Overview
Account Assessment for AWS Organizations allows you to centrally manage and evaluate all AWS accounts within your AWS Organizations, helping you to better understand and navigate the dependencies of AWS Organizations. The process to manually evaluate AWS Organizations dependencies can be time consuming—potentially involving reviews of tens or even hundreds of AWS resources of individual accounts. Now, you can run three types of scans to find delegated administrator accounts, identity-based and resource-based policies, and AWS services that have trusted access enabled for your AWS Organizations—all from a simple UI.
Benefits
View, examine, and troubleshoot your scan results in an intuitive web UI.
Use more than 25 AWS services enabled with trusted access to perform operations across all of the AWS accounts in your AWS Organizations.
Scan for resource-based policies, delegated admin accounts, and trusted access with the web UI.
Technical details
You can automatically deploy this architecture using the implementation guide and the accompanying AWS CloudFormation template.
Step 1
Users log in to the hub account by using the web UI, and the Amazon Cognito user pool authenticates each user. Amazon CloudFront delivers the web UI content from an Amazon Simple Storage Service (Amazon S3) bucket.
Step 2
The S3 bucket hosts the web UI.
Step 3
When you start a scan, the web UI gets a token from Amazon Cognito and sends a request to Amazon API Gateway. AWS WAF protects the application programming interfaces (APIs) from attacks.
This solution configures a set of rules called a web access control list (ACL) that allows, blocks, or counts web requests based on configurable, user-defined web security rules and conditions.
Note: Steps 3-6 repeat for each type of scan.
Step 4
An API Gateway provides the solution’s API layer.
Step 5
Amazon Cognito authenticates the token in the header of the API requests.
Step 6
AWS Lambda serves the microservices and routes API requests to each microservice. The Job management microservice handles creation, deletion, and history of each scan job initiated by the user in the web UI.
Delegated Admin Accounts scan
Step 7
The Delegated Admin Accounts scan microservice finds and stores the delegated administrator account information for all the enabled AWS services in an Amazon DynamoDB table. These accounts can call the AWS Account Management API operations for other member accounts in the Organization.
Step 8
This microservice gets the information from the Organizations management account.
Trusted Access scan
Step 9
The Trusted Access scan microservice finds the AWS services that have trusted access enabled for your Organization, which allows each service to perform tasks in your Organization and its accounts on your behalf. This microservice stores the service principals in a DynamoDB table.
Step 10
This microservice gets the information from the AWS Organizations management account.
Resource-Based Policies scan
Step 11
The Resource-Based Policies scan microservice uses a Lambda function to start an asynchronous job and invoke AWS Step Functions.
Step 12
The Step Functions state machine scans multiple accounts and AWS Regions in parallel to find and store resource details in the DynamoDB table. This microservice can scan up to 25 AWS services across accounts in your Organizations and identify resource dependencies.
Step 13
Each iteration in the state machine invokes a Lambda function that assumes a role in a spoke account. This microservice checks the conditions in each resource-based policy for references to Organization IDs or organizational unit (OU) IDs, since those are the dependencies that break when an account moves to another Organization.
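As an added illustration of the check in Step 13, and not code from the solution itself, the following Python function walks the Condition blocks of a resource-based policy and reports which statements depend on an Organization ID or OU ID. The bucket policy, the IDs in it, and the ID patterns are constructed or assumed for this example.

```python
import json
import re

# Condition keys whose values tie a policy to a specific organization or OU
# (assumed set; extend it if your policies use other org-scoped keys).
ORG_CONDITION_KEYS = (
    "aws:principalorgid", "aws:principalorgpaths",
    "aws:resourceorgid", "aws:resourceorgpaths",
    "aws:sourceorgid", "aws:sourceorgpaths",
)
# Assumed ID shapes: "o-" + 10-32 alphanumerics, "ou-" + root part + "-" + 8-32 alphanumerics.
ORG_ID_RE = re.compile(r"o-[a-z0-9]{10,32}")
OU_ID_RE = re.compile(r"ou-[a-z0-9]{4,32}-[a-z0-9]{8,32}")


def find_org_dependencies(policy_json: str) -> list:
    """Return one record per statement whose Condition references an org or OU ID."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be an object, not a list
        statements = [statements]
    findings = []
    for stmt in statements:
        for operator, key_values in stmt.get("Condition", {}).items():
            for key, values in key_values.items():
                if key.lower() not in ORG_CONDITION_KEYS:
                    continue
                if isinstance(values, str):   # condition values may be a string or a list
                    values = [values]
                org_ids = sorted({m for v in values for m in ORG_ID_RE.findall(v)})
                ou_ids = sorted({m for v in values for m in OU_ID_RE.findall(v)})
                if org_ids or ou_ids:
                    findings.append({"sid": stmt.get("Sid", ""), "effect": stmt.get("Effect"),
                                     "operator": operator, "key": key,
                                     "org_ids": org_ids, "ou_ids": ou_ids})
    return findings


# Constructed sample bucket policy with placeholder org, root and OU IDs.
SAMPLE_BUCKET_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowOrgRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorg1"}}},
    {"Sid": "AllowOuWrite", "Effect": "Allow", "Principal": "*", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"ForAnyValue:StringLike": {
         "aws:PrincipalOrgPaths": ["o-exampleorg1/r-ab12/ou-ab12-11111111/*"]}}},
    {"Sid": "NoOrgCondition", "Effect": "Allow", "Action": "s3:ListBucket",
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Resource": "arn:aws:s3:::example-bucket"},
]})

if __name__ == "__main__":
    for finding in find_org_dependencies(SAMPLE_BUCKET_POLICY):
        print(finding)
```

Running the block lists the two statements that would stop working if the bucket's account left the Organization, while the statement that grants access by account ARN is not reported.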
Related content
Identify some of the account, reporting, billing, and other considerations you will need to take into account when migrating accounts.
Learn how to migrate your accounts configured with consolidated billing to a new organization that has all features enabled.