
AWS Organizations


AWS Organizations is policy-based management for multiple AWS accounts.


About AWS Organizations

AWS Organizations offers policy-based management for multiple AWS accounts. With Organizations, you can create groups of accounts, automate account creation, apply and manage policies for those groups. Organizations enables you to centrally manage policies across multiple accounts, without requiring custom scripts and manual processes.

Using AWS Organizations, you can create Service Control Policies (SCPs) that centrally control AWS service use across multiple AWS accounts. You can also use Organizations to automate the creation of new accounts through its APIs. Organizations simplifies billing for multiple accounts by letting you set up a single payment method for all the accounts in your organization through consolidated billing. AWS Organizations is available to all AWS customers at no additional charge.
More information can be found here.



Benefits Of Using AWS Organizations In Cloudaware


  1. No need to manually add every AWS account

  2. Automate on-boarding of your AWS Accounts into Cloudaware

  3. Ability to see which AWS Organizational Accounts exist but are not in Cloudaware CMDB as AWS Accounts.

Requirements

  1. AWS Organization Master Account has been added to Cloudaware CMDB.

  2. Cloudaware has the following IAM permissions on AWS Organizations Master Account:

organizations:DescribeOrganization
organizations:ListRoots
organizations:ListOrganizationalUnitsForParent
organizations:ListAccountsForParent
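The four permissions above are exactly what is needed to walk the organization tree (roots, then OUs, then the accounts under each parent). The script below does that walk and then reports the accounts that are missing from a CMDB, which is benefit 3 in the list above. It is an added example and not Cloudaware's own code: run under the Cloudaware role in the master account it doubles as a check that the role's permissions are sufficient, since a missing permission surfaces as an AccessDeniedException on the corresponding call. The FakeOrganizationsClient and all account IDs, OU IDs and names in it are constructed so the script runs offline.

```python
"""Walk an AWS Organization and list accounts the CMDB does not know about.

Added example; it is not Cloudaware code. It uses only the four Organizations
read permissions listed above, so running it under the Cloudaware role in the
master account is a quick way to confirm those permissions are sufficient.
FakeOrganizationsClient and its account data are constructed for offline use.
"""
from typing import Callable, Dict, List, Set


def _paginate(method: Callable[..., dict], result_key: str, **kwargs) -> List[dict]:
    """Follow NextToken until the API stops returning one."""
    items: List[dict] = []
    while True:
        resp = method(**kwargs)
        items.extend(resp.get(result_key, []))
        token = resp.get("NextToken")
        if not token:
            return items
        kwargs["NextToken"] = token


def walk_organization(client) -> Dict[str, dict]:
    """Return {account_id: {"Name", "Status", "Path"}} for every account under every root.

    Calls DescribeOrganization, ListRoots, ListOrganizationalUnitsForParent and
    ListAccountsForParent. A missing permission surfaces as an AccessDeniedException
    raised by the client: the 'insufficient permissions' case from the Note in STEP 1.
    """
    client.describe_organization()  # fails fast if the role cannot read the organization
    found: Dict[str, dict] = {}
    # Explicit stack of (parent_id, path): iterative, so a deep OU tree cannot hit the recursion limit.
    stack = [(root["Id"], root["Name"]) for root in _paginate(client.list_roots, "Roots")]
    while stack:
        parent_id, path = stack.pop()
        for acct in _paginate(client.list_accounts_for_parent, "Accounts", ParentId=parent_id):
            found[acct["Id"]] = {"Name": acct["Name"], "Status": acct["Status"], "Path": path}
        for ou in _paginate(client.list_organizational_units_for_parent, "OrganizationalUnits",
                            ParentId=parent_id):
            stack.append((ou["Id"], f"{path}/{ou['Name']}"))
    return found


def missing_from_cmdb(accounts: Dict[str, dict], cmdb_account_ids: Set[str]) -> Set[str]:
    """Organization accounts that are ACTIVE but absent from the CMDB (benefit 3 above).

    SUSPENDED accounts are skipped: they cannot run the Cloudaware stack, so reporting
    them would only produce noise.
    """
    return {aid for aid, meta in accounts.items()
            if meta["Status"] == "ACTIVE" and aid not in cmdb_account_ids}


class FakeOrganizationsClient:
    """Constructed stand-in for boto3.client("organizations"); every ID and name is made up."""

    _ous = {
        "r-abcd": [{"Id": "ou-abcd-11111111", "Name": "Workloads"}],
        "ou-abcd-11111111": [{"Id": "ou-abcd-22222222", "Name": "Prod"}],
        "ou-abcd-22222222": [],
    }
    _accounts = {
        "r-abcd": [{"Id": "111111111111", "Name": "master", "Status": "ACTIVE"}],
        "ou-abcd-11111111": [{"Id": "222222222222", "Name": "shared-services", "Status": "ACTIVE"}],
        "ou-abcd-22222222": [
            {"Id": "333333333333", "Name": "prod-app", "Status": "ACTIVE"},
            {"Id": "444444444444", "Name": "old-prod", "Status": "SUSPENDED"},
        ],
    }

    def describe_organization(self) -> dict:
        return {"Organization": {"Id": "o-constructed", "MasterAccountId": "111111111111"}}

    def list_roots(self, **kwargs) -> dict:
        return {"Roots": [{"Id": "r-abcd", "Name": "Root"}]}

    def list_organizational_units_for_parent(self, ParentId: str, **kwargs) -> dict:
        return {"OrganizationalUnits": self._ous[ParentId]}

    def list_accounts_for_parent(self, ParentId: str, **kwargs) -> dict:
        # One account per page, so the NextToken loop in _paginate is exercised.
        accts = self._accounts[ParentId]
        start = int(kwargs.get("NextToken") or 0)
        resp = {"Accounts": accts[start:start + 1]}
        if start + 1 < len(accts):
            resp["NextToken"] = str(start + 1)
        return resp


if __name__ == "__main__":
    try:
        import boto3  # real run: credentials for the Cloudaware role in the master account
        client = boto3.client("organizations")
    except ImportError:
        client = FakeOrganizationsClient()
    accounts = walk_organization(client)
    known = {"111111111111"}  # constructed: replace with the account IDs already in the CMDB
    for aid in sorted(missing_from_cmdb(accounts, known)):
        print(f"{aid}  {accounts[aid]['Name']}  ({accounts[aid]['Path']})")
```

With the constructed data the walk finds four accounts and reports 222222222222 and 333333333333 as missing; the suspended 444444444444 is deliberately left out. Against a real organization, replace the fake client with boto3 and the `known` set with the account IDs already present in the CMDB.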

Overview Checklist

  1. Ensure AWS Organizations Master Account has a green status indicator in the Admin panel.

  2. Deploy the Cloudaware CloudFormation template to all AWS Organizational Accounts

  3. Request auto-adding of all AWS Organizational Accounts to Cloudaware CMDB

  4. AWS Organizational Accounts are now visible as AWS Account objects.


STEP 1. Cloudaware Access To AWS Organizations Master Account


1. Log in to your Cloudaware account and navigate to AWS Organizations.



2. You should see at least one AWS Organization and N number of AWS Organizational Accounts.


Note

If you do not see any AWS Organizations, there are two possible reasons:

  1. Insufficient permissions on AWS Organizations Master Account.

  2. AWS Organizations Master Account has not been added to Cloudaware.


Double check Requirements and Overview Checklist sections above.



If you need instructions on how to download the template and execute CloudFormation Stack, click here.


Adding multiple AWS accounts with CloudFormation StackSets


A stack set can be used to deploy Cloudaware CloudFormation template to multiple AWS accounts at once. Since stack sets perform stack operations across multiple accounts, you should have the necessary permissions defined in your AWS accounts before you create your first stack set.

Self-Managed Permissions


1. Log in to your AWS Console and locate the account that will administer the stack set (referred to below as the root account; this is an AWS account, not the IAM root user).

2. In the root account, create an IAM role AWSCloudFormationStackSetAdministrationRole using this template: https://s3.amazonaws.com/cloudformation-stackset-sample-templates-us-east-1/AWSCloudFormationStackSetAdministrationRole.yml

3. In each (!) target account where individual stacks are to be created, create a service role named AWSCloudFormationStackSetExecutionRole that trusts the root account using this template: https://s3.amazonaws.com/cloudformation-stackset-sample-templates-us-east-1/AWSCloudFormationStackSetExecutionRole.yml

Note

When creating the trust relationship between each target account and a customized administration role, you can control which users and groups can perform stack set operations in which target accounts. You can also define:

  • Which resources users and groups can include in their stack sets.

  • Which stack set operations specific users and groups can perform. Read more

4. Ensure that the root account has been added to Cloudaware. Any new AWS account where the stack set is deployed will show up in Cloudaware automatically.


Service-Managed Permissions


AWS Organizations provides centralized governance over the creation and management of your AWS accounts. Before creating a stack set in your AWS Organizations Master Account:


1. Sign in to the AWS Console as an administrator of the master account. Select AWS Organizations under Management & Governance.

2. Enable all features in AWS Organizations: go to the Settings tab → select Begin process to enable all features.




Warning

This action is irreversible! Read more


3. Enable trusted access with AWS Organizations:

 3.1. Open AWS Console as administrator of your AWS Organizations Master Account.

Note

The IAM service-linked role created in the organization master account has the suffix CloudFormationStackSetsOrgAdmin. You can modify or delete this role only if trusted access with AWS Organizations is disabled. 

The IAM service-linked role created in each target account has the suffix CloudFormationStackSetsOrgMember. You can modify or delete this role only if trusted access with AWS Organizations is disabled, or if the account is removed from the target organization or organizational unit (OU).

 3.2. Select CloudFormation under Management & Governance.

 3.3. Select StackSets. Click Enable trusted access.



Once trusted access is enabled, StackSets creates the service-linked roles described in the note above in the AWS Organizations master account and in every target account to which stack instances are deployed. If the roles do not appear, check the Requirements section.
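The two procedures above differ only in who holds the cross-account trust: with self-managed permissions you supply the administration role ARN and the execution role name yourself, with service-managed permissions the service-linked roles are used and StackSets can target whole OUs with auto-deployment. The script below builds the CreateStackSet and CreateStackInstances calls for both models side by side. It is an added example, not Cloudaware or AWS code. It assumes the Cloudaware template is reachable at an S3 URL (the URL below is a placeholder), declares whatever parameters you pass in (the ExternalId parameter name is a placeholder, use the names the downloaded template declares), and creates only named IAM resources, which is why CAPABILITY_NAMED_IAM is requested and deployment is restricted to a single region. FakeCloudFormationClient is a constructed stand-in for boto3.client("cloudformation").

```python
"""Build the CreateStackSet / CreateStackInstances calls for the Cloudaware template
under both StackSets permission models.

Added example; not Cloudaware or AWS code. Assumptions: the template sits at an S3 URL,
declares the parameters passed in (ExternalId is a placeholder name), and creates only
named IAM resources, hence CAPABILITY_NAMED_IAM and exactly one region.
FakeCloudFormationClient is a constructed stand-in for boto3.client("cloudformation").
"""
from typing import Dict, List

ADMIN_ROLE = "AWSCloudFormationStackSetAdministrationRole"  # created in the root account (step 2)
EXECUTION_ROLE = "AWSCloudFormationStackSetExecutionRole"   # created in every target account (step 3)


def _base(name: str, template_url: str, parameters: Dict[str, str]) -> dict:
    return {
        "StackSetName": name,
        "TemplateURL": template_url,
        "Parameters": [{"ParameterKey": k, "ParameterValue": v} for k, v in parameters.items()],
        "Capabilities": ["CAPABILITY_NAMED_IAM"],  # the template creates a named IAM role
    }


def self_managed_stackset(name: str, template_url: str, parameters: Dict[str, str],
                          admin_account_id: str, admin_role: str = ADMIN_ROLE,
                          execution_role: str = EXECUTION_ROLE) -> dict:
    """Self-managed model: StackSets assumes the administration role in the root account,
    which then assumes the execution role that every target account must already trust.
    Passing a customised admin role name here is how you control which operators can
    reach which target accounts, as the Note in the Self-Managed section describes."""
    kwargs = _base(name, template_url, parameters)
    kwargs.update({
        "PermissionModel": "SELF_MANAGED",
        "AdministrationRoleARN": f"arn:aws:iam::{admin_account_id}:role/{admin_role}",
        "ExecutionRoleName": execution_role,
    })
    return kwargs


def service_managed_stackset(name: str, template_url: str, parameters: Dict[str, str]) -> dict:
    """Service-managed model: the CloudFormationStackSetsOrgAdmin / OrgMember service-linked
    roles are used, so no role ARNs are passed. AutoDeployment is what makes an account that
    joins a targeted OU later receive the Cloudaware stack without manual work;
    RetainStacksOnAccountRemoval=False deletes the Cloudaware role again when an account
    leaves the OU, so access does not outlive membership."""
    kwargs = _base(name, template_url, parameters)
    kwargs.update({
        "PermissionModel": "SERVICE_MANAGED",
        "AutoDeployment": {"Enabled": True, "RetainStacksOnAccountRemoval": False},
    })
    return kwargs


def _instances(name: str, regions: List[str]) -> dict:
    if len(regions) != 1:
        # IAM is global: a named role deployed to a second region collides with the first.
        raise ValueError("deploy an IAM-only template to exactly one region")
    return {
        "StackSetName": name,
        "Regions": regions,
        # Stop at the first failing account instead of continuing the roll-out.
        "OperationPreferences": {"FailureToleranceCount": 0, "MaxConcurrentCount": 1},
    }


def self_managed_instances(name: str, accounts: List[str], regions: List[str]) -> dict:
    """Target accounts are listed explicitly; each needs the execution role already in place."""
    return {**_instances(name, regions), "Accounts": accounts}


def service_managed_instances(name: str, ou_ids: List[str], regions: List[str]) -> dict:
    """Target whole OUs; AutoDeployment then covers accounts that join them later."""
    return {**_instances(name, regions), "DeploymentTargets": {"OrganizationalUnitIds": ou_ids}}


def deploy(client, stackset_kwargs: dict, instances_kwargs: dict) -> str:
    """Create the stack set, then its instances; returns the StackSets operation ID to poll."""
    client.create_stack_set(**stackset_kwargs)
    return client.create_stack_instances(**instances_kwargs)["OperationId"]


class FakeCloudFormationClient:
    """Constructed stand-in that records calls instead of talking to AWS."""

    def __init__(self) -> None:
        self.calls: List[tuple] = []

    def create_stack_set(self, **kwargs) -> dict:
        self.calls.append(("create_stack_set", kwargs))
        return {"StackSetId": f"{kwargs['StackSetName']}:constructed"}

    def create_stack_instances(self, **kwargs) -> dict:
        self.calls.append(("create_stack_instances", kwargs))
        return {"OperationId": "op-constructed"}


if __name__ == "__main__":
    cfn = FakeCloudFormationClient()  # swap for boto3.client("cloudformation") in the master account
    params = {"ExternalId": "replace-me"}  # placeholder parameter name; use the template's own
    template = "https://s3.amazonaws.com/example-bucket/cloudaware.yml"  # placeholder URL
    op = deploy(cfn,
                service_managed_stackset("cloudaware", template, params),
                service_managed_instances("cloudaware", ["ou-abcd-11111111"], ["us-east-1"]))
    print("operation", op)
```

For the self-managed model, pair self_managed_stackset with self_managed_instances and an explicit account list; for the service-managed model, pair service_managed_stackset with service_managed_instances and the OU IDs, after trusted access has been enabled as in step 3 above. Either way, poll the returned operation ID with DescribeStackSetOperation before telling Cloudaware Support the deployment is complete.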


STEP 3. Notify Cloudaware Support


1. Contact your dedicated account manager or support@cloudaware.com to provide the Role Name and External ID (or indicate whether it was left blank) used when setting up the CloudFormation stack for your Master AWS Organizations Account. The External ID is the standard AWS safeguard against the confused-deputy problem for roles assumed by a third party, so set one rather than leaving it blank wherever you can.


2. Once the request has been resolved, all AWS Organization Sub-Accounts will show up in the Admin panel.
