About AWS Organizations
AWS Organizations offers policy-based management for multiple AWS accounts. With Organizations, you can create groups of accounts, automate account creation, and apply and manage policies for those groups. Organizations enables you to centrally manage policies across multiple accounts without requiring custom scripts and manual processes.
Using AWS Organizations, you can create Service Control Policies (SCPs) that centrally control AWS service use across multiple AWS accounts. You can also use Organizations to automate the creation of new accounts through its APIs. Organizations simplifies billing for multiple accounts by letting you set up a single payment method for all the accounts in your organization through consolidated billing. AWS Organizations is available to all AWS customers at no additional charge.
More information can be found here
Benefits Of Using AWS Organizations In Cloudaware
- No need to manually add every AWS account.
- Automated on-boarding of AWS Accounts into Cloudaware.
- Ability to see which AWS Organization Accounts exist but are not in the Cloudaware CMDB as AWS Accounts.
Requirements
- The AWS Organization Master account has been added to the Cloudaware CMDB.
- Cloudaware has the following IAM permissions on the AWS Organization Master Account:
  organizations:DescribeOrganization
  organizations:ListRoots
  organizations:ListOrganizationalUnitsForParent
  organizations:ListAccountsForParent
Overview Checklist
- Ensure AWS Organizations Master Account has a green status indicator in the Admin Panel.
- Deploy Cloudaware CloudFormation template to all Organization Accounts
- Request auto-adding of all AWS Organization Accounts to Cloudaware CMDB
- AWS Organization Accounts are now visible as AWS Account objects.
STEP 1. Cloudaware Access To AWS Organizations Master Account
- Log in to the Cloudaware CMDB and navigate to AWS Organizations.
- You should see at least one AWS Organization and some number of AWS Organizational Accounts.
- If you do not see any AWS Organizations, there are two possible reasons:
  - Insufficient permissions on the AWS Organization Master Account.
  - The AWS Organization Master Account has not been added to Cloudaware.
Double-check the Requirements and Overview Checklist sections above.
STEP 2. Cloudaware Access To AWS Organizations Sub-Accounts
- Download the Cloudaware CloudFormation template with the IAM policy from the Cloudaware Admin Panel, or use your own custom template with the policy.
- Deploy the CloudFormation template in every AWS Organizations Sub-Account.
When granting Cloudaware access to an AWS Organization Sub-Account, the IAM External ID must be either the same value or blank for all AWS Organizational Sub-Accounts. See screenshot below.
If you need instructions on how to download the template and execute the CloudFormation stack, click here.
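The External ID rule above matters because the sts:ExternalId condition in the role's trust policy is what scopes a third party's AssumeRole to the tenant that issued the ID; when sub-accounts disagree, no single External ID can work for all of them. As an added example (not Cloudaware's template or code), the following Python reads role trust policies in the shape `aws iam get-role` returns and reports whether every sub-account requires the same sts:ExternalId, or all leave it blank. The trust policies are constructed, and the Cloudaware principal ARN is a placeholder.

```python
"""Verify that the role Cloudaware assumes in each sub-account requires one
consistent sts:ExternalId (the Step 2 rule: the same value everywhere, or blank
everywhere), by inspecting the role trust policies.

Added example, not Cloudaware's template or code. The trust policies below are
constructed, and CLOUDAWARE_PRINCIPAL is a placeholder for the real principal."""
import json
from typing import Dict, Optional, Set, Tuple

CLOUDAWARE_PRINCIPAL = "arn:aws:iam::CLOUDAWARE_ACCOUNT_ID_PLACEHOLDER:root"  # placeholder

# Markers for the per-account summary. Angle brackets are outside the ExternalId
# character set ([\w+=,.@:/-]), so they cannot collide with a real External ID.
MIXED = "<mixed>"          # trust policy accepts more than one ExternalId setting
NO_ASSUME_ROLE = "<none>"  # no Allow sts:AssumeRole statement at all


def _as_list(value) -> list:
    """IAM lets most policy fields be a single string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def external_ids_of(trust_policy: dict) -> Set[Optional[str]]:
    """ExternalIds accepted by the role's Allow sts:AssumeRole statements.

    None in the result means a statement grants AssumeRole with no ExternalId
    condition, i.e. the principal can assume the role without presenting one."""
    found: Set[Optional[str]] = set()
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        ids = _as_list(equals.get("sts:ExternalId"))
        found.update(ids or [None])
    return found


def check_external_ids(policies_by_account: Dict[str, dict]) -> Tuple[bool, Dict[str, Optional[str]]]:
    """Map account -> ExternalId (None = blank) and report whether every account agrees."""
    summary: Dict[str, Optional[str]] = {}
    for account_id, policy in policies_by_account.items():
        ids = external_ids_of(policy)
        summary[account_id] = next(iter(ids)) if len(ids) == 1 else (NO_ASSUME_ROLE if not ids else MIXED)
    distinct = set(summary.values())
    return len(distinct) == 1 and distinct.isdisjoint({MIXED, NO_ASSUME_ROLE}), summary


def trust_policy(external_id: Optional[str]) -> dict:
    """Build the shape of trust policy a CloudFormation template would attach to the role."""
    stmt = {"Effect": "Allow", "Principal": {"AWS": CLOUDAWARE_PRINCIPAL}, "Action": "sts:AssumeRole"}
    if external_id:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


# Constructed raw JSON, as the IAM API may return it: Statement as a single object,
# Action as a list. Both forms are legal and both must parse.
RAW_TRUST_POLICY_333 = """{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::CLOUDAWARE_ACCOUNT_ID_PLACEHOLDER:root"},
    "Action": ["sts:AssumeRole", "sts:TagSession"],
    "Condition": {"StringEquals": {"sts:ExternalId": "ext-id-EXAMPLE"}}
  }
}"""

# Constructed sample: the trust policy of the Cloudaware role in three sub-accounts.
SUBACCOUNT_TRUST_POLICIES: Dict[str, dict] = {
    "222222222222": trust_policy("ext-id-EXAMPLE"),
    "333333333333": json.loads(RAW_TRUST_POLICY_333),
    "444444444444": trust_policy(None),  # stack deployed without the External ID parameter
}

if __name__ == "__main__":
    ok, summary = check_external_ids(SUBACCOUNT_TRUST_POLICIES)
    for account_id, ext in summary.items():
        print(f"{account_id}: {'blank' if ext is None else ext}")
    print("consistent" if ok else "INCONSISTENT: one External ID cannot serve all sub-accounts")
```

Run against the constructed sample, the check fails because account 444444444444 was deployed without an External ID while the other two require one; redeploying that one stack with the shared value (or removing the condition everywhere) makes it pass.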
STEP 3. Notify Cloudaware Support
- Provide the External ID, or indicate that it was left blank.
- Once the request has been resolved, all AWS Organization Sub-Accounts will show up in the Admin Panel.
STEP 4. Identify AWS Organization Accounts That Didn't Get Onboarded Successfully
- Navigate to CMDB → AWS Organizations → AWS Organizational Accounts
- Click on Browse Objects
Paste the following query:
`Deleted From AWS` equals null -> `AWS Organization Account Name` ASC, `Account`.`Account Name` as "Actual Account", `Account ID`, `Email`, `Joined Method`, `Joined Timestamp`, `Parent Root ARN`, `Status`
Any AWS Organizational Account whose Actual Account is blank could not be auto-added, because Cloudaware was unable to assume the IAM role in it.
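The four permissions listed under Requirements are exactly the read-only calls needed to enumerate the organization tree, and Step 4 is a reconciliation of that tree against the CMDB. The following Python, added here as an example and not Cloudaware's code, walks an organization with those four calls (following NextToken pagination) and lists member accounts that are missing from a CMDB account inventory. `org` can be a real `boto3.client("organizations")`; `FakeOrganizationsClient` and every ID in it are constructed so the block runs offline.

```python
"""Walk an AWS Organization with the four read-only Organizations calls listed
under Requirements, then report member accounts that are absent from a CMDB
inventory (the Step 4 reconciliation).

Added example, not Cloudaware code. `org` may be any object exposing
describe_organization, list_roots, list_organizational_units_for_parent and
list_accounts_for_parent: a real boto3.client("organizations") qualifies, and
FakeOrganizationsClient below is a constructed offline stand-in (made-up IDs)."""
from typing import Callable, Iterable, List


def _paginate(call: Callable[..., dict], result_key: str, **kwargs) -> List[dict]:
    """Drain a paginated list call, following NextToken until it is absent."""
    items: List[dict] = []
    token = None
    while True:
        params = dict(kwargs)
        if token:
            params["NextToken"] = token  # boto3 rejects an explicit NextToken=None
        page = call(**params)
        items.extend(page.get(result_key, []))
        token = page.get("NextToken")
        if not token:
            return items


def list_organization_accounts(org) -> List[dict]:
    """Return every member account with the root/OU it sits under (depth-first walk)."""
    org_id = org.describe_organization()["Organization"]["Id"]  # organizations:DescribeOrganization
    pending = [(r["Id"], r["Arn"]) for r in _paginate(org.list_roots, "Roots")]  # organizations:ListRoots
    accounts: List[dict] = []
    while pending:
        parent_id, parent_arn = pending.pop()
        # organizations:ListAccountsForParent
        for acct in _paginate(org.list_accounts_for_parent, "Accounts", ParentId=parent_id):
            accounts.append({"OrganizationId": org_id, "Id": acct["Id"], "Name": acct.get("Name"),
                             "Email": acct.get("Email"), "Status": acct.get("Status"),
                             "JoinedMethod": acct.get("JoinedMethod"), "ParentArn": parent_arn})
        # organizations:ListOrganizationalUnitsForParent
        for ou in _paginate(org.list_organizational_units_for_parent, "OrganizationalUnits",
                            ParentId=parent_id):
            pending.append((ou["Id"], ou["Arn"]))
    return accounts


def find_not_onboarded(org_accounts: Iterable[dict], cmdb_account_ids: Iterable[str]) -> List[dict]:
    """Accounts in the Organization but not in the CMDB inventory, sorted by name.
    SUSPENDED (closed) accounts are skipped: no role can be assumed in them anyway."""
    known = set(cmdb_account_ids)
    missing = [a for a in org_accounts if a["Id"] not in known and a["Status"] != "SUSPENDED"]
    return sorted(missing, key=lambda a: a["Name"] or "")


def reconcile(org, cmdb_account_ids: Iterable[str]) -> List[dict]:
    return find_not_onboarded(list_organization_accounts(org), cmdb_account_ids)


class FakeOrganizationsClient:
    """Constructed stand-in for boto3.client("organizations"); every ID is made up."""
    _MGMT = "111111111111"
    _TREE = {  # parent -> (child OUs, accounts as (Id, Name, Status, JoinedMethod))
        "r-abcd": (["ou-abcd-11111111"], [("111111111111", "management", "ACTIVE", "INVITED")]),
        "ou-abcd-11111111": (["ou-abcd-22222222"], [("222222222222", "prod-web", "ACTIVE", "CREATED"),
                                                    ("333333333333", "prod-data", "ACTIVE", "CREATED")]),
        "ou-abcd-22222222": ([], [("444444444444", "sandbox", "ACTIVE", "CREATED"),
                                  ("555555555555", "retired", "SUSPENDED", "CREATED")]),
    }

    def describe_organization(self):
        return {"Organization": {"Id": "o-example1234", "MasterAccountId": self._MGMT}}

    def list_roots(self, **_):
        arn = f"arn:aws:organizations::{self._MGMT}:root/o-example1234/r-abcd"
        return {"Roots": [{"Id": "r-abcd", "Arn": arn, "Name": "Root"}]}

    def list_organizational_units_for_parent(self, ParentId, **_):
        ous = self._TREE[ParentId][0]
        return {"OrganizationalUnits": [{"Id": ou, "Name": ou,
                 "Arn": f"arn:aws:organizations::{self._MGMT}:ou/o-example1234/{ou}"} for ou in ous]}

    def list_accounts_for_parent(self, ParentId, NextToken=None, **_):
        rows = self._TREE[ParentId][1]
        idx = int(NextToken) if NextToken else 0  # one account per page exercises the caller's loop
        page = {"Accounts": [dict(zip(("Id", "Name", "Status", "JoinedMethod"), rows[idx]),
                                  Email=f"{rows[idx][1]}@example.com")] if idx < len(rows) else []}
        if idx + 1 < len(rows):
            page["NextToken"] = str(idx + 1)
        return page


if __name__ == "__main__":
    # Constructed CMDB inventory: only the management account and prod-web were onboarded.
    for a in reconcile(FakeOrganizationsClient(), ["111111111111", "222222222222"]):
        print(f"{a['Id']}  {a['Name']:<10} {a['Status']:<9} {a['ParentArn']}")
```

With the constructed tree, the report names prod-data and sandbox as not onboarded and skips the suspended account; against a live organization the same output is the list of sub-accounts in which the Cloudaware role could not be assumed, the same set the CMDB query above surfaces as a blank Actual Account.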