More Info:

Ensure that AWS Organizations is in use so that you have central control over the use of AWS services across multiple AWS accounts (through Service Control Policies) and can enforce your company's security and compliance policies. AWS Organizations is an account management service that lets you consolidate multiple AWS accounts into an organization that you create and administer from a single management account. It is available to all customers at no additional cost and has two feature sets. Consolidated Billing features provide the basic management tools for centrally managing all the accounts (the management account and the member accounts) in your organization, give you a combined view of the AWS charges incurred by all your accounts, and let you take advantage of pricing benefits from aggregated usage. All features adds the governance capabilities, including Service Control Policies, on top of consolidated billing; SCPs are only available in an organization that was created with, or later enabled, all features.

Risk Level

Medium

Address

Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

The misconfiguration “AWS Organizations Should Be Used” means the AWS account is standalone: it is not governed together with your other accounts. Standalone accounts cannot be constrained by service control policies, are billed and audited separately, and let configuration drift between accounts go unnoticed, which adds security and compliance risk as well as cost and complexity. To remediate this misconfiguration, you can follow the below steps:
  1. Log in to the AWS Management Console with the account that will become the management account and navigate to the AWS Organizations service.
  2. Click on the “Create organization” button. The account you are signed in to becomes the management account of the new organization; choose all features, since service control policies are not available with consolidated billing only.
  3. Add your other accounts as member accounts: invite existing accounts by account ID or email address (each invited account must accept the invitation from its own console), or create new accounts directly from the organization.
  4. Enable service control policies on the organization root, group accounts into organizational units, and attach SCPs to the root or to OUs to enforce your security and compliance guardrails. Note that SCPs do not restrict the management account itself, so keep workloads out of it.
  5. Use consolidated billing and cost allocation tags to simplify billing and cost management across your accounts.
  6. Finally, review your organization’s policies and controls regularly so that they stay up to date and effective in mitigating risks and maintaining compliance.
By following these steps, you will be able to remediate the “AWS Organizations Should Be Used” misconfiguration and ensure that your AWS accounts are properly organized and managed.

To remediate the misconfiguration “AWS Organizations should be used”, you can follow the below steps using AWS CLI. Run steps 1, 3 and 4 with credentials for the account that will become the management account:
  1. Create an AWS Organization with all features enabled (service control policies are not available with consolidated billing only) by running the following command:
aws organizations create-organization --feature-set ALL
  2. Bring your other AWS accounts into the organization by inviting each one from the management account:
aws organizations invite-account-to-organization --target Id=<account-id>,Type=ACCOUNT
The invitation is a handshake that the invited account must accept using its own credentials:
aws organizations list-handshakes-for-account
aws organizations accept-handshake --handshake-id <handshake-id>
Note: Replace <account-id> with the 12-digit ID of the account to invite and <handshake-id> with the Id shown for the invitation. An account that is already a member can be moved from the root into an organizational unit with:
aws organizations move-account --account-id <account-id> --source-parent <root-id> --destination-parent <ou-id>
Note: Replace <account-id>, <root-id> (of the form r-xxxx, shown by aws organizations list-roots) and <ou-id> (of the form ou-xxxx-xxxxxxxx, returned by aws organizations create-organizational-unit) with the actual values. move-account only works for accounts that are already members; it cannot pull a standalone account into the organization.
  3. Enable service control policies on the organization root by running the following command:
aws organizations enable-policy-type --root-id <root-id> --policy-type SERVICE_CONTROL_POLICY
Note: Replace <root-id> with the actual value.
  4. Create and attach an SCP to the organization root to enforce the desired policies. For example, to restrict access to certain AWS services, put a policy document with Deny statements for those services in policy.json, then create the SCP and attach it to the root:
aws organizations create-policy --content file://policy.json --name "MyPolicy" --description "My Policy" --type SERVICE_CONTROL_POLICY
aws organizations attach-policy --policy-id <policy-id> --target-id <root-id>
Note: Replace <policy-id> (the Id in the create-policy output, of the form p-xxxxxxxx) and <root-id> with the actual values. Leave the default FullAWSAccess SCP attached when your policy only contains Deny statements: an action is permitted only if some attached SCP allows it, so detaching FullAWSAccess without an equivalent Allow locks every member account out of everything. SCPs never restrict the management account, so keep workloads and day-to-day human access out of it. By following these steps, you can remediate the misconfiguration “AWS Organizations should be used” and ensure that all AWS accounts are managed centrally under an organization with appropriate policies enforced.
The misconfiguration “AWS Organizations Should Be Used” indicates that AWS Organizations is not being used to manage multiple AWS accounts. AWS Organizations is a service that allows you to consolidate multiple AWS accounts into an organization that you create and centrally manage. By using AWS Organizations, you can automate account creation, apply policies across accounts, and simplify billing. To remediate this misconfiguration for AWS using Python, follow these steps:
  1. Install the AWS SDK for Python (Boto3) on your local machine and configure credentials for the account that will become the management account.
  2. Choose the account that will act as the management account of your organization, or create a new one if you don’t already have one. Keep it free of workloads: SCPs do not apply to the management account, and it has access to the billing data of every member.
  3. Create an IAM principal (a role is preferable to a long-lived user) in the management account with permission to create and manage the organization. The script below needs organizations:CreateOrganization plus iam:CreateServiceLinkedRole (AWS Organizations creates its service-linked role during setup); the AWS managed policy AWSOrganizationsFullAccess covers the rest of the setup. You can do this using the AWS Management Console or the AWS CLI.
  4. Write a Python script that uses the Boto3 library to create a new AWS organization. Here’s an example script:
import boto3

# Set up the AWS Organizations client; the credentials in use must belong to
# the account that is to become the management account
org_client = boto3.client('organizations')

# Create the organization with all features enabled (required for SCPs)
try:
    response = org_client.create_organization(FeatureSet='ALL')
    print("Created organization", response['Organization']['Id'])
except org_client.exceptions.AlreadyInOrganizationException:
    # Nothing to do: this account is already the management account or a member
    print("This account already belongs to an organization")
  5. Run the Python script to create the new organization. The account whose credentials the script uses becomes the management account, and an organization root is created under which member accounts are placed.
  6. Use the AWS Management Console, the AWS CLI, or further Boto3 calls (invite_account_to_organization for existing accounts, create_account for new ones) to add accounts to your new organization as member accounts.
  7. Once all accounts are added, enable service control policies on the root and use AWS Organizations to apply policies across accounts, automate account creation, and simplify billing.
Note: It is important to thoroughly test any scripts or changes in a non-production environment before applying them to your production environment.
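The CLI steps above refer to a policy.json that is never shown, and the Python script stops once the organization exists. The following is an added example, not code from the original page or from AWS, that fills in both: it builds a deny-list guardrail SCP, writes it out as policy.json, and includes a small evaluator that models how SCPs combine with the default FullAWSAccess policy, so you can check what a policy would block before attaching it. The statement Sids, the approved-region list and the deploy_scp helper are assumptions for this example; the evaluator models only the Action element and the StringEquals, StringNotEquals and StringLike condition operators, not NotAction or resource-level matching.

```python
import fnmatch
import json

# The SCP AWS attaches to every root, OU and account by default. With a
# deny-list strategy it must stay attached: an action is only permitted if some
# attached SCP explicitly allows it, so removing it implicitly denies everything.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed example guardrail SCP. The Sids and the approved-region list are
# assumptions for this example, not values from the page.
GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyLeavingOrganization", "Effect": "Deny",
         "Action": "organizations:LeaveOrganization", "Resource": "*"},
        {"Sid": "DenyTamperingWithCloudTrail", "Effect": "Deny",
         "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                    "cloudtrail:UpdateTrail"], "Resource": "*"},
        {"Sid": "DenyEc2OutsideApprovedRegions", "Effect": "Deny",
         "Action": "ec2:*", "Resource": "*",
         "Condition": {"StringNotEquals": {
             "aws:RequestedRegion": ["us-east-1", "eu-west-1"]}}},
    ],
}


def write_policy_file(path, document):
    """Write the SCP as the policy.json that
    `aws organizations create-policy --content file://policy.json` consumes."""
    content = json.dumps(document, indent=2)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(content)
    return content


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action names are matched case-insensitively with * and ? wildcards
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _condition_matches(condition, context):
    """Subset of IAM condition logic. A missing context key fails the positive
    operators and satisfies StringNotEquals (simplified from IAM's own rules)."""
    for operator, clauses in condition.items():
        for key, expected in clauses.items():
            expected, actual = _as_list(expected), context.get(key)
            if operator == "StringEquals":
                ok = actual is not None and actual in expected
            elif operator == "StringNotEquals":
                ok = actual is None or actual not in expected
            elif operator == "StringLike":
                ok = actual is not None and any(
                    fnmatch.fnmatchcase(actual, p) for p in expected)
            else:
                raise ValueError(f"unsupported condition operator {operator}")
            if not ok:
                return False
    return True


def scp_allows(action, context, policies):
    """Model SCP evaluation for one API action given every SCP attached along
    root -> OU -> account: any matching Deny wins, otherwise the action needs a
    matching Allow, otherwise it is implicitly denied. SCPs never grant
    permissions; the principal still needs an IAM policy allowing the action."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if "Action" not in stmt:
                raise ValueError("NotAction statements are not modelled here")
            if not any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
                continue
            if not _condition_matches(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def deploy_scp(org_client, name, document, target_id):
    """Create the SCP and attach it to a root (r-...), OU (ou-...) or account id.
    org_client is a boto3 Organizations client used from the management account
    after SCPs have been enabled on the root. Returns the new policy id."""
    created = org_client.create_policy(
        Name=name, Description="Baseline guardrails",
        Type="SERVICE_CONTROL_POLICY", Content=json.dumps(document))
    policy_id = created["Policy"]["PolicySummary"]["Id"]
    org_client.attach_policy(PolicyId=policy_id, TargetId=target_id)
    return policy_id


if __name__ == "__main__":
    write_policy_file("policy.json", GUARDRAIL_SCP)
    attached = [FULL_AWS_ACCESS, GUARDRAIL_SCP]
    print("ec2 in ap-south-1 allowed:",
          scp_allows("ec2:RunInstances", {"aws:RequestedRegion": "ap-south-1"}, attached))
```

Run the script from the management account to produce policy.json for the create-policy command above, or call deploy_scp(boto3.client("organizations"), "Guardrails", GUARDRAIL_SCP, root_id) to create and attach it directly. Evaluate any action you rely on against [FULL_AWS_ACCESS, GUARDRAIL_SCP] first, and against [GUARDRAIL_SCP] alone to see why detaching FullAWSAccess denies everything.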

Additional Reading: