
AWS Organizations & AccountsΒΆ

AWS Account SetupΒΆ

  • Testing CLI access:

    ## Names used by the rest of this page. The *_PROFILE values are profile
    ## names from ~/.aws/config; ORG_MASTER_PROFILE must resolve to the
    ## organization's management account, because every `aws organizations`
    ## call below is made with it.
    ORG_MASTER_PROFILE='ou-shared-services_ou-prod_aws-admin'
    ORG_UNIT_NAME='ou-nz-applications'
    ACCOUNT_PROFILE='ou-nz-applications_ou-prod_bluecurrent-nz-assetmanagement-jde'
    ACCOUNT_NAME="nz-assetmanagement-jde"

    ## Check which principal (account id + ARN) the profile really resolves to
    ## before issuing any organization-wide command with it.
    AWS_PROFILE="${ORG_MASTER_PROFILE}" aws sts get-caller-identity
    
  • The Organizational Units:

    ## Get the Root ID of your organization:
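    ## Get the Root ID of your organization and keep it -- the original page only
    ## printed it, so the ${ROOT_ID} used two commands later was always empty.
    ## An organization has exactly one root, hence Roots[0]. These are read-only
    ## Organizations calls, but they still require the management account (or a
    ## delegated administrator), which is why ORG_MASTER_PROFILE is used.
    ROOT_ID=$(AWS_PROFILE="${ORG_MASTER_PROFILE}" aws organizations list-roots --query 'Roots[0].Id' --output text)
    echo "ROOT_ID=${ROOT_ID}"   # e.g. ROOT_ID=r-jwu0

    ## Get the id of the organizational unit named by ORG_UNIT_NAME (set in the
    ## "Testing CLI access" step; previously hard-coded here as ou-nz-applications).
    ## Only direct children of the root are listed; a nested OU needs a second call
    ## with its parent OU's id.
    OU_ID=$(AWS_PROFILE="${ORG_MASTER_PROFILE}" aws organizations list-organizational-units-for-parent --parent-id "${ROOT_ID}" --query "OrganizationalUnits[?Name=='${ORG_UNIT_NAME}'].Id" --output text)
    [[ -n "${OU_ID}" ]] || echo "WARN: no OU named '${ORG_UNIT_NAME}' directly under root ${ROOT_ID}" >&2
    echo "OU_ID=${OU_ID}"

    ## Get the id of an AWS account by name. Account names are NOT unique inside an
    ## organization (only Id and Email are), so an empty or multi-valued answer means
    ## a later step could target the wrong account -- match on Email if in doubt.
    ## The name below is kept from the original page; note it differs from
    ## ACCOUNT_NAME in the first step (bluecurrent- prefix) -- reconcile the two.
    ACCOUNT_ID=$(AWS_PROFILE="${ORG_MASTER_PROFILE}" aws organizations list-accounts --query 'Accounts[?Name==`bluecurrent-nz-assetmanagement-jde`].Id' --output text)
    [[ "$(wc -w <<< "${ACCOUNT_ID}")" -eq 1 ]] || echo "WARN: expected exactly one account match, got: '${ACCOUNT_ID}'" >&2
    echo "ACCOUNT_ID=${ACCOUNT_ID}"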
    
  • Set up a DNS zone in Route53

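    ORG_SHARED_SERVICES='ou-shared-services'
    ZONE_NAME='aws.myorg.com'

    ## 1. Get the id of your hosted zone from Route53 and keep it -- the original
    ##    page never assigned ${HOSTED_ZONE_ID}, so step 2 ran with an empty --id.
    ##    list-hosted-zones-by-name returns zones *starting at* --dns-name in DNS
    ##    order, so zones that sort after it are returned too; filter on the exact
    ##    name (Route53 stores it with a trailing dot) instead of taking every Id.
    HOSTED_ZONE_ID=$(AWS_PROFILE=myorg-shared-services aws route53 list-hosted-zones-by-name --dns-name "${ZONE_NAME}" --query "HostedZones[?Name=='${ZONE_NAME}.'].Id" --output text)
    ## More than one id here means a public and a private zone share the name -- pick explicitly.
    [[ "$(wc -w <<< "${HOSTED_ZONE_ID}")" -eq 1 ]] || echo "WARN: expected exactly one zone named ${ZONE_NAME}, got: '${HOSTED_ZONE_ID}'" >&2
    echo "HOSTED_ZONE_ID=${HOSTED_ZONE_ID}"   # form: /hostedzone/Z...

    ## 2. Then get the assigned nameservers of your new Route53 zone; these are the
    ##    NS records the parent zone has to delegate to.
    AWS_PROFILE=myorg-shared-services aws route53 get-hosted-zone --id "${HOSTED_ZONE_ID}" --query 'DelegationSet.NameServers' --output text

    ## 3. Verify the delegation from outside: the NS set the parent publishes must be
    ##    exactly the delegation set printed above. A delegation left pointing at the
    ##    name servers of a zone that was deleted -- or deleted and recreated, which
    ##    gets a new delegation set -- is a dangling delegation and is the classic
    ##    Route53 subdomain-takeover setup, so re-run this check whenever the zone changes.
    dig NS +short "${ZONE_NAME}"
    ## Kept from the original page; this queries a different zone than ZONE_NAME.
    dig SOA multifuel.dev.vectormetering.co.nz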
    
  • Using the AWS Extend Switch Roles plugin

    # AWS Extend Switch Roles (browser extension) configuration.
    # [myorg-master] is the base profile: the account you sign in to in the console.
    # Every other profile is a role switch *from* it (source_profile = myorg-master)
    # into the account in aws_account_id, assuming the IAM role named by role_name.
    # color is only the extension's badge colour (hex RGB); it has no security meaning.
    # The ${...} placeholders are replaced with real values: the placeholder names on
    # this page use an account *alias* for the base profile and numeric ids elsewhere.
    [myorg-master]
    aws_account_id = ${MASTER_AWS_ACCOUNT_ALIAS}

    [myorg-playground]
    aws_account_id = ${PLAYGROUND_AWS_ACCOUNT_ID}
    role_name = Administrator
    color = 45C421
    source_profile = myorg-master

    # NOTE(review): every target account below is entered only through an
    # Administrator role. Least privilege would be a read-only profile per account
    # for day-to-day use, with Administrator kept for change windows; the roles'
    # trust policies should also require MFA from the master account -- confirm.
    [myorg-shared-services]
    aws_account_id = ${SHARED_SERVICES_AWS_ACCOUNT_ID}
    role_name = Administrator
    color = 354B8C
    source_profile = myorg-master

    # NOTE(review): role_name here is 'd9400d', which looks like a colour value
    # (cf. color = D9400D on myorg-app-prod), not an IAM role name -- the switch
    # will fail unless a role of that name exists. Confirm the intended role; for a
    # log archive a read-only role is the appropriate choice.
    [myorg-log-archive]
    aws_account_id = ${LOG_ARCHIVE_AWS_ACCOUNT_ID}
    role_name = d9400d
    color = C0403B
    source_profile = myorg-master

    [myorg-app-staging]
    aws_account_id = ${APP_STAGING_AWS_ACCOUNT_ID}
    role_name = Administrator
    color = B88C14
    source_profile = myorg-master

    [myorg-app-prod]
    aws_account_id = ${APP_PROD_AWS_ACCOUNT_ID}
    role_name = Administrator
    color = D9400D
    source_profile = myorg-master
    

The Transit AccountΒΆ

  • RAM on the AWS Organization

    ## Enable RAM on the AWS Organization
    ## Both calls must run as the organization's management account (the
    ## 'myorg-master' profile here; the earlier steps call the same account
    ## ORG_MASTER_PROFILE -- one name should be used throughout the page).

    ## Enable RAM on the AWS Organization: trusted access lets RAM read the
    ## organization's structure so shares can target the whole org or an OU.
    AWS_PROFILE=myorg-master aws organizations enable-aws-service-access \
      --service-principal ram.amazonaws.com

    ## Enable sharing within your AWS Organization. RAM documents this call as
    ## turning on trusted access itself, so the step above should be a harmless
    ## duplicate. Security note: once this is on, a share from any account in the
    ## org to other org accounts is accepted automatically (no invitation step),
    ## so restrict ram:CreateResourceShare / ram:AssociateResourceShare with SCPs.
    AWS_PROFILE=myorg-master aws ram enable-sharing-with-aws-organization \
      --region eu-central-1
    
  • Transit Gateway

  • VPN

AWS Single Sign-OnΒΆ

  • Shared services account VPC

  • Active Directory

  • Active Directory Connector

  • Enabling SSO