Teri Radichel

Function to Move AWS Accounts Between Organizational Units

ACM.240 Governance by unlocking an account for a deployment and locking it back up after

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Check out my series on Automating Cybersecurity Metrics | Code.

🔒 Related Stories: Application Security | Cloud Governance | AWS Security

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Sometimes I think things are going to be really simple, but they're not. Well, that seems to be most of the time lately. I wanted to write a quick function to move an account between two Organizational Units in an AWS Organization.

I'm going to implement a simplified version of the process I described here to deploy changes to NS records in an AWS account.

It started out with a problem because one of the accounts I’m working with was migrated in, not deployed by my framework. I need to change the function that gets an account ID for an account number. I did that in the last post.

When I tried to use the command to move accounts, I started by passing in OU names. Oops. That's wrong. This command needs Organizational Unit IDs, not names.

I tried to use a method similar to the one I used to get an ID for an account to get the ID for an organizational unit. That led to some fun with wonky shell behavior I wrote about here:

It’s not relevant to solving our problem but cost me time and I wish someone would fix it.

Finally, I got the function that looks up an OU ID working. It looks like this and is in my ou_functions.sh file under /Org/stacks/OU.

As always, I’m checking to see the required parameters are passed in using a method I wrote many posts back.

I’m using the query method I covered in the last post.

I also needed the root id:

Once I had the OU IDs, my move-accounts function worked great, though the command gives you an incorrect error message if you pass in the destination OU twice (as both source and destination). It's easy enough to figure out what's going on, though. This is in the account_functions.sh file under Org/stacks/Account/.

That worked. I am now able to move an account from one OU to another fairly easily.

Only one move to start. Then I tested moving out and moving back.

I get a scary error message when the account isn't in the source OU. It says the account does not exist, but what it means is that the account doesn't exist in that specific OU.

Next I needed a mechanism to look up the OU for an account. The list-parents function did the trick.

This worked:

So now I check which OU the account is in before I move it, and only move it if it is not already in the OU I'm about to move it into.
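The whole flow described above (look up the root ID, resolve an OU name to an OU ID under that root, find the account's current parent with list-parents, and only call move-account when the account is not already in the destination OU) as one set of shell functions. This is an added example, not the code from the author's ou_functions.sh or account_functions.sh. It assumes AWS CLI v2 running with credentials in the management account that allow organizations:ListRoots, ListOrganizationalUnitsForParent, ListParents and MoveAccount; the OU names "Locked" and "Unlocked" and the account ID in the usage block are made-up placeholders. Deriving the source parent from list-parents rather than from a caller-supplied value is what avoids both error cases mentioned above: the destination is never passed as the source, and the move is never attempted against an OU the account is not in.

```shell
#!/bin/bash
# Added example: move an AWS account between OUs only when it is not already
# in the destination OU. Not the author's code; assumes AWS CLI v2 and
# management-account credentials with the Organizations permissions listed above.

# Every AWS call goes through this variable so the logic can be exercised
# without credentials by pointing AWS_CLI at a stub function or script.
AWS_CLI="${AWS_CLI:-aws}"

# Fail unless the named parameter has a value. $1 = parameter name, $2 = value.
check_param() {
  if [ -z "$2" ]; then
    echo "Missing required parameter: $1" >&2
    return 1
  fi
}

# The organization root ID (r-xxxx); OUs directly under the root use it as parent.
get_root_id() {
  "$AWS_CLI" organizations list-roots --query 'Roots[0].Id' --output text
}

# Resolve an OU name to its ID. $1 = OU name, $2 = parent ID (root or another OU).
# Prints an empty string when no OU with that name exists under the parent.
get_ou_id() {
  check_param ou_name "$1" || return 1
  check_param parent_id "$2" || return 1
  "$AWS_CLI" organizations list-organizational-units-for-parent \
    --parent-id "$2" \
    --query "OrganizationalUnits[?Name=='$1'].Id" --output text
}

# The OU (or root) an account currently sits in. $1 = 12-digit account ID.
get_account_parent_id() {
  check_param account_id "$1" || return 1
  "$AWS_CLI" organizations list-parents --child-id "$1" \
    --query 'Parents[0].Id' --output text
}

# Move an account into an OU, skipping the call when it is already there.
# $1 = account ID, $2 = destination OU ID.
move_account_to_ou() {
  check_param account_id "$1" || return 1
  check_param dest_ou_id "$2" || return 1
  local current
  current=$(get_account_parent_id "$1") || return 1
  if [ "$current" = "$2" ]; then
    echo "Account $1 is already in $2; nothing to do"
    return 0
  fi
  # Source parent comes from list-parents, so it can never equal the destination
  # and the account is guaranteed to be in it.
  "$AWS_CLI" organizations move-account --account-id "$1" \
    --source-parent-id "$current" --destination-parent-id "$2" || return 1
  echo "Moved account $1 from $current to $2"
}

# Usage (runs only when invoked as: ./move_account.sh ACCOUNT_ID SOURCE_OU DEST_OU):
# unlock the account for a deployment, then lock it back up afterwards.
if [ $# -eq 3 ]; then
  root=$(get_root_id) || exit 1
  dest_ou=$(get_ou_id "$3" "$root") || exit 1
  check_param dest_ou "$dest_ou" || exit 1
  move_account_to_ou "$1" "$dest_ou" || exit 1   # e.g. Locked -> Unlocked
  # ... run the deployment here ...
  back_ou=$(get_ou_id "$2" "$root") || exit 1
  move_account_to_ou "$1" "$back_ou" || exit 1   # e.g. Unlocked -> Locked
fi
```

Calling move_account_to_ou twice in a row with the same destination is harmless: the second call sees the account is already there and returns without touching the Organizations API, which is the property you want from a step that runs at the start and end of every deployment.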

I’ll check this code in as soon as I get through creating a website. I’m working on that in this sub series on deploying a static website in an S3 bucket — without a public bucket!

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2023

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab