Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Info

This article explains how to add AWS Organizations is a Policyto Cloudaware. AWS Organization is policy-based management for multiple AWS accounts.

...

AWS Organizations offers policy-based management for multiple AWS accounts. With Organizations, you can create groups of AWS accounts, automate account creation, apply and manage policies for those groups. Organizations enables enable you to centrally manage policies across multiple accounts, without requiring custom scripts and manual processes.

Using AWS Organizations, you can create Service Control Policies (SCPs) that centrally control AWS service use across multiple AWS accounts. You can also use Organizations to help automate the creation of new accounts through APIs. AWS Organizations helps simplify the billing for multiple accounts by enabling you to setup set up a single payment method for all the accounts in your organization through consolidated billing. AWS Organizations is available to all AWS customers at no additional charge. More information can be found here.

...

Benefits Of Using AWS Organizations In Cloudaware

  1. No need to manually add every AWS account

  2. Automate

...

  1. the onboarding of your AWS Accounts into Cloudaware

  2. Ability to see which AWS Organizational Accounts exist but are not in Cloudaware CMDB as AWS Accounts.

...

Requirements

...

AWS Organization Master Account has been added to Cloudaware CMDB.

...

Adding AWS Organization To Cloudaware

1. Log in to Cloudaware account → Admin → Amazon Organizations & Accounts. Click +Add.

2. Address Cloudaware AWS Start Guide to add AWS Organizations Master Account using IAM Role integration type.

3. Ensure that Cloudaware CloudFormation template you will apply has the following permissions in place:

Code Block
"organizations:DescribeOrganizationDes*"
"organizations:ListRoots
organizations:ListOrganizationalUnitsForParent
organizations:ListAccountsForParent

Overview Checklist

...

Li*"

4. Click CheckSave. Go back to Admin → Organizations & Amazon Accounts → N configured → the tab ‘Accounts' to ensure AWS Organization Master Account has a green status indicator

...

Deploy the Cloudaware CloudFormation template to all AWS Organizational Accounts

...

Request auto-adding of all AWS Organizational Accounts to Cloudaware CMDB

...

AWS Organizational Accounts are now visible as AWS Account objects.

STEP 1. Cloudaware Access To AWS Organizations Master Account

1. Log in to your Cloudaware account and navigate to AWS Organizations.

...

2. You should see at least one AWS Organization and N number of AWS Organizational Accounts.

...

If you do not see any AWS Organizations, there are two possible reasons:

  1. Insufficient permissions on AWS Organizations Master Account.

  2. AWS Organizations Master Account has not been added to Cloudaware.

...

STEP 2. Cloudaware Access To AWS Organizations Sub-Accounts

1. Download the Cloudaware CloudFormation Template with IAM policy from the Cloudaware Admin panel or use your custom template with policy.

2. Deploy CloudFormation template on every AWS Organizations Sub-Account.

Note

When granting Cloudaware access to AWS Organizations Sub-Account, IAM External ID must be either blank or the same value for all AWS Organizations Sub Accounts. See the screenshot below.

Image Removed

...

Adding multiple AWS accounts with CloudFormation StackSets

...

Self-Managed Permissions

1. Log in to your AWS Console and locate the root account where the stack set is to be created.

2. In the root account, create an IAM role AWSCloudFormationStackSetAdministrationRole using this template: https://s3.amazonaws.com/cloudformation-stackset-sample-templates-us-east-1/AWSCloudFormationStackSetAdministrationRole.yml

...

Note

When creating the trust relationship between each target account and a customized administration role, you can control which users and groups can perform stack set operations in which target accounts. You can also define:

  • Which resources users and groups can include in their stack sets.

  • Which stack set operations specific users and groups can perform. Read more

4. Ensure that the root account has been added to Cloudaware. Any new AWS account where the stack set is deployed will show up in Cloudaware automatically.

Service-Managed Permissions

AWS Organizations provides you with the centralized governance over your AWS accounts creation and management. Before creating a stack set in your AWS Organizations Master Account:

1. Sign in to the AWS Console as an administrator of the master account. Select AWS Organizations under Management & Governance.

2. Enable all features in AWS Organizations: go to Settings tab → select Begin process to enable all features.

...

Warning

This action is irreversible! Read more

...

.

5. Select the tab 'Organizations' → click +Add Amazon Organization. Fill out the form selecting your Organization Master Account in Trusted Account and providing other account-related data. Click CheckSave.

6. In Cloudaware, navigate to AMAZON WEB SERVICES → Security, Identity, Compliance → Organizations. AWS Organization should be visible in Cloudaware.

...

Note

Collection of AWS Organizational Accounts may take up to 6 hours.

Using AWS CloudFormation StackSets With AWS Organizations

Use AWS CloudFormation StackSets to roll out Cloudaware CloudFormation stack over multiple AWS accounts in your AWS Organization and allow Cloudaware to collect AWS Organization Sub-Accounts.

