More Info:

Amazon Organizations changes should be monitored using AWS CloudWatch alarms.

Risk Level

Low

Address

Security

Compliance Standards

HIPAA, HITRUST, CISAWS, CBP

Triage and Remediation

Remediation

Using Console

The AWS Organizations Changes Alarm is triggered when there is a change in the AWS Organizations structure, such as adding or removing accounts, or changing the root email address. To remediate this misconfiguration, you can follow these steps:
  1. Log in to your AWS Management Console.
  2. Navigate to the CloudWatch service.
  3. Click on “Alarms” in the left-hand menu.
  4. Find the “AWS Organizations Changes Alarm” in the list of alarms.
  5. Click on the alarm to view its details.
  6. Click on the “Actions” dropdown menu and select “Disable Alarm Actions”.
  7. Click “Save” to disable the alarm.
This will stop the alarm from being triggered when there is a change in the AWS Organizations structure. However, it is important to regularly review and update your AWS Organizations structure to ensure that it is properly configured and secure.

The AWS Organizations Changes Alarm is triggered when there are changes made to the AWS Organizations service. To remediate this issue, you can follow the below steps using AWS CLI:
  1. Log in to your AWS account using AWS CLI.
  2. Run the following command to create an SNS topic that will be used to send notifications when the alarm is triggered: 
aws sns create-topic --name <topic-name>
  1. Run the following command to create a new CloudWatch alarm:
aws cloudwatch put-metric-alarm --alarm-name <alarm-name> --alarm-description "AWS Organizations Changes Alarm" --metric-name Organizations --namespace AWS/Organizations --statistic Sum --period 300 --evaluation-periods 1 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --dimensions Name=Operation,Value=All --alarm-actions <sns-topic-arn>
Replace the <alarm-name> with a name of your choice, <sns-topic-arn> with the ARN of the SNS topic created in step 2.
  1. Verify that the alarm has been created successfully by running the following command:
aws cloudwatch describe-alarms --alarm-names <alarm-name>
This should return the details of the alarm that you just created.
  1. Finally, you can test the alarm by making a change to your AWS Organizations service. If the alarm is triggered, you should receive a notification via the SNS topic created in step 2.
By following these steps, you can remediate the AWS Organizations Changes Alarm issue using AWS CLI.
The AWS Organizations Changes Alarm is triggered when there are changes made to the AWS Organizations service. To remediate this issue using Python, you can follow these steps:
  1. Create an SNS topic: You can create an SNS topic using the AWS SDK for Python (boto3). This topic will be used to send notifications whenever there is a change in the AWS Organizations service.
import boto3

sns = boto3.client('sns')

response = sns.create_topic(Name='organizations-changes')

topic_arn = response['TopicArn']
  1. Create a CloudWatch Events rule: You can create a CloudWatch Events rule to monitor changes to the AWS Organizations service. This rule will trigger an AWS Lambda function whenever there is a change.
import boto3

events = boto3.client('events')

response = events.put_rule(
    Name='organizations-changes',
    EventPattern='{"source": ["aws.organizations"]}'
)

rule_arn = response['RuleArn']
  1. Create an AWS Lambda function: You can create an AWS Lambda function using the AWS SDK for Python (boto3). This function will be triggered by the CloudWatch Events rule and will send a notification to the SNS topic.
import boto3

lambda_client = boto3.client('lambda')

response = lambda_client.create_function(
    FunctionName='organizations-changes',
    Runtime='python3.7',
    Role='arn:aws:iam::123456789012:role/lambda-role',
    Handler='lambda_function.lambda_handler',
    Code={
        'ZipFile': b'bytes',
    },
    Environment={
        'Variables': {
            'SNS_TOPIC_ARN': topic_arn,
        }
    },
)

function_arn = response['FunctionArn']
  1. Add permissions to the Lambda function: You need to add permissions to the Lambda function to allow it to publish messages to the SNS topic.
import boto3

lambda_client = boto3.client('lambda')

response = lambda_client.add_permission(
    FunctionName='organizations-changes',
    StatementId='sns-publish',
    Action='lambda:InvokeFunction',
    Principal='sns.amazonaws.com',
    SourceArn=topic_arn,
)
  1. Create a CloudWatch alarm: You can create a CloudWatch alarm to monitor the SNS topic. This alarm will be triggered whenever a message is published to the SNS topic.
import boto3

cloudwatch = boto3.client('cloudwatch')

response = cloudwatch.put_metric_alarm(
    AlarmName='organizations-changes',
    AlarmActions=[topic_arn],
    MetricName='NumberOfMessagesPublished',
    Namespace='AWS/SNS',
    Statistic='Sum',
    Period=60,
    EvaluationPeriods=1,
    Threshold=1,
    ComparisonOperator='GreaterThanOrEqualToThreshold',
)
These steps will help you remediate the AWS Organizations Changes Alarm issue using Python.

Additional Reading: