Use a web UI to view resource-based policy dependencies for your AWS Organizations AWS accounts - Account Assessment for AWS Organizations


Publication date: November 2022 (last update: June 2024)

This solution helps customers understand their AWS Organizations dependencies by finding AWS services with trusted access enabled, delegated administrator accounts, and identity-based and resource-based policies that reference the organization.

Businesses are increasing their adoption of AWS Organizations to easily create accounts, allocate resources, group accounts, and apply governance policies to accounts or groups. However, when businesses need to consolidate AWS Organizations or move AWS accounts between AWS Organizations, system administrators are often challenged to clearly understand the business impact of an account migration. Manually evaluating AWS Organizations dependencies can be time consuming, potentially involving reviews of tens or even hundreds of resources in each account.

The Account Assessment for AWS Organizations solution performs the following functions:

  • Programmatically scans all AWS accounts in an AWS Organization for identity-based and resource-based policies whose conditions reference the organization (for example, the aws:PrincipalOrgID or aws:PrincipalOrgPaths condition keys, or organization and organizational unit IDs in condition values).

  • Presents scan results in a web user interface (UI) that tracks resources in your AWS Organization and the number of accounts with dependencies.

  • Allows you to configure the scan by selecting specific AWS accounts, AWS services, and AWS Regions.

This implementation guide provides an overview of the Account Assessment for AWS Organizations solution, its reference architecture and components, considerations for planning the deployment, and configuration steps for deploying the solution to the Amazon Web Services (AWS) Cloud.

Use this navigation table to quickly find answers to these questions:

If you want to . . . Read . . .

Know the cost for running this solution. The estimated baseline cost for running this solution in the US East (Northern Virginia) Region is USD $20 per month, depending on your specific implementation. Cost
Understand the security considerations for this solution. Security
Know how to plan for quotas for this solution. Quotas
Know which AWS Regions are supported for this solution. Supported AWS Regions
View or download the AWS CloudFormation template included in this solution to automatically deploy the infrastructure resources (the “stack”) for this solution. AWS CloudFormation template
Access the source code and optionally use the AWS Cloud Development Kit (AWS CDK) to deploy the solution. GitHub repository

This guide is intended for solution architects, DevOps engineers, data scientists, and cloud professionals who want to implement the Account Assessment for AWS Organizations solution in their environment.

Important

We designed this solution to aggregate scan findings for customers. This solution does not check the validity or correctness of your underlying resource-based policies. When changing policies that allow account migration to another AWS Organization, we recommend:

  • Verifying that your policies work as intended before making changes.

  • Using AWS Identity and Access Management (IAM) Access Analyzer to verify that your policies achieve your desired permissions.

  • Reviewing and updating the Condition policy element to meet your security requirements. Do not delete the Condition without reviewing the underlying impact: in a statement whose Principal is "*", the organization condition is often the only thing restricting access, and removing it can make the resource reachable from any AWS account.

  • Engaging with AWS Solutions Architects, Technical Account Managers, and AWS Professional Services to review your AWS Organizations-based dependencies identified by the solution before initiating account migration.
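The following is an added example, not code from the Account Assessment for AWS Organizations solution, that shows the two points above in working form: how a scan can find organization-based conditions in a resource-based policy (the first function in the solution's feature list), and why the Condition element should be rewritten for the new organization rather than deleted. The bucket policy, organization ID (o-a1b2c3d4e5), root ID, OU ID and account ID are constructed placeholders; the functions and their names are this example's own.

```python
"""
Added example (not part of the Account Assessment for AWS Organizations solution):
find organization dependencies in a resource-based policy document and compare
a safe migration edit (rewrite the org ID) with an unsafe one (drop the Condition).
All IDs and the policy itself are constructed for illustration.
"""
import copy
import re

# Global condition keys that tie a policy to an organization or OU.
ORG_CONDITION_KEYS = {
    "aws:principalorgid",
    "aws:principalorgpaths",
    "aws:resourceorgid",
    "aws:resourceorgpaths",
}

# Organization IDs look like o-xxxxxxxxxx, roots like r-xxxx, OUs like ou-xxxx-xxxxxxxx.
# Root IDs are included because aws:PrincipalOrgPaths values contain them.
ORG_ID_RE = re.compile(
    r"\b(o-[a-z0-9]{10,32}|ou-[a-z0-9]{4,32}-[a-z0-9]{8,32}|r-[a-z0-9]{4,32})\b"
)


def _as_list(value):
    """IAM allows scalars or lists in most positions; normalize to a list."""
    return value if isinstance(value, list) else [value]


def find_org_dependencies(policy):
    """One finding per (statement, condition key) that references an organization."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        for operator, kv in stmt.get("Condition", {}).items():
            for key, values in kv.items():
                ids = sorted({m for v in _as_list(values) for m in ORG_ID_RE.findall(str(v))})
                if key.lower() in ORG_CONDITION_KEYS or ids:
                    findings.append({"statement": stmt.get("Sid", f"#{idx}"),
                                     "operator": operator, "key": key, "ids": ids})
    return findings


def rewrite_org_id(policy, old_org, new_org):
    """Safe migration edit: keep every Condition, swap the organization ID."""
    new = copy.deepcopy(policy)
    for stmt in _as_list(new.get("Statement", [])):
        for kv in stmt.get("Condition", {}).values():
            for key, values in list(kv.items()):
                if isinstance(values, list):
                    kv[key] = [str(v).replace(old_org, new_org) for v in values]
                else:
                    kv[key] = str(values).replace(old_org, new_org)
    return new


def strip_conditions(policy):
    """Unsafe migration edit: delete the Condition element outright."""
    new = copy.deepcopy(policy)
    for stmt in _as_list(new.get("Statement", [])):
        stmt.pop("Condition", None)
    return new


def statements_open_to_any_principal(policy):
    """Sids of Allow statements with Principal "*" and no Condition at all."""
    open_sids = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        principal = stmt.get("Principal")
        is_any = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if stmt.get("Effect") == "Allow" and is_any and not stmt.get("Condition"):
            open_sids.append(stmt.get("Sid", f"#{idx}"))
    return open_sids


# Constructed S3 bucket policy: two statements depend on the organization, one does not.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowOrgRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-shared-bucket", "arn:aws:s3:::example-shared-bucket/*"],
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-a1b2c3d4e5"}}},
        {"Sid": "AllowOuPaths", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-shared-bucket/inbox/*",
         "Condition": {"ForAnyValue:StringLike": {
             "aws:PrincipalOrgPaths": ["o-a1b2c3d4e5/r-ab12/ou-ab12-11111111/*"]}}},
        {"Sid": "NoOrgDependency", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-shared-bucket/*"},
    ],
}

if __name__ == "__main__":
    for f in find_org_dependencies(BUCKET_POLICY):
        print(f"{f['statement']}: {f['operator']} {f['key']} -> {f['ids']}")
    migrated = rewrite_org_id(BUCKET_POLICY, "o-a1b2c3d4e5", "o-f6g7h8i9j0")
    print("open after rewrite:", statements_open_to_any_principal(migrated))
    print("open after deleting Condition:",
          statements_open_to_any_principal(strip_conditions(BUCKET_POLICY)))
```

Run against the constructed policy, the scan reports AllowOrgRead and AllowOuPaths and leaves NoOrgDependency alone; rewriting the organization ID keeps every statement restricted, while deleting the Condition turns both organization-scoped statements into grants to any AWS principal. The real solution additionally reports trusted-access services and delegated administrators, which this example does not cover.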

Note

Dependencies outside the scope of this solution can impact the account migration between AWS Organizations (for example, quotas for AWS Organizations, resources shared by AWS Resource Access Manager [AWS RAM], and service-managed CloudFormation StackSets).