Skip to content

Organizational Unit (OU)⚓︎

AWS Account Organizational Unit Migration⚓︎

Overview⚓︎

AWS Account Organizational Unit (OU) migration involves transferring a member account from one organization to another. Here are the key steps to ensure a smooth migration.

Migration Steps⚓︎

  • Remove from Former Organization:

    • Access the member account with either root or IAM credentials in both the former and prospective organizations.
    • Remove the member account from the former organization.

  • Send Invitation:

    • In the prospective organization, send an invitation to the member account for migration.

  • Accept Invitation:

    • On the member account, accept the invitation from the prospective organization.

  • OrganizationAccountAccessRole:

    • Ensure that the OrganizationAccountAccessRole is added to the member account for proper access and integration within the new organization.

AWS Control Tower⚓︎

Overview⚓︎

AWS Control Tower simplifies the setup and governance of a secure, compliant multi-account AWS environment, leveraging best practices and AWS OUs for creating accounts.

Key Features⚓︎

  • Ease of Setup:

    • Provides a straightforward process for setting up environments with just a few clicks.

  • Policy Management Automation:

    • Automates ongoing policy management using guardrails.
      • SCP (Service Control Policies): Offers preventative guardrails.
      • AWS Config: Provides detective guardrails.

  • Violation Detection and Remediation:

    • Detects policy violations and takes automated steps to remediate them.

  • Compliance Monitoring:

    • Offers dashboards for monitoring compliance across the AWS environment.

Service Control Policies (SCP)⚓︎

Overview⚓︎

Service Control Policies (SCPs) are essential for managing permissions within AWS Organizational Units (OUs), ensuring that accounts stay within control settings and guardrails.

Key Points⚓︎

  • Permission Management:

    • SCPs manage permissions within OUs but do not grant permissions. The effective permissions result from the intersection of IAM, SCP, and IAM permissions boundaries.

  • Feature Dependency:

    • OUs must have all features enabled to utilize SCPs effectively.

  • Scope of Impact:

    • Affects member accounts and attached users and roles within, including root users, but not management accounts.

  • Exclusions:

    • Does not directly affect resource-based policies or service-linked roles.

  • Disabling and Re-Enabling:

    • If disabled at the root account, all SCPs are automatically detached from the OU. Re-enabling restores full AWS access (default).

  • Explicit Allow Requirement:

    • Requires an explicit allow, similar to IAM permissions boundaries. If not within the boundary, access is denied.

These measures ensure effective governance and control over AWS resources within an organizational structure.