Overview

Presented in a web UI, this AWS Solution runs configurable scans on all AWS accounts in your AWS Organizations to help you identify dependencies in your underlying resource-based policies.
Benefits

View, examine, and troubleshoot your scan results in an intuitive web UI.
Use more than 25 solution-compatible AWS services enabled with trusted access to perform operations across all of the AWS accounts in your Organization.
Scan for resource-based policies, delegated admin accounts, and trusted access with the solution’s web UI.
Technical details

Account Assessment for AWS Organizations programmatically scans all AWS accounts in an AWS Organization for identity-based and resource-based policies with Organization-based conditions.
Step 1
Users log in to the hub account by using the web UI, and the Amazon Cognito user pool authenticates each user. Amazon CloudFront delivers the web UI content from an Amazon Simple Storage Service (Amazon S3) bucket.
Step 2
The Amazon S3 bucket hosts the web UI.
Step 3
When you start a scan, the web UI gets a token from Amazon Cognito and sends a request to Amazon API Gateway. AWS WAF protects the application programming interfaces (APIs) from attacks.
This solution configures a set of rules called a web access control list (ACL) that allows, blocks, or counts web requests based on configurable, user-defined web security rules and conditions.
Note: Steps 3-6 repeat for each type of scan.
Step 4
An Amazon API Gateway provides the solution’s API layer.
Step 5
Amazon Cognito authenticates the token in the header of the API requests.
Step 6
AWS Lambda serves the microservices and routes API requests to each microservice. The Job management microservice handles creation, deletion, and history of each scan job initiated by the user in the web UI.
Delegated Admin Accounts scan
Step 7
The Delegated Admin Accounts scan microservice finds the delegated administrator account information for all enabled AWS services and stores it in an Amazon DynamoDB table. These accounts can call the AWS Account Management API operations for other member accounts in the Organization.
Step 8
This microservice gets the information from the Organizations management account.
Trusted Access scan
Step 9
The Trusted Access scan microservice finds the AWS services that have trusted access enabled in AWS Organizations, which allows each service to perform tasks in your Organization and its accounts on your behalf. This microservice stores the service principals in a DynamoDB table.
Step 10
This microservice gets the information from the AWS Organizations management account.
Resource-based Policies scan
Step 11
The Resource-based Policies scan microservice uses a Lambda function to start an asynchronous job and invoke AWS Step Functions.
Step 12
The Step Functions state machine scans multiple accounts and AWS Regions in parallel to find and store resource details in the DynamoDB table. This microservice can scan up to 25 AWS services across accounts in your Organization and identify resource dependencies.
Step 13
Each iteration in the state machine invokes a Lambda function that assumes a role in a spoke account. This microservice checks the conditions in the policies it finds for references to Organization IDs or organizational unit (OU) IDs.
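The policy check in Step 13, as an added example that is not the solution's own code: it parses a resource-based policy document and reports every condition value that references an Organization ID or an OU ID. The sample bucket policy and the ID character classes in the regex are assumptions made for the example.

```python
import json
import re

# Matches an Organization ID (o-...) or an organizational unit ID (ou-...-...),
# also when embedded in an aws:PrincipalOrgPaths value such as
# "o-a1b2c3d4e5/r-ab12/ou-ab12-11111111/". Character classes are assumed.
ORG_ID_RE = re.compile(r"\b(?:ou-[a-z0-9]+-[a-z0-9]+|o-[a-z0-9]+)\b")


def _as_list(value):
    """IAM accepts a scalar or a list in most positions; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_org_dependencies(policy_json: str) -> list[dict]:
    """Return one finding per condition value that references an org or OU ID."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        # Condition is shaped {operator: {condition_key: value_or_list}}
        for operator, keys in stmt.get("Condition", {}).items():
            for key, values in keys.items():
                for value in _as_list(values):
                    ids = sorted(set(ORG_ID_RE.findall(str(value))))
                    if ids:
                        findings.append({"sid": stmt.get("Sid"),
                                         "effect": stmt.get("Effect"),
                                         "condition": f"{operator}:{key}",
                                         "ids": ids})
    return findings


# Constructed sample bucket policy (not from the page): two statements
# depend on the Organization, one does not.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "OrgRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-a1b2c3d4e5"}}},
        {"Sid": "OuWrite", "Effect": "Allow", "Principal": "*",
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"ForAnyValue:StringLike": {
             "aws:PrincipalOrgPaths": ["o-a1b2c3d4e5/r-ab12/ou-ab12-11111111/*"]}}},
        {"Sid": "NoOrgDependency", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

if __name__ == "__main__":
    for finding in find_org_dependencies(SAMPLE_POLICY):
        print(finding)
```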