Ref: https://learn.cantrill.io/courses/1820301/lectures/41301370
DEMO: https://learn.cantrill.io/courses/1820301/lectures/41301371
AWS Organizations - Overview
- 🔧 Multi-account management service
- 1 management/master account & 0+ member accounts
- 💡 When you start having multiple accounts, having many IAM users and payment methods is not scalable → AWS Organizations becomes very useful
- Benefits (more details in sections below)
- 👍 SwitchRole feature → allows switching between accounts without the hassle of logging out and logging in
- 👍 Easier management of permissions via SCPs attached to OUs
- 👍 Consolidated billing → get one AWS monthly bill for the whole organization, instead of one bill per account
- 👍 Can benefit more easily from discounts via aggregated usage of AWS services
- 👍 Account creation can be automated (e.g. via API)
- Limitations
- 👎 AWS Free Tier usage is consolidated through all accounts
- Instead of benefiting from the AWS Free Tier in each account, all usage is aggregated, and you only benefit from the AWS Free Tier as if it were all one single account
Creating an AWS Organization
- Create the management account of a new AWS Organization from a standard account
- Standard AWS account = AWS account that is NOT yet part of an AWS Organization
- All standard accounts have the potential to become management accounts
- ‼️ You don't create the AWS Organization inside an account!!
- You log in to the standard account, create an organization inside AWS Organizations, and then this standard account has become the management account of the brand new organization
- The management account can add member accounts to its AWS Organization in two ways:
- Invite other existing standard accounts to join the organization
- Standard account needs to accept the invite before becoming a member account
- Create new accounts inside the organization
Switching Roles in AWS Organizations
OrganizationAccountAccessRole
→ IAM role inside a member account that gives admin permissions to the management account
- Created by default in new member accounts (created inside the organization)
- ‼️ NOT there by default in previously standard accounts! → if a member account used to be a standard account before, you will need to manually create this role!
- From the AWS Management Console of the management account, you can now click “Switch Role”, follow the wizard, and then seamlessly switch between accounts (role switching happens transparently to the user)
- AWS gives an alias (e.g. PROD with a red background) to the role you switch to and stores it in your browser → easy for you to see which account you are in and which role you are assuming
- Best Practice for identity administration in AWS Organizations:
- Centralized logins → Two options:
- Only 1 account contains IAM users (account dedicated for logins)
- Identity Federation (for external IdPs like Microsoft Active Directory)
- Access to other accounts done with roles → users assume account roles (with Switch Roles feature)
- Example: on-premises users sign in to the account that stores the users. Access to the other accounts implies assuming a new role.
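Added example (not from the course): when an invited account has to get OrganizationAccountAccessRole created by hand, the trust policy decides who may assume an admin role in that account, so it is worth generating it from the management account ID and checking existing ones for drift. The account ID 111111111111, the optional MFA condition and the DRIFTED_POLICY sample are constructed for illustration.

```python
import json

# AWS creates this role in accounts created inside the organization; invited
# (formerly standard) accounts lack it and need it created by hand, e.g.
#   aws iam create-role --role-name OrganizationAccountAccessRole --assume-role-policy-document file://trust.json
#   aws iam attach-role-policy --role-name OrganizationAccountAccessRole --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
ROLE_NAME = "OrganizationAccountAccessRole"


def trust_policy(management_account_id: str, require_mfa: bool = False) -> dict:
    """Trust policy that lets only the management account assume the role."""
    if not (management_account_id.isdigit() and len(management_account_id) == 12):
        raise ValueError("AWS account IDs are 12 digits")
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{management_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:  # optional hardening (assumption): only MFA-authenticated callers
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def trust_policy_findings(policy: dict, management_account_id: str) -> list:
    """Review an existing trust policy: list every Allow principal that is not
    the management account (wildcards included). An empty list means clean."""
    allowed = {management_account_id, f"arn:aws:iam::{management_account_id}:root"}
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = "*" if principal == "*" else principal.get("AWS", [])
        for p in [aws] if isinstance(aws, str) else aws:
            if p == "*":
                findings.append("Principal '*' lets any AWS account assume the role")
            elif p not in allowed:
                findings.append(f"Unexpected principal {p}")
    return findings


# Constructed sample: a hand-made role whose trust policy drifted to a wildcard.
DRIFTED_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}""")

if __name__ == "__main__":
    print(json.dumps(trust_policy("111111111111", require_mfa=True), indent=2))
    print(trust_policy_findings(DRIFTED_POLICY, "111111111111"))
```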
Hierarchical Structure of AWS Organizations