More Info:

Ensure that All Features is enabled within your AWS Organizations to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs). An SCP is a type of organization control policy that can be used to restrict what users and even administrators can do in affected AWS accounts. For example, the master account (now called the management account) of an organization can apply SCPs that prevent member accounts from leaving the organization. A Service Control Policy is similar to an IAM access policy except that the SCP does not grant any access permissions; instead it acts like a filter that allows only the specified services and actions to be used within the organization. SCPs make use of whitelisting and blacklisting methods to filter the permissions that are available to member accounts. When whitelisting is used, you explicitly specify the access that is allowed and all other access is implicitly blocked. When blacklisting is used, you explicitly specify the access that is not allowed and all other access is granted.

Risk Level

Medium

Address

Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Enable All AWS Organization Features” for AWS using AWS console, follow these steps:
  1. Log in to your AWS Management Console.
  2. Navigate to the AWS Organizations service.
  3. Click on the “Settings” tab in the left navigation menu.
  4. Scroll down to the “Feature Configuration” section.
  5. Click on the “Enable All Features” button.
  6. Review the features that will be enabled and click “Confirm”.
  7. Wait for the process to complete.
Once the process is complete, all the AWS organization features will be enabled and the misconfiguration will be remediated.

Using CLI

To enable all AWS Organization features, you can follow these steps using AWS CLI (the commands must be run with credentials for the organization's management account):
  1. Open the AWS CLI on your local machine or EC2 instance.
  2. Run the following command to enable all AWS Organization features:
aws organizations enable-all-features
  3. If you receive an error message that says “You don’t have permissions to enable all features,” you need to ensure that you have the necessary permissions to perform this action. You can check whether your user or role is allowed to call the action by running the following command (replace the placeholder with the ARN of your IAM user or role):
aws iam simulate-principal-policy --policy-source-arn <your-principal-arn> --action-names organizations:EnableAllFeatures
  4. If you do not have the necessary permissions, you can add them by creating a new policy. For example, you can create a new policy called “EnableAllOrgFeatures” with the following permissions:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EnableAllOrgFeatures",
            "Effect": "Allow",
            "Action": [
                "organizations:EnableAllFeatures"
            ],
            "Resource": "*"
        }
    ]
}
  5. Once you have the necessary permissions, you can run the command again to enable all AWS Organization features:
aws organizations enable-all-features
  6. Wait for a few minutes for the changes to take effect. If the organization contains member accounts that were invited rather than created, each of those accounts must accept the resulting handshake before the change is applied.
  7. Verify that all AWS Organization features are enabled by running the following command:
aws organizations describe-organization
This should return a JSON object that includes information about your organization; the "FeatureSet" field should read "ALL" once the remediation is complete.
Using Python

To enable all AWS Organization features, you can use the AWS Organizations API in Python. Here are the steps to remediate this misconfiguration:
  1. First, you need to install the boto3 library in Python. You can install it using the following command:
pip install boto3
  2. Next, you need to set up your AWS credentials in your Python environment. You can do this by creating a new profile in your ~/.aws/credentials file or by setting the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables. The credentials must belong to the organization's management account.
  3. Once you have set up your credentials, you can use the following Python code to enable all AWS Organization features:
import boto3
from botocore.exceptions import ClientError

# Create a new AWS Organizations client (management-account credentials required)
org_client = boto3.client('organizations')

# Enable all features for the organization; the call returns a handshake that
# invited member accounts must accept before the feature set changes
try:
    handshake = org_client.enable_all_features()['Handshake']
    print(f"Handshake {handshake['Id']} created, state: {handshake['State']}")
except ClientError as err:
    # e.g. AccessDeniedException when the caller lacks organizations:EnableAllFeatures
    print(f"enable_all_features failed: {err.response['Error']['Code']}")
    raise
  4. Finally, you can run the Python script to enable all AWS Organization features. Once the script has completed and any pending handshakes have been accepted, all features will be enabled for your AWS Organization.
Note: Before enabling all features, make sure that you understand the implications of doing so and that it is appropriate for your organization.
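Because the feature set only changes after invited member accounts accept the handshake, a verification step that looks at "FeatureSet" alone cannot distinguish "not yet remediated" from "waiting on approvals". The following added example (not part of this page's original remediation steps) classifies an organization's state from the output of describe-organization and list-handshakes-for-organization, and also reports whether the SERVICE_CONTROL_POLICY type is enabled; the sample API responses are constructed, and the live_status helper is an assumed convenience wrapper around boto3.

```python
"""Classify an AWS Organization's All Features state (added example)."""
from typing import Any, Dict, List

# Constructed sample of `aws organizations describe-organization` output for an
# organization still in consolidated-billing-only mode.
SAMPLE_ORG_CB: Dict[str, Any] = {
    "Organization": {
        "Id": "o-exampleorgid",            # placeholder, not a real org id
        "FeatureSet": "CONSOLIDATED_BILLING",
        "AvailablePolicyTypes": [],
    }
}
# Constructed sample of a pending ENABLE_ALL_FEATURES handshake, as returned by
# `aws organizations list-handshakes-for-organization`.
SAMPLE_HANDSHAKES_PENDING: List[Dict[str, Any]] = [
    {"Id": "h-exampleid", "Action": "ENABLE_ALL_FEATURES", "State": "OPEN"}
]

def org_feature_status(describe_org: Dict[str, Any],
                       handshakes: List[Dict[str, Any]]) -> str:
    """Return "ENABLED" (FeatureSet is ALL, SCPs usable), "PENDING_APPROVAL"
    (enable-all-features requested, invited members have not accepted yet) or
    "NOT_ENABLED" (consolidated billing only, remediation still needed)."""
    org = describe_org.get("Organization", {})
    if org.get("FeatureSet") == "ALL":
        return "ENABLED"
    for h in handshakes:
        if (h.get("Action") == "ENABLE_ALL_FEATURES"
                and h.get("State") in ("REQUESTED", "OPEN")):
            return "PENDING_APPROVAL"
    return "NOT_ENABLED"

def scp_enabled(describe_org: Dict[str, Any]) -> bool:
    """True if the SERVICE_CONTROL_POLICY type is enabled for the organization."""
    types = describe_org.get("Organization", {}).get("AvailablePolicyTypes", [])
    return any(t.get("Type") == "SERVICE_CONTROL_POLICY"
               and t.get("Status") == "ENABLED" for t in types)

def live_status(profile: str = None):
    """Run the same checks against a real organization (assumed helper; needs
    boto3 and DescribeOrganization / ListHandshakesForOrganization rights)."""
    import boto3  # imported here so the pure checks above run without boto3
    client = boto3.session.Session(profile_name=profile).client("organizations")
    org = client.describe_organization()
    handshakes = client.list_handshakes_for_organization(
        Filter={"ActionType": "ENABLE_ALL_FEATURES"})["Handshakes"]
    return org_feature_status(org, handshakes), scp_enabled(org)
```

A "PENDING_APPROVAL" result means the management account has done its part and the remaining work is chasing the invited accounts for handshake acceptance before it expires.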

Additional Reading: