Managed Organizations

In most AWS environments, you are likely using AWS Organizations to manage the different AWS accounts. Adding a managed organization enables you to:

  1. Onboard multiple AWS accounts under an Organization quickly by deploying permissions in one go with CloudFormation StackSets

  2. Get a comprehensive view of all security findings and recommendations for all managed AWS accounts under an Organization

  3. View Organization-specific recommendations (such as SCP suggestions)

Adding an Organization

When you scan an Organization's Management Account with ASecureCloud, a prompt to add an organization is displayed.

When an organization is added, the Managed Organizations table displays the following:

  • Management Account Id

  • Description

  • Total Member Accounts: Total number of AWS accounts under the organization

  • Managed Member Accounts: Number of AWS accounts onboarded to ASecureCloud

Organization Settings

You can access a managed organization's settings by clicking on Edit to bring up the Organization Settings window. On this page, you can:

  • Update the organization description

  • Configure Authentication with CloudFormation StackSets

  • Review member account settings

Authentication with CloudFormation StackSets

Configuring authentication using CloudFormation StackSets enables you to provision an IAM role across all (or some) of the Organization's AWS accounts.

Click on the Configure Authentication with CloudFormation StackSets button, then click on Edit StackSet Details to edit the IAM role settings and permissions. Once all details are provided, you can either:

  • Launch StackSets as a CloudFormation Stack

  • Download Template & Launch StackSet Manually
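
Because the StackSet deploys the same IAM role into every targeted account, the downloaded template is worth reviewing before launch. The check below is an added example, not ASecureCloud's code or template: it assumes a JSON-format template and runs on a constructed sample whose role names, account ID and ExternalId parameter are placeholders.

```python
import json

# Constructed sample template (not ASecureCloud's). Role names, the account ID
# and the ExternalId parameter are placeholders chosen for illustration.
SAMPLE = json.loads("""
{"Resources": {
  "ScopedAuditRole": {"Type": "AWS::IAM::Role", "Properties": {
    "AssumeRolePolicyDocument": {"Statement": [{"Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
      "Action": "sts:AssumeRole",
      "Condition": {"StringEquals": {"sts:ExternalId": {"Ref": "ExternalId"}}}}]},
    "ManagedPolicyArns": ["arn:aws:iam::aws:policy/SecurityAudit"]}},
  "BroadRole": {"Type": "AWS::IAM::Role", "Properties": {
    "AssumeRolePolicyDocument": {"Statement": [{"Effect": "Allow",
      "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]},
    "Policies": [{"PolicyName": "all", "PolicyDocument": {"Statement": [
      {"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]}}
}}
""")

def as_list(value):
    return value if isinstance(value, list) else [value]

def review_role(name, props):
    """Return findings for the Properties of one AWS::IAM::Role resource."""
    findings = []
    trust = props.get("AssumeRolePolicyDocument", {})
    for stmt in as_list(trust.get("Statement", [])):
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow" or not (principal == "*" or "AWS" in principal):
            continue  # only grants to AWS (cross-account) principals are reviewed
        if principal == "*" or "*" in as_list(principal["AWS"]):
            findings.append(f"{name}: trust policy allows any AWS principal")
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            findings.append(f"{name}: no sts:ExternalId condition on AssumeRole")
    for policy in props.get("Policies", []):
        for stmt in as_list(policy["PolicyDocument"].get("Statement", [])):
            if stmt.get("Effect") == "Allow" and "*" in as_list(stmt.get("Action", [])):
                findings.append(f"{name}: inline policy '{policy['PolicyName']}' allows Action '*'")
    for arn in props.get("ManagedPolicyArns", []):
        if isinstance(arn, str) and arn.endswith(":policy/AdministratorAccess"):
            findings.append(f"{name}: AdministratorAccess is attached")
    return findings

def review_template(template):
    """Review every IAM role in a parsed CloudFormation template."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") == "AWS::IAM::Role":
            findings += review_role(name, res.get("Properties", {}))
    return findings
```

To review a real download, pass `json.load(open(path))` to `review_template` and resolve any findings before launching the StackSet.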

Member AWS Accounts

Once the CloudFormation StackSet is deployed, you will be able to onboard accounts using the Add with StackSet Credentials option.

If you didn't deploy a CloudFormation StackSet, you can select the Add with Dedicated Credentials option to manage separate IAM role definitions for the AWS accounts (which will be the same process as onboarding a standalone AWS account).

It's recommended to manage the IAM role as a StackSet and add member accounts with the StackSet credentials.
