Architecture overview - Account Assessment for AWS Organizations

Architecture overview

This section provides a reference implementation architecture diagram for the components deployed with this solution.

Architecture diagram

Deploying this solution with the default parameters creates the following components in your AWS account.

Account Assessment for AWS Organizations architecture on AWS

  1. Users log in to the solution's web UI in the hub account, and an Amazon Cognito user pool authenticates each user. Amazon CloudFront serves the web UI content from an Amazon S3 bucket.

  2. The Amazon S3 bucket hosts the web UI.

  3. When you start a scan, the web UI obtains a token from Amazon Cognito and sends a request to Amazon API Gateway. AWS WAF protects the application programming interfaces (APIs) from attacks: the solution configures a web access control list (web ACL), a set of rules that allows, blocks, or counts web requests based on configurable, user-defined web security rules and conditions.

  4. An Amazon API Gateway provides the solution’s API layer.

  5. API Gateway passes the token carried in the Authorization header of each API request to Amazon Cognito for validation, so only requests with a valid token reach the microservices.

  6. AWS Lambda functions implement the microservices, and each API request is routed to the corresponding microservice. The Job management microservice handles the creation, deletion, and history of each scan job that a user starts from the web UI.

    Note

    Steps 3–6 are repeated for each type of scan.

Delegated Admin Accounts scan

  1. The Delegated Admin Accounts scan microservice finds the delegated administrator accounts registered for every enabled AWS service and stores them in an Amazon DynamoDB table. A delegated administrator account can call that service's API operations on behalf of the other member accounts in the Organization (for example, the AWS Account Management API).

  2. This microservice gets the information from the Organizations management account.

Trusted Access scan

  1. The Trusted Access scan microservice finds the AWS services for which trusted access is enabled in AWS Organizations. Trusted access allows a service to perform tasks in your Organization and its accounts on your behalf. This microservice stores the enabled service principals in a DynamoDB table.

  2. This microservice gets the information from the AWS Organizations management account.
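The following is an added example, not code from the solution itself, showing what the Delegated Admin Accounts scan and the Trusted Access scan retrieve from the Organizations management account and how the results can be shaped for DynamoDB. It calls the real AWS Organizations APIs ListDelegatedAdministrators, ListDelegatedServicesForAccount and ListAWSServiceAccessForOrganization through their boto3 paginators; the client is passed in so a constructed fake (sample account IDs and service principals below are invented) can stand in for a real client, and the DynamoDB item layout is illustrative rather than the solution's schema.

```python
"""Added example (not the solution's own code): what the Delegated Admin Accounts
and Trusted Access scans retrieve from the Organizations management account, using
the real AWS Organizations APIs ListDelegatedAdministrators,
ListDelegatedServicesForAccount and ListAWSServiceAccessForOrganization.

Assumptions (hypothetical): credentials for the management account with
organizations:List* permissions; the DynamoDB item layout is illustrative.
"""
from datetime import datetime, timezone


def list_delegated_admins(org_client):
    """One item per (delegated admin account, delegated service principal).

    org_client is a boto3 Organizations client or any object with the same
    get_paginator()/paginate() shape, so a fake can be injected for tests.
    """
    items = []
    admins = org_client.get_paginator("list_delegated_administrators")
    for page in admins.paginate():
        for admin in page["DelegatedAdministrators"]:
            services = org_client.get_paginator("list_delegated_services_for_account")
            for svc_page in services.paginate(AccountId=admin["Id"]):
                for svc in svc_page["DelegatedServices"]:
                    items.append({
                        "AccountId": admin["Id"],
                        "AccountName": admin.get("Name", ""),
                        "ServicePrincipal": svc["ServicePrincipal"],
                        "DelegationEnabledDate": svc["DelegationEnabledDate"].isoformat(),
                    })
    return items


def list_trusted_access(org_client):
    """One item per service principal with trusted access enabled for the org."""
    items = []
    paginator = org_client.get_paginator("list_aws_service_access_for_organization")
    for page in paginator.paginate():
        for svc in page["EnabledServicePrincipals"]:
            items.append({"ServicePrincipal": svc["ServicePrincipal"],
                          "DateEnabled": svc["DateEnabled"].isoformat()})
    return items


def delegations_without_trusted_access(admin_items, trusted_items):
    """Cross-check: registering a delegated admin requires trusted access for that
    service, so any principal returned here is drift worth investigating."""
    trusted = {t["ServicePrincipal"] for t in trusted_items}
    return sorted({a["ServicePrincipal"] for a in admin_items} - trusted)


def store_items(table, items):
    """Write the items to a DynamoDB Table resource (boto3 Table.batch_writer)."""
    with table.batch_writer() as batch:
        for item in items:
            batch.put_item(Item=item)


class _FakePaginator:
    def __init__(self, pages_fn):
        self._pages_fn = pages_fn

    def paginate(self, **kwargs):
        return self._pages_fn(**kwargs)


class FakeOrganizationsClient:
    """Constructed stand-in for the boto3 Organizations client (sample data only)."""
    ENABLED = datetime(2024, 1, 1, tzinfo=timezone.utc)
    ADMINS = [{"Id": "111111111111", "Name": "security-tooling"},
              {"Id": "222222222222", "Name": "audit"}]
    DELEGATED = {"111111111111": ["guardduty.amazonaws.com", "securityhub.amazonaws.com"],
                 "222222222222": ["config.amazonaws.com"]}
    TRUSTED = ["config.amazonaws.com", "guardduty.amazonaws.com",
               "securityhub.amazonaws.com", "sso.amazonaws.com"]

    def get_paginator(self, name):
        if name == "list_delegated_administrators":
            return _FakePaginator(lambda **kw: [{"DelegatedAdministrators": self.ADMINS}])
        if name == "list_delegated_services_for_account":
            return _FakePaginator(lambda AccountId, **kw: [{"DelegatedServices": [
                {"ServicePrincipal": s, "DelegationEnabledDate": self.ENABLED}
                for s in self.DELEGATED[AccountId]]}])
        if name == "list_aws_service_access_for_organization":
            return _FakePaginator(lambda **kw: [{"EnabledServicePrincipals": [
                {"ServicePrincipal": s, "DateEnabled": self.ENABLED} for s in self.TRUSTED]}])
        raise ValueError(f"no fake paginator for {name}")


if __name__ == "__main__":
    client = FakeOrganizationsClient()  # swap for boto3.client("organizations")
    admins = list_delegated_admins(client)
    trusted = list_trusted_access(client)
    for item in admins + trusted:
        print(item)
    print("drift:", delegations_without_trusted_access(admins, trusted))
```

Both list calls must run with management-account (or Organizations delegated admin) credentials; a member account gets AccessDeniedException. The cross-check is the example's own addition: because a service cannot be delegated without trusted access, a non-empty result points at an inconsistent or partially disabled configuration.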

Resource-Based Policies scan

  1. The Resource-Based Policies scan microservice starts an asynchronous job from a Lambda function, which invokes an AWS Step Functions state machine.

  2. The Step Functions state machine scans multiple accounts and AWS Regions in parallel and stores the resource details it finds in a DynamoDB table. This microservice can scan up to 25 AWS services across the accounts in your Organization and identify resource dependencies.

  3. Each iteration of the state machine invokes a Lambda function that assumes a role in one spoke account. The function inspects the Condition block of each resource-based policy for values that contain Organization IDs or organizational unit (OU) IDs, for example in the aws:PrincipalOrgID and aws:PrincipalOrgPaths condition keys.
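The per-account work of steps 1 to 3, as an added example rather than the solution's own code: assume the spoke-account role with the real STS AssumeRole API, then walk each resource-based policy's Condition block and record the Organization and OU IDs it references. The spoke role name, the sample bucket and queue policies, the resource ARNs and the set of condition keys checked are all constructed or assumed for illustration; the STS client is passed in so a fake can replace it offline.

```python
"""Added example (not the solution's own code): the per-account work of the
Resource-Based Policies scan, namely assuming the spoke-account role and
checking each resource policy's Condition block for Organization and OU IDs.

Assumed names (hypothetical): the spoke role name, resource ARNs and sample
policies below are constructed for illustration.
"""
import json
import re

# Global condition keys whose values carry an org ID (aws:*OrgID) or an org path
# of the form o-xxxx/r-xxxx/ou-xxxx-xxxxxxxx/... (aws:*OrgPaths). Compared
# case-insensitively, as IAM does. List assumed sufficient for this example.
ORG_CONDITION_KEYS = {"aws:principalorgid", "aws:principalorgpaths",
                      "aws:resourceorgid", "aws:resourceorgpaths"}
ORG_ID_RE = re.compile(r"\bo-[a-z0-9]{10,32}\b")
OU_ID_RE = re.compile(r"\bou-[a-z0-9]{4,32}-[a-z0-9]{8,32}\b")


def assume_spoke_role(sts_client, account_id, role_name, partition="aws",
                      session_name="AccountAssessmentScan"):
    """Assume the scan role in a spoke account (real STS AssumeRole call).

    Returns keyword arguments usable as boto3.client(..., **creds)."""
    resp = sts_client.assume_role(
        RoleArn=f"arn:{partition}:iam::{account_id}:role/{role_name}",
        RoleSessionName=session_name,
        DurationSeconds=900,  # shortest allowed; one scan iteration needs no more
    )
    c = resp["Credentials"]
    return {"aws_access_key_id": c["AccessKeyId"],
            "aws_secret_access_key": c["SecretAccessKey"],
            "aws_session_token": c["SessionToken"]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def find_org_conditions(policy):
    """One finding per condition entry that references an org or OU.

    policy is a dict or JSON string; Statement may be a single object or a
    list, and condition values may be a string or a list."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        for operator, clauses in stmt.get("Condition", {}).items():
            for key, values in clauses.items():
                if key.lower() not in ORG_CONDITION_KEYS:
                    continue
                text = " ".join(str(v) for v in _as_list(values))
                findings.append({
                    "Sid": stmt.get("Sid", ""), "Effect": stmt.get("Effect", ""),
                    "Operator": operator, "Key": key, "Values": _as_list(values),
                    "OrgIds": sorted(set(ORG_ID_RE.findall(text))),
                    "OuIds": sorted(set(OU_ID_RE.findall(text))),
                })
    return findings


def scan_policies(policies_by_arn):
    """Apply find_org_conditions to {resource ARN: policy}, tagging each finding."""
    return [{"ResourceArn": arn, **f}
            for arn, policy in policies_by_arn.items()
            for f in find_org_conditions(policy)]


def dependencies_on(findings, org_or_ou_id):
    """(ResourceArn, Sid) pairs whose access would change if this org or OU ID
    no longer applied, e.g. before moving an account to another OU."""
    return sorted({(f["ResourceArn"], f["Sid"]) for f in findings
                   if org_or_ou_id in f["OrgIds"] + f["OuIds"]})


class FakeStsClient:
    """Constructed stand-in for the boto3 STS client (static credentials)."""
    def assume_role(self, **kwargs):
        self.last_role_arn = kwargs["RoleArn"]
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE",
                                "SecretAccessKey": "secret", "SessionToken": "token"}}


SAMPLE_POLICIES = {  # constructed sample data, not real resources
    "arn:aws:s3:::example-bucket": {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowOrg", "Effect": "Allow", "Principal": "*",
             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
             "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-a1b2c3d4e5"}}},
            {"Sid": "AllowOU", "Effect": "Allow", "Principal": "*",
             "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
             "Condition": {"ForAnyValue:StringLike": {
                 "aws:PrincipalOrgPaths": ["o-a1b2c3d4e5/r-ab12/ou-ab12-11111111/*"]}}},
            {"Sid": "NoCondition", "Effect": "Allow",
             "Principal": {"AWS": "arn:aws:iam::333333333333:root"},
             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        ],
    },
    "arn:aws:sqs:us-east-1:111111111111:example-queue": json.dumps({
        "Version": "2012-10-17",
        "Statement": {"Effect": "Allow", "Principal": "*",
                      "Action": "sqs:SendMessage", "Resource": "*"}}),
}

if __name__ == "__main__":
    creds = assume_spoke_role(FakeStsClient(), "444444444444", "AccountAssessment-Spoke-Role")
    for f in scan_policies(SAMPLE_POLICIES):  # in a real run, fetched with creds
        print(f["ResourceArn"], f["Sid"], f["Key"], f["OrgIds"], f["OuIds"])
```

In a real iteration the credentials returned by assume_spoke_role are used to build the per-service clients (S3, SQS, and so on) that fetch the policies for one account and Region; the sample dictionary stands in for that fetch. dependencies_on answers the question the scan exists for: which resources reference a given OU or Organization ID, and therefore would be affected by moving an account.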