How To Manage AWS Organization Using API
Hello Everyone
Welcome to CloudAffaire and this is Debjeet.
In today's blog post, we will discuss how to manage AWS Organizations using the API. We will use the AWS CLI to make those API calls, but the concept remains the same if you are using any other SDK. Below is the target landscape that we are going to create using the API (AWS CLI).
If you want to know more about AWS Organizations, follow the link below:
https://cloudaffaire.com/what-is-aws-organization/
Prerequisites:
- Three active AWS accounts with admin access.
- AWS CLI and jq installed and configured with admin access to each account.
I have already configured three AWS CLI profiles, one for each account, as below:
```bash
## AWS CLI configuration
cat .aws/credentials
[management]
aws_access_key_id =
aws_secret_access_key =
[member1]
aws_access_key_id =
aws_secret_access_key =
[member2]
aws_access_key_id =
aws_secret_access_key =

cat .aws/config
[management]
region = ap-south-1
output = json
[member1]
region = ap-south-1
output = json
[member2]
region = ap-south-1
output = json

## Confirm each profile resolves to the expected account
aws sts get-caller-identity --profile management
aws sts get-caller-identity --profile member1
aws sts get-caller-identity --profile member2
```
You can use the links below to install and configure AWS CLI.
https://cloudaffaire.com/how-to-install-aws-cli/
https://cloudaffaire.com/how-to-configure-aws-cli/
Step 1: Create a new AWS Organization using AWS CLI.
```bash
## Create a new AWS Organization (run from the account that will become the management account)
aws organizations create-organization \
  --profile management
```
Step 2: Validate your management account email id (if not validated already).
Log in to the email account associated with your management account and click the link to validate your email id.
Step 3: Invite member accounts to join the AWS organization using their email id or account id
```bash
## Invite member one account to your organization (by email id)
## Replace <member1-email-id> with the root email id of the member account
aws organizations invite-account-to-organization \
  --target '{"Type": "EMAIL", "Id": "<member1-email-id>"}' \
  --notes "Request to join organization debjeet" \
  --profile management

## Invite member two account to your organization (by account id)
## Replace <member2-account-id> with the 12-digit account id of the member account
aws organizations invite-account-to-organization \
  --target '{"Type": "ACCOUNT", "Id": "<member2-account-id>"}' \
  --notes "Request to join organization debjeet" \
  --profile management
```
Step 4: In the member accounts, accept the invite to join the AWS organization
```bash
## Accept the invite from member one account
## Note: .Handshakes[0] assumes this invite is the only (or first listed) handshake for the account
MEMBER1_HANDSHAKE_ID=$(aws organizations list-handshakes-for-account \
  --profile member1 | jq -r .Handshakes[0].Id) &&
aws organizations accept-handshake \
  --handshake-id $MEMBER1_HANDSHAKE_ID \
  --profile member1

## Accept the invite from member two account
MEMBER2_HANDSHAKE_ID=$(aws organizations list-handshakes-for-account \
  --profile member2 | jq -r .Handshakes[0].Id) &&
aws organizations accept-handshake \
  --handshake-id $MEMBER2_HANDSHAKE_ID \
  --profile member2
```
Step 4: Create new Organizational Units (OUs) using AWS CLI
```bash
## Get your Root OU ID
ROOT_OU_ID=$(aws organizations list-roots \
  --profile management | jq -r .Roots[0].Id) &&
echo $ROOT_OU_ID

## Create new OU named "Foundation" under "Root" OU
FOUNDATION_OU_ID=$(aws organizations create-organizational-unit \
  --parent-id $ROOT_OU_ID \
  --name Foundation \
  --profile management | jq -r .OrganizationalUnit.Id)

## Create new OU named "Regulatory" under OU "Foundation"
REGULATORY_OU_ID=$(aws organizations create-organizational-unit \
  --parent-id $FOUNDATION_OU_ID \
  --name Regulatory \
  --profile management | jq -r .OrganizationalUnit.Id)
```
Step 5: Move member accounts to specific OUs (refer to the landscape diagram)
```bash
## Move member1 account under "Foundation" OU
MEMBER1_ACC_ID=$(aws sts get-caller-identity \
  --profile member1 | jq -r .Account) &&
aws organizations move-account \
  --account-id $MEMBER1_ACC_ID \
  --source-parent-id $ROOT_OU_ID \
  --destination-parent-id $FOUNDATION_OU_ID \
  --profile management

## Move member2 account under "Regulatory" OU
MEMBER2_ACC_ID=$(aws sts get-caller-identity \
  --profile member2 | jq -r .Account) &&
aws organizations move-account \
  --account-id $MEMBER2_ACC_ID \
  --source-parent-id $ROOT_OU_ID \
  --destination-parent-id $REGULATORY_OU_ID \
  --profile management
```
Step 6: Enable an organization policy type (tag policies)
```bash
## Enable the tag policy type on the organization root using AWS CLI
## (a policy type must be enabled on the root before policies of that type can be attached)
aws organizations enable-policy-type \
  --root-id $ROOT_OU_ID \
  --policy-type TAG_POLICY \
  --profile management
```
Step 7: Create a new organization policy
```bash
## Create a new tag policy file
cat <<EOF > tag_policy.json
{
  "tags": {
    "environment": {
      "tag_key": {
        "@@assign": "Environment"
      },
      "tag_value": {
        "@@assign": [
          "Production",
          "Development",
          "Test"
        ]
      },
      "enforced_for": {
        "@@assign": [
          "ec2:vpc"
        ]
      }
    }
  }
}
EOF

## Create a new tag policy
aws organizations create-policy \
  --content file://tag_policy.json \
  --name EnforceVPCTags \
  --type TAG_POLICY \
  --description "Enforce Environment Tags On VPC" \
  --profile management
```
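Before creating the policy it helps to see what the @@assign operators above actually enforce. The following is an added example, not code from the original post: it parses the Step 7 tag policy (embedded here as constructed input) and evaluates a resource's tags the way the tag policy rules apply, reporting noncompliant keys or values and whether enforced_for would block the tagging operation for that resource type.

```python
import json

# Constructed input for this example: the tag policy document created in Step 7.
TAG_POLICY_JSON = """{
  "tags": {
    "environment": {
      "tag_key":      {"@@assign": "Environment"},
      "tag_value":    {"@@assign": ["Production", "Development", "Test"]},
      "enforced_for": {"@@assign": ["ec2:vpc"]}
    }
  }
}"""

def parse_tag_policy(policy_json):
    """Flatten the @@assign operators into {tag_key: (allowed_values, enforced_resource_types)}."""
    rules = {}
    for body in json.loads(policy_json)["tags"].values():
        key = body["tag_key"]["@@assign"]
        allowed = set(body.get("tag_value", {}).get("@@assign", []))
        enforced = set(body.get("enforced_for", {}).get("@@assign", []))
        rules[key] = (allowed, enforced)
    return rules

def evaluate_tags(rules, resource_type, tags):
    """Check one resource's tags (a dict) against the parsed policy.

    Returns (findings, blocked). A tag is noncompliant when its key matches a policy
    key case-insensitively but with different capitalisation, or its value is not in
    the allowed list. blocked is True when enforced_for covers resource_type, meaning
    the tagging call itself would be rejected. Tag policies do not require the tag
    to be present, so an absent key yields no finding.
    """
    findings = []
    blocked = False
    for policy_key, (allowed, enforced) in rules.items():
        for key, value in tags.items():
            if key.lower() != policy_key.lower():
                continue
            bad = False
            if key != policy_key:
                findings.append(f"key '{key}' must be capitalised as '{policy_key}'")
                bad = True
            if allowed and value not in allowed:
                findings.append(f"'{key}={value}' is not one of {sorted(allowed)}")
                bad = True
            if bad and resource_type in enforced:
                blocked = True
    return findings, blocked
```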
Step 8: Attach the policy to the "Regulatory" OU
```bash
## Attach the tag policy to the "Regulatory" OU
## Note: .Policies[0] picks the first tag policy listed; this is the one created above only if no other tag policy exists
TAG_POLICY_ID=$(aws organizations list-policies \
  --filter TAG_POLICY \
  --profile management | jq -r .Policies[0].Id) &&
aws organizations attach-policy \
  --policy-id $TAG_POLICY_ID \
  --target-id $REGULATORY_OU_ID \
  --profile management
```
Step 9: Get details of your organization
```bash
## Get details on your organization
aws organizations describe-organization \
  --profile management

## Get details for root OU
aws organizations list-roots \
  --profile management

## Get details for a child OU
aws organizations describe-organizational-unit \
  --organizational-unit-id $REGULATORY_OU_ID \
  --profile management

## Get details for an organization policy
aws organizations describe-policy \
  --policy-id $TAG_POLICY_ID \
  --profile management

## Get effective organization policy details
aws organizations describe-effective-policy \
  --policy-type TAG_POLICY \
  --profile management

## Get details on management or member accounts
aws organizations describe-account \
  --account-id $MEMBER1_ACC_ID \
  --profile management

## List all accounts that are part of your organization
aws organizations list-accounts \
  --profile management

## List all accounts that are part of an OU
aws organizations list-accounts-for-parent \
  --parent-id $REGULATORY_OU_ID \
  --profile management

## List AWS services enabled to integrate with your organization
aws organizations list-aws-service-access-for-organization \
  --profile management

## List all OUs under an OU
aws organizations list-children \
  --child-type ORGANIZATIONAL_UNIT \
  --parent-id $FOUNDATION_OU_ID \
  --profile management

## List all accounts under an OU
aws organizations list-children \
  --child-type ACCOUNT \
  --parent-id $FOUNDATION_OU_ID \
  --profile management

## List delegated administrators
aws organizations list-delegated-administrators \
  --profile management

## List delegated administrators for a specific AWS service
aws organizations list-delegated-administrators \
  --service-principal config.amazonaws.com \
  --profile management

## List the AWS services for which the specified account is a delegated administrator
## aws organizations list-delegated-services-for-account \
##   --account-id $MEMBER1_ACC_ID \
##   --profile management

## List the OUs in a parent OU or root
aws organizations list-organizational-units-for-parent \
  --parent-id $FOUNDATION_OU_ID \
  --profile management

## List parent OU details for an OU
aws organizations list-parents \
  --child-id $REGULATORY_OU_ID \
  --profile management

## List all organization policies of a specific type
aws organizations list-policies \
  --filter TAG_POLICY \
  --profile management

## List all OUs and accounts a policy is attached to
aws organizations list-targets-for-policy \
  --policy-id $TAG_POLICY_ID \
  --profile management
```
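The list calls above return one level of the tree at a time, and each one pages its results with NextToken, so a full inventory of which account sits under which OU takes a recursive, paginated walk. The following is an added example, not code from the original post: walk_org builds that inventory from the same two API operations (list_accounts_for_parent and list_organizational_units_for_parent, named as boto3 exposes them). The constructed FakeOrganizations class stands in for boto3.client("organizations") so the example runs offline; its OU and account IDs are placeholders mirroring the post's landscape.

```python
def _paginate(call, result_key, **kwargs):
    """Yield every item across pages, following NextToken until the API omits it."""
    token = None
    while True:
        resp = call(**kwargs, **({"NextToken": token} if token else {}))
        yield from resp[result_key]
        token = resp.get("NextToken")
        if not token:
            return

def walk_org(client, parent_id, path=("Root",)):
    """Return [(account_id, name, "Root/OU/.../OU")] for every account under parent_id."""
    inventory = []
    for acct in _paginate(client.list_accounts_for_parent, "Accounts", ParentId=parent_id):
        inventory.append((acct["Id"], acct["Name"], "/".join(path)))
    for ou in _paginate(client.list_organizational_units_for_parent,
                        "OrganizationalUnits", ParentId=parent_id):
        inventory.extend(walk_org(client, ou["Id"], path + (ou["Name"],)))
    return inventory

class FakeOrganizations:
    """Constructed stand-in for the boto3 Organizations client; all IDs are placeholders."""
    _ous = {"r-root": [{"Id": "ou-foundation", "Name": "Foundation"}],
            "ou-foundation": [{"Id": "ou-regulatory", "Name": "Regulatory"}],
            "ou-regulatory": []}
    _accounts = {"r-root": [{"Id": "111111111111", "Name": "management"}],
                 "ou-foundation": [{"Id": "222222222222", "Name": "member1"}],
                 "ou-regulatory": [{"Id": "333333333333", "Name": "member2"}]}

    def _page(self, items, key, NextToken):
        # Serve one item per page so the NextToken loop is actually exercised.
        i = int(NextToken or 0)
        page = {key: items[i:i + 1]}
        if i + 1 < len(items):
            page["NextToken"] = str(i + 1)
        return page

    def list_organizational_units_for_parent(self, ParentId, NextToken=None):
        return self._page(self._ous[ParentId], "OrganizationalUnits", NextToken)

    def list_accounts_for_parent(self, ParentId, NextToken=None):
        return self._page(self._accounts[ParentId], "Accounts", NextToken)
```

With real credentials, pass boto3.client("organizations", ...) as client and the root ID from list-roots as parent_id; the walk is otherwise unchanged.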
Step 10: Cleanup
```bash
## Detach an organization policy from an OU/account
aws organizations detach-policy \
  --target-id $REGULATORY_OU_ID \
  --policy-id $TAG_POLICY_ID \
  --profile management

## Delete an organization policy
aws organizations delete-policy \
  --policy-id $TAG_POLICY_ID \
  --profile management

## Do not perform the steps below if you want to continue with this series.

## Remove a member account from the organization (1st method: from the management account)
aws organizations remove-account-from-organization \
  --account-id $MEMBER2_ACC_ID \
  --profile management

## Remove a member account from the organization (2nd method: from the member account itself)
aws organizations leave-organization \
  --profile member1

## Delete the organization (all member accounts must have been removed first)
aws organizations delete-organization \
  --profile management
```
Hope you have enjoyed this article. To know more about AWS Organizations, please refer to the official documentation below:
https://docs.aws.amazon.com/organizations/index.html