Features and benefits
The Account Assessment for AWS Organizations solution provides the following features.
Access the solution using a web UI
This solution provides a web UI to help you view scan results. For more details, see Use the solution.
Identify enabled services with AWS Organizations
In your AWS Organization, you can enable more than 30 compatible AWS services to perform operations across all of the AWS accounts. This solution finds enabled services and delegated admin accounts per service (if activated).
Explore your policies to find actions and conditions
This feature lets you search all the policies across your AWS Organization for specific conditions and actions. If an action is deprecated, or you need to remove or update a given action or condition across all accounts or a specific set of accounts, you can quickly find and review the affected policies in the solution's UI and update them across your environment to meet your needs.
The policies included in the scans are identity-based policies, resource-based policies, and organization-based policies (such as service control policies). The daily scan stores representations of all the policies in your environment in DynamoDB, so you can search through them and find the attributes you are looking for in the solution's web UI.
Assess IAM policy conditions
The Condition policy element lets you use keys to specify conditions for when a policy is in effect. You can use specific keys to compare the identifier or path of the requesting principal's Organization in AWS Organizations with the identifier specified in the policy. This helps you identify existing conditions and dependencies. If desired, you can use global condition keys. This solution scans conditions in the following types of policies and presents them for your review in the solution's web UI.
Assume role (trust relationship) conditions
With IAM roles, you can establish trust relationships between your trusting account (the account that owns the resource) and other AWS trusted accounts (the accounts that contain the users that need to access the resource). In this trust relationship, you can use condition keys to grant permissions to any principal in your AWS Organization.
Identity-based policy conditions
Identity-based policies are attached to a user, group, or role. Use these policies to specify permissions for a given identity.
Resource-based policy conditions
Resource-based policies are attached to a resource. Use these policies to specify who has access to the resource and what actions they can perform on it. For example, you can attach resource-based policies to Amazon Simple Storage Service
The following table provides a list of services supported by this solution.
| AWS service | Policy type |
|---|---|
| *(service name not recovered from source)* | Resource-based |
| *(service name not recovered from source)* | Resource-based |
| *(service name not recovered from source)* | Resource-based |
| *(service name not recovered from source)* | Resource-based |
| *(service name not recovered from source)* | Resource-based |
| *(service name not recovered from source)* | Resource-based |
| Amazon Elastic Container Registry | Resource-based |
| Amazon Elastic File System | Resource-based |
| *(service name not recovered from source)* | Resource-based |
| *(service name not recovered from source)* | Resource-based |
| *(service name not recovered from source)* | Resource-based |
| *(service name not recovered from source)* | Identity-based |
| *(service name not recovered from source)* | Resource-based |
| AWS Key Management Service | Resource-based |
| *(service name not recovered from source)* | Resource-based |
| *(service name not recovered from source)* | Resource-based |
| *(service name not recovered from source)* | Resource-based |
| *(service name not recovered from source)* | Resource-based |
| Amazon Simple Email Service | Resource-based |
| Amazon Simple Notification Service | Resource-based |
| Amazon Simple Queue Service | Resource-based |
| Amazon Simple Storage Service | Resource-based |
| *(service name not recovered from source)* | Resource-based |
| *(service name not recovered from source)* | Resource-based |
| Amazon Virtual Private Cloud | Resource-based |
| AWS Resource Access Manager (Amazon RAM) | Resource-based |
| Amazon EventBridge Schemas | Resource-based |
| AWS Systems Manager Incident Manager Contacts | Resource-based |
| Amazon Lex | Resource-based |
| ACM-PCA (AWS Certificate Manager Private Certificate Authority) | Resource-based |
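The following is an added example, not the solution's own code, of the two searches described above: the action/condition explorer and the trust-relationship condition assessment. It walks constructed sample policy documents (a role trust policy and an S3 bucket policy with a placeholder org ID), collects the actions and condition keys each one uses, and filters the set the way the web UI search does over the copies stored in DynamoDB.

```python
# Added example (not the solution's own code): scan IAM policy documents for
# the actions and condition keys they use, the search the web UI performs over
# the policy copies stored in DynamoDB. Policies below are constructed samples.
import json

# Constructed samples: a role trust policy and an S3 bucket policy, placeholder org ID.
TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-EXAMPLEID"}},
    }],
})
BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Resource": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Condition": {"ForAnyValue:StringLike":
                       {"aws:PrincipalOrgPaths": ["o-EXAMPLEID/*"]}}},
        {"Effect": "Deny", "Principal": "*", "Resource": "*",
         "NotAction": "s3:GetObject"},
    ],
})

def _as_list(value):
    # IAM accepts a single string or a list in Statement/Action/NotAction.
    return [] if value is None else value if isinstance(value, list) else [value]

def scan_policy(document):
    """Return (actions, condition_keys) for a policy document. condition_keys
    maps each key (lower-cased, as IAM matches them) to its operators."""
    actions, keys = set(), {}
    for stmt in _as_list(json.loads(document).get("Statement")):
        for field in ("Action", "NotAction"):
            actions.update(a.lower() for a in _as_list(stmt.get(field)))
        for operator, kv in stmt.get("Condition", {}).items():
            for key in kv:
                keys.setdefault(key.lower(), set()).add(operator)
    return actions, keys

def find_policies(documents, action=None, condition_key=None):
    """Names of documents using the given action and/or condition key."""
    hits = []
    for name, doc in documents.items():
        actions, keys = scan_policy(doc)
        if (action is None or action.lower() in actions) and \
           (condition_key is None or condition_key.lower() in keys):
            hits.append(name)
    return hits
```

Calling `find_policies({"role-trust": TRUST_POLICY, "bucket": BUCKET_POLICY}, condition_key="aws:PrincipalOrgID")` returns only the trust policy, while a search on `aws:PrincipalOrgPaths` returns only the bucket policy.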