- Product Description
- AWS Organizations terminology and concepts
- Modelling coverage
- Amazon Organization Discovery
- Amazon Accounts Discovery
- Amazon Organizational Units Discovery
- CMDB Mapping
Product Description
AWS Organizations helps you centrally govern your environment as you grow and scale your workloads on AWS. Whether you are a growing startup or a large enterprise, Organizations helps you to centrally manage billing; control access, compliance, and security; and share resources across your AWS accounts.
Using AWS Organizations, you can automate account creation, create groups of accounts to reflect your business needs, and apply policies to these groups for governance. You can also simplify billing by setting up a single payment method for all of your AWS accounts. Through integrations with other AWS services, you can use Organizations to define central configurations and resource sharing across the accounts in your organization. AWS Organizations is available to all AWS customers at no additional charge. For more information, see https://aws.amazon.com/organizations/.
Important Note for BMC Discovery
If you use BMC Discovery 12.0 (20.02), you must install Patch 2 before you install the August TKU. More information on the patch is available on the page Patch 2 for version 20.02.
AWS Organizations terminology and concepts
Organization
An entity that you create to consolidate your AWS accounts so that you can administer them as a single unit. You can use the AWS Organizations console to centrally view and manage all of the accounts within your organization. An organization has one master account along with zero or more member accounts. You can organize the accounts in a hierarchical, tree-like structure with a root at the top and organizational units nested under the root. Each account can be placed directly in the root or in one of the OUs in the hierarchy. The functionality of an organization is determined by the feature set that you enable.
Root
The root is the parent container for all the accounts in your organization. If you apply a policy to the root, it applies to all organizational units (OUs) and accounts in the organization.
Currently, you can have only one root. AWS Organizations creates it automatically when you create an organization.
Organization unit (OU)
A container for accounts within a root. An OU also can contain other OUs, enabling you to create a hierarchy that resembles an upside-down tree, with a root at the top and branches of OUs that reach down, ending in accounts that are the leaves of the tree. When you attach a policy to one of the nodes in the hierarchy, it flows down and affects all the branches (OUs) and leaves (accounts) beneath it. An OU can have exactly one parent, and currently, each account can be a member of exactly one OU.
Account
A standard AWS account that contains your AWS resources. You can attach a policy to the account to apply controls specifically to that one account.
There are two types of accounts in an organization: a single account that is designated as the master account, and member accounts.
- The master account is the account that creates the organization. From the organization's master account, you can do the following:
- Create accounts in the organization.
- Invite other existing accounts to the organization.
- Remove accounts from the organization.
- Manage invitations.
- Apply policies to entities (roots, OUs, or accounts) within the organization.
The master account has the responsibilities of a payer account and is responsible for paying all charges that are accrued by the member accounts. You can't change an organization's master account.
- The rest of the accounts that belong to an organization are called member accounts. An account can be a member of only one organization at a time.
For more information, see https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html.
Modelling coverage
| AWS type | Service | Pattern | Type | Node type |
|---|---|---|---|---|
| AWS Organization | organizations | AmazonWebServices.Organizations | Amazon Organization | CloudManagementGroup |
| AWS Organization unit | organizations | AmazonWebServices.OrganizationalUnits | Amazon Organizational Unit | CloudManagementGroup |
| AWS Account | organizations | AmazonWebServices.Accounts | Amazon Master Account / Amazon Account | CloudManagementGroup |
Since discovery proceeds from the top of the tree to the leaves, the cloud credentials that BMC Discovery uses for the scan must be granted read rights on every level of the hierarchy (the root, each OU, and the accounts); any level the credentials cannot read hides everything beneath it.
IAM policy permissions required:
For more information, see AWS Identity and Access Management.
This policy allows discovery to run the following requests:
For information on how to manage IAM permissions, see Manage IAM permissions.
The discovery run must include at least the us-east-1 (N. Virginia) region, or us-gov-west-1 (AWS GovCloud (US-West)) for GovCloud discovery, because the AWS Organizations API is served from those regions.
ADDM Appliance with TKU August 2020 or newer.
Patch 2 for BMC Discovery - Patch 2 for version 20.02.
Nodes of a certain type were not discovered.
Permission to run the corresponding requests is required. If no nodes of a certain type (for example, Amazon Organizational Units) were discovered, check that the credentials are allowed to make the corresponding request by running it with the AWS CLI.
If any query returns no results, check the permissions in IAM management and the assigned policies.
Script failure in request (TooManyRequestsException).
This error indicates that the request rate limit of the AWS Organizations API has been reached.
Because more data was requested than AWS returns within that limit, try placing the us-east-1 (N. Virginia) or us-gov-west-1 (AWS GovCloud (US-West)) region in a separate discovery run.
Amazon Organization Discovery
Software pattern summary
Pattern AmazonWebServices.Organizations models an 'organizations' CloudService for the us-east-1 (N. Virginia) and us-gov-west-1 (AWS GovCloud (US-West)) regions if an organization was found in them.
| Attribute | Value |
|---|---|
| name | Amazon Organizations (%region.short_name%) : %account_id% |
Pattern AmazonWebServices.Organizations models a CloudManagementGroup node for each Amazon Organization:
| Attribute | Value |
|---|---|
| name | Amazon Organization <result.Id> |
Amazon Accounts Discovery
Pattern AmazonWebServices.Accounts models a CloudManagementGroup node for each Amazon Master Account and Amazon Account:
| Node | Attribute | Value |
|---|---|---|
| CloudManagementGroup | type | Amazon Account or Amazon Master Account |
| CloudManagementGroup | master_account_id | from result.Arn, regex expression: 'organizations::(\S+):' |
| CloudManagementGroup | organization_id | from result.Arn, regex expression: 'organizations::\S+?:account/(\S+)/' |
Amazon Organizational Units Discovery
Since discovery is top-down (from the top of the tree to the leaves), if read access is denied to a specific OU, Discovery will not be able to detect and model all of its child OUs.
The following flowchart represents detected and modeled objects marked in green.
As displayed in the flowchart, one of the two top-level OUs was not readable with the granted permissions; therefore none of its child OUs were found.
If the organizations.list_roots request returns no results, OUs cannot be modelled at all, since the top-level OUs are children of the root.
Pattern AmazonWebServices.OrganizationalUnits models a CloudManagementGroup node for each Amazon Organizational Unit:
| Node | Attribute | Value |
|---|---|---|
| CloudManagementGroup | type | Amazon Organizational Unit |
| CloudManagementGroup | name | Amazon Organizational Unit <organizational_unit.Name> |
| CloudManagementGroup | nesting_level | number in [1,2,3,4,5] |
- CloudService relationship between the CloudProvider and the Cloud Management Groups.
- Ownership relationship between Cloud Management Groups and the Cloud Regions that belong to these Cloud Management Groups.
- Hierarchy relationship between the Organization and the Accounts / Organizational Units in this organization.
- Ownership relationship between Cloud Management Groups (Amazon Master Account) and the owned Cloud Management Groups (Amazon Accounts).
All Cloud Services managed by this Cloud Management Group:
CMDB Mapping
Please refer to this page: CDM Mapping for Cloud.