Post Syndicated from Matt Luttrell original https://aws.amazon.com/blogs/security/deploy-aws-organizations-resources-by-using-cloudformation/
AWS recently announced that AWS Organizations now supports AWS CloudFormation. This feature allows you to create and update AWS accounts, organizational units (OUs), and policies within your organization by using CloudFormation templates. With this latest integration, you can efficiently codify and automate the deployment of your resources in AWS Organizations.
You can now manage your AWS organization resources using infrastructure as code (iaC) and make changes in a central place. This can help reduce the time required to build a new organization, expand or modify the existing organization, replicate your organization infrastructure, or apply and update policies across multiple accounts and OUs. You can also delete organization resources by deleting the stacks.
In this blog post, we will show you how to create various AWS Organizations resources for a multi-account organization by using a CloudFormation template.
How does it work?
A CloudFormation template describes your desired resources and their dependencies so that you can launch and configure them together as a stack. You can use a template to create, update, and delete an entire stack as a single unit instead of managing resources individually.
With CloudFormation support for AWS Organizations, you can now do the following:
- Create, delete, or update an organizational unit (OU). An OU is a container for accounts that allows you to organize your accounts to apply policies according to your needs.
- Create accounts in your organization, add tags, and attach them to OUs.
- Add or remove a tag on an OU.
- Create, delete, or update a service control policy (SCP), backup policy, tag policy and artificial intelligence (AI) services opt-out policy.
- Add or remove a tag on an SCP, backup policy, tag policy, and AI services opt-out policy.
- Attach or detach an SCP, backup policy, tag policy, and AI services opt-out policy to a target (root, OU, or account).
To create AWS Organizations resources using CloudFormation, you will need to use your organization’s management account. As of this writing, the new resource types may only be deployed from the organization’s management account or delegated administration account.
Overview of the new resource types
The following are the three new resource types available for the implementation and management of an account, OU, and organizations policy in CloudFormation:
- AWS::Organizations::Account – Creates an account that is automatically a member of the organization whose credentials made the request.
- AWS::Organizations::OrganizationalUnit – Creates an OU within a root or parent OU.
- AWS::Organizations::Policy – Creates a policy of a specified type that you can attach to a root, OU, or individual account.
Prerequisites
This blog post assumes that you have AWS Organizations enabled in your management account. You also need the tag policy and service control policy types enabled in your management account. For instructions on how to create an organization, see Create your organization.
You should also review the following important points for creating resources in AWS Organizations:
- AWS Organizations supports the creation of a single account at a time. If you include multiple accounts in a single CloudFormation template, you should use the DependsOn attribute so that your accounts are created sequentially.
- Before you can create a policy of a given type, you must first enable that policy type in your organization.
- The number of levels deep that you can nest OUs depends on the policy types that you have enabled for the root. For SCPs, the limit is five.
- To modify the AccountName, Email, and RoleName for the account resource parameters, you must sign in to the AWS Management Console as the AWS account root user.
- Since the CloudFormation template in this blog deploys Account and Organization Unit resources, you must deploy it in your organization’s management account.
For a complete list of dependencies, see the AWS Organizations resource type reference.
Use a CloudFormation template with the new AWS Organizations resources
In this section, we will walk you through a sample CloudFormation template that incorporates the newly supported AWS Organizations resources. CloudFormation provisions and configures the resources for you, so that you don’t have to individually create and configure them and determine resource dependencies.
The template will create the following resources and structure.
- Three organizational units
- Infrastructure – Within the organizational root
- Production – Within the Infrastructure OU
- Security – Within the organizational root
- One account
- AccountA – Within the Production child OU
- Two service control policies
- PreventLeavingOrganization – Attached to the organizational root
- PreventCloudTrailDisablement – Attached to the Security OU
- One tag policy
- DefineTagKeyCase – Attached to the Production child OU
Note: The above OU and account layout is only an example for the purpose of this blog post. Please refer to Organizing Your AWS Environment Using Multiple Accounts whitepaper for more information on multi-account strategy best practices & recommendations.
Download the template
- Download the CloudFormation template. The following shows the contents of the template:
AWSTemplateFormatVersion: '2010-09-09' Description: "AWS Organizations using Cloudformation - Creates OU, nested OU, account and organizations policies" Parameters: OrganizationRoot: Description: 'Organization ID' Type: String Resources: InfrastructureOU: Type: AWS::Organizations::OrganizationalUnit Properties: Name: Infrastructure ParentId: !Ref OrganizationRoot SecurityOU: Type: AWS::Organizations::OrganizationalUnit Properties: Name: Security ParentId: !Ref OrganizationRoot ProductionOU: Type: AWS::Organizations::OrganizationalUnit Properties: Name: Production ParentId: { "Ref" : "InfrastructureOU" } DependsOn: InfrastructureOU AccountA: Type: AWS::Organizations::Account Properties: AccountName: AccountA Email: [email protected] ParentIds: [{"Ref": "ProductionOU"}] PreventLeavingOrganizationSCP: Type: AWS::Organizations::Policy Properties: TargetIds: [{"Ref": "OrganizationRoot"}] Name: PreventLeavingOrganization Description: Prevent member accounts from leaving the organization Type: SERVICE_CONTROL_POLICY Content: >- { "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": [ "organizations:LeaveOrganization" ], "Resource": "*" } ] } Tags: - Key: DoNotDelete Value: True PreventCloudTrailDisablementSCP: Type: AWS::Organizations::Policy Properties: TargetIds: [{"Ref": "SecurityOU"}] Name: PreventCloudTrailDisablement Description: Prevent users from disabling CloudTrail or altering its configuration Type: SERVICE_CONTROL_POLICY Content: >- { "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": [ "cloudtrail:DeleteTrail", "cloudtrail:PutEventSelectors", "cloudtrail:StopLogging", "cloudtrail:UpdateTrail" ], "Resource": "*" } ] } TagPolicy: Type: AWS::Organizations::Policy Properties: TargetIds: [{"Ref": "ProductionOU"}] Name: DefineTagKeyCase Description: CostCenter tag should comply with case specified in the policy Type: TAG_POLICY Content: >- { "tags": { "CostCenter": { "tag_key": { "@@assign": "CostCenter", "@@operators_allowed_for_child_policies": ["@@none"] } } } }
Create a stack with the template
In this section, you will create a stack by using the CloudFormation template that you downloaded.
