Rahul Ladumor
A Comprehensive Guide to Setting Up AWS Organizations with Child Accounts

Introduction

Managing multiple AWS accounts becomes a complex task as your organization grows. AWS Organizations offers a centralized way to manage and govern multiple AWS accounts under a single management account (the account AWS formerly called the master account), making it easier to enforce policies, simplify billing, and enhance security.

In this guide, we'll explore how to set up AWS Organizations with child accounts, access them, define minimal permissions for different account types, understand pricing considerations, and cover everything you need to know about the AWS Organizations service.



Why Use AWS Organizations?

  • Centralized Management: Manage multiple AWS accounts from a single point.
  • Consolidated Billing: Simplify billing by aggregating charges across accounts.
  • Policy Enforcement: Apply Service Control Policies (SCPs) to enforce compliance.
  • Resource Isolation: Isolate resources for different teams or projects.
  • Scalability: Easily add or remove accounts as your organization evolves.

Understanding AWS Organizations Pricing

AWS Organizations is available at no additional cost. However, costs are incurred based on the services used within your AWS accounts.

  • Consolidated Billing: Take advantage of volume discounts and savings plans across accounts.
  • Cost Allocation Tags: Use tags to track and allocate costs efficiently.
  • Monitoring Tools: Utilize AWS Cost Explorer and AWS Budgets to keep track of spending.

For detailed pricing, visit the AWS Organizations Pricing page.


Setting Up AWS Organizations

Prerequisites

  • An AWS account to serve as the management account.
  • Appropriate permissions to create an organization (typically, full administrative access).

Creating Your Organization

  1. Sign In: Log in to the AWS Management Console with your management account credentials.
  2. Navigate: Go to AWS Organizations service.
  3. Create Organization:
    • Click on "Create organization".
    • Choose "Enable All Features" for full functionality (SCPs require it; the consolidated-billing-only mode does not support them).
  4. Confirmation: Confirm the creation of your organization.


Image Credit: AWS Documentation

Organizational Units (OUs)

Organizational Units help you group accounts for better management.

  1. Access OUs: In the AWS Organizations console, select "Organize accounts".
  2. Create OU:
    • Click on "Create organizational unit".
    • Provide a name (e.g., Development, Production).
  3. Finalize: Click "Create organizational unit".

Creating Child Accounts

You can create new accounts or invite existing accounts into your organization.

Creating a New Account

  1. Select OU: Choose the OU where the new account will reside.
  2. Add Account:
    • Click "Add an AWS account".
    • Choose "Create account".
  3. Provide Details:
    • Account Name: Give your account a meaningful name.
    • Email Address: Must be unique and not associated with another AWS account.
    • IAM Role Name: Optional, defaults to OrganizationAccountAccessRole. Organizations creates this role in the new account with administrator permissions and a trust policy that lets the management account assume it, so it is the initial path into the account; restrict which management-account principals are allowed to assume it.
  4. Create: Click "Create".

Inviting an Existing Account

  1. Add Account:
    • Click "Add an AWS account".
    • Choose "Invite account".
  2. Provide Details:
    • Account ID or Email Address of the existing account.
  3. Invite: Click "Invite".


Accessing Child Accounts

Accessing child accounts can be streamlined using AWS Single Sign-On or by assuming IAM roles.

Using AWS Single Sign-On (AWS SSO)

AWS SSO, since renamed AWS IAM Identity Center, provides centralized access management.

  1. Enable AWS SSO:
    • Navigate to AWS Single Sign-On service.
    • Click "Enable AWS SSO".
  2. Configure Directory:
    • Use the default directory or integrate with an existing identity provider.
  3. Assign Access:
    • Create user groups and assign them to AWS accounts.
    • Set permission sets defining the level of access.

For detailed steps, refer to the AWS SSO User Guide.

Assuming Roles Across Accounts

Set up cross-account access by creating IAM roles.

In the Child Account

  1. Create IAM Role:
    • Go to IAM > Roles > Create Role.
    • Select "Another AWS account" as the trusted entity.
  2. Specify Trusted Account:
    • Enter the Account ID of the management account.
  3. Attach Policies:
    • Choose the necessary permissions (e.g., AdministratorAccess). Prefer a policy scoped to what the role's users actually do, and reserve AdministratorAccess for a break-glass role.
  4. Name the Role:
    • Give the role a descriptive name (e.g., AdminAccessFromMaster).

In the Management Account

  1. Create IAM Policy:
    • Go to IAM > Policies > Create Policy.
    • Define a policy that allows sts:AssumeRole on the child account role, with Resource set to that role's ARN (arn:aws:iam::<child-account-id>:role/<role-name>) rather than "*".
  2. Attach Policy to User/Group:
    • Assign the policy to the users or groups who need access.

Switching Roles

  • In the AWS console, click on your username and select "Switch Role".
  • Provide the Account ID and Role Name of the child account.

Minimal Permissions for Account Types

Management Account

The management account has overarching control.

  • Secure Access:
    • Enable Multi-Factor Authentication (MFA).
    • Implement strong password policies.
  • Restrict Usage:
    • Avoid using the management account for daily operations.
  • Permissions:
    • Grant minimal necessary permissions to IAM users.

Member Accounts

Member accounts operate under the policies set by the management account.

  • Least Privilege Principle:
    • Only grant permissions necessary for specific tasks.
  • Role Separation:
    • Create roles for different functions (e.g., admin, developer).
  • Access Management:
    • Regularly review and update IAM policies.

Service Control Policies (SCPs)

SCPs set the maximum permissions available to the member accounts in the OUs they are attached to. They never grant permissions on their own (an IAM policy in the account still has to allow the action), and they do not apply to the management account.

  • Apply at OU or Account Level:
    • SCPs can be attached to OUs or individual accounts.
  • Restrictive Policies:
    • Deny access to unnecessary services.
  • Example SCP: Deny access to AWS regions not in use.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRegions",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "us-east-1",
            "us-west-2"
          ]
        }
      }
    }
  ]
}
```

Because us-east-1 stays permitted, global services whose endpoints live in us-east-1 (IAM, STS, Organizations) keep working under this policy. If you tighten the list so that it no longer includes us-east-1, exempt those services with NotAction, as the reference SCP in the AWS documentation does, or you will lock accounts out of IAM. Attach the SCP to the OUs holding member accounts; it has no effect on the management account.
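The following is an added example, not code from the original post, covering both the cross-account role setup above (the child account's trust policy and the management account's sts:AssumeRole policy) and the region-denying SCP. It is a small evaluator for those three documents, not AWS's policy engine: it models only the condition operators they use, the account IDs are constructed placeholders, the MFA condition in the trust policy is an added hardening, and it assumes the default FullAWSAccess SCP remains attached so that a deny-only SCP is the only thing that can block a call.

```python
# Added example for the cross-account role setup and the SCP above; it is not
# AWS's policy engine, only a small evaluator for the three documents the guide
# has you write, so you can check what each one decides. Account IDs are
# constructed placeholders; the role name is the one used in the guide.
MGMT_ACCOUNT_ID = "111111111111"    # constructed placeholder
CHILD_ACCOUNT_ID = "222222222222"   # constructed placeholder
ROLE_NAME = "AdminAccessFromMaster"
ALLOWED_REGIONS = ["us-east-1", "us-west-2"]


def trust_policy(mgmt_account_id, require_mfa=True):
    """Trust policy for the role in the child account ("Another AWS account" in
    the console). Requiring MFA on the assuming principal is an added hardening."""
    stmt = {"Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"AWS": f"arn:aws:iam::{mgmt_account_id}:root"}}
    if require_mfa:
        stmt["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def assume_role_policy(child_account_id, role_name):
    """Identity policy for management-account users/groups: sts:AssumeRole on
    exactly one role ARN rather than on "*"."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Resource": f"arn:aws:iam::{child_account_id}:role/{role_name}"}]}


def region_scp(allowed_regions):
    """The guide's SCP: deny every action whose requested region is not listed."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyRegions", "Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"StringNotEquals": {"aws:RequestedRegion": list(allowed_regions)}}}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _glob(pattern, value):
    """IAM-style matching for Action/Resource: bare "*" or a trailing "*"."""
    if pattern == "*":
        return True
    return value.startswith(pattern[:-1]) if pattern.endswith("*") else pattern == value


def _conditions_hold(condition, ctx):
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals", "Bool"):
            raise ValueError(f"operator {operator} is not modelled here")
        for key, expected in pairs.items():
            actual, expected = ctx.get(key), _as_list(expected)
            if operator == "StringEquals" and actual not in expected:
                return False
            if operator == "StringNotEquals" and actual in expected:
                return False
            if operator == "Bool" and str(actual).lower() != expected[0].lower():
                return False
    return True


def evaluate(policy, ctx):
    """Decide one policy document for a request context and return "Deny"
    (explicit, always wins), "Allow", or "ImplicitDeny". ctx carries action,
    resource, principal_account and any condition keys the policy tests."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(_glob(a, ctx["action"]) for a in _as_list(stmt["Action"])):
            continue
        if "Resource" in stmt and not any(
                _glob(r, ctx.get("resource", "")) for r in _as_list(stmt["Resource"])):
            continue
        if "Principal" in stmt:
            # arn:aws:iam::<account>:root trusts any principal in that account
            trusted = [p.split(":")[4] for p in _as_list(stmt["Principal"]["AWS"])]
            if ctx.get("principal_account") not in trusted:
                continue
        if not _conditions_hold(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def blocked_by_scp(region, action="ec2:RunInstances"):
    """True when the region SCP denies the call. A deny-only SCP grants nothing;
    the allow comes from the default FullAWSAccess SCP, which stays attached."""
    ctx = {"action": action, "resource": "*", "aws:RequestedRegion": region}
    return evaluate(region_scp(ALLOWED_REGIONS), ctx) == "Deny"


if __name__ == "__main__":
    mfa_ctx = {"action": "sts:AssumeRole", "principal_account": MGMT_ACCOUNT_ID,
               "aws:MultiFactorAuthPresent": "true"}
    print("assume with MFA:", evaluate(trust_policy(MGMT_ACCOUNT_ID), mfa_ctx))
    print("eu-west-1 blocked:", blocked_by_scp("eu-west-1"))
```

Two points the evaluator makes visible: the trust policy alone decides nothing until the caller also holds an identity policy allowing sts:AssumeRole on that exact role ARN, and the SCP only ever removes permissions, so a request in us-east-1 comes back ImplicitDeny from the SCP (meaning "not blocked here"), not Allow.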

Best Practices

  • Multi-Account Strategy:
    • Use separate accounts for development, testing, and production.
  • Enable CloudTrail:
    • Track all API calls for auditing purposes.
  • Regular Audits:
    • Periodically review IAM roles and permissions.
  • Security Services:
    • Utilize AWS Config, Security Hub, and GuardDuty.
  • Backup and Recovery:
    • Implement robust backup strategies using AWS Backup.
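As an added example for the "Regular Audits" practice (not part of the original post), the script below scans the trust policies of IAM roles, as returned by the IAM ListRoles API, and flags the ones that undermine the cross-account model set up earlier: roles that trust every AWS principal, roles that trust an account outside the organization, and roles that trust an account without requiring MFA. The role inventory and the account IDs are constructed sample data.

```python
# Added audit example (not from the original guide): flag role trust policies
# that break the cross-account model. SAMPLE_ROLES is constructed data in the
# shape of the IAM ListRoles output, reduced to the fields used here; all
# account IDs are placeholders.
ORG_ACCOUNT_IDS = {"111111111111", "222222222222"}  # constructed: management + member

SAMPLE_ROLES = [
    {"RoleName": "AdminAccessFromMaster",   # the role the guide creates
     "AssumeRolePolicyDocument": {"Statement": [
         {"Effect": "Allow", "Action": "sts:AssumeRole",
          "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
          "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}},
    {"RoleName": "VendorSupport",           # trusts an account outside the org, no MFA
     "AssumeRolePolicyDocument": {"Statement": [
         {"Effect": "Allow", "Action": "sts:AssumeRole",
          "Principal": {"AWS": "999999999999"}}]}},
    {"RoleName": "OpenRole",                # trusts anyone
     "AssumeRolePolicyDocument": {"Statement": [
         {"Effect": "Allow", "Action": "sts:AssumeRole",
          "Principal": {"AWS": "*"}}]}},
    {"RoleName": "LambdaExec",              # service principal, out of scope
     "AssumeRolePolicyDocument": {"Statement": [
         {"Effect": "Allow", "Action": "sts:AssumeRole",
          "Principal": {"Service": "lambda.amazonaws.com"}}]}},
]


def _account_of(principal):
    """Account ID for a principal given either as a bare 12-digit ID or an ARN."""
    if principal.isdigit():
        return principal
    parts = principal.split(":")
    return parts[4] if len(parts) > 4 else None


def audit_trust_policies(roles, org_account_ids):
    """Return {role_name: [finding, ...]} for roles whose trust policy allows
    sts:AssumeRole to (a) any AWS principal, (b) an account outside the
    organization, or (c) an account without an MFA condition."""
    findings = {}
    for role in roles:
        issues = []
        for stmt in role["AssumeRolePolicyDocument"]["Statement"]:
            if stmt.get("Effect") != "Allow":
                continue
            principals = stmt.get("Principal", {}).get("AWS")
            if principals is None:          # Service/Federated principals: not audited here
                continue
            if isinstance(principals, str):
                principals = [principals]
            mfa = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
            for p in principals:
                if p == "*":
                    issues.append("trusts every AWS principal")
                    continue
                account = _account_of(p)
                if account not in org_account_ids:
                    issues.append(f"trusts account {account} outside the organization")
                if str(mfa).lower() != "true":
                    issues.append(f"no MFA condition for principal {p}")
        if issues:
            findings[role["RoleName"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_trust_policies(SAMPLE_ROLES, ORG_ACCOUNT_IDS).items():
        print(name, "->", "; ".join(issues))
```

In practice you would feed it the JSON from the IAM ListRoles API for each member account (assumed through the cross-account role) and run it on a schedule, treating any new finding as a change to review.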

Conclusion

Setting up AWS Organizations with child accounts provides a scalable and secure way to manage multiple AWS accounts. By following best practices and leveraging AWS services like AWS SSO and SCPs, you can maintain control over your organization's cloud environment, ensure compliance, and optimize costs.




Feel free to leave comments or ask questions below!
