At AWS re:Invent, Amazon introduced a new tool to help administrators and security managers control multiple cloud accounts. The tool, called AWS Organizations, allows admins to create groups of AWS accounts. What are the security benefits of AWS Organizations, and how does it compare to and/or complement existing security tools like AWS IAM?
AWS Organizations was designed to allow cloud administrators working in Amazon Web Services (AWS) to manage accounts more securely and efficiently. Essentially, AWS Organizations creates custom policies that can be applied to users/groups to manage security, improve automation and simplify billing. There is some overlap with AWS IAM (Identity and Access Management), but the service is largely complementary and builds on the IAM policies already in place.
AWS Organizations allows accounts to be managed under a new entity. This entity is built as a hierarchy, and policies and organizational units can be nested within each other for management. I couldn't help but think of Microsoft's Active Directory when looking at it the first time, but that goes for anything with organizational units (OU) and hierarchy. Each OU can have a policy applied to it, and the user/group inherits the policy of the OU in which it resides. This also means that each user/group can only be in one OU at a time, but it can have multiple policies applied to it, since the OUs can be nested. The groups can be created by region, user, group or other elements.
There can be a little overlap between AWS IAM and AWS Organizations, but you can think of Organizations as a way of containing the rights of users. IAM policies can still be created and even pushed through Organizations, but Organizations is the guardrail that enforces least privilege. If users go against these policies, it's possible to contain or restrict them with blacklist or whitelist policies. This keeps the permissions and security of users to what's deemed necessary through hierarchical policy enforcement. AWS Organizations is the framework that IAM policies can use to tighten security.
Using AWS Organizations reduces the manual work of creating accounts or scripting users, and allows for a more streamlined rollout of account creation and policy enforcement. Groups can be created with the proper permissions, limiting what each account is able to perform. Service control policies (SCPs) allow an administrator to create a policy and have it applied to whatever OU or account they choose.
When AWS Organizations is set up, a master account is created that allows for consolidated billing and provides the ability to manage the organization and its SCPs. It's not recommended that you perform day-to-day work under this one account; delegate what you actually do with it to other accounts. The master account has control over everything. It may also be wise to enable AWS CloudTrail to validate the account's actions.
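To make the "guardrail" idea concrete, the following is an added example, not code from the original answer or from AWS. It models how SCPs attached at each level of the hierarchy (root, OU, account) combine with an account's own IAM policy to yield an effective permission: an action is allowed only if every level on the path from the root down to the account permits it and the IAM policy also allows it, so an SCP can only narrow rights, never grant them. The SCP and IAM documents embedded here are constructed for illustration (the allow-everything SCP mirrors the default that Organizations attaches, but the CloudTrail-protection and allow-list policies are assumptions), and the model deliberately ignores resource policies, conditions and permission boundaries. One real-world detail worth keeping in mind: SCPs do not restrict the management (master) account itself, which is why the answer above tells you not to work from it.

```python
"""Simplified model of SCP + IAM evaluation across a nested OU hierarchy (example code, not AWS's)."""
from fnmatch import fnmatchcase

# Constructed policy documents (assumptions for this example).
FULL_ACCESS_SCP = {  # equivalent to the default "allow everything" SCP
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
}
# Blacklist / deny-list style: allows nothing by itself, but forbids turning off audit logging.
PROTECT_CLOUDTRAIL_SCP = {
    "Statement": [{"Effect": "Deny",
                   "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
                   "Resource": "*"}]
}
# Whitelist / allow-list style: only S3 and EC2 may be used below this point.
ALLOW_LIST_SCP = {
    "Statement": [{"Effect": "Allow", "Action": ["s3:*", "ec2:*"], "Resource": "*"}]
}
# Constructed IAM identity policies for the principal making the call.
ADMIN_IAM = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
EC2_ONLY_IAM = {"Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}

# Hypothetical path root -> "Workloads" OU -> account. Each element is the list of
# SCPs attached at that level; the account level has only the allow-list attached.
WORKLOAD_PATH = [
    [FULL_ACCESS_SCP],                         # root
    [FULL_ACCESS_SCP, PROTECT_CLOUDTRAIL_SCP], # Workloads OU
    [ALLOW_LIST_SCP],                          # the account itself
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action):
    # IAM action names are case-insensitive; "*" and "service:*" are wildcards.
    return any(fnmatchcase(action.lower(), pattern.lower())
               for pattern in _as_list(stmt["Action"]))


def _evaluate(documents, action):
    """Explicit Deny wins over Allow; no matching Allow means implicit deny."""
    allowed = denied = False
    for doc in documents:
        for stmt in doc["Statement"]:
            if _statement_matches(stmt, action):
                if stmt["Effect"] == "Deny":
                    denied = True
                else:
                    allowed = True
    return allowed and not denied


def level_permits(scps, action):
    """One hierarchy level permits the action only if some attached SCP allows it
    and no attached SCP denies it. Deny-list SCPs therefore always sit next to an
    Allow SCP; an allow-list SCP replaces the Allow-everything one."""
    return _evaluate(scps, action)


def iam_allows(policy, action):
    return _evaluate([policy], action)


def effective_permission(path, iam_policy, action):
    """Allowed only if every level on the root-to-account path permits it
    AND the principal's own IAM policy allows it (SCPs grant nothing themselves)."""
    return all(level_permits(scps, action) for scps in path) and iam_allows(iam_policy, action)


if __name__ == "__main__":
    checks = [
        (ADMIN_IAM, "ec2:RunInstances"),       # passes every guardrail
        (ADMIN_IAM, "cloudtrail:StopLogging"), # denied at the OU even for an IAM admin
        (ADMIN_IAM, "iam:CreateUser"),         # not on the account's allow-list
        (EC2_ONLY_IAM, "s3:GetObject"),        # SCPs permit it, but IAM never granted it
    ]
    for policy, action in checks:
        print(f"{action:28} -> {effective_permission(WORKLOAD_PATH, policy, action)}")
```

Running it shows the two directions of the guardrail: an account administrator with `*` in IAM still cannot stop CloudTrail or create IAM users because the OU and account SCPs forbid it, while a principal whose IAM policy only covers EC2 cannot read S3 even though the SCPs would permit it. That asymmetry is exactly why the answer describes Organizations as containing rights rather than granting them.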
Last, but not least, AWS Organizations provides consolidated billing, setting up a single method of payment across your entire organization. AWS account creation is hard to keep track of precisely because it's so easy to do, but AWS Organizations allows you to tie these accounts back to one location and to use a single method of payment. The accounts have to accept being part of this arrangement, but it gives you an easier way to see what's being billed and to keep track of your AWS spending.
Ask the Expert:
Want to ask Matt Pascucci a question about security? Submit your question now via email. (All questions are anonymous.)