Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: MIT-0
This code is now deprecated. For the updated AWS Solution, please refer to Account Assessment for AWS Organizations: https://aws.amazon.com/solutions/implementations/account-assessment-for-aws-organizations/
Many enterprise customers use AWS Organizations to manage their AWS accounts, and they often come across a scenario in which AWS accounts need to be migrated from one AWS Organization to another.
AWS Organizations helps you centrally manage and govern your environment as you grow and scale your AWS resources. In addition, AWS Organizations is integrated with other AWS services so you can define central configurations, security mechanisms, audit requirements, and resource sharing across accounts in your organization. As we work with customers who may have an acquisition use case or a need to move from one AWS Organization to another, they ask "what can break?"
There are a few things that must be considered when analyzing the impact of migrating AWS accounts from one AWS Organization to another. During the course of such a migration it is imperative to understand the central configurations and organizational dependencies, and to assess the environment before the actual migration.
AWS Organizations dependency checker
This repository provides the automation to check for references to Organizational resources in policies across some or all of the accounts in an AWS Organization. Specifically, the tool looks for the Org ID and Org Path conditions (the `aws:PrincipalOrgID` and `aws:PrincipalOrgPaths` IAM global condition keys) in policies. This is used to analyze the dependencies when AWS accounts are migrated from one AWS Organization to another. Please review the Customer Advisory before using the Dependency Checker.
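As an added illustration of the check described above (this is example code, not the repository's own Lambda), the function below walks the `Condition` blocks of a policy document and reports any `aws:PrincipalOrgID` or `aws:PrincipalOrgPaths` values it references. The sample bucket policy is constructed for this example; of the report column names only `OrgPath Dependency Found` comes from this README, the others are assumed.

```python
import json

# IAM global condition keys that bind a policy to one organization (compared
# lower-cased because IAM matches condition key names case-insensitively).
ORG_ID_KEY = "aws:principalorgid"
ORG_PATH_KEY = "aws:principalorgpaths"

def find_org_conditions(policy_document):
    """Return the aws:PrincipalOrgID / aws:PrincipalOrgPaths values referenced
    by any statement Condition. Accepts a parsed dict or a JSON string."""
    if isinstance(policy_document, str):
        policy_document = json.loads(policy_document)
    statements = policy_document.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    found = {"org_id": [], "org_path": []}
    for stmt in statements:
        # Condition is {operator: {key: value-or-list}}; set operators such as
        # ForAnyValue:StringLike only change the operator name, not the layout.
        for key_values in (stmt.get("Condition") or {}).values():
            for key, values in key_values.items():
                values = [values] if isinstance(values, str) else list(values)
                if key.lower() == ORG_ID_KEY:
                    found["org_id"].extend(values)
                elif key.lower() == ORG_PATH_KEY:
                    found["org_path"].extend(values)
    return found

def report_row(resource_arn, policy_document):
    """One report row per resource (column names other than OrgPath Dependency Found are assumed)."""
    found = find_org_conditions(policy_document)
    return {
        "Resource": resource_arn,
        "OrgId Dependency Found": bool(found["org_id"]),
        "OrgPath Dependency Found": bool(found["org_path"]),
        "OrgIds": ";".join(found["org_id"]),
        "OrgPaths": ";".join(found["org_path"]),
    }

# Constructed sample: a bucket policy trusting one organization by ID and one OU
# subtree by path; both grants stop matching once the account leaves that org.
SAMPLE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
        {"Effect": "Allow", "Principal": "*", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"ForAnyValue:StringLike": {"aws:PrincipalOrgPaths": ["o-exampleorgid/r-exampleroot/ou-example*/"]}}},
    ],
}
```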
This repository provides:
- A CloudFormation template to deploy the IAM role via StackSets to all accounts in the Org (required by the Lambda to assume)
- A SAM application to:
  - Deploy the Lambda function that scans AWS resources for Org ID and Org Path conditions
  - Create the S3 bucket for storing generated reports
  - Deploy the role that the Lambda assumes into the master account
For ease of deployment, the architecture has been wrapped into an AWS SAM application.
Prerequisites:
- SAM CLI installed
- AWS CLI installed (with credentials/profile set for the master account of the AWS Organization)
Add policy to IAM user
The following IAM policy should be assigned to the IAM user or role that will be used to execute the included dependency scanner code. The goal of this policy is to prevent create/update/delete actions on any AWS resources other than the specific named resources that the dependency scanner code itself needs to deploy. Please carefully review this policy with your own security and/or access teams to ensure no additional safeguards are required.
Deploy SAM application to master account
Build and Deploy:
First build the app:
```
sam build
```
(if using Windows, add the `--use-container` option to the above command)
Ensuring you are using credentials for the master account of the Org, deploy the app using the guided mode:
```
sam deploy -g --capabilities CAPABILITY_NAMED_IAM
```
Follow the prompts to deploy the application. Name the application
Make a note of the value of `LambdaRole`, which is output after successful stack deployment.
Deploy role to Org accounts
The SAM application deploys a Lambda which needs to assume a role in the accounts within your Org. This role needs to exist in each of those accounts. Deploy it to multiple accounts by creating a StackSet within the master account.
The quickest and most customisable way to do this is via the CloudFormation console:
- Open the CloudFormation Console
- Click "StackSets" in the left pane
- Click "Create StackSet" in the centre pane
- Choose "Upload template file" and then select `org-dep-checker-role-stackset.yaml` from this repository, then "Next"
- For stackset name, enter "org-dep-checker-role"
- For parameter "LambdaRole", enter the ARN noted from the `LambdaRole` output of the `sam deploy` command (or alternatively, navigate to the Outputs of the SAM app's stack in the CloudFormation console). Click "Next"
- In Step 3, leave "Service Managed Permissions" checked, and click "Next"
- In Step 4, leave deployment targets as "Deploy to Organization". This will deploy the role to all accounts in the Org. Alternatively, you can specify individual OUs instead of all the Org.
- Specify the regions, e.g. ap-southeast-2 and ap-southeast-1
- Optionally change the concurrent accounts and failure tolerance as desired.
- Click "Next", Review config, then "Submit"
The Lambda trigger is manual, and therefore the easiest way to initiate it is via the AWS Lambda console.
It can take some time to analyse each account, so although it is possible to run against all accounts in the Org, it is suggested to specify lists of accounts instead. Otherwise there is a risk of hitting the 15 minute Lambda timeout. This option can be configured via the Lambda environment variables (see next section).
Configuring the lambda
- Navigate to the AWS Lambda console, choose "Functions" in left pane
- Find function beginning with
- In the function window, click on tab "Configuration", then "Environment Variables"
- If you wish to run on all accounts, set `USE_ORG_FOR_ACCOUNT_LIST` to true
- Recommended: Set `USE_ORG_FOR_ACCOUNT_LIST` to false, and enter accounts in `ACCOUNT_LIST` as a comma separated string. Start with one account to test that everything is ok.
Executing the lambda
In the lambda console:
- Navigate to the
- Click "Test".
- For payload, enter any name (e.g. 'test') and hit "Save". No payload is needed, but one is required to execute.
- Click "Test" to execute the code.
- Monitor the progress through the Lambda console, or in real time through CloudWatch Logs (click on the "Monitor" tab and "View logs in CloudWatch")
- Once complete, results are stored in S3 in the bucket `_accountid_-org-check-resource-reports` (where accountid is the management account id)
Reading the reports
The CSV / XLS files generated contain columns flagging Org ID and Org Path dependencies, including `OrgPath Dependency Found`.
If any row has this set to True, then a plan needs to be put in place for the migration of this account: these resources will be affected when the account is removed from the existing Org.
Important to know: the list of AWS services that support resource-based policies is available at https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html#deploy_svcs