t be too noisy )

  • AttachPolicy The risk here is granting access to services if you don’t apply the FullAccess policy
  • DeleteOrganization This would delete the organization and would probably be prohibited by AWS unless all the member accounts were removed
  • DeletePolicy Delete an SCP, this would probably indicate the removal of a key security control
  • DeregisterDelegatedAdministrator If you’re relying on a security account, this API call would disconnect that security account impacting your security visibility.
  • DetachPolicy Detaches a SCP from a specific account or OU.
  • DisableAWSServiceAccess Disables the service linked roles having access to the child accounts. If you’re relying on a security account, this API call would disconnect that security account impacting your security visibility.
  • DisablePolicyType This call could be used to disable support for SCPs and removing that critical security control
  • LeaveOrganization This call is executed in Organization Member accounts to leave the organization. If you see this, someone is trying to steal an account.
  • RegisterDelegatedAdministrator If you see this and it was not instigated by your cloud security program, you should investigate.
  • RemoveAccountFromOrganization This call is similar to LeaveOrganization, but this call is made when the master account wants to boot a member account.