Account Assessment for AWS Organizations allows you to centrally manage and evaluate all AWS accounts within your AWS Organizations, helping you to better understand and navigate the dependencies of AWS Organizations. The process to manually evaluate AWS Organizations dependencies can be time consuming—potentially involving reviews of tens or even hundreds of AWS resources of individual accounts. Now, you can run three types of scans to find delegated administrator accounts, identity-based and resource-based policies, and AWS services that have trusted access enabled for your AWS Organizations—all from a simple UI.
Benefits
Intuitive web UI
View, examine, and troubleshoot your scan results in an intuitive web UI.
Compatible with over 25 AWS services
Use more than 25 AWS services enabled with trusted access to perform operations across all of the AWS accounts in your AWS Organizations.
Three types of scans
Scan for resource-based policies, delegated admin accounts, and trusted access with the web UI.
Step 3 When you start a scan, the web UI gets a token from Amazon Cognito and sends a request to Amazon API Gateway. AWS WAF protects the application programming interfaces (APIs) from attacks.
This solution configures a set of rules called a web access control list (ACL) that allows, blocks, or counts web requests based on configurable, user-defined web security rules and conditions.
Step 4 API Gateway provides the solution’s API layer.
Step 5 Amazon Cognito authenticates the token in the header of the API requests.
Step 6 AWS Lambda serves the microservices and routes API requests to each microservice. The Job management microservice handles creation, deletion, and history of each scan job initiated by the user in the web UI.
Note: Steps 3-6 repeat for each type of scan.
Delegated Admin Accounts scan
Step 7 The Delegated Admin Accounts scan microservice finds and stores the delegated administrator account information for all the enabled AWS services in an Amazon DynamoDB table. These accounts can call the AWS Account Management API operations for other member accounts in the Organization.
Step 8 This microservice gets the information from the Organizations management account.
Trusted Access scan
Step 9 The Trusted Access scan microservice finds and stores the services in AWS Organizations with trusted access, which allows the service to perform tasks in your Organization and its accounts on your behalf. This microservice stores the service principals in a DynamoDB table.
Step 10 This microservice gets the information from the AWS Organizations management account.
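As an added example (not the solution's own code), the following Python assembles the inventory that steps 7 through 10 describe: which account is delegated administrator for which service, and which service principals have trusted access enabled. It uses the response shapes of the AWS Organizations API operations ListDelegatedAdministrators, ListDelegatedServicesForAccount and ListAWSServiceAccessForOrganization, which a management-account caller would reach through boto3's Organizations client. The `org` parameter is any object exposing those three calls with NextToken pagination; `FakeOrganizationsClient` is a constructed in-memory stand-in so the code runs offline, and the account IDs and service principals in it are sample values.

```python
"""Added example (not the solution's own code): build the delegated-admin and
trusted-access inventory from AWS Organizations API response shapes.
FakeOrganizationsClient is a constructed stand-in; its IDs are sample values."""


def _paginate(call, result_key, **kwargs):
    """Follow NextToken until the API stops returning one; return all items."""
    items, token = [], None
    while True:
        page = call(**kwargs, NextToken=token) if token else call(**kwargs)
        items.extend(page.get(result_key, []))
        token = page.get("NextToken")
        if not token:
            return items


def delegated_admin_inventory(org):
    """Map each delegated administrator account ID to the sorted service principals it administers (step 7)."""
    inventory = {}
    for admin in _paginate(org.list_delegated_administrators, "DelegatedAdministrators"):
        services = _paginate(org.list_delegated_services_for_account, "DelegatedServices",
                             AccountId=admin["Id"])
        inventory[admin["Id"]] = sorted(s["ServicePrincipal"] for s in services)
    return inventory


def trusted_access_services(org):
    """Sorted service principals with trusted access enabled for the organization (step 9)."""
    enabled = _paginate(org.list_aws_service_access_for_organization, "EnabledServicePrincipals")
    return sorted(s["ServicePrincipal"] for s in enabled)


def trusted_without_delegate(org):
    """Trusted-access services that have no delegated administrator; org-wide
    administration of these remains with the management account."""
    delegated = {sp for sps in delegated_admin_inventory(org).values() for sp in sps}
    return [sp for sp in trusted_access_services(org) if sp not in delegated]


class FakeOrganizationsClient:
    """Constructed in-memory stand-in for boto3's Organizations client. It pages one
    item at a time so the NextToken handling above is actually exercised."""

    def __init__(self):
        self._admins = [{"Id": "111111111111", "Name": "security-tooling"},
                        {"Id": "222222222222", "Name": "log-archive"}]
        self._delegated = {"111111111111": ["guardduty.amazonaws.com", "securityhub.amazonaws.com"],
                           "222222222222": ["config.amazonaws.com"]}
        self._trusted = ["guardduty.amazonaws.com", "securityhub.amazonaws.com",
                         "config.amazonaws.com", "cloudtrail.amazonaws.com"]

    @staticmethod
    def _page(items, key, next_token=None, size=1):
        start = int(next_token or 0)
        page = {key: items[start:start + size]}
        if start + size < len(items):
            page["NextToken"] = str(start + size)
        return page

    def list_delegated_administrators(self, **kw):
        return self._page(self._admins, "DelegatedAdministrators", kw.get("NextToken"))

    def list_delegated_services_for_account(self, AccountId, **kw):
        rows = [{"ServicePrincipal": sp} for sp in self._delegated.get(AccountId, [])]
        return self._page(rows, "DelegatedServices", kw.get("NextToken"))

    def list_aws_service_access_for_organization(self, **kw):
        rows = [{"ServicePrincipal": sp} for sp in self._trusted]
        return self._page(rows, "EnabledServicePrincipals", kw.get("NextToken"))


if __name__ == "__main__":
    # Real use: client = boto3.client("organizations"), called from the management account.
    client = FakeOrganizationsClient()
    print(delegated_admin_inventory(client))
    print(trusted_without_delegate(client))
```

The last function is the kind of question the stored inventory lets you answer: with the sample data, cloudtrail.amazonaws.com has trusted access but no delegated administrator, so its org-wide configuration can only be changed from the management account, which is worth knowing when deciding who needs access there.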
Resource-Based Policies scan
Step 11 The Resource-Based Policies scan microservice uses a Lambda function to start an asynchronous job and invoke AWS Step Functions.
Step 12 The Step Functions state machine scans multiple accounts and AWS Regions in parallel to find and store resource details in the DynamoDB table. This microservice can scan up to 25 AWS services across accounts in your Organizations and identify resource dependencies.
Step 13 Each iteration in the state machine invokes a Lambda function to assume a role in each spoke account. This microservice checks conditions in the policies that may contain Organization IDs or organizational unit (OU) IDs.
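As an added example (not the solution's own code), the following Python performs the check step 13 describes on a single policy document: it walks every statement's Condition block and reports the ones that reference an Organization ID or an OU path through the aws:PrincipalOrgID, aws:PrincipalOrgPaths, aws:ResourceOrgID or aws:ResourceOrgPaths condition keys. Those conditions are where a resource-based policy becomes dependent on the organization: if the account is moved to another organization, the condition no longer matches and the access it granted stops working. The sample policy, bucket name, account ID and org/OU IDs are constructed values.

```python
"""Added example (not the solution's own code): find Organization ID and OU ID
dependencies in a resource-based policy document. All sample values are constructed."""
import json
import re

# Condition keys whose values carry an Organization ID or an OU path (compared case-insensitively).
ORG_CONDITION_KEYS = {"aws:principalorgid", "aws:principalorgpaths",
                      "aws:resourceorgid", "aws:resourceorgpaths"}
ORG_ID_RE = re.compile(r"\bo-[a-z0-9]{10,32}\b")
OU_ID_RE = re.compile(r"\bou-[a-z0-9]{4,32}-[a-z0-9]{8,32}\b")


def _as_list(value):
    """IAM accepts a scalar or a list in most positions; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_org_dependencies(policy):
    """Return one finding per (statement, condition key) that pins access to an org or OU.
    `policy` may be a JSON string or an already-parsed dict."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        for operator, pairs in (stmt.get("Condition") or {}).items():
            for key, values in pairs.items():
                if key.lower() not in ORG_CONDITION_KEYS:
                    continue  # e.g. aws:SourceAccount is not an organization dependency
                text = " ".join(str(v) for v in _as_list(values))
                findings.append({
                    "sid": stmt.get("Sid", ""),
                    "effect": stmt.get("Effect"),
                    "operator": operator,
                    "key": key,
                    "org_ids": sorted(set(ORG_ID_RE.findall(text))),
                    "ou_ids": sorted(set(OU_ID_RE.findall(text))),
                })
    return findings


def referenced_ids(findings):
    """Flatten findings into the set of org and OU IDs the policy depends on."""
    ids = set()
    for finding in findings:
        ids.update(finding["org_ids"])
        ids.update(finding["ou_ids"])
    return ids


# Constructed sample bucket policy: two org-dependent statements and one that is not.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowOrgRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-abc1234567"}},
        },
        {
            "Sid": "AllowOuPut",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"ForAnyValue:StringLike": {
                "aws:PrincipalOrgPaths": ["o-abc1234567/r-ab12/ou-ab12-11111111/*"]}},
        },
        {
            "Sid": "AllowSingleAccount",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
    ],
})


if __name__ == "__main__":
    # In the solution's flow this would run per resource, per account, per Region, after assuming the spoke role.
    for finding in find_org_dependencies(SAMPLE_POLICY):
        print(finding)
    print(sorted(referenced_ids(find_org_dependencies(SAMPLE_POLICY))))
```

The first two statements are reported because their conditions name the org and an OU path; the third is account-scoped and is left alone. Matching on the condition key rather than only on the ID pattern matters, because an Organization ID can also appear in places (a comment, a tag value) that do not make the policy depend on it.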
Related content
AWS Knowledge Center
How do I move accounts between organizations in AWS Organizations?
Identify some of the account, reporting, billing, and other considerations you will need to take when migrating accounts.