Hierarchy

1 Org, 2 OUs, 4 acounts

Hierarchy:

• Organization:

  • Organizational Units:

    • AWS Accounts

Organization:

• Can contain multiple OUs

• Can enable logging on an organization level (Organizational cloudtrail logging). Force logging on all OUs and accounts.

Organizational Units:

• Can dictate what goes on in OU.

Accounts:

• Should be separated by workloads:

  • Account for DBs

  • Account for front end services

  • Account for log storage

  • Account for IR and analysis

IR Specifics:

• Understand the scope and the extent of a compromise: Determine if the breach is limited to one AWS account or if an entire organization is compromised.

• Containment: If a breach occurs in a specific AWS account with no links to others, focus containment efforts on that account.

• Logging: If logging is enforced on the organization level in an AWS environment you can use that to investigate individual AWS accounts. Can also be used to enable logging on all future AWS accounts below Organization.

Recommendations:

• Use AWS Organizations instead of separate AWS accounts.

• Organizations allow you to setup Service Control Policies (SCP). These policies can disallow AWS services within accounts like EC2 instances.

• Don’t use your management account for day to day operations (Account is used to setup entire Organization). Break glass account.

• Your management account’s account root user is the break glass account for if everything else is broken protect it as such