Skip to content

Configure AWS Organization #121

Open
Open
Configure AWS Organization#121
@dsiguero

Description

@dsiguero
dsiguero
opened on Sep 4, 2025

This has been setup, making the mgmt account the root of the Organization, and creating 2 OU (Organizational Units) for prod and nonprod and placing the accounts with the same alias there.

However, there are more things we can take advantage of:

  • Centralized billing: seems to be enabled by default, we'll see whenever we get a new bill
  • IAM Identity center: to simplify user access between Organization accounts
  • SCPs (Service control policies):
    • Deny root account use: probably not, because we might lock ourselves out.
    • Restrict allowed regions to eu-west-1 
      {
  "Version": "2012-10-17",
  "Statement": [
      {
          "Sid": "DenyUnsupportedRegions",
          "Effect": "Deny",
          "Action": "*",
          "Resource": "*",
          "Condition": {
              "StringNotEquals": {
                  "aws:RequestedRegion": "eu-west-1"
              }
          }
      }
  ]
}
    • Block IAM user creation (enforcing IAM Identity center): 
      {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyIAMUser",
            "Effect": "Deny",
            "Action": [
                "iam:CreateUser",
                "iam:DeleteUser",
                "iam:UpdateUser",
                "iam:CreateLoginProfile",
                "iam:DeleteLoginProfile",
                "iam:UpdateLoginProfile"
            ],
            "Resource": "*"
        }
    ]
}
    • Protect sensible services in prod: ie, don't delete logs, don't allow deletion of dynamo tables, etc.
    • Disallow services we're not using: ie, RDS, etc...

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions