AWS Cloud Operations Blog

Protect your AWS resources from unauthorized access using AWS Organizations integrations

In today’s digital landscape, customers have complex and distributed workloads running on AWS, involving a large number of AWS resources across multiple services. Tackling security risks across numerous resources can seem daunting, but with the right approach and by following best practices, they can be addressed in a timely manner.

AWS offers tools and services designed to help streamline and automate the process of securing your cloud infrastructure, enabling you to efficiently mitigate vulnerabilities and fortify your defenses while ensuring the resilience and integrity of your critical systems and data. Before you can protect resources effectively, you need to identify your security risks. To learn more, see Best practices to identify security risks with AWS Organizations.

In this blog post, we will explore strategies and best practices for proactively protecting your AWS resources against security risks across your multi-account environment. We will discuss best practices for using AWS services such as AWS Identity and Access Management Access Analyzer, AWS IAM Identity Center, AWS Resource Access Manager (AWS RAM), and AWS Config integrated with AWS Organizations, which can help protect your AWS resources from security risks across your organization. AWS Control Tower is a landing zone service that helps customers set up and govern a secure, multi-account AWS environment based on best practices. If you wish to deploy a multi-account environment with some of these services configured automatically, we recommend using AWS Control Tower.

Prerequisite

  • You are familiar with the AWS Organizations service and with multi-account strategy concepts.
  • You have set up a multi-account environment with Security and Sandbox organizational units (OUs) with respective accounts.

Walkthrough

In this post, we’ll dive into the security features offered by AWS, including best practices and recommendations covering the following topics:

  • Overview of security controls.
  • Securely accessing your AWS accounts, protecting root users, and securely granting access to the workforce in your organization.
  • Centrally managing the services mentioned in this blog post with AWS Organizations.

Let’s get started!

Implement security controls in your AWS environment

AWS offers proactive, preventative, detective, and responsive controls to help you protect your AWS resources. Using a combination of security controls can help you employ a layered approach for protecting your AWS resources from potential security risks and abide by your organization’s security policy guidelines.

AWS Control Tower gives you 500+ managed controls powered by AWS Security Hub, AWS Config, and service control policies (SCPs) to streamline governance processes and protect your AWS resources. For example, you might have a detective control in place that notifies you when a configuration change on an Amazon Simple Storage Service (Amazon S3) bucket makes it publicly accessible. You might also have a responsive control that remediates it. Even with these two controls in place, you can add another layer of protection with a proactive control that prevents the creation of, or any configuration update to, an Amazon S3 bucket that would make it publicly accessible.

Because preventive controls (SCPs) cannot be applied to the management account of an organization, you can instead create a permissions boundary policy and apply it to the IAM entities (users or roles) within the management account, as shown in Image 1. The management account’s entities can then operate only within the defined boundary, regardless of the permissions granted to them through other IAM policies.

Image 1: An example of a permission boundary applied for IAM entities in the management account

Note that this example policy covers a single service, Amazon S3, and will not allow access to any other service. If you use other services, add them to the Allow statement with the Sid “ServiceBoundaries” and adjust the permissions boundary accordingly.

Securely access your AWS accounts to protect your AWS resources

Once you have security controls in place, you can grant users access to your AWS environment to start building. Adhering to the principle of least privilege, you should keep AWS account access to the minimum necessary. AWS Identity and Access Management Access Analyzer (IAM Access Analyzer) can help you refine and reduce permissions. You can identify unused IAM permissions that can be removed, enabling you to grant users only the minimum permissions necessary to perform their tasks. This reduces the risk of unauthorized access and potential security breaches and enhances your security posture.

You can enable IAM Access Analyzer for your organization with one click in the IAM console, as shown in Image 2. Once enabled, IAM Access Analyzer analyzes resource policies and reports findings for resources that grant public or cross-account access from outside your organization, both in the IAM console and through APIs.

Image 2: Enabling IAM Access Analyzer across organization

You can set up IAM Access Analyzer custom policy checks to validate IAM policies against your specified security standards and also identify resources that are accessible to an external entity.

Protect your AWS account’s root users

The management account has administrator rights over your organization, and signing in as the root user of the management account grants highly privileged access. To raise the security bar and help protect your AWS resources, best practices include enabling multi-factor authentication (MFA) and setting a strong, unique password. MFA is one of the most effective ways to enhance account security, providing an additional layer of protection against unauthorized access to systems or data. We now enforce MFA for root users, starting with management accounts with administrator rights, to enable better protection for your AWS accounts. This enforcement will expand to remaining standalone and management accounts in 2024.

You can set up MFA with a passkey for your root and IAM users using your fingerprint, face, or a PIN code. Passkeys are more resistant to phishing attacks than passwords and are bound to a specific web domain, providing a more secure authentication method and a reduced scope of unintended disclosure. For details, read the announcement AWS adds passkey multi-factor authentication (MFA) for root and IAM users. When MFA is not enabled, users will be prompted to set it up, with a grace period before it becomes mandatory. We highly recommend using MFA to significantly enhance the security of your AWS accounts and resources.

Additionally, you can protect against root user actions across the member accounts in your organization by implementing an SCP, as shown in Image 3, that disallows actions performed as the root user. Depending on your use case, you can apply this SCP either at the OU level or at the account level to prevent root actions in your organization.

Image 3: SCP example to disallow root actions

Next, you can create alerts using tools like Amazon EventBridge, Amazon CloudWatch, and Amazon GuardDuty to notify you whenever the management account root user credentials are used to sign in or to make API calls.
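As an added example (not code from the post or from AWS), the following Python shows one way to triage root-user activity in CloudTrail records, together with the EventBridge event pattern that would route root console sign-ins to an alerting target. The CloudTrail records are constructed, the account IDs are placeholders, and the pattern matcher implements only the exact-value and nested-object forms of EventBridge patterns.

```python
"""Flag root-user activity in CloudTrail records and show the EventBridge
event pattern that routes root console sign-ins to an alerting target.
Added illustration; the records below are constructed, not real logs."""

MANAGEMENT_ACCOUNT = "111122223333"   # placeholder account IDs
MEMBER_ACCOUNT = "222233334444"

# EventBridge rule pattern for root console sign-ins. CloudTrail ConsoleLogin
# events arrive with the documented "AWS Console Sign In via CloudTrail" type.
ROOT_SIGNIN_PATTERN = {
    "detail-type": ["AWS Console Sign In via CloudTrail"],
    "detail": {"userIdentity": {"type": ["Root"]}},
}

def matches_pattern(pattern, event):
    """Subset of EventBridge matching: a list means the event value must equal
    one of the listed values, a dict means a nested match; all keys must match."""
    for key, want in pattern.items():
        have = event.get(key)
        if isinstance(want, dict):
            if not isinstance(have, dict) or not matches_pattern(want, have):
                return False
        elif have not in want:
            return False
    return True

def to_eventbridge(record):
    """Wrap a CloudTrail record in the envelope EventBridge delivers."""
    detail_type = ("AWS Console Sign In via CloudTrail" if record["eventName"] == "ConsoleLogin"
                   else "AWS API Call via CloudTrail")
    return {"detail-type": detail_type, "account": record["recipientAccountId"], "detail": record}

def triage_root_activity(records, management_account=MANAGEMENT_ACCOUNT):
    """Return one alert per record performed by a root user, rated by whether
    it touched the management account and whether MFA was used."""
    alerts = []
    for r in records:
        if r.get("userIdentity", {}).get("type") != "Root":
            continue
        severity = "HIGH" if r["recipientAccountId"] == management_account else "MEDIUM"
        if r["eventName"] == "ConsoleLogin":
            outcome = r.get("responseElements", {}).get("ConsoleLogin", "Unknown")
            mfa = r.get("additionalEventData", {}).get("MFAUsed", "Unknown")
            if outcome == "Success" and mfa != "Yes":
                severity = "CRITICAL"        # root signed in without MFA
            what = f"console sign-in {outcome} (MFA={mfa})"
        else:
            what = f"API call {r['eventSource'].split('.')[0]}:{r['eventName']}"
        alerts.append({"account": r["recipientAccountId"], "time": r["eventTime"],
                       "source_ip": r.get("sourceIPAddress"), "severity": severity,
                       "what": what,
                       "eventbridge_match": matches_pattern(ROOT_SIGNIN_PATTERN, to_eventbridge(r))})
    return alerts

SAMPLE_RECORDS = [  # constructed CloudTrail records, not real data
    {"eventTime": "2024-06-01T08:12:04Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "recipientAccountId": MANAGEMENT_ACCOUNT,
     "userIdentity": {"type": "Root", "arn": f"arn:aws:iam::{MANAGEMENT_ACCOUNT}:root"},
     "sourceIPAddress": "198.51.100.7", "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-06-01T08:15:30Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "recipientAccountId": MANAGEMENT_ACCOUNT,
     "userIdentity": {"type": "AssumedRole",
                      "arn": f"arn:aws:sts::{MANAGEMENT_ACCOUNT}:assumed-role/Admin/alice"},
     "sourceIPAddress": "198.51.100.8", "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2024-06-01T09:02:11Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "recipientAccountId": MEMBER_ACCOUNT,
     "userIdentity": {"type": "Root", "arn": f"arn:aws:iam::{MEMBER_ACCOUNT}:root"},
     "sourceIPAddress": "203.0.113.9", "responseElements": {"ConsoleLogin": "Failure"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-06-01T09:20:45Z", "eventSource": "organizations.amazonaws.com",
     "eventName": "ListAccounts", "recipientAccountId": MANAGEMENT_ACCOUNT,
     "userIdentity": {"type": "Root", "arn": f"arn:aws:iam::{MANAGEMENT_ACCOUNT}:root"},
     "sourceIPAddress": "198.51.100.7"},
]

if __name__ == "__main__":
    for alert in triage_root_activity(SAMPLE_RECORDS):
        print(alert)
```

The sign-in rated CRITICAL is the one a defender should page on: a successful root console sign-in to the management account without MFA. The API call by the root user does not match the sign-in pattern, which is why a second EventBridge rule (or a GuardDuty finding) on `AWS API Call via CloudTrail` events with `userIdentity.type` of `Root` is usually paired with it.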

Enable IAM Identity Center for single sign-on for the workforce in your organization

We recommend using AWS IAM Identity Center to provide workforce access for your organization. It provides secure single sign-on, centralized identity management, and access control, reducing IT overhead while improving security and productivity.

Moreover, IAM Identity Center provides short-lived temporary credentials for federated user access to AWS accounts instead of the long-lived credentials associated with an IAM user. This is a security best practice that curtails unauthorized access to your resources. Consider enabling Identity Center from the AWS console in your management account. The identities in your organization can then be linked to specific member accounts, along with permission sets that define the access they should have in those accounts.

Secure your AWS resources using IAM Roles

IAM roles provide a secure and efficient way to grant permissions to resources within an AWS account. By using roles, you can grant access to services or applications without sharing long-term access keys. IAM roles promote security best practices, simplify access management, and enable granular control over resource access.

You can use IAM roles to enable temporary, role-based access control, ensuring that permissions are granted only when needed and revoked automatically after use. For example, you can enable trusted entities like Amazon Elastic Compute Cloud (Amazon EC2) instances, AWS Lambda functions, or other AWS services to access the resources they need, following the principle of least privilege. IAM roles help implement strong security practices, simplify access management across your AWS environment, and eliminate the inherent risks of long-lived access keys. For more information, refer to EC2 Instance Profiles, Lambda Execution Roles, and IAM Roles Anywhere.

Additionally, Identity Center allows federated users from external identity providers (IdPs) like Microsoft Active Directory or Okta to assume IAM roles without the need for creating individual IAM users. This enables users to authenticate with their existing corporate credentials, eliminating the need to manage separate AWS IAM user accounts.

You can also use IAM roles to securely access resources in one account from another. In the next section, let’s discuss sharing resources across your organization for secure and optimized use of AWS resources.

Securely share resources across your organization

AWS Resource Access Manager (RAM) helps you securely share AWS resources across the AWS accounts in your organization. We recommend enabling the RAM integration with AWS Organizations so that you can share resources securely within your organization, as shown in Image 4.

Image 4: Enabling RAM with AWS Organizations

Additionally, you can define cross-account access permissions on individual resources using AWS IAM resource-based policies for the supported resources.

We recommend using global condition keys such as aws:PrincipalOrgID, aws:PrincipalOrgPaths, aws:ResourceOrgID, and aws:ResourceOrgPaths in IAM policies and SCPs to constrain access to resources based on your organization or organizational unit (OU) structure. These condition keys are particularly useful in large organizations with complex OU structures, where you need to enforce strict access controls along organizational boundaries. Using these condition keys, you can implement governance policies and ensure that resources are accessed only by authorized principals within the intended organizational context.

Manage these services in your organization, and register delegated administrator

By integrating security services with AWS Organizations, you can implement consistent security measures across your entire AWS environment. You can set up service control policies that prevent IAM users and roles from making configuration changes to AWS resources in your organization. With SCPs, you specify the services, resources, and actions that are allowed or denied. For example, you can create an SCP that denies all IAM users and roles the ability to perform certain actions, such as creating, modifying, or deleting specific AWS resources like Amazon VPCs, subnets, or security groups.

This way, you can keep your organization’s resources protected from unintended or unauthorized changes, and maintain a consistent security posture across your AWS accounts and resources.

With AWS Config integrated with AWS Organizations, you can enforce consistent security policies and security best practices, and you can use service control policies (SCPs) to prevent changes to security services like AWS Config or AWS Security Hub in your organization. For example, the SCP in Image 5 prevents users or roles in any affected account from running AWS Config operations that could disable AWS Config or alter its rules or triggers.

Image 5: An SCP example to prevent AWS Config changes
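The policy layers described in this post interact in a fixed order, and the safest way to understand them is to run requests through them. The following Python is an added illustration (not code from the post or from AWS) that simulates how IAM combines the management-account permissions boundary from Image 1, the root-denying SCP from Image 3, the AWS Config protection SCP from Image 5, and an SCP built on the aws:ResourceOrgID condition key from the resource-sharing section. The policy documents are reconstructed from the post's descriptions of those images; the organization ID, account ID and ARNs are placeholders; and the evaluator covers only the String condition operators and the SCP, boundary and identity-policy layers (no resource-based or session policies).

```python
from fnmatch import fnmatchcase

# Placeholder identifiers (not values from the post).
ORG_ID = "o-exampleorgid"
ACCOUNT = "111122223333"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _cond_ok(cond, ctx):
    """Evaluate the String condition operators used below against the request
    context. As in IAM, a negated operator is true when the key is absent."""
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have, want = ctx.get(key), _as_list(want)
            like = any(fnmatchcase(str(have), w) for w in want)
            if ((op == "StringEquals" and have not in want)
                    or (op == "StringNotEquals" and have in want)
                    or (op == "StringLike" and not like)
                    or (op == "StringNotLike" and like)):
                return False
    return True

def _matches(stmt, action, resource, ctx):
    return (any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", "*")))
            and _cond_ok(stmt.get("Condition", {}), ctx))

def _decision(policy, action, resource, ctx):
    """'Deny', 'Allow' or None (implicit deny) from a single policy document."""
    result = None
    for stmt in policy["Statement"]:
        if _matches(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"
            result = "Allow"
    return result

def evaluate(action, resource, ctx, identity, boundary=None, scps=()):
    """An explicit Deny in any layer wins; otherwise the SCP layer (if present),
    the permissions boundary (if present) and the identity policy must all Allow.
    Pass the default FullAWSAccess SCP alongside deny-only SCPs, as AWS attaches it."""
    layers = [_decision(identity, action, resource, ctx)]
    if boundary:
        layers.append(_decision(boundary, action, resource, ctx))
    if scps:
        scp = [_decision(p, action, resource, ctx) for p in scps]
        layers.append("Deny" if "Deny" in scp else "Allow" if "Allow" in scp else None)
    return "Deny" if ("Deny" in layers or None in layers) else "Allow"

# Policies reconstructed from the post's descriptions (placeholders, not the real images).
FULL_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
ADMIN = FULL_ACCESS  # identity policy equivalent to AdministratorAccess
MGMT_BOUNDARY = {"Statement": [  # Image 1: only Amazon S3 inside the boundary
    {"Sid": "ServiceBoundaries", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
DENY_ROOT_SCP = {"Statement": [  # Image 3: no actions as the root user
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}}}]}
PROTECT_CONFIG_SCP = {"Statement": [  # Image 5: AWS Config cannot be switched off
    {"Effect": "Deny", "Resource": "*", "Action": [
        "config:DeleteConfigRule", "config:DeleteConfigurationRecorder",
        "config:DeleteDeliveryChannel", "config:StopConfigurationRecorder"]}]}
RESOURCE_PERIMETER_SCP = {"Statement": [  # aws:ResourceOrgID: only this org's buckets
    {"Effect": "Deny", "Action": "s3:*", "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:ResourceOrgID": ORG_ID}}}]}

def scenarios():
    """Decisions for requests a defender would want to verify before rollout."""
    role = {"aws:PrincipalArn": f"arn:aws:iam::{ACCOUNT}:role/Admin"}
    root = {"aws:PrincipalArn": f"arn:aws:iam::{ACCOUNT}:root"}
    obj = "arn:aws:s3:::example-bucket/key"
    root_scps = [FULL_ACCESS, DENY_ROOT_SCP]
    cfg_scps = [FULL_ACCESS, PROTECT_CONFIG_SCP]
    perim_scps = [FULL_ACCESS, RESOURCE_PERIMETER_SCP]
    return {
        # Management account: admin identity policy, boundary allows only S3.
        "mgmt_s3": evaluate("s3:GetObject", obj, role, ADMIN, MGMT_BOUNDARY),
        "mgmt_ec2": evaluate("ec2:RunInstances", "*", role, ADMIN, MGMT_BOUNDARY),
        # Member account: the root user is blocked, an admin role is not.
        "root_blocked": evaluate("s3:ListAllMyBuckets", "*", root, ADMIN, scps=root_scps),
        "role_allowed": evaluate("s3:ListAllMyBuckets", "*", role, ADMIN, scps=root_scps),
        # AWS Config can be read but not stopped.
        "config_stop": evaluate("config:StopConfigurationRecorder", "*", role, ADMIN, scps=cfg_scps),
        "config_read": evaluate("config:DescribeConfigRules", "*", role, ADMIN, scps=cfg_scps),
        # S3 access only to buckets owned by this organization.
        "s3_in_org": evaluate("s3:GetObject", obj, {**role, "aws:ResourceOrgID": ORG_ID},
                              ADMIN, scps=perim_scps),
        "s3_other_org": evaluate("s3:GetObject", obj, {**role, "aws:ResourceOrgID": "o-other"},
                                 ADMIN, scps=perim_scps),
    }

if __name__ == "__main__":
    for name, decision in scenarios().items():
        print(f"{name:14} {decision}")
```

The `mgmt_ec2` case is the one the permissions boundary discussion hinges on: the identity policy grants everything, yet the request is denied because the boundary never allows it. The same evaluator shows why a deny-only SCP still needs an Allow somewhere in the SCP layer, which is what the default FullAWSAccess policy provides. Before attaching a real SCP, validate it with the IAM policy simulator or IAM Access Analyzer custom policy checks rather than relying on a simulation like this one.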

You can enable the services discussed in this blog post with AWS Organizations using each service’s console, or the equivalent API operations or CLI commands. This lets the AWS service perform all required initialization steps for your organization, such as creating any required resources. For example, if you integrate AWS Config with AWS Organizations, you’ll be able to track the configurations of all your AWS resources across all the accounts in your organization.

You can delegate the administration of many of the security services in this blog post, such as AWS Config, IAM Access Analyzer, and IAM Identity Center. This limits access to the management account and gives privileges to delegated member accounts so they can manage the AWS service across your organization.

For example, a security account in your security OU can be the delegated admin for AWS Config and the other security services. You can use these commands from the management account to designate your security account or another member account as a delegated administrator for AWS Config.

aws organizations register-delegated-administrator --account-id <delegated account id> --service-principal config-multiaccountsetup.amazonaws.com

aws organizations register-delegated-administrator --account-id <delegated account id> --service-principal config.amazonaws.com

Note that not all AWS services support designating a delegated administrator. Before appointing a delegated administrator, see the table in AWS services that you can use with AWS Organizations to learn which services support delegated administrators.

Conclusion

Following the guidance covered in this post, you can protect your AWS resources from the risks of unauthorized access in your organization. To realize these benefits, we recommend that you integrate the services discussed in this post with AWS Organizations and set up delegated administrators to decentralize their management. By applying the guidance and best practices in this post, you can significantly reduce the risk of unauthorized access and data breaches. Read how Volkswagen Financial Services scaled its governance and security management practices using AWS Organizations.

To learn more about security services, refer to the Security Learning Plan in AWS Skill Builder. AWS Control Tower is a fully managed service that enables you to set up various controls and deploy services such as AWS Config, Identity Center, and Security Hub for a secure, managed multi-account environment. The AWS Control Tower controls library offers a centralized source of managed controls across AWS, with 500+ controls including preventive, proactive, and detective controls. If you are interested in prescriptive guidance with best practices for setting up the controls recommended in this post, consider using AWS Control Tower.

About the Author

Pujah Goviel

Pujah Goviel is a Technical Account Manager at Amazon Web Services (AWS). She spends her day working with the Enterprise Support customers, solving their operational challenges, and helping them to accelerate innovation on AWS. She was a DevOps specialist prior to joining AWS and actively contributed to various technical blogs on her own blog site as well as developed various Terraform modules in the Terraform registry.

Amey Bhavsar

Amey Bhavsar is a Sr. Solutions Architect at AWS, specializing in guiding enterprise clients across diverse industries. He is a core member of the Next Gen Developer Experience TFC, a Segment Retail Ambassador, and a GenAI Hero. He helps accelerate AWS cloud adoption by designing and implementing scalable and resilient architectures.

Sailesh Kadam

Sailesh Kadam is a Sr. Solutions Architect at Amazon Web Services. He works with customers early in their AWS journey to help them migrate and modernize their applications in the cloud. Outside of work, he loves to make and eat sourdough bread.