AWS Organizations Security
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
Lesson: AWS Organizations Security and Governance
Introduction: The Multi-Account Strategy
In the early days of cloud computing, many organizations started their journey with a single AWS account. It seemed simple: one account, one set of credentials, and one billing dashboard. However, as organizations grow, this single-account approach becomes a massive bottleneck and a significant security risk. When you have production, development, testing, and sandbox environments sharing the same account, a misconfiguration in a sandbox can potentially compromise your production database. This is where AWS Organizations becomes essential.
AWS Organizations is a service that allows you to manage multiple AWS accounts centrally. It provides a hierarchical structure for your accounts, enabling you to apply security policies, manage billing, and enforce governance across your entire cloud footprint. By moving to a multi-account environment, you gain the ability to isolate workloads, delegate administration, and apply different security postures to different departments or projects. This lesson will guide you through the intricacies of securing an AWS multi-account environment, ensuring that your organization remains both agile and protected.
Understanding this topic is critical because security in the cloud is no longer just about firewalls and passwords; it is about the structural integrity of your account architecture. A well-designed AWS Organizations setup acts as the foundation for your entire security program. Without it, you are likely to suffer from "permission creep," where users have access to resources they do not need, or "governance drift," where individual accounts evolve into unique, unmanaged entities that are difficult to audit.
The Fundamentals of AWS Organizations
At its core, AWS Organizations is about structure. You have an Organization, which is the entity that contains all your accounts. Within this organization, you have an Organization Root, which is the parent container. From the root, you can create Organizational Units (OUs). Think of OUs as folders in a file system; they allow you to group accounts that share similar security or compliance requirements.
Key Components
- Management Account: This is the primary account that creates the organization. It handles billing and has the power to manage other accounts. It should be treated with the highest level of security, as it is the "keys to the kingdom."
- Member Accounts: These are the accounts that perform the actual work. They reside within OUs and inherit policies from their parents.
- Service Control Policies (SCPs): These are the primary tool for governance. Unlike IAM policies, which grant permissions, SCPs act as guardrails that restrict what actions can be performed, even by account administrators.
Callout: IAM Policies vs. Service Control Policies It is vital to understand the difference between these two. IAM policies define what a user or role can do within a specific account. Service Control Policies define the maximum permissions that any user or role in an account can have. If an IAM policy grants "Full Access" but an SCP denies "S3 Delete," the user will be unable to delete S3 buckets, regardless of their IAM permissions.
Architecting for Security: The Landing Zone
A "Landing Zone" is a well-architected, multi-account environment that serves as the starting point for your cloud journey. When you set up an organization, you should not just create accounts at random. Instead, you should follow a structured OU hierarchy that reflects your business needs and security requirements.
Recommended OU Structure
- Security OU: Contains accounts dedicated to security functions, such as a centralized logging account (where all CloudTrail logs are aggregated) and a security tooling account (where you run vulnerability scanners or threat detection services).
- Infrastructure OU: Holds shared services like network accounts (for Transit Gateways) and CI/CD pipeline accounts.
- Workload OU: Divided further into sub-OUs based on environment type (e.g., Production, Staging, Development).
- Sandbox OU: A place for developers to experiment. This OU often has the strictest SCPs to prevent costly or insecure configurations, while offering the most freedom for testing.
Tip: The Principle of Least Privilege Even within your own organization, apply the principle of least privilege to the Management Account. Limit access to the Management Account to a small team of infrastructure administrators and use delegated administration for other services like AWS Config or GuardDuty.
Implementing Service Control Policies (SCPs)
SCPs are the most powerful tool in your security arsenal within AWS Organizations. They allow you to enforce compliance across hundreds of accounts with a single policy. For example, if your organization is subject to GDPR or HIPAA, you can use SCPs to restrict the AWS regions in which data can be stored.
Practical Example: Restricting Regions
If your company only operates in the US, you can create an SCP that prevents any user—including root users—from launching resources in other regions. This prevents data residency violations and stops attackers from spinning up expensive infrastructure in regions you do not monitor.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "RestrictRegions",
"Effect": "Deny",
"NotAction": [
"iam:*",
"organizations:*",
"route53:*"
],
"Resource": "*",
"Condition": {
"StringNotEquals": {
"aws:RequestedRegion": [
"us-east-1",
"us-west-2"
]
}
}
}
]
}
Explaining the Code
- Effect: Deny: This explicitly forbids the action.
- NotAction: We exclude services like IAM and Organizations because these are global services that do not reside in a specific region. If we denied them, we might break the ability to manage the organization itself.
- Condition: This checks the
aws:RequestedRegionkey. If the region is notus-east-1orus-west-2, the action is denied.
