
Configure AWS Organization #121

@dsiguero

Description

This has been set up, making the mgmt account the root of the Organization, and creating 2 OUs (Organizational Units) for prod and nonprod and placing the accounts with the same alias there.

However, there are more things we can take advantage of:

  • Centralized billing: seems to be enabled by default, we'll see whenever we get a new bill
  • IAM Identity center: to simplify user access between Organization accounts
  • SCPs (Service control policies):
    • Deny root account use: probably not, because we might lock ourselves out.
    • Restrict allowed regions to eu-west-1:

      ```json
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "DenyUnsupportedRegions",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
              "StringNotEquals": {
                "aws:RequestedRegion": "eu-west-1"
              }
            }
          }
        ]
      }
      ```

    • Block IAM user creation (enforcing IAM Identity center):

      ```json
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "DenyIAMUser",
            "Effect": "Deny",
            "Action": [
              "iam:CreateUser",
              "iam:DeleteUser",
              "iam:UpdateUser",
              "iam:CreateLoginProfile",
              "iam:DeleteLoginProfile",
              "iam:UpdateLoginProfile"
            ],
            "Resource": "*"
          }
        ]
      }
      ```

    • Protect sensitive services in prod: i.e., don't delete logs, don't allow deletion of dynamo tables, etc.
    • Disallow services we're not using: i.e., RDS, etc.
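Added example (not part of the issue or its repository): a minimal evaluator for Deny-only SCPs that checks the two policies above against sample requests, and shows one caveat a reviewer would want tested before attaching the region SCP: requests to the global endpoints of services such as IAM and STS are evaluated with `aws:RequestedRegion` set to `us-east-1`, so the blanket version also denies IAM calls. The `REGION_SCP_GLOBAL_EXEMPT` variant with its `NotAction` carve-out is an assumption added here, and its service list is illustrative only.

```python
import fnmatch

# SCPs from the issue, plus a hardened variant (added here, not from the issue):
# global services such as IAM/STS/Organizations are requested via us-east-1, so the
# blanket Deny would block them too. The NotAction list is illustrative, not complete.
REGION_SCP = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyUnsupportedRegions", "Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": "eu-west-1"}}}]}

REGION_SCP_GLOBAL_EXEMPT = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyUnsupportedRegions", "Effect": "Deny", "Resource": "*",
    "NotAction": ["iam:*", "sts:*", "organizations:*", "route53:*", "cloudfront:*", "support:*"],
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": "eu-west-1"}}}]}

IAM_USER_SCP = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyIAMUser", "Effect": "Deny", "Resource": "*",
    "Action": ["iam:CreateUser", "iam:DeleteUser", "iam:UpdateUser",
               "iam:CreateLoginProfile", "iam:DeleteLoginProfile", "iam:UpdateLoginProfile"]}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches_any(action, patterns):
    # IAM action names are case-insensitive; '*' and '?' are the only wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))

def _action_matches(stmt, action):
    if "Action" in stmt:
        return _matches_any(action, stmt["Action"])
    return not _matches_any(action, stmt["NotAction"])

def _condition_matches(condition, ctx):
    # Only the operators these SCPs use; every key in every block must hold (AND).
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "StringEquals" and actual not in _as_list(expected):
                return False
            if operator == "StringNotEquals" and actual in _as_list(expected):
                return False
            if operator not in ("StringEquals", "StringNotEquals"):
                raise ValueError(f"unsupported condition operator: {operator}")
    return True

def scp_denies(policy, action, ctx):
    """True when a Deny statement matches; SCPs only filter, they never grant."""
    return any(stmt.get("Effect") == "Deny" and _action_matches(stmt, action)
               and _condition_matches(stmt.get("Condition", {}), ctx)
               for stmt in policy["Statement"])
```

Run the evaluator over a few (action, region) pairs in a dry run before attaching a policy to the prod OU; a false Deny on `iam:*` or `sts:*` shows up immediately here rather than as a locked-out account.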