To create the stack
- Create the AWS Organizations resources outlined in the template by creating an IAM role for CloudFormation using the following IAM permissions policy and trust policy.
Permissions policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ReadOnlyPermissions",
"Effect": "Allow",
"Action": [
"organizations:Describe*",
"organizations:List*",
"account:GetContactInformation",
"account:GetAlternateContact"
],
"Resource": "*"
},
{
"Sid": "AllowCreationOfResources",
"Effect": "Allow",
"Action": [
"organizations:CreateAccount",
"organizations:CreateOrganizationalUnit",
"organizations:CreatePolicy"
],
"Resource": "*"
},
{
"Sid": "AllowModificationOfResources",
"Effect": "Allow",
"Action": [
"organizations:UpdateOrganizationalUnit",
"organizations:AttachPolicy",
"organizations:TagResource",
"account:PutContactInformation"
],
"Resource": "*"
}
]
}Trust policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "cloudformation.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}- Sign in to the management account for your organization, navigate to the CloudFormation console, and choose Create stack.
- Choose With new resources (standard), upload the template file, and choose Next.
Figure 1: CloudFormation console showing creation of stack
- Enter a name for the stack (for example, CloudFormationForAWSOrganizations). For OrganizationRoot, enter your organizations root ID. You can find the root ID in the AWS Organizations console.
- Choose Create stack.
- On the Configure stack options page, in the Permissions section, choose the IAM role that you granted permissions to previously, as shown in Figure 2. Then choose Next.
Figure 2: Set IAM role permissions for CloudFormation
You will see a screen showing stack creation in progress.
Figure 3: CloudFormation console showing stack creation in progress
- When the stack has been created, choose the Resources tab to see the resources created.
Figure 4: CloudFormation console showing stack resources created
Confirm and visualize the resources created by using the console
In this section, you will use the console to confirm and visualize the resources created.
To confirm and visualize the resources
- Navigate to the AWS Organizations console.
- In the left navigation pane, choose AWS accounts to see the OUs and account that were created.
Figure 5: AWS Organizations console showing the organization structure
Confirm the service control policy created and attached to the organization’s root
In this section, you will confirm that the SCP was created and attached to the organization’s root.
Note: When you enable SCPs on an organization, an AWS full access policy is attached by default at each level (root, OU, and account) of your organization. Because you can attach policies to multiple levels of the organization, accounts can inherit multiple policies with an effect of deny. For more details, see inheritance for service control policies.
To confirm the SCP was created and attached to the root
- To view the service control policy, choose Root, and then in the section Applied policies, review the list of policies. The PreventLeavingOrganization SCP prevents the use of the LeaveOrganization API so that member accounts can’t remove their accounts from the organization.
Figure 6: AWS Organizations console showing the organization’s root
- To confirm that the DoNotDelete tag was attached to the PreventLeavingOrganization SCP, choose the policy name and then choose the Tags tab.
Figure 7: SCP with tags attached to it in Organizations
Confirm the service control policy created and attached to the Security OU
In this section, you will confirm that the PreventCloudTrailDisablement SCP was created and attached to the Security OU, thus preventing users or roles in the accounts in the security OU from disabling an AWS CloudTrail log.
To confirm that the SCP was created and attached to the Security OU
- From the left navigation pane, choose AWS accounts, and then choose Security.
- On the Security page, choose the Policies tab to see a list of policies.
- To review and confirm the contents of the policy, choose PreventCloudTrailDisablement.
Figure 8: SCP attached to the Security OU in Organizations
Confirm the account and tag policy created and attached to the Production OU
In this step, you will confirm that the account and tag policy were created and attached to the Production OU.
To confirm creation of the account and tag policy in the Production OU
- On the Production page, choose the Children tab to confirm that the account named AccountA was created.
Figure 9: The Production OU and account A in Organizations
- To confirm that the DefineTagKeyCase tag policy was attached to the Production OU, do the following:
- From the left navigation pane, choose AWS accounts, and then choose Production.
- Choose the Policies tab to see the list of policies.
- In the Tag policies section, under Applied policies, choose DefineTagKeyCase to confirm the contents of the policy. This policy defines the tag key and the capitalization that you want accounts in the production OU to standardize on.
Figure 10: SCP and tag policy attached to the Production OU in Organizations
Conclusion
In this blog post, you learned how to create AWS Organizations resources, including organizational units, accounts, service control policies, and tag policies by using CloudFormation. You can use this new feature to model the state of your infrastructure as code and to help deploy your AWS resources in a safe, repeatable manner at scale.
To learn more about managing AWS Organizations resources with CloudFormation, see AWS Organizations resource type reference in the CloudFormation documentation.
If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, contact AWS Support.
Want more AWS Security news? Follow us on Twitter.