Centralized Logging and Monitoring
In a multi-account environment, visibility is the biggest challenge. If you have 50 accounts, you cannot log into each one individually to check CloudTrail logs. You need a centralized strategy.
Step-by-Step: Centralizing CloudTrail
- Create a dedicated Log Archive account: This account should be locked down, with access restricted to only the most senior security personnel.
- Enable CloudTrail in the Management Account: Configure it to create an organization trail.
- Point logs to an S3 bucket in the Log Archive account: Ensure that the bucket has a restrictive bucket policy that prevents the deletion of logs.
- Enable Object Lock: For compliance, use S3 Object Lock in "Compliance" mode to ensure that once a log file is written, it cannot be modified or deleted by anyone, including the root user, for a specified period.
Warning: The Root User Trap Do not attempt to use the root user for daily operations. Even in a multi-account environment, the root user should be protected with a hardware MFA device and stored in a secure physical vault. The root user is only for tasks that cannot be performed by an IAM user, such as deleting the account or modifying specific billing settings.
Security Automation with AWS Control Tower
While you can build an organization manually using SCPs and IAM, it is often better to use AWS Control Tower. Control Tower is a service that automates the setup of a landing zone based on best practices. It automatically creates the OU structure, sets up centralized logging, and applies "Guardrails."
Guardrails in Control Tower
Guardrails are pre-packaged SCPs that help you maintain compliance. They come in two flavors:
- Preventive Guardrails: These use SCPs to stop non-compliant actions before they happen.
- Detective Guardrails: These use AWS Config rules to monitor your accounts and alert you when something non-compliant occurs.
By using Control Tower, you avoid the common pitfall of "configuration drift," where manual changes to one account make it different from the rest of your fleet. Control Tower ensures that every new account created via the Account Factory is automatically enrolled in your security baseline.
| Feature | Manual Setup | AWS Control Tower |
|---|---|---|
| Setup Time | Days/Weeks | Hours |
| Consistency | Hard to maintain | Automated |
| Scalability | Manual effort increases with accounts | Handles thousands of accounts |
| Policy Management | Manual SCP creation | Pre-defined Guardrails |
Handling Common Pitfalls
Even with a solid plan, many organizations fall into common traps. Recognizing these early can save you from a major security incident.
1. The "Too Many Admins" Problem
It is tempting to give developers full administrator access in their sandbox accounts. While this promotes innovation, it also means that if a developer's credentials are leaked, the attacker has full control over that account.
- Solution: Use IAM Identity Center (formerly AWS SSO) to manage access. Instead of creating IAM users with long-term access keys, grant developers temporary, short-lived credentials that rotate automatically.
2. Ignoring Cross-Account Roles
Many teams try to share resources by creating IAM users in multiple accounts. This is a nightmare to manage.
- Solution: Use IAM Roles. If Account A needs to access a bucket in Account B, create a role in Account B that trusts the account ID of Account A. This allows users in Account A to "assume" the role in Account B without needing a separate set of credentials.
3. Neglecting "Shadow" Accounts
Sometimes, teams will sign up for their own AWS accounts using corporate credit cards, bypassing the organization entirely. These "shadow" accounts are invisible to your security team.
- Solution: Use AWS Organizations to enforce a policy that requires all new accounts to be created through the central management account. You can also use AWS Billing alerts to monitor for any accounts that are not part of your organization.
Deep Dive: IAM Identity Center (SSO)
Managing users in a multi-account environment by creating IAM users in every account is not sustainable. It leads to fragmented identities and makes offboarding employees nearly impossible. IAM Identity Center is the standard for managing access in AWS Organizations.
How it works:
- Identity Source: You connect your existing identity provider (like Okta, Azure AD, or Google Workspace) to IAM Identity Center.
- Permission Sets: Instead of managing IAM policies, you create "Permission Sets." These are templates that define what a user can do.
- Assignments: You assign users or groups from your identity provider to specific accounts with specific permission sets.
This approach ensures that when an employee leaves the company and is deactivated in your central identity provider, their access to all AWS accounts is revoked instantly. This is a massive improvement over the old way of manually deleting IAM users in dozens of accounts.
Network Security Across Accounts
Security is not just about identity; it is about network isolation. In a multi-account setup, you must decide how your accounts communicate. Should they have direct internet access, or should all traffic flow through a central inspection point?
Centralized Inspection Strategy
For high-security environments, you should implement a "Network Hub" account.
- Use a Transit Gateway to connect your VPCs across different accounts.
- Route all traffic destined for the internet through a central VPC in the Network Hub account.
