How To Enable Trusted Service In AWS Organization

Hello Everyone

Welcome to CloudAffaire and this is Debjeet.

In the last blog post, we have discussed AWS tag policy.

https://cloudaffaire.com/aws-tag-policy-with-examples/

In this blog post, we will discuss how to enable a trusted service in AWS Organizations. Trusted access lets you enable a supported AWS service that you specify, called the trusted service, to perform tasks in your organization and its accounts on your behalf. Enabling it grants permissions to the trusted service itself; it does not otherwise change the permissions of IAM users or roles in the accounts. Trusted access is enabled and disabled from the organization's management account.

When you enable access, the trusted service can create an IAM role called a service-linked role in any account in your organization whenever that role is needed. The role carries a permissions policy that allows the trusted service to perform the tasks described in that service's documentation, so you can specify the settings and configuration that you want the trusted service to maintain in your organization's accounts on your behalf. The trusted service only creates service-linked roles when it needs to perform management actions in an account, so they will not necessarily exist in every account of the organization, and disabling trusted access later does not delete the roles that were already created.

Key Concepts:

  • Trusted Access: You can enable a compatible AWS service to perform operations across all of the AWS accounts in your organization.
  • Trusted Service: A supported service, such as AWS Backup or AWS Resource Access Manager, that can be enabled in your organization to manage your member accounts.
  • Delegated Administrator: A compatible AWS service can register a member account of the organization as an administrator for the organization's accounts in that service, so that day-to-day administration of that service does not have to be done from the management account.

AWS Services Supported In AWS Organization:

  • AWS Artifact: Can be used to accept agreements on behalf of all accounts within your organization.
  • AWS Audit Manager: Can be used to continuously audit your AWS use across multiple accounts in your organization to simplify how you assess risk and compliance.
  • AWS Backup: Can be used to configure and manage backup plans for your entire organization, or for groups of accounts in your organization units (OUs). You can centrally monitor backups for all of your accounts.
  • AWS CloudFormation StackSets: Can be used to create a stack set with service-managed permissions that deploys stack instances to accounts in your organization.
  • AWS CloudTrail: Can be used to create an organization trail that logs all events for all accounts in that organization.
  • Amazon CloudWatch Events: Can be used to enable sharing of all CloudWatch Events across all accounts in your organization.
  • AWS Compute Optimizer: Can be used to analyze all resources that are in your organization’s accounts to get optimization recommendations.
  • AWS Config: Can be used to get an organization-wide view of your compliance status.
  • AWS Control Tower: Can be used to set up a landing zone, a multi-account environment for all of your AWS resources. This environment includes an organization and organization entities. You can use this environment to enforce compliance regulations on all of your AWS accounts.
  • AWS Directory Service: Can be used to integrate AWS Directory Service with AWS Organizations for seamless directory sharing across multiple accounts and any VPC in a Region.
  • AWS Firewall Manager: Can be used to centrally configure and manage AWS WAF rules across the accounts in your organization.
  • Amazon GuardDuty: Can be used to perform continuous security monitoring that analyzes and processes information from a variety of data sources across the accounts in your organization.
  • AWS Health: Can be used to get visibility into events that might affect your resource performance or availability issues for AWS services.
  • AWS IAM: Can be used to view service last accessed data for the accounts and OUs in your organization, to help you better understand AWS activity across your organization.
  • IAM Access Analyzer: Can be used to analyze resource-based policies in your AWS environment to identify any policies that grant access to a principal outside of your zone of trust.
  • AWS License Manager: Can be used to enable cross-account discovery of computing resources throughout your organization.
  • Amazon Macie: Can be used to discover and classify your business-critical content using machine learning to help you meet data security and privacy requirements. It continuously evaluates your content stored in Amazon S3 and notifies you of potential issues.
  • AWS Marketplace: Can be used to share licenses for your AWS Marketplace subscriptions and purchases across the accounts in your organization.
  • AWS Resource Access Manager: Can be used to share resources within your organization without exchanging additional invitations. Resources you can share include Route 53 Resolver rules, on-demand capacity reservations, and more.
  • AWS Security Hub: Can be used to view your security state in AWS and check your environment against security industry standards and best practices.
  • Amazon S3 Storage Lens: Can be used to get visibility into your Amazon S3 storage usage and activity metrics with actionable recommendations to optimize storage.
  • AWS Service Catalog: Can be used to create and manage catalogs of IT services that are approved for use on AWS.
  • Service Quotas: Can be used to view and manage your service quotas, also referred to as limits, from a central location.
  • AWS Single Sign-On: Can be used to provide single sign-on services for all of your accounts and cloud applications.
  • AWS Systems Manager: Can be used to synchronize operations data across all AWS accounts in your organization by using Systems Manager Explorer.
  • Tag policies: Can be used to standardize tags across resources in your organization’s accounts.
  • AWS Trusted Advisor: Can be used to inspect your AWS environment and make recommendations when opportunities exist to save money, improve system availability and performance, or help close security gaps.

Next, we are going to enable a trusted service in AWS Organizations using the AWS CLI. All of the commands below must be run with credentials for the organization's management account.

Prerequisite:

An AWS organization created with multiple OUs and member accounts. You can refer to the blog post below to create the organization. This blog post is a continuation of it.

https://cloudaffaire.com/how-to-manage-aws-organization-using-api/

How To Get List Of Enabled Services In AWS Organization Using AWS CLI:

How To Enable Trusted Service In AWS Organization Using AWS CLI:

How To Create A Delegated Administrator In AWS Organization Using AWS CLI:

How To Remove A Delegated Administrator From AWS Organization Using AWS CLI:

How To Disable Trusted Service In AWS Organization Using AWS CLI:
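The five steps under the headings above, listing, enabling, registering a delegated administrator, removing it again and disabling, as one added example script. This is not code from the original post or from AWS; it wraps the AWS Organizations CLI commands in functions, validates the account ID and service principal locally before any API call is made, and parses the listing output with plain grep so there is no jq dependency. Assumptions that are not in the page: IAM Access Analyzer (service principal access-analyzer.amazonaws.com) is the trusted service, 111122223333 is a placeholder member account ID, and the AWS CLI is already configured with management-account credentials. AWS recommends enabling trusted access from the trusted service's own console or API where the service offers that, because some services perform extra setup when enabled that way; the Organizations commands here are the generic path.

```shell
#!/bin/sh
# Added example, not from the original post: the trusted-access lifecycle for
# one trusted service, driven from the organization's management account with
# the AWS CLI. Everything that talks to AWS lives in a function and only runs
# when the script is invoked with the argument "run"; the validation and
# parsing helpers run offline.
# Assumptions (not from the page): IAM Access Analyzer is the trusted service,
# 111122223333 is a placeholder member account ID, and credentials for the
# management account are already configured for the AWS CLI.
set -eu

SERVICE_PRINCIPAL="access-analyzer.amazonaws.com"
MEMBER_ACCOUNT_ID="111122223333"

# --- local guard rails: reject malformed input before any API call ----------

# AWS account IDs are exactly 12 digits.
valid_account_id() {
  printf '%s' "$1" | grep -Eq '^[0-9]{12}$'
}

# Service principals passed to Organizations look like <service>.amazonaws.com.
valid_service_principal() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9-]+(\.[a-z0-9-]+)*\.amazonaws\.com$'
}

# Parse the JSON returned by list-aws-service-access-for-organization and
# report via exit status whether the given principal is already enabled.
#   $1 = JSON text, $2 = service principal
service_enabled_in() {
  esc=$(printf '%s' "$2" | sed 's/\./\\./g')   # dots must match literally
  printf '%s' "$1" | grep -Eq "\"ServicePrincipal\":[[:space:]]*\"$esc\""
}

# --- the five operations from the headings above ----------------------------

# 1. List the services that already have trusted access.
list_enabled_services() {
  aws organizations list-aws-service-access-for-organization --output json
}

# 2. Enable trusted access for one service (management account only).
enable_trusted_access() {
  valid_service_principal "$1" || { echo "bad service principal: $1" >&2; return 1; }
  aws organizations enable-aws-service-access --service-principal "$1"
}

# 3. Register a member account as delegated administrator for the service.
register_delegated_admin() {
  valid_account_id "$1" || { echo "bad account id: $1" >&2; return 1; }
  valid_service_principal "$2" || { echo "bad service principal: $2" >&2; return 1; }
  aws organizations register-delegated-administrator \
    --account-id "$1" --service-principal "$2"
}

# 4. Remove the delegated administrator again.
deregister_delegated_admin() {
  valid_account_id "$1" || { echo "bad account id: $1" >&2; return 1; }
  aws organizations deregister-delegated-administrator \
    --account-id "$1" --service-principal "$2"
}

# 5. Disable trusted access. Deregister delegated administrators first. This
#    stops the service creating new service-linked roles but does not delete
#    the roles it has already created in member accounts.
disable_trusted_access() {
  valid_service_principal "$1" || { echo "bad service principal: $1" >&2; return 1; }
  aws organizations disable-aws-service-access --service-principal "$1"
}

# Constructed sample of what list-aws-service-access-for-organization returns,
# used only for the offline self-check below.
SAMPLE_LISTING='{
    "EnabledServicePrincipals": [
        {
            "ServicePrincipal": "cloudtrail.amazonaws.com",
            "DateEnabled": "2021-03-01T10:15:00+00:00"
        }
    ]
}'

if service_enabled_in "$SAMPLE_LISTING" "cloudtrail.amazonaws.com" \
   && ! service_enabled_in "$SAMPLE_LISTING" "$SERVICE_PRINCIPAL"; then
  echo "offline parser check passed"
fi

# Full lifecycle against a real organization:  sh trusted-access.sh run
if [ "${1:-}" = "run" ]; then
  current=$(list_enabled_services)
  if service_enabled_in "$current" "$SERVICE_PRINCIPAL"; then
    echo "$SERVICE_PRINCIPAL already has trusted access"
  else
    enable_trusted_access "$SERVICE_PRINCIPAL"
  fi
  register_delegated_admin "$MEMBER_ACCOUNT_ID" "$SERVICE_PRINCIPAL"
  aws organizations list-delegated-administrators --service-principal "$SERVICE_PRINCIPAL"
  deregister_delegated_admin "$MEMBER_ACCOUNT_ID" "$SERVICE_PRINCIPAL"
  disable_trusted_access "$SERVICE_PRINCIPAL"
fi
```

Run it without arguments to exercise only the offline checks, and with `run` from the management account to walk the whole lifecycle. The order matters at the end: remove the delegated administrator before disabling trusted access, and remember that the service-linked roles already created in member accounts stay behind after the disable call, so review them separately if the goal is to fully withdraw the service's permissions.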

Hope you have enjoyed this article. To know more about AWS Organizations, please refer to the official documentation below:

https://docs.aws.amazon.com/organizations/index.html
