README.md

Guidance for Organization on AWS

Table of contents

1. Introduction
2. Prerequisites
3. Tools and services
4. Usage
5. Use Cases
6. Clean up
7. Reference
8. Contributing
9. License

Introduction

This repository contains a collection of AWS CloudFormation templates to create up an AWS Organizations structure.

Prerequisites

• Python 3, installed
• AWS Command Line Interface (AWS CLI) version 2, installed
• AWS Serverless Application Model (SAM), installed

Tools and services

• AWS SAM - The AWS Serverless Application Model (SAM) is an open-source framework for building serverless applications. It provides shorthand syntax to express functions, APIs, databases, and event source mappings.
• AWS Control Tower - AWS Control Tower provides the easiest way to set up and govern a secure, multi-account AWS environment, called a landing zone.
• AWS Organizations - AWS Organizations helps you centrally manage and govern your environment as you grow and scale your AWS resources.
• AWS Service Catalog - AWS Service Catalog allows organizations to create and manage catalogs of IT services that are approved for use on AWS.

Usage

Parameters

Parameter	Type	Default	Description
pSSOInstanceId	String	None	Optional - AWS IAM Identity Center instance ID
pDeveloperPrefix	String	app	Prefix used by developers when creating IAM roles and CloudFormation stacks
pCloudFormationRoleName	String	CloudFormationRole	Name of the IAM role used by AWS CloudFormation
pServiceCatalogRoleName	String	ServiceCatalogRole	Name of the IAM role used by AWS Service Catalog
pRegions	String	us-east-1	Comma-delimited list of AWS Regions
pSandboxOuName	String	Sandbox	Name of the organizational unit for sandbox AWS accounts
pSecurityOuName	String	Security_Prod	Name of the organizational unit for security-related AWS accounts

Installation

To deploy the template, you first need to install the AWS Serverless Application Model (AWS SAM).

git clone https://github.com/aws-samples/orgs-prescriptive-guidance
cd orgs-prescriptive-guidance
sam build
sam deploy \
  --guided \
  --tags "GITHUB_ORG=aws-samples GITHUB_REPO=orgs-prescriptive-guidance"

Use Cases

Emergency Access

In the event that there are any issues with AWS IAM Identity Center, an EmergencyAccess_RO and EmergencyAccess_Ops users have been deployed in the management account. These users can assume IAM roles EmergencyAccess_Ops and EmergencyAccess_RO in every account. These users thus have privileged access to all accounts which necessitates that they be used sparingly in a secure manner.

There are no credentials associated with these users. To set credentials, and enable multi-factor authentication for these users, follow these instructions to configure MFA devices for each EmergencyAccess user.

To Access an EC2 Instance

After installing the AWS CLI, install the AWS Systems Manager Session Manager plugin.

aws sso login --profile <profile-name>
aws --profile <profile-name> ssm start-session --target <instance-id> --document-name SSM-SessionManagerRunShell

Clean up

Deleting the CloudFormation Stack will remove the CloudFormation StackSets and IAM Identity Center Permission Sets, but it will retain the AWS Organizations.

sam delete

Reference

This solution is inspired by these references:

• AWS Security Reference Architecture

Security

See CONTRIBUTING for more information.

License

This library is licensed under the MIT-0 License. See the LICENSE file.