What is AWS Organizations
AWS Organizations is a service that aims to make managing and billing multiple AWS accounts easier. With AWS Organizations, you can consolidate your accounts under one umbrella, improving their management and billing processes. Creating new accounts within this organizational structure becomes a simple and fast task. What’s more, AWS Organizations provides governance features that are not available when using standalone AWS accounts. This service streamlines account management, allowing you to have centralized billing capabilities. Additionally, it simplifies the complex task of managing permissions and access controls across multiple accounts, making it more efficient and convenient.
Ogranization
An organization is formed with the purpose of bringing together several AWS accounts for streamlined management. It consists of a master account and can include multiple units. Typically, organizations are organized in a hierarchical structure resembling a tree, with the root account positioned at the top and child accounts branching out beneath it. The root account acts as the primary container for all other accounts within the organization. By applying a Service Control Policy (SCP) to the root account, the policy’s effects propagate down the hierarchy, affecting all organizational accounts and child accounts. This ensures that the policy’s restrictions and permissions are enforced consistently across the entire organization.
SCPs
SCPs, also known as Service Control Policies, play a crucial role in managing policies within an organization. They can be applied to specific Organizational Units (OUs) or the entire organization, using the concept of inheritance to propagate policies across multiple accounts. SCPs offer the flexibility to enhance or restrict user permissions according to the specific requirements of the organization. To maximize their effectiveness, SCPs can be combined with advanced IAM constructs such as Condition, ArnNotLike, StringNotLike, and specific regions. By acting as guardrails, SCPs help prevent users from intentionally or unintentionally engaging in inappropriate actions, ensuring a secure and compliant environment.
AWS STS stands for AWS Security Token Service. It is a web service that allows you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users). These temporary security credentials can be used to access AWS resources for a limited time period, typically up to an hour.
STS is a useful service for a variety of scenarios, including:
- Cross-account access: You can use STS to grant users in one AWS account access to resources in another AWS account. This can be useful for scenarios where you need to share resources between teams or departments.
- Federated access: You can use STS to grant users access to AWS resources based on their identity in a different system, such as Active Directory or LDAP. This can be useful for scenarios where you want to allow users to access AWS resources without having to create IAM users for them.
- Temporary access: You can use STS to grant users temporary access to AWS resources, such as during a disaster recovery event. This can help to prevent unauthorized access to your resources after the event has passed.
- Global availability: STS is available in all AWS Regions. This means that you can use it to access resources in any AWS Region.
Incorporate federation into AWS account
If users have an auth method, you can incorporate federation into AWS account
Users use STS to request session for authorization when you incorporate federation.
Use cases
Active Directory Federation Services (AD FS) is a software component developed by Microsoft that can run on Windows Server operating systems to provide users with single sign-on access to systems and applications located across organizational boundaries. It uses a claims-based access-control authorization model to maintain application security and to implement federated identity.