- Deploy AWS Network Firewall or third-party firewall appliances in this central VPC to inspect traffic for threats before it reaches the internet or moves between accounts.
This creates a "chokepoint" that makes it much easier to monitor traffic and apply security rules. Instead of managing 50 security groups and 50 network ACLs, you manage the inspection at the hub.
Incident Response in a Multi-Account Environment
When a security incident occurs, speed is everything. If you are not prepared, you will spend your first hour just trying to figure out which account the incident is happening in.
The "Security Tooling" Account
You should designate one account as your Security Tooling account. This account should have:
- Amazon GuardDuty: Enabled for all accounts in the organization. GuardDuty will aggregate findings from all member accounts and send them to the Security Tooling account.
- AWS Security Hub: This provides a single pane of glass view of your security posture across the entire organization. It integrates with GuardDuty, Inspector, and Config.
- Automated Remediation: Use EventBridge to trigger Lambda functions when a security finding occurs. For example, if GuardDuty detects an unauthorized API call, a Lambda function can automatically disable the compromised IAM user or revoke their session tokens.
Callout: The Importance of Forensic Readiness In a multi-account environment, you must ensure that your logs are immutable. If an attacker gains administrative access to a member account, the first thing they will try to do is delete the logs to cover their tracks. By using a separate Log Archive account with S3 Object Lock, you ensure that even if the attacker compromises the member account, they cannot delete the evidence of their activity.
Best Practices Checklist
To ensure your AWS Organizations setup is secure, review this checklist regularly:
- Enable AWS CloudTrail for the entire organization: Ensure it is configured to send logs to a dedicated, locked-down account.
- Use SCPs to enforce guardrails: Start with broad policies (like region restrictions) and move to more granular ones as you mature.
- Centralize identity: Use IAM Identity Center integrated with your corporate directory.
- Automate account creation: Use AWS Control Tower or Infrastructure as Code (Terraform/CloudFormation) to ensure every account is created with the same security baseline.
- Monitor for drift: Use AWS Config to ensure that your resource configurations do not drift from your security standards.
- Restrict root user usage: Ensure MFA is enabled, and store the credentials in a secure, physical location.
- Implement a "Security Account": Centralize your security tooling and monitoring to gain a unified view of your organization.
Common Questions (FAQ)
Q: Can I move an account from one OU to another? A: Yes, you can move accounts between OUs at any time. Keep in mind that when you move an account, it will immediately inherit the SCPs of the new parent OU. Be careful, as this might inadvertently block access to resources if the new OU has stricter policies.
Q: Should I put every account in a separate OU? A: That would be overkill. OUs are for grouping accounts that share the same policy requirements. If you have 50 development accounts that all need the same level of access, put them in a single "Development" OU.
Q: Does AWS Organizations cost extra? A: AWS Organizations itself is free. However, the services you use within it (like GuardDuty, Security Hub, or Config) will incur costs based on usage.
Q: What happens if I reach the account limit? A: By default, you can have a limited number of accounts in an organization. You can request a quota increase through the AWS Support Center if you need to scale beyond the default limit.
Conclusion: Building for the Future
Security in a multi-account environment is not a "set it and forget it" task. It is a continuous process of refinement. As your organization grows and your cloud footprint expands, your security policies must evolve to match. By leveraging the hierarchical nature of AWS Organizations, the automation power of Control Tower, and the centralized visibility of Security Hub, you can build a cloud environment that is both highly secure and highly productive.
Remember that the ultimate goal is to remove the "human element" from security enforcement. Instead of relying on individuals to follow rules, use SCPs and automated guardrails to make the secure way the only way to operate. When you build this foundation correctly, you stop worrying about individual account breaches and start focusing on the resilience of your entire organization.
Key Takeaways
- Structure is Security: Use a hierarchical OU structure to organize your accounts based on function and security needs, not just department names.
- SCPs are Guardrails: Use Service Control Policies to enforce top-down security constraints that cannot be overridden by account-level administrators.
- Centralize Everything: Centralize your identity (IAM Identity Center), your logs (Log Archive account), and your security findings (Security Tooling account) to maintain full visibility.
- Automate Compliance: Use tools like AWS Control Tower and AWS Config to ensure that every account adheres to your organization's security baseline from the moment it is created.
- Minimize Human Access: Avoid long-term IAM users. Use short-lived, role-based access through an identity provider to reduce the risk of credential theft.
- Immutable Logs: Treat your log storage as a high-security vault. Use S3 Object Lock and cross-account access to ensure logs cannot be tampered with, even by an attacker with local admin privileges.
- Constant Vigilance: Security in the cloud is dynamic. Regularly audit your SCPs and Guardrails to ensure they remain relevant as your business requirements change.
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons