Enable All AWS Organization Features
More Info:
Ensure that All Features is enabled within your Amazon Organizations to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs). An SCP is a type of organization control policy that can be used to restrict what users, and even administrators, can do in affected AWS accounts. For example, the master account of an organization can apply SCPs that prevent member accounts from leaving the organization. A Service Control Policy is similar to an IAM access policy, except that an SCP does not grant any access permissions; instead it acts as a filter that allows only the specified services and actions to be used within the organization. SCPs use whitelisting and blacklisting methods to filter the permissions that are available to member accounts. With whitelisting, you explicitly specify the access that is allowed and all other access is implicitly blocked. With blacklisting, you explicitly specify the access that is not allowed and all other access remains allowed.
Risk Level
Medium
Address
Security
Compliance Standards
NIST
Remediation
How to enable all AWS Organization features
Using AWS Console
- Create an AWS Organization: If you don’t have an organization already, you need to create one. Sign in to the AWS Management Console with your AWS account credentials, navigate to the AWS Organizations service, and follow the prompts to create a new organization.
- Enable consolidated billing: With AWS Organizations, you can consolidate the billing for all the member accounts under a single paying account. To enable consolidated billing, you need to designate one account as the master account and link other accounts as member accounts. Follow the instructions in the AWS Organizations console to set up consolidated billing.
- Set up service control policies (SCPs): SCPs allow you to establish fine-grained permissions and restrictions for member accounts within your organization. You can create SCPs that define which AWS services and actions are allowed or denied for organizational units (OUs) or accounts. Access the AWS Organizations console, navigate to the Policies section, and create and attach SCPs to the desired OUs or accounts.
- Implement organizational units (OUs): OUs are a way to organize and manage your AWS accounts within an organization. You can create hierarchical structures of OUs to reflect your organizational structure. Access the AWS Organizations console, navigate to the Organize accounts section, and create and manage OUs as needed.
- Establish service control policies for OUs: Once you have OUs set up, you can apply SCPs to control the permissions and access for the accounts within each OU. Navigate to the Policies section in the AWS Organizations console, create SCPs with the desired permissions, and attach them to the relevant OUs.
- Enable cross-account access: AWS Organizations allows you to enable cross-account access to simplify resource sharing across accounts within the organization. You can define trusted entities (accounts or organizations) and establish cross-account IAM roles to grant access. Access the AWS Organizations console, navigate to the Organize accounts section, and configure cross-account access as needed.
- Monitor and manage organization-wide services: AWS Organizations integrates with services such as AWS Config, AWS CloudTrail, and AWS CloudWatch that allow you to monitor and manage the activities and configurations across your organization. Enable and configure these services to gain visibility and control over your organization’s resources.
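The All Features check behind this rule, together with the SCP from the More Info section that prevents member accounts from leaving the organization, as an added Python example that is not part of this page: the pure functions take the `describe-organization` response and an SCP document as plain dicts, and boto3 is imported only for the live check in `main()`. The sample response and the SCP document are constructed here, and the SCP evaluator handles only the Action and Effect elements (Resource, Condition and NotAction are assumed absent or `*`).

```python
from fnmatch import fnmatchcase

# Constructed DescribeOrganization response for an organization
# that is still on the consolidated-billing-only feature set.
SAMPLE_ORG_BILLING_ONLY = {"Organization": {"FeatureSet": "CONSOLIDATED_BILLING"}}

# Constructed SCP: keep the default Allow-all and deny the single action
# that would let a member account leave the organization.
DENY_LEAVE_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "organizations:LeaveOrganization", "Resource": "*"},
    ],
}

def all_features_enabled(describe_org_response):
    """True only when FeatureSet is ALL; under CONSOLIDATED_BILLING no SCP is enforced."""
    org = describe_org_response.get("Organization", {})
    return org.get("FeatureSet") == "ALL"

def scp_allows(scp, action):
    """Minimal SCP evaluation: an action passes the filter only if some
    Allow statement matches it and no Deny statement matches it.
    Resource, Condition and NotAction are not evaluated (assumed '*')."""
    allowed = denied = False
    for stmt in scp["Statement"]:
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        # IAM action names are case-insensitive; '*' and '?' wildcards match as in fnmatch
        if any(fnmatchcase(action.lower(), p.lower()) for p in patterns):
            if stmt["Effect"] == "Deny":
                denied = True
            else:
                allowed = True
    return allowed and not denied

def main():
    import boto3  # needed only for the live check against the management account
    org = boto3.client("organizations").describe_organization()
    print("All features enabled:", all_features_enabled(org))
    print("SCP blocks LeaveOrganization:",
          not scp_allows(DENY_LEAVE_SCP, "organizations:LeaveOrganization"))

if __name__ == "__main__":
    main()
```

The equivalent CLI check is `aws organizations describe-organization --query Organization.FeatureSet`, which returns `ALL` when compliant; if it returns `CONSOLIDATED_BILLING`, the management account can start the migration with `aws organizations enable-all-features`, which sends a handshake that every invited member account must approve before the change takes effect.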