Org Management account - AWS Prescriptive Guidance

Org Management account

The following diagram illustrates the AWS security services that are configured in the Org Management account.

Figure: Security services for Org Management account

The sections Using AWS Organizations for security and The management account, trusted access, and delegated administrators earlier in this guide discussed the purpose and security objectives of the Org Management account in depth. You should follow the security best practices for your Org Management account. These include using an email address that is managed by your business, maintaining the correct administrative and security contact information (such as attaching a phone number to the account in the event that AWS needs to contact the owner of the account), enabling multi-factor authentication (MFA) for the root user, and regularly reviewing who has access to the Org Management account. Services deployed in the Org Management account should be configured with appropriate roles, trust policies, and other permissions so that the administrators of those services (who must access them in the Org Management account) cannot also inappropriately access other services.

Service control policies

Apply service control policies (SCPs) in the Org Management account to ensure that member AWS accounts stay within your account governance strategy and access control guidelines. SCPs do not grant any permissions. Instead, SCPs deployed in the Org Management account specify the maximum permissions for this AWS organization. Additional SCPs are deployed for each OU to establish more specific guardrails for each type of account. Read more about SCPs in the Using AWS Organizations for security section earlier in this reference.

Design consideration

SCPs affect only member accounts in the AWS organization. They have no effect on users or roles in the Org Management account.
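The two rules above (an SCP grants nothing, it only caps what member accounts can do; and the Org Management account is outside its scope) are easy to state and easy to get wrong when reasoning about a specific request. The following Python model is an added illustration, not AWS's evaluation engine or code from this guide. It assumes a simplified view: resources and conditions are ignored and actions are matched with plain wildcards. The `ROOT_GUARDRAIL` and `SANDBOX_ALLOW_LIST` policies are constructed samples.

```python
"""Simplified model of how SCPs bound permissions in a member account.

Added illustration, not AWS's own evaluation logic. It encodes the rule this
guide states: an SCP grants nothing; a request in a member account succeeds
only if an IAM policy allows it, every level from the root down to the account
has an SCP that allows it, and no SCP anywhere on that path explicitly denies
it. The management account is never restricted by SCPs. Resources and
conditions are ignored (assumption for brevity); actions use simple wildcards.
"""
from fnmatch import fnmatchcase

# The SCP that AWS Organizations attaches by default (FullAWSAccess).
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed deny-list guardrail for the root: member accounts may not leave
# the organization or turn off CloudTrail logging.
ROOT_GUARDRAIL = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": [
            "organizations:LeaveOrganization",
            "cloudtrail:StopLogging",
            "cloudtrail:DeleteTrail",
        ],
        "Resource": "*",
    }],
}

# Constructed allow-list SCP for a restrictive OU: only these services at all.
SANDBOX_ALLOW_LIST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ec2:*", "s3:*"], "Resource": "*"}],
}


def _matches(policy, action, effect):
    """True if any statement in the policy with the given Effect names action."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != effect:
            continue
        actions = stmt.get("Action", [])
        patterns = [actions] if isinstance(actions, str) else actions
        if any(fnmatchcase(action, pattern) for pattern in patterns):
            return True
    return False


def scps_allow(action, scps_on_path):
    """Evaluate SCPs level by level (root, OUs, account).

    scps_on_path is a list of levels; each level is the list of SCPs attached
    there. An explicit Deny at any level wins, and every level must contain at
    least one SCP that allows the action.
    """
    for level in scps_on_path:
        if any(_matches(scp, action, "Deny") for scp in level):
            return False
        if not any(_matches(scp, action, "Allow") for scp in level):
            return False
    return True


def request_allowed(action, iam_allows, scps_on_path, management_account=False):
    """Final decision for one request in one account."""
    if management_account:
        return iam_allows  # SCPs never apply to the management account
    return iam_allows and scps_allow(action, scps_on_path)


# Path for a member account in the sandbox OU: root -> OU -> account.
SANDBOX_PATH = [
    [FULL_AWS_ACCESS, ROOT_GUARDRAIL],  # root
    [SANDBOX_ALLOW_LIST],               # OU, with FullAWSAccess detached
    [FULL_AWS_ACCESS],                  # account
]

if __name__ == "__main__":
    for act in ("s3:GetObject", "iam:CreateUser", "cloudtrail:StopLogging"):
        print(act, request_allowed(act, True, SANDBOX_PATH))
```

Note that `iam:CreateUser` is refused in the sandbox OU even though no policy denies it: the OU level simply has no SCP that allows it, which is the allow-list pattern. The same `cloudtrail:StopLogging` request that the root guardrail blocks in a member account goes through in the management account, which is why this guide keeps workloads and administrators out of that account.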

AWS CloudTrail

AWS CloudTrail is a service that supports governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. CloudTrail is integrated with AWS Organizations, and that integration can be used to create a single trail that logs all events for all accounts in the AWS organization. This is referred to as an organization trail. When you create an organization trail, a trail with the name that you specify is created in every AWS account that belongs to your AWS organization. The trail logs activity for all accounts in the AWS organization and stores the logs in a single S3 bucket. All accounts in the AWS organization can see the organization trail in their list of trails, but member AWS accounts have limited access to this trail. Additionally, by default, only the Org Management account has access to the S3 bucket. For more information about these protections, see the Amazon S3 as central log store section. For additional security best practices, see the AWS CloudTrail documentation.

Design consideration

If member accounts need to use CloudTrail information in a way that isn’t permitted by the organization trail, the managers of each AWS account can create a local trail with the appropriate controls.
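A quick way to confirm that the organization trail still has the properties described above, and to spot local trails that need review, is to audit the trail listing an account can see. The check below is an added example, not code from this guide or from AWS. Its field names mirror the CloudTrail DescribeTrails API response; the `SAMPLE_TRAILS` rows, account ids and bucket names are constructed placeholders, and the central bucket name is passed in as a parameter.

```python
"""Check the trails visible in an account against this guide's expectations.

Added example, not AWS's own code. Field names mirror the CloudTrail
DescribeTrails API response; the rows are a constructed sample. The check
expects the properties the guide describes for the organization trail
(organization-wide, all Regions, log file validation on, delivered to the
central logging bucket) and lists any extra local trails so they can be
reviewed against the design consideration above.
"""

# Constructed sample shaped like a DescribeTrails response. Account ids and
# bucket names are placeholders.
SAMPLE_TRAILS = [
    {
        "Name": "org-trail",
        "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/org-trail",
        "S3BucketName": "example-org-cloudtrail-logs",
        "IsMultiRegionTrail": True,
        "IsOrganizationTrail": True,
        "LogFileValidationEnabled": True,
        "HomeRegion": "us-east-1",
    },
    {
        "Name": "local-dev-trail",
        "TrailARN": "arn:aws:cloudtrail:us-east-1:222222222222:trail/local-dev-trail",
        "S3BucketName": "dev-team-trail-bucket",
        "IsMultiRegionTrail": False,
        "IsOrganizationTrail": False,
        "LogFileValidationEnabled": False,
        "HomeRegion": "us-east-1",
    },
]


def audit_trails(trails, central_bucket):
    """Return a list of findings; an empty list means everything is as expected."""
    findings = []
    org_trails = [t for t in trails if t.get("IsOrganizationTrail")]
    if not org_trails:
        findings.append("no organization trail is visible in this account")

    for trail in trails:
        name = trail["Name"]
        if trail.get("IsOrganizationTrail"):
            if not trail.get("IsMultiRegionTrail"):
                findings.append(f"{name}: organization trail does not cover all Regions")
            if trail.get("S3BucketName") != central_bucket:
                findings.append(
                    f"{name}: delivers to {trail.get('S3BucketName')!r}, not the central bucket"
                )
        else:
            # Permitted by the design consideration, but each one should be deliberate.
            findings.append(f"{name}: local trail, confirm it is intended and has the right controls")
        if not trail.get("LogFileValidationEnabled"):
            findings.append(f"{name}: log file validation is disabled")
    return findings


if __name__ == "__main__":
    for finding in audit_trails(SAMPLE_TRAILS, "example-org-cloudtrail-logs"):
        print(finding)
```

In practice the `trails` argument would come from a DescribeTrails call made in the member account; the sample here stands in for that response so the check runs offline. Log file validation is flagged for every trail, not just the organization trail, because without it tampering with delivered log files cannot be detected later.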

AWS SSO

AWS Single Sign-On (AWS SSO) serves as your identity source and enables federation to multiple accounts in your AWS organization. You should rely on an identity provider that lets you manage identities in a centralized place. This makes it easier to manage access across multiple applications and services, because you are creating, managing, and revoking access from a single location. For example, if someone leaves your team, you can revoke their access to all applications and services (including AWS accounts) from one location. This reduces the need for multiple credentials and provides an opportunity to integrate with your human resources (HR) processes.

You can use AWS SSO to quickly and easily assign your employees’ access to AWS accounts that are managed with AWS Organizations, business cloud applications, and custom applications that support Security Assertion Markup Language (SAML) 2.0. AWS SSO natively integrates with AWS Organizations and is enabled in the Org Management account. Accounts are displayed by OU within the AWS SSO console. This enables you to quickly discover your AWS accounts, deploy common sets of permissions, and manage access from a central location.

Design considerations
  • Administrators can use the default AWS SSO directory to manage their users. Or, they can connect their self-managed Active Directory (AD) or their AWS Managed Microsoft AD directory by using AWS Directory Service (in the Shared Services account). This Microsoft AD directory defines the pool of identities that administrators can pull from when they use the AWS SSO console to assign SSO access. AWS Directory Service helps you set up and run a standalone AWS Managed Microsoft AD directory hosted in the AWS Cloud. You can also use AWS Directory Service to connect your AWS resources with an existing self-managed AD.

  • AWS SSO is one option for implementing an SSO authentication strategy. Many enterprise customers integrate SSO with their existing identity provider (IdP). If you’re using another IdP with SSO, we recommend using the System for Cross-domain Identity Management (SCIM) for better security, consistency, and convenience.

  • Enforce multi-factor authentication (MFA) with software or hardware mechanisms to provide an additional layer of verification. For example, when using AWS SSO as the identity source, configure the context-aware or always-on setting for MFA, and allow users to enroll their own MFA devices to accelerate adoption.

IAM access advisor

IAM access advisor provides traceability data in the form of service last accessed information for your AWS accounts and OUs. Use this detective control to contribute to a least privilege strategy. For IAM principals, you can view two types of last accessed information: allowed AWS service information and allowed action information. The information includes the date and time when the attempt was made.

From the Org Management account, you can also view service last accessed data for the Org Management account, OU, member account, or IAM policy in your AWS organization. A programmatic report for an AWS organizational entity includes a list of services that are allowed by any SCPs that apply to the entity. Last accessed information provides insight for actual service usage (see example scenarios), so you can reduce IAM permissions to only those services that are actually used.

Design consideration

Service last accessed information for an AWS Organizations entity or policy can be accessed only from the Org Management account. For this reason, we recommend that you follow both a least privilege and separation of duties approach when you set the permissions for the identities who will access this information.
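The practical use of this data is to shrink an allow-list SCP to the services an OU actually uses. The following Python is an added example, not code from this guide or from AWS. It assumes the report has already been retrieved from the Org Management account (the IAM GenerateOrganizationsAccessReport and GetOrganizationsAccessReport calls would supply it); the field names mirror that API's access detail rows, while `SAMPLE_ACCESS_DETAILS`, `SAMPLE_ALLOW_LIST`, the fixed `NOW` and the 90-day window are constructed for the example.

```python
"""Find services an SCP allows that nobody in the entity has used recently.

Added example, not AWS's own code. It post-processes an organizations access
report (field names mirror the IAM GetOrganizationsAccessReport response; the
rows below are a constructed sample) and lists services that the entity's SCP
allows but that show no authenticated use inside a lookback window. Those are
the candidates for removal from the SCP allow list.
"""
import copy
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is repeatable (assumption for the sample only).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed sample rows for one OU. A row without LastAuthenticatedTime means
# the service was allowed but never used during the tracking period.
SAMPLE_ACCESS_DETAILS = [
    {"ServiceName": "Amazon S3", "ServiceNamespace": "s3",
     "LastAuthenticatedTime": datetime(2024, 5, 28, tzinfo=timezone.utc),
     "TotalAuthenticatedEntities": 12},
    {"ServiceName": "Amazon EC2", "ServiceNamespace": "ec2",
     "LastAuthenticatedTime": datetime(2024, 1, 3, tzinfo=timezone.utc),
     "TotalAuthenticatedEntities": 1},
    {"ServiceName": "AWS Glue", "ServiceNamespace": "glue",
     "TotalAuthenticatedEntities": 0},
    {"ServiceName": "Amazon SageMaker", "ServiceNamespace": "sagemaker",
     "TotalAuthenticatedEntities": 0},
]

# Constructed allow-list SCP currently attached to that OU.
SAMPLE_ALLOW_LIST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:*", "ec2:*", "glue:*", "sagemaker:*"],
        "Resource": "*",
    }],
}


def unused_services(access_details, now=NOW, lookback_days=90):
    """Return service namespaces with no authenticated use in the last lookback_days."""
    cutoff = now - timedelta(days=lookback_days)
    unused = []
    for row in access_details:
        last = row.get("LastAuthenticatedTime")
        if last is None or last < cutoff:
            unused.append(row["ServiceNamespace"])
    return sorted(unused)


def tighten_allow_list(scp, unused_namespaces):
    """Return a copy of an allow-list SCP without service-wide wildcards for unused services.

    Only Allow statements are touched, and only entries of the form "svc:*";
    anything finer-grained is left for a human to review. A statement whose
    action list ends up empty allows nothing and should be reviewed before
    the policy is applied.
    """
    tightened = copy.deepcopy(scp)
    for stmt in tightened["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        stmt["Action"] = [
            a for a in actions
            if not (a.endswith(":*") and a[:-2] in unused_namespaces)
        ]
    return tightened


if __name__ == "__main__":
    stale = unused_services(SAMPLE_ACCESS_DETAILS)
    print("unused in the last 90 days:", stale)
    print(tighten_allow_list(SAMPLE_ALLOW_LIST, stale))
```

Treat the output as a proposal rather than something to apply blindly: a service that is used rarely but legitimately (a quarterly job, for instance) will show up as unused with a short window, and the report reflects only the tracking period IAM covers. Because the report can only be generated from the Org Management account, the identity that runs this step should have exactly the permissions needed to generate and read access reports, in line with the separation of duties note above.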

AWS Systems Manager

AWS Systems Manager Quick Setup and Systems Manager Explorer both support AWS Organizations and operate from the Org Management account.

Quick Setup is an automation feature of Systems Manager. It enables the Org Management account to easily define configurations for Systems Manager to engage on your behalf across accounts in your AWS organization. You can enable Quick Setup across your entire AWS organization or choose specific OUs. Among other things, Quick Setup can schedule AWS Systems Manager Agent (SSM Agent) to run biweekly updates on your EC2 instances and can set up a daily scan of those instances to identify missing patches.

Systems Manager Explorer is a customizable operations dashboard that reports information about your AWS resources. Explorer displays an aggregated view of operations data for your AWS accounts and across AWS Regions. This includes data about your EC2 instances and patch compliance details. After you complete Integrated Setup (which also includes Systems Manager OpsCenter) within AWS Organizations, you can aggregate data in Explorer by OU or for an entire AWS organization. Systems Manager aggregates the data into the AWS Org Management account before displaying it in Explorer.

The Workloads OU section later in this guide discusses the use of the Systems Manager Agent (SSM Agent) on the EC2 instances in the Application account.