- Introduction
- Prerequisites
- Tools and services
- Usage
- Use Cases
- Clean up
- Reference
- Contributing
- License
This repository contains a collection of AWS CloudFormation templates to create up an AWS Organizations structure.
- Python 3, installed
- AWS Command Line Interface (AWS CLI) version 2, installed
- AWS Serverless Application Model (SAM), installed
- AWS SAM - The AWS Serverless Application Model (SAM) is an open-source framework for building serverless applications. It provides shorthand syntax to express functions, APIs, databases, and event source mappings.
- AWS Control Tower - AWS Control Tower provides the easiest way to set up and govern a secure, multi-account AWS environment, called a landing zone.
- AWS Organizations - AWS Organizations helps you centrally manage and govern your environment as you grow and scale your AWS resources.
- AWS Service Catalog - AWS Service Catalog allows organizations to create and manage catalogs of IT services that are approved for use on AWS.
| Parameter | Type | Default | Description |
|---|---|---|---|
| pSSOInstanceId | String | None | Optional - AWS IAM Identity Center instance ID |
| pDeveloperPrefix | String | app | Prefix used by developers when creating IAM roles and CloudFormation stacks |
| pCloudFormationRoleName | String | CloudFormationRole | Name of the IAM role used by AWS CloudFormation |
| pServiceCatalogRoleName | String | ServiceCatalogRole | Name of the IAM role used by AWS Service Catalog |
| pRegions | String | us-east-1 | Comma-delimited list of AWS Regions |
| pSandboxOuName | String | Sandbox | Name of the organizational unit for sandbox AWS accounts |
| pSecurityOuName | String | Security_Prod | Name of the organizational unit for security-related AWS accounts |
To deploy the template, you first need to install the AWS Serverless Application Model (AWS SAM).
git clone https://github.com/aws-samples/orgs-prescriptive-guidance
cd orgs-prescriptive-guidance
sam build
sam deploy \
--guided \
--tags "GITHUB_ORG=aws-samples GITHUB_REPO=orgs-prescriptive-guidance"
In the event that there are any issues with AWS IAM Identity Center, an EmergencyAccess_RO and EmergencyAccess_Ops users have been deployed in the management account. These users can assume IAM roles EmergencyAccess_Ops and EmergencyAccess_RO in every account. These users thus have privileged access to all accounts which necessitates that they be used sparingly in a secure manner.
There are no credentials associated with these users. To set credentials, and enable multi-factor authentication for these users, follow these instructions to configure MFA devices for each EmergencyAccess user.
After installing the AWS CLI, install the AWS Systems Manager Session Manager plugin.
aws sso login --profile <profile-name>
aws --profile <profile-name> ssm start-session --target <instance-id> --document-name SSM-SessionManagerRunShellDeleting the CloudFormation Stack will remove the CloudFormation StackSets and IAM Identity Center Permission Sets, but it will retain the AWS Organizations.
sam delete
This solution is inspired by these references:
See CONTRIBUTING for more information.
This library is licensed under the MIT-0 License. See the LICENSE file.