Automated AWS Organization Creation | by Teri Radichel | Cloud Security | Feb, 2023
ACM.152 Automating the creation of an AWS Organization, OU, Account, and Delegated Administrator
Part of my series on Automating Cybersecurity Metrics. The Code.
In my last post, I considered an alternate approach to an AWS IAM Identity Center implementation, for the reasons I explained.
Now that I've reviewed how AWS implements SCIM and decided that I do not want to use AWS IAM Identity Center at this time, I went back to the new account I created and set up my organization and AWS IAM.
I already explained how I created a new AWS account here with secure default settings:
I'm going to test Okta without SCIM and with AWS IAM. Before I do that, I'll do a few other things that I've shown you how to create in the past, but automatically instead of manually. I'm not using AWS Control Tower for the reasons mentioned in the previous post.
- Create an organization.
- Create a Governance organizational unit.
- Create a Governance account in the organizational unit.
- Make that Governance account a delegated administrator for AWS Organizations.
Manually creating an organization in the AWS console
You can create the organization manually. Simple as that.
Sign in to your AWS account. Search for Organizations.
Click Create an organization.
That's all.
Automated creation of an organization
I want to automate the above. What are my options?
Well, if I look at AWS Organizations in CloudFormation, these are the resources I can create:
I can't create the org with CloudFormation, but that would probably be overkill since you create an org once and don't need to modify it after that point.
Let's look at what we can do with the AWS CLI.
You can find the full list of AWS Organizations CLI commands here:
You can also get all the commands for AWS Organizations by typing:
aws organizations help
Scroll down to see the list of commands:
We can create an organization via the AWS CLI using the create-organization command.
The question is, how can you run that command in a new account when all you have is the AWS root user?
AWS best practice is to NEVER create an AWS Access Key ID or Secret Access Key for programmatic actions for the root account. If we don't do that, how would we run the above command?
Well, if you remember, in a previous post I showed you how to use CloudShell (and the risks associated with that). Can we use CloudShell with the root account? Well, the CloudShell icon is there, so click on it.
Yes, we have CloudShell and can access it. The AWS CLI is pre-installed and available to the root user in an AWS account:
So even though you're never supposed to use long-lived root credentials, an attacker who gains access to your browser while you are logged in to AWS as root can use the AWS CLI in your account. You've been warned. Avoid logging in as root and put the key away as explained in the previous post where I created my new account.
But since it's here, we could use it to create our organization. There's nothing in our account at the moment, so there is not much risk. As long as we do it quickly and an attacker doesn't get a chance to break in and create a backdoor user or access while we are logged in, we should be fine. I already set up MFA on the root user in the previous post where I created the new account.
So let's run the command to create an organization and see what happens:
aws organizations create-organization
See the output:
The value starting with "o-" is your organization ID. We'll need it for some of the other commands.
Navigate back to the Organizations panel.
Note three things on this screen.
- The Organization ID that you saw when we created the organization is in the menu on the left.
- A "Root" was created in your organizational hierarchy. Your root node has an ID starting with "r-".
- The account from which you ran the command to create the organization is now the management account.
I mentioned earlier, when we created an organizational service control policy, that it does not apply to the management account.
Therefore, any protections and restrictions that we try to apply organization-wide can be bypassed in the management account. That's good if you make a mistake and lock everyone out of your account. That's bad if someone can log in and perform actions in your management account: your policies have no effect there. That's why it's better to create a new account and work from there. Lock down those root credentials and MFA keys!
Remember that I previously wrote about the concept of a root of trust that you will want to establish in your organization.
We'll try to do that in the next posts.
Create a new OU programmatically
We have different options to create organizational units. We could use CloudFormation or the AWS CLI. If we use CloudFormation, we would need to create a template, check it out from source control, push it into AWS CloudShell, and run it from there. Then, to manage that CloudFormation stack, we would need to log in to the root account again.
For that reason, I'm only going to create the first Governance OU from the command line. Using the command line reference above, I can see that I can create an OU with this command:
The required parameters include the parent ID and a name:
Remember I told you to take note of the root ID for your organization? That's the parent, and you will need to pass that value as the parent ID along with whatever name you want for your new OU.
In addition to looking in the console, you can also get the root ID with the following command:
aws organizations list-roots | grep "Id"
Run your command with the appropriate value:
aws organizations create-organizational-unit --parent-id r-xxxxx \
--name Governance
Return to the Organizations dashboard.
You can see the new OU in the AWS organization hierarchy.
Notice the value that begins with "ou-" in our new Governance OU. That's the OU ID. We'll need that value next.
Create a new account programmatically
Next, we're going to create the Governance account. Again, we can see here that it's quite simple to do with the AWS CLI.
Run the command. Replace [email protected] with an email alias for your new account, the same way I explained creating an alias for your AWS root account in the previous post.
aws organizations create-account --email [email protected] --account-name Governance
Return to the Organizations dashboard. Do you see a problem?
We created the new account, but we did not specify an organizational unit, so the account is at the same level as the management account. We could apply policies to the Governance account directly, but policies applied to the Governance OU would not apply to the Governance account.
Move an account to an organizational unit
To fix that problem, we could delete and recreate the account. Alternatively, we can move the account to the Governance OU. Now this is where you would have a mess when using Control Tower. If you move the account to a new OU, things get a bit messy and you have to run some processes to clean things up in Control Tower. Since we aren't using Control Tower here, we can move the account without any problem.
Let's use the move-account command. We'll need the Governance OU ID and the Root ID.
Run the command to move the account to the Governance OU:
aws organizations move-account --account-id xxxxxxxxxxxx \
--source-parent-id r-xxxxx --destination-parent-id ou-xxxxx-xxxxxx
Return to the Organizations dashboard.
Click the down arrow next to your Governance OU.
Now you can see that the Governance account is in the Governance organizational unit. You can apply policies to the Governance OU and those policies will apply to the Governance account.
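The root -> OU -> account -> move sequence above, as an added example that is not code from the original post. It drives the same Organizations API calls as the CLI commands through an injected client object (any object with the boto3 `organizations` method names used here, so a real `boto3.client("organizations")` or an offline fake both work), and it handles the step the CLI walkthrough glosses over: create-account is asynchronous, so the new account ID has to be polled for before move-account can run.

```python
"""Added example (not from the original post): drive the root -> OU -> account
-> move sequence through an Organizations client. `client` is any object with the
boto3 `organizations` method names used below, so a fake can stand in offline."""
import time


def get_root_id(client):
    # Equivalent of: aws organizations list-roots | grep "Id"
    roots = client.list_roots()["Roots"]
    if len(roots) != 1:
        raise RuntimeError("expected exactly one root, got %d" % len(roots))
    return roots[0]["Id"]


def create_ou(client, parent_id, name):
    # aws organizations create-organizational-unit --parent-id r-... --name Governance
    return client.create_organizational_unit(ParentId=parent_id, Name=name)["OrganizationalUnit"]["Id"]


def create_account(client, email, name, poll_seconds=5, max_polls=60):
    # create-account is asynchronous: the response carries only a request ID, and the
    # new account ID is not available until describe-create-account-status says SUCCEEDED.
    req_id = client.create_account(Email=email, AccountName=name)["CreateAccountStatus"]["Id"]
    for _ in range(max_polls):
        status = client.describe_create_account_status(
            CreateAccountRequestId=req_id)["CreateAccountStatus"]
        if status["State"] == "SUCCEEDED":
            return status["AccountId"]
        if status["State"] == "FAILED":
            raise RuntimeError("account creation failed: %s" % status.get("FailureReason"))
        time.sleep(poll_seconds)
    raise TimeoutError("account creation still in progress after polling")


def move_account(client, account_id, source_parent_id, dest_parent_id):
    # aws organizations move-account --account-id ... --source-parent-id r-... --destination-parent-id ou-...
    client.move_account(AccountId=account_id, SourceParentId=source_parent_id,
                        DestinationParentId=dest_parent_id)
    # Verify with ListParents instead of trusting the call: the account must now sit under the OU.
    parents = client.list_parents(ChildId=account_id)["Parents"]
    return [p["Id"] for p in parents] == [dest_parent_id]


def build_governance(client, email, ou_name="Governance", poll_seconds=5):
    """Create the OU before the account, then move the account so OU-level policies apply to it."""
    root_id = get_root_id(client)
    ou_id = create_ou(client, root_id, ou_name)
    account_id = create_account(client, email, ou_name, poll_seconds=poll_seconds)
    if not move_account(client, account_id, root_id, ou_id):
        raise RuntimeError("account %s is not under %s" % (account_id, ou_id))
    return {"root_id": root_id, "ou_id": ou_id, "account_id": account_id}
```

Against a real organization, pass `boto3.client("organizations")` from the management account; the verification step at the end of move_account is what confirms OU policies will now reach the new account.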
Programmatically create a delegated organization administrator
As you recall, the last time I tried to create a delegated administrator, I ended up just manually creating one for my AWS organization.
Let's try to do that programmatically now. See the list of commands for AWS Organizations. There's one called register-delegated-administrator.
At this point, it looks like we need a service principal which, as you may remember from the last post, was an IAM role:
What's interesting about this command is that it doesn't seem to have the option to create a restrictive policy like we did here in the AWS Organizations settings:
Is that command serving our intended purpose? It's not clear.
Well, if you remember, in the post before that I had to reverse engineer how to create a delegated admin policy for governance from the information in CloudTrail.
That's because the only example AWS provides is for a backup administrator, and that's not what I was trying to create:
Perhaps we can use the following command to automate the deployment of the delegated admin policy for our Governance delegated administrator.
aws organizations put-resource-policy --content [policy]
Remember that I formulated this policy in the previous post and manually applied it to my organization via the Settings option in the console:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ViewAWSOrganizationsResources",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::XXXXXXXXXXXX:root"
      },
      "Action": [
        "organizations:DescribeOrganization",
        "organizations:DescribeOrganizationalUnit",
        "organizations:DescribeAccount",
        "organizations:DescribePolicy",
        "organizations:DescribeEffectivePolicy",
        "organizations:ListRoots",
        "organizations:ListOrganizationalUnitsForParent",
        "organizations:ListParents",
        "organizations:ListChildren",
        "organizations:ListAccounts",
        "organizations:ListAccountsForParent",
        "organizations:ListPolicies",
        "organizations:ListPoliciesForTarget",
        "organizations:ListTargetsForPolicy",
        "organizations:ListTagsForResource"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DelegatingAllActionsForServiceControlPolicies",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::XXXXXXXXXXXX:root"
      },
      "Action": [
        "organizations:CreatePolicy",
        "organizations:UpdatePolicy",
        "organizations:DeletePolicy",
        "organizations:AttachPolicy",
        "organizations:DetachPolicy",
        "organizations:EnablePolicyType",
        "organizations:DisablePolicyType"
      ],
      "Resource": "arn:aws:organizations::*:policy/*/service_control_policy/*"
    }
  ]
}
Let's try using that policy, but replace the XXXXXXXXXXXX values above with your new Governance account ID.
It's at this point where I'm unable to run the above command in AWS CloudShell. I've been trying for a while. I don't know if it's CloudShell, an issue with the AWS documentation, or something else.
I'm copying the command exactly as written in the documentation, and I copied the policy that worked on my other account and changed the account numbers. I've tried a variety of variations and have already spent too much time on this, so I'll have to try again later or just manually add the policy like I did in my previous blog post. I can still check the policy into source control even though I had to apply it manually.
Add MFA to the root user in your new account
There are many other things we can do to further secure new accounts by default as they are created, but for now, add MFA to the root user of your new Governance account. You need to sign out of the account you're in or go to a separate incognito window. Sign in with the root email of your new account, but click the forgot password link. Log in, reset the password, and add MFA to the root user.
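The delegated-admin resource policy above, built and checked in code as an added example that is not the post's own code: it substitutes the Governance account ID into the two statements shown above, refuses anything that is not a 12-digit account ID, checks the result grants only to that account with the SCP write statement scoped to SCP ARNs rather than "*", and renders the put-resource-policy command with the JSON quoted as one shell argument. The function names and the check rules are this example's own choices.

```python
"""Added example, not code from the original post: build the AWS Organizations
resource policy shown above for a given governance account ID, check it before
applying it, and render the put-resource-policy command."""
import json
import re
import shlex

READ_ACTIONS = ["organizations:" + a for a in (
    "DescribeOrganization", "DescribeOrganizationalUnit", "DescribeAccount",
    "DescribePolicy", "DescribeEffectivePolicy", "ListRoots",
    "ListOrganizationalUnitsForParent", "ListParents", "ListChildren", "ListAccounts",
    "ListAccountsForParent", "ListPolicies", "ListPoliciesForTarget",
    "ListTargetsForPolicy", "ListTagsForResource")]
SCP_ACTIONS = ["organizations:" + a for a in (
    "CreatePolicy", "UpdatePolicy", "DeletePolicy", "AttachPolicy", "DetachPolicy",
    "EnablePolicyType", "DisablePolicyType")]
SCP_ARN = "arn:aws:organizations::*:policy/*/service_control_policy/*"


def delegated_admin_policy(account_id):
    # A typo here would hand another account's root principal org-wide read and SCP
    # write access, so refuse anything that is not exactly 12 digits.
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("account_id must be exactly 12 digits")
    principal = {"AWS": "arn:aws:iam::%s:root" % account_id}
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ViewAWSOrganizationsResources", "Effect": "Allow",
         "Principal": principal, "Action": READ_ACTIONS, "Resource": "*"},
        {"Sid": "DelegatingAllActionsForServiceControlPolicies", "Effect": "Allow",
         "Principal": principal, "Action": SCP_ACTIONS, "Resource": SCP_ARN}]}


def check_policy(policy, account_id):
    """True only if every statement grants solely to account_id, has no wildcard
    actions, and any statement with write actions is not scoped to Resource "*"."""
    expected = {"AWS": "arn:aws:iam::%s:root" % account_id}
    for stmt in policy["Statement"]:
        if stmt["Principal"] != expected or stmt["Effect"] != "Allow":
            return False
        if any("*" in a for a in stmt["Action"]):
            return False
        read_only = all(a.split(":")[1].startswith(("Describe", "List")) for a in stmt["Action"])
        if not read_only and stmt["Resource"] == "*":
            return False
    return True


def put_resource_policy_command(policy):
    # Compact JSON passed as a single quoted argument so the shell cannot split it.
    content = json.dumps(policy, separators=(",", ":"))
    return "aws organizations put-resource-policy --content %s" % shlex.quote(content)
```

Running check_policy before put-resource-policy is the point: the policy is the organization's trust boundary for the delegated administrator, so a wrong account ID or an over-broad Resource should fail in code rather than after the call succeeds.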
Back to Okta
What's next? I was looking at Okta. Now that I have this new account structure, maybe I can look into Okta a bit more and see if it makes sense to use it and how it maps to AWS constructs like organizations, accounts, OUs, users, roles, and groups. I want to create my governance user in the Governance account and find out how IAM management will work if I use the external IdP.
Follow for updates.
Teri Radichel | © 2nd Sight Lab 2023