Enable All AWS Organization Features
More Info:
Ensure that All Features is enabled within your Amazon Organizations to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs). An SCP is a type of organization control policy that can be used to restrict what users and even administrators can do in affected AWS accounts. For example, the master account from an organization can apply SCPs that can prevent member accounts from leaving the organization. A Service Control Policy is similar to an IAM access policy except the SCP does not grant any access permissions but instead it acts like a filter that allows only the specified services and actions to be used within the organization. SCPs make use of whitelisting and blacklisting methods to filter the permissions that are available to member accounts. When whitelisting is used, you can explicitly specify the access that is allowed and all other access is implicitly blocked. When blacklisting is used, you can explicitly specify the access that is not allowed and all other access is grantedRisk Level
MediumAddress
SecurityCompliance Standards
CBPTriage and Remediation
Remediation
Using Console
Using Console
To remediate the misconfiguration “Enable All AWS Organization Features” for AWS using AWS console, follow these steps:
- Log in to your AWS Management Console.
- Navigate to the AWS Organizations service.
- Click on the “Settings” tab in the left navigation menu.
- Scroll down to the “Feature Configuration” section.
- Click on the “Enable All Features” button.
- Review the features that will be enabled and click “Confirm”.
- Wait for the process to complete.
Using CLI
Using CLI
To enable all AWS Organization features, you can follow these steps using AWS CLI:This should return a JSON object that includes information about your organization, including the status of all enabled features.
- Open the AWS CLI on your local machine or EC2 instance.
- Run the following command to enable all AWS Organization features:
- If you receive an error message that says “You don’t have permissions to enable all features,” you need to ensure that you have the necessary permissions to perform this action. You can check your permissions by running the following command:
- If you do not have the necessary permissions, you can add them by creating a new policy. For example, you can create a new policy called “EnableAllOrgFeatures” with the following permissions:
- Once you have the necessary permissions, you can run the command again to enable all AWS Organization features:
- Wait for a few minutes for the changes to take effect.
- Verify that all AWS Organization features are enabled by running the following command:
Using Python
Using Python
To enable all AWS Organization features, you can use the AWS Organizations API in Python. Here are the steps to remediate this misconfiguration:
- First, you need to install the
boto3library in Python. You can install it using the following command:
-
Next, you need to set up your AWS credentials in your Python environment. You can do this by creating a new profile in your
~/.aws/credentialsfile or by setting theAWS_ACCESS_KEY_IDandAWS_SECRET_ACCESS_KEYenvironment variables. - Once you have set up your credentials, you can use the following Python code to enable all AWS Organization features:
- Finally, you can run the Python script to enable all AWS Organization features. Once the script has completed, all features will be enabled for your AWS Organization.