
Naming Conventions That Minimize Complexity for Policies and Roles

ACM.416 Revisiting the names of AWS Organizational Units, Accounts, and Roles

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Check out my series on Automating Cybersecurity Metrics | Code.

🔒 Related Stories: AWS Organizations | IAM | Deploying a Static Website

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In the last post I documented the process for changing the email address on an AWS Organizations account. It is kind of painful because you can't rename a role or change an email address easily, and if you don't change the email before you close an account, you can't rename it.

In this post I want to explain why I’m renaming things and how I’m going to rename my OUs and accounts to try to make policy and role management easier (I think — to be tested.)

I was thinking about all the different roles I need for different administrators. But do I really need all those roles? Some administrators can administer a single account and specific kinds of resources. Some administrators need to be able to manage entire environments if something goes wrong. Ideally, if things are breaking in the non-prod environment due to a developer action, that is not affecting your production environment, and the administrative scope needed to fix the problem can be limited to nonprod.

I started thinking I could just use the organization role for all administrators — now that I sorted out how to enforce MFA without modifying the role itself in this post:

Instead of creating new roles for every type of administrator I think it will be possible to use the AWS Organizations role with an SCP to limit what each administrator can do with it.

I can also give the organizational role a different name in each environment. That way when I grant permissions, I can limit an administrator to assume the AWS Organizations role only in specific environments using the [env]-* construct in the ARN as I’ve demonstrated before for limiting access to CloudFormation stacks.

AWS has some constructs for allowing permissions in particular OUs as well but I have had problems with the implementation in the past. I’ll probably revisit that but the naming convention feels easier to implement and use.

The one thing I have to figure out is adding administrators to the AWS Organization Role trust policy. Can I do that? If not I still may need to add one role to every account to allow administrator access with a controlling SCP.

It may cause some issues if we need to iterate through every single account, because the code will need to account for the different organizational role names, so we'll minimize the number of environments while maintaining the major trust boundaries and minimizing risk to a reasonable degree. In my case, it's root, org, prod and nonprod, but you may have a more granular breakdown in a larger environment with different stages of the SDLC and different lines of business.

As mentioned in prior posts, I will have completely separate administrators for backup and domain name management.

My OUs can include the environment name like this. If the OU doesn't have a dash in it, then the OU name is the environment name.

This makes my code a bit easier to write.

env=$(echo "$name" | cut -d '-' -f1)   # quoted so a name with spaces is not split; "nonprod-web" -> nonprod, "prod" -> prod

That works whether the OU or account has a dash in it or not.
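The following is an added example, not code from the article, showing how the naming convention above feeds the two things the post wants from it: the per-environment role lookup that account-iteration code needs, and the [env]-* scoping of an administrator's assume-role permission. It assumes that the cross-account admin role in every environment is named <env>-adminrole (the post names only root-adminrole, so the other names are an assumption), that the account list is a constructed sample standing in for aws organizations list-accounts, and that the MFA condition and the SCP deny at the end are my additions rather than anything the post specifies.

```shell
#!/bin/sh
# Added example; not code from the article. Assumes the post's naming convention:
# OU and account names are "<env>" or "<env>-<suffix>", and the cross-account
# admin role in each environment is named "<env>-adminrole" (the post names only
# root-adminrole; the other role names are an assumption here).
set -eu

# Environment = everything before the first dash, or the whole name if there is
# none. Same result as the post's cut command, without a subshell or word splitting.
env_from_name() {
  printf '%s\n' "${1%%-*}"
}

# Admin role name for the environment an OU or account belongs to (assumed convention).
org_role_name() {
  printf '%s-adminrole\n' "$(env_from_name "$1")"
}

# Role ARN for one account, given its 12-digit ID and its name.
org_role_arn() {
  printf 'arn:aws:iam::%s:role/%s\n' "$1" "$(org_role_name "$2")"
}

# Identity policy for an administrator who may assume the admin role only in
# accounts of one environment: the "[env]-*" construct from the post. The account
# ID is a wildcard; the role-name prefix does the scoping. The MFA condition is
# an added assumption, not something the post specifies.
assume_role_policy_for_env() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::*:role/$1-*",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
  }]
}
EOF
}

# Illustrative SCP fragment for the environment's OU (my addition, not from the post).
# If <env>-adminrole carries administrator permissions, as the default Organizations
# role does, anyone who assumes it can call iam:UpdateAssumeRolePolicy on the role
# itself and add principals to its trust policy. This deny closes that; SCPs do not
# apply to the management account, so trust-policy changes would be made from there.
scp_lock_trust_policy_for_env() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Action": "iam:UpdateAssumeRolePolicy",
    "Resource": "arn:aws:iam::*:role/$1-*"
  }]
}
EOF
}

# Local check mirroring the wildcard match in assume_role_policy_for_env:
# returns 0 when the role ARN is inside the environment, 1 otherwise.
arn_in_env() {
  case "$1" in
    arn:aws:iam::*:role/"$2"-*) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample of "<account_id> <account_name>" lines; in practice this
# would come from `aws organizations list-accounts`.
SAMPLE_ACCOUNTS='111111111111 root-org
222222222222 nonprod-web
333333333333 prod-web
444444444444 org-backup'

# Print the admin role ARN each account exposes: the per-environment role lookup
# that code iterating over every account needs under this naming scheme.
list_org_roles() {
  printf '%s\n' "$SAMPLE_ACCOUNTS" | while read -r id name; do
    [ -n "$id" ] || continue
    org_role_arn "$id" "$name"
  done
}

list_org_roles
assume_role_policy_for_env nonprod
scp_lock_trust_policy_for_env nonprod
```

Because the account ID in the Resource ARN is a wildcard, the role-name prefix is the only thing keeping a nonprod administrator out of prod accounts, which is exactly why the convention has to be enforced on every role name an environment creates; arn_in_env is a quick local way to check a proposed role name against the policy before deploying it.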

I use the org-admin user in the root-org account to build out the organization using the cross-account role: root-adminrole.

The organizational environment has the following OUs:

Accounts for the org-governance OU:

Note that I was going to try to have the billing administrator create the accounts but that proved to be challenging for various reasons.

The org-security and org-backup OUs:

Accounts in the org-deploy OU:

The org-deploy account processes can move code between environments and validate code integrity in the process.

Sample nonprod accounts:

Note that I am separating non-prod, prod, and org backups.

So now that I’ve thought that out, I can redeploy all my OUs and accounts using the method for doing so in parallel that I wrote about in this post.

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2023

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab