| Info |
|---|
AWS Organizations is a Policy-based management for multiple AWS accounts. |
...
Using AWS Organizations, you can create Service Control Policies (SCPs) that centrally control AWS service use across multiple AWS accounts. You can also use Organizations to help automate the creation of new accounts through APIs. Organizations helps simplify the billing for multiple accounts by enabling you to setup a single payment method for all the accounts in your organization through consolidated billing. AWS Organizations is available to all AWS customers at no additional charge. More information can be found here.
...
Benefits Of Using AWS Organizations In Cloudaware
...
2. You should see at least one AWS Organization and N number of AWS Organizational Accounts.
[screen]
Identify AWS Organizational Accounts That
...
Didn't Get Onboarded Successfully
1. In Cloudaware menu navigate to AMAZON WEB SERVICES → Security, Identity, Compliance → AWS Organizational Accounts.
...
If AWS Organization Master Account has been added to Cloudaware but auto-collection doesn't take place, check if Role Name and External ID are custom as they shouldn't be left auto-populated by Cloudaware during the StackSet creation.
--
STEP 2. Cloudaware Access To AWS Organizations Sub-Accounts
1. Download the Cloudaware CloudFormation Template with IAM policy from the Cloudaware Admin panel or use your custom template with policy.
2. Deploy CloudFormation template on every AWS Organizations Sub-Account.
| Note |
|---|
When granting Cloudaware access to AWS Organizations Sub-Account, IAM External ID must be either blank or the same value for all AWS Organizations Sub Accounts. See the screenshot below. |
...
Self-Managed Permissions
1. Log in to your AWS Console and locate the root account where the stack set is to be created.
2. In the root account, create an IAM role AWSCloudFormationStackSetAdministrationRole using this template: https://s3.amazonaws.com/cloudformation-stackset-sample-templates-us-east-1/AWSCloudFormationStackSetAdministrationRole.yml
...
| Note |
|---|
When creating the trust relationship between each target account and a customized administration role, you can control which users and groups can perform stack set operations in which target accounts. You can also define:
|
4. Ensure that the root account has been added to Cloudaware. Any new AWS account where the stack set is deployed will show up in Cloudaware automatically.
Service-Managed Permissions
...
1. Sign in to the AWS Console as an administrator of the master account. Select AWS Organizations under Management & Governance.
2. Enable all features in AWS Organizations: go to Settings tab → select Begin process to enable all features.
...
| Warning |
|---|
This action is irreversible! Read more |
...
| Note |
|---|
The IAM service-linked role created in the organization master account has the suffix CloudFormationStackSetsOrgAdmin. You can modify or delete this role only if trusted access with AWS Organizations is disabled. The IAM service-linked role created in each target account has the suffix CloudFormationStackSetsOrgMember. You can modify or delete this role only if trusted access with AWS Organizations is disabled, or if the account is removed from the target organization or organizational unit (OU). |
3.2. Select CloudFormation under Management & Governance.
3.3. Select StackSets. Click Enable trusted access.
...
STEP 3. Notify Cloudaware Support
1. Contact your dedicated account manager or support@cloudaware.com to provide the Role Name and External ID (or indicate whether it was left blank) used when setting up the CloudFormation stack for your Master AWS Organizations Account.
2. Once the request has been resolved, all AWS Organization Sub-Accounts will show up in the Admin panel.
STEP 4. Identify AWS Organizational Accounts That Didn't Get Onboarded Successfully
1. Navigate to Cloudaware CMDB → AWS Organizations → AWS Organizational Accounts.
2. Click Browse Objects.
Paste the following query and click Search:
| Code Block |
|---|
`Deleted From AWS` equals null -> `AWS Organization Account Name` ASC, `Account`.`Account Name` as "Actual Account", `Account ID`, `Email`, `Joined Method`, `Joined Timestamp`, `Parent Root ARN`, `Status` |
Any AWS Organizational Account where Actual Account is blank will not not be automatically added since Cloudaware is unable to assume an IAM role in it.