AWS Cloud Operations Blog

The latest from AWS Organizations (Spring 2021)

AWS Organizations provides features customers can use to manage their AWS environment across accounts. When paired with other AWS services, AWS Organizations helps you manage permissions, create and share resources, govern your environment, and centrally control your security requirements. Here’s what the team has been up to since our virtual 2020 re:Invent season.

Use attribute-based access controls to provide cross-account permissions 

You can tag your organization, organizational units (OUs), and policies. With these tags, you can add policies that allow custom access to tagged resources across accounts. You can also author policies that enforce a proper tag upon resource creation.

Attribute-based access control (ABAC) is a powerful customization option for your permissions management. For example, if you have multiple accounts for a specific project, such as a prototype or beta application, you can add a common tag to each account and provide an attribute-based access policy. This will allow users to access all accounts with a specific tag. As new accounts are added and tagged, users will already have permissions to the new accounts where the tag is applied.

For information about how to implement these new tagging features, see the Simplifying permissions management at scale using tags in AWS Organizations blog post.

Centrally view and manage security alerts, AWS Trusted Advisor checks, Amazon S3 usage recommendations, and health events across accounts in your organization

You can now take advantage of four new service features, which provide you central views across accounts for your security alerts, optimization recommendations, storage usage, or events that might impact your AWS environment.

  • Improve your security posture across accounts and services with AWS Security Hub. When you use this service, all of your AWS security alerts from various security services are hosted in the same dashboard. Security Hub supports delegated administration, which means you can designate a member account to view centralized security alerts and recommendations in your organization.
  • You can now view checks or recommendations from AWS Trusted Advisor across accounts in a single organizational view. This feature helps your team save money, improve system performance, and close security gaps for accounts in the organization.
  • Amazon S3 Storage Lens is a new Amazon S3 feature that provides a centralized view of object storage usage and activity trends across accounts in an organization. In addition, you can review recommendations for cost-efficiency and storage usage. You can also designate an account in your organization to manage S3 Storage Lens on behalf of your organization.
  • AWS Personal Health Dashboard provides you with an organization-wide view of health events. You can learn about maintenance events, security vulnerabilities, and AWS service degradations that affect any account in your AWS organization.

Simplify cloud audits and ensure configuration consistency across accounts

Auditing your cloud environment across accounts usually requires a manual effort between multiple teams to ensure compliance with regulations and industry standards. AWS Audit Manager now makes auditing a whole lot easier. It helps you assess if your policies, procedures, and activities are operating effectively and within common established guidelines (such as HIPAA, GDPR, and PCI DSS). AWS Audit Manager can run assessments across accounts in your organization, and then consolidate all of the evidence in a designated account. When it comes time for an audit, you can use AWS Audit Manager to manage stakeholder reviews and build audit-ready reports.

AWS Config helps ensure that your resource configurations match your compliance standards. You can aggregate configuration data across AWS Regions and accounts, and then designate an account in your organization to view and enforce required configuration changes.

Add another layer of protection by copying backups across accounts

You can now securely copy backups across accounts in your organization. These copies provide you with another layer of protection for your backups. You can copy across accounts and AWS Regions, which helps you meet security, compliance, and business continuity requirements. For more information about this feature, see the Secure data recovery with cross-account backup and cross-Region copy using AWS Backup blog post.

Designate an account to manage stacks across your organization

And finally, one of our most popular 2020 integrations, AWS CloudFormation StackSets now supports delegated administration. CloudFormation StackSets is a simple way to provision permissions and resources to new accounts or modify roles and access broadly across existing accounts in your organization. With this you feature, you can designate up to five accounts in your organization to create or modify stacks, and apply these stacks to accounts, organizational units (OUs), or across the organization.

If you aren’t yet familiar with AWS Organizations, please visit the AWS Organizations page. For information about future releases for AWS Organizations, see What’s New with AWS and the Management and Governance blog.

 

About the Author

Andrew Blackham is a Product Manager for AWS Organizations. He’s worked with Amazon over 6 years and is currently focused on assisting customers with building and scaling their AWS multi-account infrastructure.