Requirements

  • Ensure that you are using AWS Organizations. Read more

  • Ensure all features are enabled in your AWS Organization. NOTE: this action is irreversible! Read more

Pre-configuration

1. Sign in to AWS Console as an administrator.

2. Enable trusted access with AWS Organizations:

2.1. Select CloudFormation under Management & Governance.

2.2. Select StackSets. Click Enable trusted access.

...

Once it is done, StackSets creates the necessary IAM roles in the AWS Organizations master account and target accounts where stack instances will be deployed.

The IAM service-linked role created in the

...

Organization master account has the suffix CloudFormationStackSetsOrgAdmin. You can modify or delete this role only if trusted access with AWS Organizations is disabled. 

The IAM service-linked role created in each target account has the suffix CloudFormationStackSetsOrgMember. You can modify or delete this role only if trusted access with AWS Organizations is disabled, or if the account is removed from the target organization or organizational unit (OU).

...

StackSet Creation

1. Log in to your Cloudaware account → Admin → Amazon Organizations & Accounts. Click +Add.

...

2. Select 'Using IAM Role'. Download the Cloudaware CloudFormation template ensuring the following permissions are in place:

Code Block
"organizations:Des*"
"organizations:Li*"

3. Gо back to AWS Console. Select Services → CloudFormation under Management & Governance StackSets.

4. Click Create StackSet.

...

5. Select 'Template is ready' and 'Upload a template file'. Click Choose file to upload the Cloudaware CloudFormation template you downloaded earlier. Click Next.

...

6. Give a name to the stack set. Replace 'auto-generate' role with a custom Role Name in CloudAware Role Name. Insert External ID*.

...

*Get External ID generated by clicking ‘Generate Random’ button in 'Add Amazon Details' form in Cloudaware.

 3.3. Select StackSets. Click Enable trusted access.

...

Once it is done, StackSets creates the necessary IAM roles in the AWS Organizations master account and target accounts to which stack instances will be deployed. Otherwise, check Requirements.

STEP 3. Notify Cloudaware Support

1. Contact your dedicated account manager or support@cloudaware.com to provide the Role Name and External ID (or indicate whether it was left blank) used when setting up the CloudFormation stack for your Master AWS Organizations Account.

2. Once the request has been resolved, all AWS Organization Sub-Accounts will show up in the Admin panel.

...

...

7. Select the policies to be enabled. Click Next.

8. Select 'Service-Managed Permissions'*. Click Next.

...

*If you prefer using Self-Managed permissions, set up:

9. Optional: set deployment options*. Click Next.

*You can limit the stackset deployment to specific OUs to limit account discovery in the AWS Organization. Read more to learn how to specify the OUs as deployment targets. 

IMPORTANT: If you already have a specific OU onboarded by Cloudaware and would like to add another one(s) - please create a stackset with new OU(s) specified using the same Role Name and External ID as you used when adding your first OU.

10. Review the stackset details. Click Submit. Wait for the stackset to be created.

11. Contact your dedicated account manager at tam@cloudaware.com to provide the custom Role Name and External ID used during the stackset creation, along with your AWS Organization Master Account ID.

Note

The auto-collection of AWS Organizational Sub-Accounts in Cloudaware may take time.

Identify AWS Organizational Accounts That Got Onboarded Successfully

1. In Cloudaware CMDB Navigator, go to AMAZON WEB SERVICES → Security, Identity, Compliance → Organizations.

2. You should see at least one AWS Organization and N number of AWS Organizational Accounts.

Identify AWS Organizational Accounts That Didn't Get Onboarded Successfully

1.  Navigate to Cloudaware CMDB → AWS Organizations In Cloudaware CMDB Navigator, go to AMAZON WEB SERVICES → Security, Identity, Compliance → AWS Organizational Accounts.

2. Click Click Browse Objects.:Image Removed 

...

3. Paste the following query and click Search:

Code Block
`Deleted From AWS` equals null -> `AWS Organization Account Name` ASC, `Account`.`Account Name` as "Actual Account", `Account ID`, `Email`, `Joined Method`, `Joined Timestamp`, `Parent Root ARN`, `Status`

Any AWS Organizational Account accounts where 'Actual Account' is blank will not not can't be automatically added since Cloudaware since Cloudaware is unable to assume an IAM role in itits IAM role.

Troubleshooting

If you do not see any AWS Organizations, there are two possible reasons:

  1. Insufficient permissions on AWS Organizations Master Account.

  2. AWS Organizations Master Account has not been added to Cloudaware.

If the AWS Organization master account has been added to Cloudaware but auto-collection doesn't take place, check if Role Name and External ID are custom, as they shouldn't be left auto-populated by Cloudaware during the StackSet creation.