
AWS Organizations provides policy-based management for multiple AWS accounts.

...

Using AWS Organizations, you can create Service Control Policies (SCPs) that centrally control AWS service use across multiple AWS accounts. You can also use Organizations to help automate the creation of new accounts through APIs. Organizations helps simplify billing for multiple accounts by letting you set up a single payment method for all the accounts in your organization through consolidated billing. AWS Organizations is available to all AWS customers at no additional charge. More information can be found here.

...


Benefits Of Using AWS Organizations In Cloudaware

...

2.2. Select StackSets. Click Enable trusted access.

[screen]

Once it is done, StackSets creates the necessary IAM roles in the AWS Organizations master account and target accounts where stack instances will be deployed.

The IAM service-linked role created in the Organization master account has the suffix CloudFormationStackSetsOrgAdmin. You can modify or delete this role only if trusted access with AWS Organizations is disabled. 

The IAM service-linked role created in each target account has the suffix CloudFormationStackSetsOrgMember. You can modify or delete this role only if trusted access with AWS Organizations is disabled, or if the account is removed from the target organization or organizational unit (OU).

StackSet Creation

1. Log in to your Cloudaware account → Admin → Amazon Accounts. Click +Add.

[screen]

2. Select 'Using IAM Role'. Download the Cloudaware CloudFormation template ensuring the following permissions are in place:

"organizations:Des*"
"organizations:Li*"

3. Go back to the AWS Console. Select Services → CloudFormation under Management & Governance → StackSets.

4. Click Create StackSet.

[screen]

5. Select 'Template is ready' and 'Upload a template file'. Click Choose file to upload the Cloudaware CloudFormation template you downloaded earlier. Click Next.

[screen]

6. Give the stack set a name. In CloudAware Role Name, replace the 'auto-generate' role with a custom Role Name. Insert the External ID*.

[screen]

*Get the External ID generated by clicking in the 'Add Amazon Details' form in Cloudaware.

[screen]

7. Select the policies to be enabled. Click Next.

8. Select 'Service-Managed Permissions'. Click Next.

If you prefer using Self-Managed permissions, set up:

9. Optional: set deployment options. Click Next. Read more

10. Review the stackset details. Click Submit. Wait for the stackset to be created.

11. Contact your dedicated account manager at tam@cloudaware.com to provide the custom Role Name and External ID used during the stackset creation, along with your AWS Organization Master Account ID.
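An added example (not part of the Cloudaware template or documentation) that audits the two wildcards from step 2: it expands `organizations:Des*` and `organizations:Li*` against a constructed subset of AWS Organizations action names, confirms they match only Describe/List calls, and shows what shorter prefixes would also grant. The action lists and function names are assumptions of this example.

```python
import re

# Constructed sample of AWS Organizations action names (a subset, embedded so
# the check runs offline); the full list is in the IAM service reference.
READ_ACTIONS = [
    "DescribeAccount", "DescribeOrganization", "DescribeOrganizationalUnit",
    "DescribePolicy", "ListAccounts", "ListAccountsForParent", "ListChildren",
    "ListParents", "ListPolicies", "ListRoots", "ListTagsForResource",
]
WRITE_ACTIONS = [
    "CreateAccount", "DeclineHandshake", "DeleteOrganization", "DeletePolicy",
    "DeregisterDelegatedAdministrator", "DetachPolicy",
    "DisableAWSServiceAccess", "DisablePolicyType", "LeaveOrganization",
    "MoveAccount", "UpdatePolicy",
]
ALL_ACTIONS = ["organizations:" + a for a in READ_ACTIONS + WRITE_ACTIONS]


def iam_pattern_to_regex(pattern):
    """Translate an IAM action pattern ('*' = any run, '?' = one char)."""
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    # IAM compares action names case-insensitively.
    return re.compile("".join(parts), re.IGNORECASE)


def expand(patterns, actions=ALL_ACTIONS):
    """Return the sorted actions matched by any of the patterns."""
    regexes = [iam_pattern_to_regex(p) for p in patterns]
    return sorted(a for a in actions if any(r.fullmatch(a) for r in regexes))


def write_actions_granted(patterns):
    """Return the matched actions that appear in the WRITE_ACTIONS sample."""
    writes = {"organizations:" + a for a in WRITE_ACTIONS}
    return [a for a in expand(patterns) if a in writes]


if __name__ == "__main__":
    for pats in (["organizations:Des*", "organizations:Li*"],
                 ["organizations:De*", "organizations:L*"]):
        print(pats, "->", write_actions_granted(pats) or "read-only")
```

The same expansion can be run against the policy statements in the downloaded template before the StackSet is submitted, to confirm the role stays read-only on the Organizations API.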

...

2. You should see at least one AWS Organization and N number of AWS Organizational Accounts.

[screen]

Identify AWS Organizational Accounts That Didn’t Get Onboarded Successfully

...

1. In the Cloudaware menu, navigate to AMAZON WEB SERVICES → Security, Identity, Compliance → AWS Organizational Accounts.

2. Click Browse Objects:

[screen]

3. Paste the following query and click Search:

...


If you need instructions on how to download the template and execute CloudFormation Stack, click here.


Adding multiple AWS accounts with CloudFormation StackSets

...