Teri Radichel

Summary

Teri Radichel discusses the development of a function to move AWS accounts between organizational units (OUs) within an AWS Organization, detailing the challenges faced and the solutions implemented, along with related resources for further learning.

Abstract

In a detailed blog post, Teri Radichel outlines the process of creating a function to move AWS accounts between different OUs in an AWS Organization. The post begins with an acknowledgment of the unexpected complexity of the task, followed by a recap of a series on automating cybersecurity metrics and a mention of related stories on application security, cloud governance, and AWS security. Radichel provides links to her previous work on multi-person processes for domain name updates and obtaining account numbers by name using the AWS CLI. The author encountered issues with the AWS CLI, such as the need for OU IDs instead of names and shell behavior quirks, which were resolved and documented in her ou_functions.sh file. The post includes code snippets and explanations of parameter checks, query methods, and the use of the list-parents function to determine an account's current OU. Radichel concludes by mentioning her work on deploying a static website in an S3 bucket and invites followers to stay updated on her cybersecurity insights and services offered by 2nd Sight Lab.

Opinions

  • The author initially underestimated the complexity of moving AWS accounts between OUs but persevered to develop a working solution.
  • Radichel emphasizes the importance of using OU IDs over names when executing AWS CLI commands, highlighting a common pitfall.
  • The author shares personal experience with shell behavior issues, expressing a desire for improvements in this area.
  • Radichel values thorough documentation and parameter validation in her scripts, as evidenced by her detailed approach and code examples.
  • She acknowledges the learning curve and potential for error messages that may mislead, advocating for clearer error communication from AWS.
  • The author is actively engaged in sharing knowledge, as seen by her invitations to follow her work and sign up for her email list.
  • Radichel's work reflects a commitment to cybersecurity education and best practices, with references to her certifications, presentations, and recognition in the field.

Function to Move AWS Accounts Between Organizational Units

ACM.240 Governance by unlocking an account for a deployment and locking it back up after

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Check out my series on Automating Cybersecurity Metrics | Code.

🔒 Related Stories: Application Security | Cloud Governance | AWS Security

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Sometimes I think things are going to be really simple, but they’re not. Well, that seems to be most of the time lately. I wanted to write a quick function to move an account between two Organizational Units in an AWS Organization.

I’m going to implement a simplified version of the process I described here to deploy changes to NS records in an AWS account.

It started out with a problem because one of the accounts I’m working with was migrated in, not deployed by my framework. I needed to change the function that gets an account ID for an account name. I did that in the last post.

When I tried to use the command to move accounts I started by passing in OU names. Oops. That’s wrong. This command needs Organizational Unit IDs.

I tried to use a similar method to get the ID for an organizational unit to the one I used to get an ID for an account. That led to some fun with wonky shell behavior I wrote about here:

It’s not relevant to solving our problem but cost me time and I wish someone would fix it.

Finally, I got the function to look up an OU ID working. It looks like this and is in my ou_functions.sh file under /Org/stacks/OU.

As always, I’m checking to see the required parameters are passed in using a method I wrote many posts back.

I’m using the query method I covered in the last post.

I also needed the root id:

Once I had the OU IDs my move accounts function worked great, though the command gives you an incorrect error message if you pass in the destination OU twice. But it’s easy to figure out what’s going on. This is in the account_functions.sh file under Org/stacks/Account/.

That worked. I am now able to move an account from one OU to another fairly easily.

Only one move to start. Then I tested moving out and moving back.

I get a scary error message when the account isn’t in the OU. It says the account does not exist, but it means it doesn’t exist in that specific OU.

Next I needed a mechanism to look up the OU for an account. The list-parents function did the trick.

This worked:

So I check to see which OU the account is in before I move it and only move it if it is not in the OU I’m about to move it into.
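The OU lookup, root lookup, list-parents check and conditional move described above, pulled together as an added bash example that is not the author’s ou_functions.sh or account_functions.sh. The OU names (Locked, Deploy), the OU and root IDs and the account number are constructed placeholders, and aws_org is an assumed wrapper: with ORG_USE_REAL_AWS=1 it runs the real aws CLI with the same arguments, otherwise it answers from a stub that behaves enough like the Organizations API to exercise the logic offline, including the misleading “does not exist” error the post mentions.

```shell
#!/usr/bin/env bash
# Added example (not the author's ou_functions.sh or account_functions.sh).
# Resolves an OU name to its ID, finds an account's current parent with
# list-parents, and moves the account only if it is not already there.
# All AWS calls go through aws_org, which runs the real CLI when
# ORG_USE_REAL_AWS=1 and otherwise answers from the constructed stub below.

# Required-parameter check: fail fast when a value is empty.
check_param() {
  if [ -z "$2" ]; then
    echo "Missing required parameter: $1" >&2
    return 1
  fi
}

# The organization root is the parent of the top-level OUs.
get_root_id() {
  aws_org organizations list-roots --query 'Roots[0].Id' --output text
}

# move-account needs an OU ID, not a name, so look the ID up by name under
# a parent (the root or another OU) with a JMESPath filter on Name.
get_ou_id() {
  local ou_name="$1" parent_id="$2"
  check_param ou_name "$ou_name" && check_param parent_id "$parent_id" || return 1
  aws_org organizations list-organizational-units-for-parent \
    --parent-id "$parent_id" \
    --query "OrganizationalUnits[?Name=='$ou_name'].Id" --output text
}

# An account has exactly one parent (an OU or the root); list-parents returns it.
get_account_parent() {
  check_param account_id "$1" || return 1
  aws_org organizations list-parents --child-id "$1" \
    --query 'Parents[0].Id' --output text
}

# Skip the move when the account is already in the destination OU; calling
# move-account with the wrong source parent is what produces the misleading
# "account does not exist" error.
move_account_to_ou() {
  local account_id="$1" dest_ou_id="$2" current
  check_param account_id "$account_id" && check_param dest_ou_id "$dest_ou_id" || return 1
  current=$(get_account_parent "$account_id") || return 1
  if [ "$current" = "$dest_ou_id" ]; then
    echo "already-in-ou"
    return 0
  fi
  aws_org organizations move-account --account-id "$account_id" \
    --source-parent-id "$current" --destination-parent-id "$dest_ou_id" || return 1
  echo "moved:$current->$dest_ou_id"
}

# ---- Constructed stub (placeholder IDs, not real AWS identifiers) ----
STUB_ROOT_ID="r-abcd"
STUB_OU_LOCKED="ou-abcd-11111111"
STUB_OU_DEPLOY="ou-abcd-22222222"
STUB_ACCOUNT_PARENT="$STUB_OU_LOCKED"   # where account 111111111111 lives now

aws_org() {
  if [ "${ORG_USE_REAL_AWS:-0}" = "1" ]; then aws "$@"; return; fi
  local sub="$2" name src dst
  case "$sub" in
    list-roots) echo "$STUB_ROOT_ID" ;;
    list-organizational-units-for-parent)
      # Pull the OU name out of the --query filter: Name=='X'
      name=$(printf '%s\n' "$@" | grep -o "Name=='[^']*'" | head -n1)
      name=${name#"Name=='"}; name=${name%"'"}
      case "$name" in
        Locked) echo "$STUB_OU_LOCKED" ;;
        Deploy) echo "$STUB_OU_DEPLOY" ;;
        *) echo "" ;;            # real CLI prints nothing for no match
      esac ;;
    list-parents) echo "$STUB_ACCOUNT_PARENT" ;;
    move-account)
      while [ $# -gt 0 ]; do
        case "$1" in
          --source-parent-id) src="$2"; shift ;;
          --destination-parent-id) dst="$2"; shift ;;
        esac
        shift
      done
      if [ "$src" != "$STUB_ACCOUNT_PARENT" ]; then
        # Mimics the confusing real error: the account exists, just not in that OU
        echo "An error occurred: account does not exist" >&2
        return 1
      fi
      STUB_ACCOUNT_PARENT="$dst" ;;
  esac
}

# Demo: unlock an account for a deployment, then lock it back up.
root=$(get_root_id)
locked=$(get_ou_id Locked "$root")
deploy=$(get_ou_id Deploy "$root")
move_account_to_ou 111111111111 "$deploy"   # moved:ou-abcd-11111111->ou-abcd-22222222
move_account_to_ou 111111111111 "$deploy"   # already-in-ou
move_account_to_ou 111111111111 "$locked"   # moved:ou-abcd-22222222->ou-abcd-11111111
```

The source parent passed to move-account is whatever list-parents reported, so the caller never has to remember which OU the account was in, and the equality check in move_account_to_ou is what keeps the second, redundant move from hitting the error path. Against a real organization the --query filter on Name only returns a single ID if OU names are unique under that parent, which AWS does not enforce, so a lookup that returns more than one token is worth treating as a failure.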

I’ll check this code in as soon as I get through creating a website. I’m working on that in this sub series on deploying a static website in an S3 bucket — without a public bucket!

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2023

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
❤️ Sign up for my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab