Infrastructure OU – Shared Services account - AWS Prescriptive Guidance

The following diagram illustrates the AWS security services that are configured in the Shared Services account.

Figure: Security services for Shared Services account

The Shared Services account is part of the Infrastructure OU, and its purpose is to support the services that multiple applications and teams use to deliver their outcomes. For example, directory services (Active Directory), messaging services, and metadata services are in this category. The AWS SRA highlights the shared services that support security controls. Although the Network accounts are also part of the Infrastructure OU, they are kept separate from the Shared Services account to support the separation of duties. The teams that manage these shared services don't need permissions for, or access to, the Network accounts.

AWS Systems Manager

AWS Systems Manager (which is also included in the Org Management account and in the Application account) provides a collection of capabilities that enable visibility and control of your AWS resources. One of these capabilities, Systems Manager Explorer, is a customizable operations dashboard that reports information about your AWS resources. You can synchronize operations data across all accounts in your AWS organization by using AWS Organizations and Systems Manager Explorer. Systems Manager is deployed in the Shared Services account through the delegated administrator functionality in AWS Organizations.

AWS Directory Service

AWS Directory Service enables administrators to connect their self-managed Microsoft Active Directory (AD) or their AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD) directory to AWS Single Sign-On (AWS SSO). (See also AWS organization and account structure of the AWS SRA earlier in this document.) This Microsoft AD directory defines the pool of identities that administrators can pull from when using the AWS SSO console to assign SSO access. After administrators connect their corporate directory to AWS SSO, they can grant their AD users or groups access to AWS accounts, cloud applications, or both. AWS Directory Service helps you set up and run a standalone AWS Managed Microsoft AD directory that is hosted in the AWS Cloud. You can also use AWS Directory Service to connect your AWS resources with an existing, self-managed AD.

Security service guardrails

In the AWS SRA, AWS Security Hub, Amazon GuardDuty, AWS Config, AWS IAM Access Analyzer, AWS CloudTrail organization trails, and Amazon EventBridge are deployed with appropriate delegated administration to the Security Tooling account. This enables a consistent set of guardrails and provides centralized monitoring, management, and governance across your AWS organization.
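The two sections above (Systems Manager delegated to the Shared Services account, and Security Hub, GuardDuty, AWS Config, IAM Access Analyzer and CloudTrail delegated to the Security Tooling account) together describe an intended delegated-administration layout. The following added example, which is not part of this guidance and not AWS code, checks that layout for drift. It assumes you have already captured the JSON that `aws organizations list-delegated-administrators --service-principal <service-principal>` returns for each service principal; the account IDs, account names and the three drift cases in the sample data are constructed for illustration, and keying the expectation on account names (rather than IDs) is an assumption you may want to change for your organization.

```python
"""
Added example (not from the AWS SRA page): audit AWS Organizations delegated
administration against the SRA layout. Systems Manager (ssm.amazonaws.com)
should be delegated to the Shared Services account; the security services
should be delegated to the Security Tooling account.

The observed input mirrors the JSON shape returned by
`aws organizations list-delegated-administrators --service-principal <sp>`
(one response per service principal). All IDs and names are constructed.
"""
import json

# Expected delegated administrator per service principal, as described by the SRA.
# Assumption: account names are the stable key; swap for account IDs if preferred.
EXPECTED_DELEGATIONS = {
    "ssm.amazonaws.com": "Shared Services",
    "securityhub.amazonaws.com": "Security Tooling",
    "guardduty.amazonaws.com": "Security Tooling",
    "config.amazonaws.com": "Security Tooling",
    "access-analyzer.amazonaws.com": "Security Tooling",
    "cloudtrail.amazonaws.com": "Security Tooling",
}

# Constructed sample CLI output, including three deliberate drift cases.
SAMPLE_CLI_OUTPUT = {
    "ssm.amazonaws.com": json.dumps({"DelegatedAdministrators": [
        {"Id": "111111111111", "Name": "Shared Services", "Status": "ACTIVE"}]}),
    "securityhub.amazonaws.com": json.dumps({"DelegatedAdministrators": [
        {"Id": "222222222222", "Name": "Security Tooling", "Status": "ACTIVE"}]}),
    "guardduty.amazonaws.com": json.dumps({"DelegatedAdministrators": [
        {"Id": "222222222222", "Name": "Security Tooling", "Status": "ACTIVE"}]}),
    # Drift 1: AWS Config delegated to the ops account, mixing ops and security roles.
    "config.amazonaws.com": json.dumps({"DelegatedAdministrators": [
        {"Id": "111111111111", "Name": "Shared Services", "Status": "ACTIVE"}]}),
    # Drift 2: no delegated administrator registered at all.
    "access-analyzer.amazonaws.com": json.dumps({"DelegatedAdministrators": []}),
    # Drift 3: a second account registered for the same service.
    "cloudtrail.amazonaws.com": json.dumps({"DelegatedAdministrators": [
        {"Id": "222222222222", "Name": "Security Tooling", "Status": "ACTIVE"},
        {"Id": "333333333333", "Name": "Sandbox", "Status": "ACTIVE"}]}),
}

EMPTY_RESPONSE = json.dumps({"DelegatedAdministrators": []})


def parse_delegated_admins(cli_json):
    """Return the DelegatedAdministrators list from one CLI response."""
    return json.loads(cli_json).get("DelegatedAdministrators", [])


def active_admin_names(cli_json):
    """Sorted names of ACTIVE delegated administrators in one CLI response."""
    admins = parse_delegated_admins(cli_json)
    return sorted(a["Name"] for a in admins if a.get("Status", "ACTIVE") == "ACTIVE")


def audit_delegations(expected, observed):
    """Compare expected delegation with observed CLI output.

    Returns one finding string per service principal that is either not
    delegated, delegated to the wrong account, or delegated to more than one
    account. An empty list means the layout matches the expectation exactly.
    """
    findings = []
    for service_principal, expected_name in expected.items():
        names = active_admin_names(observed.get(service_principal, EMPTY_RESPONSE))
        if not names:
            findings.append(
                f"{service_principal}: no delegated administrator "
                f"(expected {expected_name})")
        elif names != [expected_name]:
            findings.append(
                f"{service_principal}: delegated to {names}, "
                f"expected [{expected_name}]")
    return findings


if __name__ == "__main__":
    for finding in audit_delegations(EXPECTED_DELEGATIONS, SAMPLE_CLI_OUTPUT):
        print("DRIFT:", finding)
```

Run periodically from the Org Management account (or wherever the `organizations:ListDelegatedAdministrators` permission lives) and treat any finding as a change-management event: a security service delegated to the Shared Services account undoes the separation of duties the SRA relies on, and an unregistered delegated administrator means the guardrail is not being managed centrally at all.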