AWS Management & Governance Blog

Category: AWS Organizations

CloudFormation StackSets delegated administration

If you are using AWS CloudFormation StackSets, you are having to manage your stacks from the AWS Organizations management account. According to best practice, the management account should be used only for tasks that require it. Until today, you had to use the management account to manage your AWS CloudFormation stack sets. To help limit […]

Read More

Best practices for creating and managing sandbox accounts in AWS

Organizations use multiple environments, each with different security and compliance controls, as part of their deployment pipeline. Following the principle of least privilege, production environments have the most restrictive security and compliance controls. They tightly limit who can access the environment and which actions each user (or principal) can perform. Development and test environments also […]

Read More
ReadOnly SCP Post Featured Image

How to implement a read-only service control policy (SCP) for accounts in AWS Organizations

Customers who manage multiple AWS accounts in AWS Organizations can use service control policies (SCPs) to centrally manage permissions in their environment. SCPs can be applied to an organization unit (OU), account, or entire organization to restrict the maximum permissions that can be applied in the scoped AWS accounts. In this post, we are going to explore the use of SCPs to restrict an AWS account to read-only access.

Read More

How to aggregate and visualize AWS Health events using AWS Organizations and Amazon Elasticsearch Service

In this post, I show you how to aggregate AWS Health events centrally from all accounts in your organization using AWS Organizations, AWS Lambda, and AWS Health API, and then build automation to ingest and visualize the operations data using Amazon Elasticsearch Service. As your organization grows, the number of operational emails and AWS Personal […]

Read More

AWS Management and Governance at Re:Invent 2020

AWS re:Invent is always an exciting time of the year to engage with our customers to learn, and share information about our services and features. Due to the current pandemic, re:Invent is pivoting to a free and virtual format presented across 3 weeks from November 30 to December 18 this year. Yes, you read that […]

Read More
Example Dashboard

View AWS Trusted Advisor recommendations at scale with AWS Organizations

Since 2014, AWS Trusted Advisor has been providing customers with visibility into an individual AWS account and providing recommendations based on known AWS best practices. Trusted Advisor makes recommendations to help customers achieve a better security posture, control their costs, optimize application performance, design better fault tolerance, and maintain control over their AWS service limits […]

Read More

AWS Organizations, AWS Config, and Terraform

In this post, I show how you can use AWS Organizations, AWS Config, and HashiCorp’s Terraform to deploy guardrails at scale. AWS Config provides configuration, compliance, and auditing features that are required for governing your resources and providing security posture assessment at scale. With its recent support for AWS Organizations, AWS Config makes it possible […]

Read More

AWS CloudFormation StackSet Orchestration: Automated deployment using AWS Step Functions

We often use AWS CloudFormation StackSets to automatically deploy infrastructure into many different accounts. Whether they are managed by AWS Control Tower or AWS Organizations, StackSets provide a simple and automated way to handle the creation of resources and infrastructure right after provisioning a new account. You can automatically deploy StackSets to accounts that belong […]

Read More

How BBVA USA delivered security and governance at scale using management tools

As BBVA USA began its digital transformation journey, the security operations team had to improve its processes around provisioning and baselining of AWS accounts. The demand for new AWS accounts continued to increase from multiple application teams within the bank. In an effort to standardize new accounts within the enterprise, BBVA USA built an automated […]

Read More

Simplifying permissions management at scale using tags in AWS Organizations

AWS Organizations has extended its existing tagging support for AWS accounts to include all Organizations resources, such as organizational units (OUs) and your root and organization-level policies. You can tag these resources as you create them, giving you a convenient way to make sure that your Organizations resources are categorized from the start, without needing […]

Read More