Amazon Organizations



Product Description

AWS Organizations helps you centrally govern your environment as you grow and scale your workloads on AWS. Whether you are a growing startup or a large enterprise, Organizations helps you centrally manage billing; control access, compliance, and security; and share resources across your AWS accounts.

Using AWS Organizations, you can automate account creation, create groups of accounts to reflect your business needs, and apply policies to these groups for governance. You can also simplify billing by setting up a single payment method for all of your AWS accounts. Through integrations with other AWS services, you can use Organizations to define central configurations and resource sharing across the accounts in your organization. AWS Organizations is available to all AWS customers at no additional charge. For more information, see https://aws.amazon.com/organizations/.

Important Note for BMC Discovery

If you use BMC Discovery 12.0 (20.02), you must install Patch 2 before you install the August TKU. More information on the patch is available at Patch 2 for version 20.02.

AWS Organizations terminology and concepts

Organization

An entity that you create to consolidate your AWS accounts so that you can administer them as a single unit. You can use the AWS Organizations console to centrally view and manage all of your accounts within your organization. An organization has one master account along with zero or more member accounts. You can organize the accounts in a hierarchical, tree-like structure with a root at the top and organizational units nested under the root. Each account can be directly in the root or placed in one of the OUs in the hierarchy. An organization has the functionality that is determined by the feature set that you enable.

Root

Root is the parent container for all the accounts for your organization. If you apply a policy to the root, it applies to all organizational units (OUs) and accounts in the organization.

Currently, you can have only one root. AWS Organizations creates it automatically when you create an organization.

Organization unit (OU)

A container for accounts within a root. An OU also can contain other OUs, enabling you to create a hierarchy that resembles an upside-down tree, with a root at the top and branches of OUs that reach down, ending in accounts that are the leaves of the tree. When you attach a policy to one of the nodes in the hierarchy, it flows down and affects all the branches (OUs) and leaves (accounts) beneath it. An OU can have exactly one parent, and currently, each account can be a member of exactly one OU.

Account

A standard AWS account that contains your AWS resources. You can attach a policy to the account to apply controls specifically for that one account.

There are two types of accounts in an organization: a single account that is designated as the master account, and member accounts.

  • The master account is the account that creates the organization. From the organization's master account, you can do the following:
    - Create accounts in the organization.
    - Invite other existing accounts to the organization.
    - Remove accounts from the organization.
    - Manage invitations.
    - Apply policies to entities (roots, OUs, or accounts) within the organization.
    The master account has the responsibilities of a payer account and is responsible for paying all charges that are accrued by the member accounts. You can't change an organization's master account.
  • The rest of the accounts that belong to an organization are called member accounts. An account can be a member of only one organization at a time.

For more information, see https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html.

Modelling coverage

AWS type              | Service       | Pattern                               | Type                       | Node type
AWS Organization      | organizations | AmazonWebServices.Organizations       | Amazon Organization        | CloudManagementGroup
AWS Organization unit | organizations | AmazonWebServices.OrganizationalUnits | Amazon Organizational Unit | CloudManagementGroup
AWS Account           | organizations | AmazonWebServices.Accounts            | Amazon Master Account      | CloudManagementGroup
AWS Account           | organizations | AmazonWebServices.Accounts            | Amazon Account             | CloudManagementGroup

Pre-requisites

Because discovery proceeds top-down (from the root of the tree to its leaves), the cloud credentials that BMC Discovery uses for the scan must be granted the rights listed below.


Permissions

IAM policy permissions required: the AWS managed policy 'ReadOnlyAccess', or a custom policy whose statement allows the following actions:

    "Action": [
        "organizations:List*",
        "organizations:Describe*"
    ],

For more information, see AWS Identity and Access Management.

This policy allows discovery to run the following requests:

  • organizations.describe_organization
  • organizations.list_accounts
  • organizations.list_roots
  • organizations.list_organizational_units_for_parent
  • organizations.list_children

For information on how to manage IAM permissions, see Manage IAM permissions.

Discovery scope

The discovery run must include at least the us-east-1 (N. Virginia) region, or us-gov-west-1 (AWS GovCloud US-West) for GovCloud discovery.

TKU

ADDM Appliance with TKU August 2020 or newer.

Patch 2 for BMC Discovery - Patch 2 for version 20.02.

Troubleshooting

Summary:

Nodes of certain type were not discovered.

Resolution:

Permissions to run the requests are required. If no nodes of a certain type were discovered, check that the credentials are permitted to perform the corresponding request, using the AWS CLI.

Amazon Accounts

  • organizations.list_accounts

Amazon Organizations

  • organizations.describe_organization

Amazon Organizational Units

  • organizations.list_roots
  • organizations.list_organizational_units_for_parent
  • organizations.list_children

If any query does not return results, check the permissions in IAM management and the assigned policies.


Summary:

Script Failure in request (TooManyRequestsException).

Description:

This error indicates that you have reached the available AWS API request limits.

Resolution:

Because the amount of requested data is more than AWS can return within the limit, try to place the region us-east-1 (N. Virginia) or us-gov-west-1 (AWS GovCloud US-West) into a separate discovery run.

Amazon Organization Discovery

Triggers

Pattern                         | Trigger Node                 | Attribute          | Condition | Argument
AmazonWebServices.Organizations | DiscoveredCloudAPIResultList | 'discovery_method' | =         | AWS.Organizations.DescribeOrganization
UpdateFailureTime               | DiscoveredCloudAPIResultList | 'discovery_method' | =         | AWS.Organizations.DescribeOrganization and 'failure_reason exists'

Software pattern summary

Pattern AmazonWebServices.Organizations models an 'organizations' CloudService for the us-east-1 (N. Virginia) and us-gov-west-1 (AWS GovCloud US-West) regions, if organizations were found in them.

Node Kind    | Attribute | Default value / Comments
CloudService | type      | Account Management
             | code      | organizations
             | name      | Amazon Organizations (%region.short_name%) : %account_id%
Pattern AmazonWebServices.Organizations models a CloudManagementGroup node for each Amazon Organization.

Node Kind            | Attribute              | Default value / Comments
CloudManagementGroup | type                   | Amazon Organization
                     | key                    | result.Arn
                     | name                   | Amazon Organization <result.Id>
                     | short_name             | result.Id
                     | feature_set            | result.FeatureSet
                     | available_policy_types | result.AvailablePolicyTypes
                     | master_account_arn     | result.MasterAccountArn
                     | master_account_email   | result.MasterAccountEmail
                     | master_account_id      | result.MasterAccountId
                     | cloud_id               | result.Arn
                     | cloud                  | boolean (true)
                     | __provider             | 'aws'


Amazon Accounts Discovery

Triggers

Pattern                    | Trigger Node                 | Attribute          | Condition | Argument
AmazonWebServices.Accounts | DiscoveredCloudAPIResultList | 'discovery_method' | =         | AWS.Organizations.ListAccounts

Pattern AmazonWebServices.Accounts models a CloudManagementGroup node for each Amazon Master Account and Amazon Account.

Node Kind            | Attribute         | Default value / Comments
CloudManagementGroup | type              | Amazon Master Account or Amazon Account
                     | key               | result.Arn
                     | name              | <TYPE> <result.Name> or <TYPE> <result.Id>
                     | short_name        | result.Name
                     | id                | result.Id
                     | cloud_id          | result.Arn
                     | email             | result.Email
                     | status            | result.Status
                     | joined_method     | result.JoinedMethod
                     | master_account_id | from result.Arn, regex expression: 'organizations::(\S+):'
                     | is_master_account | true or false
                     | cloud             | boolean (true)
                     | organization_id   | from result.Arn, regex expression: 'organizations::\S+?:account/(\S+)/'
                     | __provider        | 'aws'
                     | arn               | result.Arn
                     | joined_timestamp  | result.JoinedTimestamp

Amazon Master Account:

Amazon Account:
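The two regular expressions from the attribute table above, applied to constructed ListAccounts entries as an added example (not the pattern's own code). The fallback from result.Name to result.Id for the name, and deriving is_master_account by comparing the account Id with the extracted master_account_id, are assumptions made here; all identifiers are constructed.

```python
import re

# Regular expressions exactly as given in the Amazon Accounts attribute table.
MASTER_ACCOUNT_RE = re.compile(r'organizations::(\S+):')
ORGANIZATION_RE = re.compile(r'organizations::\S+?:account/(\S+)/')


def account_attributes(result):
    """Derive the ARN-based attributes for one ListAccounts result entry.
    'result' is shaped like one element of the ListAccounts 'Accounts' list.
    Assumption: is_master_account is true when the account Id equals the
    master account id extracted from the ARN."""
    arn = result["Arn"]
    master = MASTER_ACCOUNT_RE.search(arn)
    org = ORGANIZATION_RE.search(arn)
    if not (master and org):
        raise ValueError(f"unexpected account ARN: {arn}")
    master_id, org_id = master.group(1), org.group(1)
    is_master = result["Id"] == master_id
    type_ = "Amazon Master Account" if is_master else "Amazon Account"
    # Assumption: name falls back to the Id when Name is empty or absent.
    display = result.get("Name") or result["Id"]
    return {
        "type": type_,
        "name": f"{type_} {display}",
        "master_account_id": master_id,
        "organization_id": org_id,
        "is_master_account": is_master,
    }


# Constructed sample ListAccounts entries (not real identifiers).
SAMPLE_ACCOUNTS = [
    {"Id": "111111111111", "Name": "payer",
     "Arn": "arn:aws:organizations::111111111111:account/o-exampleorgid/111111111111"},
    {"Id": "222222222222", "Name": "",
     "Arn": "arn:aws:organizations::111111111111:account/o-exampleorgid/222222222222"},
]

if __name__ == "__main__":
    for entry in SAMPLE_ACCOUNTS:
        print(account_attributes(entry))
```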

Amazon Organizational Units Discovery

Annotation

Since discovery is top-down (from the top of the tree to the leaves), if read access is denied to a specific OU, Discovery will not be able to detect and model all of its child OUs.

The following flowchart represents detected and modeled objects marked in green.

As displayed in the flowchart, one of the two top-level OUs was not granted read access, so none of its child OUs were found.

If the organizations.list_roots request doesn't return results, OUs modeling will not be possible, since the top-level OUs are children of the ROOT.
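The top-down walk described in this annotation, as an added example that is not BMC's pattern code: a constructed stand-in for the boto3 organizations client, a sample hierarchy in which listing the children of one top-level OU is denied, and a walker that records each OU's nesting_level together with the subtrees it could not read (which also answers the troubleshooting question above of which list request failed). FakeOrganizationsClient, SAMPLE_TREE and every identifier are assumptions; the comments name the equivalent AWS CLI calls.

```python
# Constructed sample hierarchy (not from the page): root r-0001 holds OUs ou-a and
# ou-b; ou-a holds ou-a1. Listing the children of ou-b is denied by IAM.
SAMPLE_TREE = {
    "r-0001": [("ou-a", "Workloads"), ("ou-b", "Sandbox")],
    "ou-a": [("ou-a1", "Prod")],
}
MASTER_ACCOUNT = "111111111111"  # constructed master account id

class AccessDenied(Exception):
    """Stand-in for the AccessDeniedException a real client raises."""

class FakeOrganizationsClient:
    """Constructed stand-in for the boto3 'organizations' client; only the two
    calls the OU pattern depends on are implemented."""
    def __init__(self, tree, denied_parents):
        self.tree, self.denied = tree, set(denied_parents)

    def list_roots(self):  # aws organizations list-roots
        arn = f"arn:aws:organizations::{MASTER_ACCOUNT}:root/o-example/r-0001"
        return {"Roots": [{"Id": "r-0001", "Arn": arn}]}

    def list_organizational_units_for_parent(self, ParentId):
        # aws organizations list-organizational-units-for-parent --parent-id <id>
        if ParentId in self.denied:
            raise AccessDenied(ParentId)
        return {"OrganizationalUnits": [
            {"Id": ou_id, "Name": name,
             "Arn": f"arn:aws:organizations::{MASTER_ACCOUNT}:ou/o-example/{ou_id}"}
            for ou_id, name in self.tree.get(ParentId, [])]}

def walk_ous(client, max_level=5):
    """Top-down walk in the pattern's order: list_roots, then
    list_organizational_units_for_parent for each root and each OU found.
    Returns (found, blocked): found maps OU id -> nesting_level (1..max_level);
    blocked lists parents whose children could not be listed (missed subtrees)."""
    found, blocked = {}, []
    stack = [(root["Id"], 1) for root in client.list_roots()["Roots"]]
    while stack:
        parent_id, level = stack.pop()
        if level > max_level:  # nesting_level is modelled as a number in 1..5
            continue
        try:
            ous = client.list_organizational_units_for_parent(ParentId=parent_id)
        except AccessDenied:
            blocked.append(parent_id)  # the OU itself was seen; its children were not
            continue
        for ou in ous["OrganizationalUnits"]:
            found[ou["Id"]] = level
            stack.append((ou["Id"], level + 1))
    return found, blocked
```

Any id in blocked is where to check the IAM policy: the OU is modelled, but everything beneath it is missing.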


Triggers

Pattern                               | Trigger Node                 | Attribute          | Condition | Argument
AmazonWebServices.OrganizationalUnits | DiscoveredCloudAPIResultList | 'discovery_method' | =         | AWS.Organizations.ListRoots

REST APIs

REST APIs                                          | Comments
AWS.Organizations.ListOrganizationalUnitsForParent |
AWS.Organizations.ListChildren                     |

Pattern AmazonWebServices.OrganizationalUnits models a CloudManagementGroup node for each Amazon Organizational Unit.

Node Kind            | Attribute     | Default value / Comments
CloudManagementGroup | type          | Amazon Organizational Unit
                     | key           | organizational_unit.Arn
                     | name          | Amazon Organizational Unit <organizational_unit.Name>
                     | short_name    | organizational_unit.Name
                     | id            | organizational_unit.Id
                     | root          | result.Id
                     | arn           | organizational_unit.Arn
                     | cloud_id      | organizational_unit.Arn
                     | nesting_level | number in [1,2,3,4,5]
                     | __provider    | 'aws'
                     | cloud         | boolean (true)


Relationships

CloudService relationship between CloudProvider and Cloud Management Groups.

Ownership relationship between Cloud Management Groups and Cloud Regions that belong to these Cloud Management Groups.

Hierarchy relationship between the Organization and the Accounts / Organizational Units in this organization.

Ownership relationship between Cloud Management Groups (Amazon Master Account) and owned Cloud Management Groups (Amazon Accounts).

Display relationships

All Cloud Services managed by this Cloud Management Group:

Owner:Ownership:OwnedItem:CloudRegion

ServiceProvider:CloudService:Service:CloudService


CMDB Mapping

Please refer to this page: CDM Mapping for Cloud
