Generic Methods for Enabling and Disabling Services for an AWS Organization
ACM.395 Quickly configure trusted access for services across your organization with some simple code
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
⚙️ Check out my series on Automating Cybersecurity Metrics | Code.
🔒 Related Stories: AWS Security | Secure Code | AWS Organizations
💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In the last post we checked out delegated access for Account Management in AWS Organizations to see what functionality it provides.
While we’re at it I’m going to write a quick (hopefully) post on functions to enable any service available for an AWS Organization.
If you take a look at this documentation page you can see all the services that you can use with AWS Organizations to manage resources across the organization instead of in each individual account.
I’m showing three here but the list is much longer. The second-to-last column shows whether the service supports trusted access, which is what lets you use it with AWS Organizations.

If you look at the two functions I created to enable Account Management and CloudTrail, they are essentially the same with a different service principal.

I can pretty easily write a generic function for that:

I can also create a disable service function:

Now I can call the function like this:

And in fact I can enable and disable all the services I want to use or not use in one place. But I need the service identifier. Unfortunately it does not appear in that table so we’ll have to click each link to get the service principal:

But that’s pretty easy and then I can have a list of services in one place and enable or disable them.
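Here is an added example of what the generic enable and disable functions and the single service-principal list described above can look like. It is not the post's own script. It assumes AWS CLI v2 with credentials for the organization's management account, and the service principals in it are taken from the AWS Organizations integration documentation; check each one against the service's own page before you run it. By default the script only prints the CLI calls it would make; set DRY_RUN=0 to actually apply them.

```bash
#!/usr/bin/env bash
# Added example (not the post's own script): generic enable/disable helpers
# for AWS Organizations trusted access, driven by one list of service
# principals. Assumes AWS CLI v2 with credentials for the management account.
# The service principals below are taken from the AWS Organizations
# integration docs; verify each against the service's page before use.
set -eu

# Safety valve: the script only prints the CLI calls until DRY_RUN=0 is set,
# because enabling trusted access can let a service start billable work in
# every member account.
DRY_RUN="${DRY_RUN:-1}"

run_aws() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "DRY RUN: aws $*"
  else
    command aws "$@"
  fi
}

# Local sanity check before hitting the API: a principal is a dotted
# lowercase name ending in .amazonaws.com, e.g. guardduty.amazonaws.com.
validate_principal() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9-]+(\.[a-z0-9-]+)*\.amazonaws\.com$'
}

# Service principals that currently have trusted access, one per line.
list_enabled() {
  command aws organizations list-aws-service-access-for-organization \
    --query 'EnabledServicePrincipals[].ServicePrincipal' --output text | tr '\t' '\n'
}

enable_service() {
  validate_principal "$1" || { echo "bad service principal: $1" >&2; return 1; }
  run_aws organizations enable-aws-service-access --service-principal "$1"
}

disable_service() {
  validate_principal "$1" || { echo "bad service principal: $1" >&2; return 1; }
  # Skip the call when the service is already off, so re-running is harmless.
  if [ "$DRY_RUN" != "1" ] && ! list_enabled | grep -qx "$1"; then
    echo "already disabled: $1"
    return 0
  fi
  run_aws organizations disable-aws-service-access --service-principal "$1"
}

# One place to decide what is on and what is off. This is a constructed
# selection for the example; the post enabled GuardDuty and Trusted Advisor.
ENABLE="
guardduty.amazonaws.com
reporting.trustedadvisor.amazonaws.com
"
DISABLE="
config.amazonaws.com
securityhub.amazonaws.com
"
# aws-artifact-account-sync.amazonaws.com and
# member.org.stacksets.cloudformation.amazonaws.com are deliberately not in
# DISABLE: the post reports that disable-aws-service-access rejected them as
# invalid service principals.

main() {
  for sp in $ENABLE; do enable_service "$sp"; done
  for sp in $DISABLE; do disable_service "$sp"; done
  if [ "$DRY_RUN" != "1" ]; then
    echo "Trusted access is now enabled for:"
    list_enabled
  fi
}

main "$@"
```

Two cautions before setting DRY_RUN=0. Disabling trusted access for a service that is still in use can break that service's organization-wide features in member accounts, so only disable services you are not actually using. The AWS Organizations documentation also recommends turning off an integration through the service's own console or API where it offers that, so the service can clean up its own resources, and only then disabling trusted access here.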

You’ll notice that AWS Artifact and StackSets are commented out above. That’s because I got an error that said I specified an invalid service when I ran my script. Perhaps the error message meant to say the service is already disabled, but that’s not what it said. It says I’m passing in an invalid service principal, and according to the documentation I’m not. Either way, it seems like a bug. Be aware that if you enable those services, you may not be able to disable them, at least not through the AWS CLI.
Other than that, my script worked like a charm. You can see I added some comments and links at the bottom for services that need to be manually enabled. I also disabled most services, because I don’t want to turn them on and get hit with a whopping bill, so I need to review that first. I enabled a few things I will definitely use, like GuardDuty, and Trusted Advisor has a free tier, so why not.

Hopefully I’ll get a chance to write about all these later.
Follow for updates.
Teri Radichel | © 2nd Sight Lab 2023
About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab
