π This is not properly displayed? Read all of our issues online! π‘
Hi Reader ππ½
We've said it more than once and we still stand with it:
Overwhelmingly, engineers look at the way of least resistance via "Which permissions do I have to grant to make this work? π€" or directly using wildcards for actions and resources on all policies, instead of diving into all the aspects of the service and its possibilities.
Nevertheless, it's not optional to work with AWS IAM as by default all actions to all resources are denied in the first place.
So you have to put in at least some explorative work to get to know the basics.
But that's often where it ends. π ββοΈ
And if it does, you'll maybe never notice that there's a crucial service that can immensely elevate your IAM management, operations, and general security of one or several AWS accounts: AWS Organizations!
In this issue, we'll explore this unsung hero of the AWS ecosystem! π¦ΈββοΈ
Buckle up and take your time βοΈ
β
P.S.: Before directly jumping into this, you can also give yourself an overview with one of our infographics π
β
When we're making the first steps with a new project on AWS, we can easily put all of our workloads into a single account...
Surely, you can also work your way up to an ecosystem of hundreds or thousands of resources in a single account - even perfectly secure - but maybe this is not the ideal way to go.
AWS accounts come with natural security barriers that we should utilize! π
This is where AWS Organizations come into play: a service to split your infrastructure into multiple accounts while still keeping control in a single place.
β
Using multiple accounts comes with multiple benefits. Amongst them, but not limited to:
Additionally, for enterprises, it's easily possible to map down their organizational structure into their AWS Organization!
This can simplify things immensely.
β
Using AWS Organizations is better than just one account for security, access control, and billing purposes.
Within our Management Account, we'll then keep control over all of our Member Accounts - we're even able to define Service Control Policies and apply them to one or several Organizational Units. With billing in a single place - via consolidated billing!
But now we've introduced a lot of new fancy words πββοΈ
βWhat do they mean and what are organizations all about?
βοΈ Management Account: The initial account used to create the organization with full access to all AWS resources and services, intended for setup and account management tasks.
ποΈ Organization: A container for managing multiple AWS accounts centrally, allowing policy and permission application across all accounts.
ποΈ Organizational Units: Logical groupings within an organization that can contain accounts and other units, used for structured management.
π Service Control Policies: Policies that restrict access to AWS resources and services, applicable to the organization, organizational units, or individual accounts for compliance and security.
πΈ Consolidated Billing: A feature that centralizes payment for all member accounts to the management account, providing a unified view of billing and spending.
π Federated and Delegated Access: Allows users to access multiple accounts with a single set of credentials and manage permissions and roles centrally.
β
Service Control Policies (SCPs) are one of the greatest features of AWS Organizations.
They are a type of policy that you can use to manage permissions in your AWS Organization.
SCPs offer central control over the maximum available permissions for one or several accounts / organizational units in your organization, allowing you to ensure your accounts stay within your organizationβs access control guidelines.
SCPs are used to allowlist or denylist permission for AWS services and actions and do not grant permissions but instead act as a guardrail π.
They can be applied to...
Service Control Policies are fundamental in AWS security because they provide a mechanism to centrally manage permissions and prevent unauthorized use of AWS services, which can be crucial in the context of security breaches.
For instance, if an AWS account gets compromised, the attacker might attempt to launch instances in regions that the account owner does not typically use, to mine cryptocurrency.
AWS Hero Yan Cui recently made us aware of this π
This kind of activity can go unnoticed for a significant period, incurring substantial costs! πΈ
An SCP can mitigate this risk by explicitly denying the ability to perform actions related to EC2 and ECS in regions that are not typically used by your organization.
Here's an example of how to create an SCP to deny certain EC2/ECS actions in all regions except for us-east-1 π
You would attach this policy to the root of your AWS Organization (or to specific OUs or accounts as needed).
This way, even if an account gets compromised, the attacker would be unable to launch resources in any region that the SCP does not explicitly allow.
If you're anyway going full Serverless with Lambda Ζ, you can even remove the condition and completely avoid any EC2/ECS usage! π€
With the applied policy from above, we could not try to start an EC2 instance in a region that is not us-east-1.
And certainly, this action will be denied! π
β
Let's wrap up this issue with best practices for your most critical asset: your management account!
β
We wrote a detailed article about AWS Organizations, explicitly showing how you can enable SCPs and how to set up everything in one of our articles: AWS Organizations - The Key to Managing Your Cloud Infrastructure Effectivelyβ
Feel free to check it out and get your hands on it immediately! π§βπ»
β
Thanks for making it this far and we hope you enjoyed this issue and learned something new!
See you in two weeks!
Sandro & Tobi βοΈ
β
β
β
Join our community of over 8,800 readers delving into AWS. We highlight real-world best practices through easy-to-understand visualizations and one-pagers. Expect a fresh newsletter edition every two weeks.
β Reading time: 11 minutes π Main Learning: Step Functions - Express vs. Standard πΎ GitHub Code βοΈ Blog Post Hey Reader while Sandro is learning something new at the AWS Community Day in Munich today, we'll explore Express and Standard Step Functions, the two types of workflows offered by AWS Step Functions. Weβll break down their differences, when to use each, and the benefits of both. Example Application: running both workflow types to see their performance differences If you want to try...
Hey Reader First things first: we apologize for not providing updates on The CloudWatch Book for a while! π’ Sometimes, things don't go as planned and unexpected obstacles arise. But now, we're back in action, creating videos and putting the final touches on the book's content! π₯ Don't just take our word for it! As an early subscriber, here's a free video from one of our favorite chapters: Anomaly Detection π In this deep-dive, you'll learn how to detect unusual patterns in metrics without...
β Reading time: 11.5 minutes π Main Learning: Host Web Applications on AWS with the CloudFront Hosting Toolkit π¨π½π» GitHub Code π Blog Post Hey Reader ππ½ Happy New Week! I (Sandro) will attend the Serverless Days in Milano next week where Jeremy Daley will hold the keynote. I look forward to meeting many of you and the overall AWS community. This week's newsletter is all about hosting your frontend on AWS. AWS launched a new way of deploying your frontend to it: The CloudFront Hosting Toolkit....