NTC Organizations

Description

NTC Organizations provides a streamlined and scalable solution for managing AWS Organizations, enabling you to structure and govern multi-account environments efficiently. With a focus on security, compliance, and automation, this building block helps you define your organizational units (OUs), enforce guardrails such as Service Control Policies (SCPs) and Resource Control Policies (RCPs), and lay the governance foundation for your AWS accounts.

info

NTC Guardrail Templates provide a set of best-practice Service Control Policies (SCPs) and Resource Control Policies (RCPs) that can be easily customized and then applied via organization_policies.

info

To configure the organization CloudTrail via organization_trail, an S3 bucket and a KMS key are required.

Use NTC Log Archive to provision compliant S3 buckets for storing audit-relevant logs.

warning

Service Control Policies (SCPs) and Resource Control Policies (RCPs) should always be thoroughly tested before they are applied organization-wide to avoid major outages (e.g. apply new policies to test accounts first).

Usage

Latest Release: 1.5.0
# --------------------------------------------------------------------------------------------------
# ¦ NTC ORGANIZATIONS
# --------------------------------------------------------------------------------------------------
module "ntc_organizations" {
  source = "github.com/nuvibit-terraform-collection/terraform-aws-ntc-organizations?ref=X.X.X"

  # enable sharing resources within your organization
  enable_ram_sharing_in_organization = true

  # list of services which should be enabled in Organizations
  # https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html
  # the following services will be enabled by default, but can be overwritten
  service_access_principals = [
    "account.amazonaws.com",
    "servicequotas.amazonaws.com",
    "cloudtrail.amazonaws.com",
    "securityhub.amazonaws.com",
    "config.amazonaws.com",
    "config-multiaccountsetup.amazonaws.com",
    "guardduty.amazonaws.com",
    "malware-protection.guardduty.amazonaws.com",
    "inspector2.amazonaws.com",
    "access-analyzer.amazonaws.com",
    "sso.amazonaws.com",
    "ipam.amazonaws.com",
  ]

  # list of nested (up to 5 levels) organizational units
  organizational_unit_paths = [
    "/root/core",
    "/root/sandbox",
    "/root/suspended",
    "/root/transitional",
    "/root/workloads",
    "/root/workloads/prod",
    "/root/workloads/dev",
    "/root/workloads/test"
  ]

  # DEPRECATED: use 'organization_policies' instead
  service_control_policies = []

  # apply governance policies across organizational units (OUs) and member accounts
  # there are different types of policies like RESOURCE_CONTROL_POLICY, SERVICE_CONTROL_POLICY, AISERVICES_OPT_OUT_POLICY, BACKUP_POLICY, and TAG_POLICY
  # https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html#orgs-policy-types
  organization_policies = [
    # {
    #   policy_name        = "scp_deny_all_outside_eu_regions"
    #   policy_type        = "SERVICE_CONTROL_POLICY"
    #   target_ou_paths    = ["/root/workloads"]
    #   target_account_ids = []
    #   policy_json        = "INSERT_SCP_JSON"
    # }
    module.ntc_guardrail_templates.service_control_policies["scp_root_ou"],
    module.ntc_guardrail_templates.service_control_policies["scp_suspended_ou"],
    module.ntc_guardrail_templates.service_control_policies["scp_sandbox_ou"],
    module.ntc_guardrail_templates.service_control_policies["scp_workloads_ou"],
    module.ntc_guardrail_templates.resource_control_policies["rcp_enforce_confused_deputy_protection"],
    module.ntc_guardrail_templates.resource_control_policies["rcp_enforce_principal_access_from_organization"],
    module.ntc_guardrail_templates.resource_control_policies["rcp_enforce_secure_transport"],
    module.ntc_guardrail_templates.resource_control_policies["rcp_enforce_s3_encryption_and_tls_version"],
  ]

  # after centralizing root access, you can delete root user credentials from member accounts
  # new accounts you create in Organizations will have no root user credentials by default
  # https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-enable-root-access.html
  centralize_root_access = {
    enabled = true
    features = [
      # You can delete and audit root credentials of member accounts. You can also allow password recovery for specific member accounts.
      "RootCredentialsManagement",
      # You can take certain root actions in member accounts like deleting misconfigured policies in Amazon SQS or Amazon S3.
      "RootSessions",
    ]
  }

  # 'ntc-log-archive' must be provisioned before creating the organization trail
  organization_trail = {
    kms_key_arn    = local.ntc_parameters["log-archive"]["log_bucket_kms_key_arns"]["org_cloudtrail"]
    s3_bucket_name = local.ntc_parameters["log-archive"]["log_bucket_ids"]["org_cloudtrail"]
    # (optional) log cloudtrail to cloudwatch for real time analysis
    cloud_watch_logs_enable = false
    # cloud_watch_logs_existing   = false
    # cloud_watch_logs_group_name = "organization-trail-logs"
    # cloud_watch_logs_role_name  = "organization-trail-logs"
  }

  # create an organization reader IAM role which can be assumed by specified principals
  organization_reader = {
    enabled = true
    # list of IAM principals which can assume the org_reader role (e.g. account ids)
    allowed_principals = [
      local.ntc_parameters["mgmt-account-factory"]["core_accounts"]["aws-c2-security"],
    ]
    iam_role_name   = "ntc-org-account-reader"
    iam_role_path   = "/"
    iam_policy_name = "ntc-org-account-reader-policy"
  }
}
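A custom policy entry next to the template policies, as an added example that is not part of the module's documentation: it follows the commented-out template above and rolls the new SCP out to the test OU first, as the warning recommends, before target_ou_paths is widened to "/root/workloads". The region-deny SCP body and its NotAction list of global services are constructed assumptions; module.ntc_guardrail_templates is the template module referenced in the usage block.

```hcl
locals {
  # constructed example SCP (not from the module): deny any action outside the approved
  # EU regions; global services served only from us-east-1 are exempted via NotAction,
  # otherwise IAM, STS and Organizations calls would be denied as well
  scp_deny_all_outside_eu_regions = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "DenyAllOutsideEuRegions"
        Effect = "Deny"
        NotAction = [
          "iam:*", "sts:*", "organizations:*", "account:*", "support:*",
          "budgets:*", "ce:*", "cloudfront:*", "route53:*", "health:*",
          "access-analyzer:*", "kms:*", "ec2:DescribeRegions",
        ]
        Resource = "*"
        Condition = {
          StringNotEquals = {
            "aws:RequestedRegion" = ["eu-central-1", "eu-west-1"]
          }
        }
      }
    ]
  })
}

module "ntc_organizations" {
  source = "github.com/nuvibit-terraform-collection/terraform-aws-ntc-organizations?ref=X.X.X"

  organizational_unit_paths = [
    "/root/workloads",
    "/root/workloads/prod",
    "/root/workloads/test",
  ]

  organization_policies = [
    # custom policy: scoped to the test OU first; widen target_ou_paths to
    # "/root/workloads" only after verifying nothing in test breaks
    {
      policy_name        = "scp_deny_all_outside_eu_regions"
      policy_description = "Deny all actions outside approved EU regions"
      policy_type        = "SERVICE_CONTROL_POLICY"
      target_ou_paths    = ["/root/workloads/test"]
      target_account_ids = []
      policy_json        = local.scp_deny_all_outside_eu_regions
    },
    # template policy from ntc_guardrail_templates (module declared elsewhere)
    module.ntc_guardrail_templates.service_control_policies["scp_workloads_ou"],
  ]
}
```

Because policies are inherited from parent OU to child OUs, a policy attached to "/root/workloads" also reaches prod, so the test-OU scope is the safe first step.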

Requirements

The following requirements are needed by this module:

  • terraform (>= 1.5.0)

  • aws (>= 5.78)

Providers

The following providers are used by this module:

  • aws (>= 5.78)

Modules

The following Modules are called:

org_cloudtrail

Source: ./modules/cloudtrail

Version:

Resources

The following resources are used by this module:

Required Inputs

No required inputs.

Optional Inputs

The following input variables are optional (have default values):

centralize_root_access

Description: Manages centralized root access features across AWS member accounts.

Type:

object({
  enabled  = optional(bool, false)
  features = optional(list(string), ["RootCredentialsManagement", "RootSessions"])
})

Default: {}

enable_ram_sharing_in_organization

Description: Set to true to enable sharing with your organization without using invitations.

Type: bool

Default: false

enabled_policy_types

Description: DEPRECATED - policy types will be automatically detected from 'organization_policies'.

Type: list(string)

Default:

[
  "SERVICE_CONTROL_POLICY"
]

organization_policies

Description: List of organization policies that should be applied to member accounts. Organization policies are inherited by nested OUs, from parent OU down to child OUs.

Type:

list(object({
  policy_name        = string
  policy_description = optional(string, null)
  policy_type        = string
  target_ou_paths    = optional(list(string), [])
  target_account_ids = optional(list(string), [])
  policy_json        = string
}))

Default: []

organization_reader

Description: Create organization reader IAM role which can be assumed by specified principals.

Type:

object({
  enabled            = optional(bool, false)
  allowed_principals = optional(list(string), [])
  iam_role_name      = optional(string, "ntc-org-account-reader")
  iam_role_path      = optional(string, "/") # validation: must end with '/'
  iam_policy_name    = optional(string, "ntc-org-account-reader-policy")
})

Default: {}

organization_trail

Description: Create an organization CloudTrail trail by providing s3_bucket_name (log archive bucket) and kms_key_arn (server-side encryption key).

Type:

object({
  trail_name                  = optional(string, "organization-trail")
  kms_key_arn                 = optional(string, "")
  s3_bucket_name              = optional(string, "")
  s3_key_prefix               = optional(string, null)
  cloud_watch_logs_enable     = optional(bool, false)
  cloud_watch_logs_existing   = optional(bool, false)
  cloud_watch_logs_group_name = optional(string, "organization-trail-logs")
  cloud_watch_logs_role_name  = optional(string, "organization-trail-logs")
})

Default: {}

organizational_unit_paths

Description: List of organizational units (OUs) that should be created under the root organization path.
The path "/root/infrastructure" creates a new "infrastructure" OU directly under the root organization path.
The path "/root/workloads/prod" creates a new "prod" OU directly under the "workloads" OU.
https://aws.amazon.com/de/blogs/mt/best-practices-for-organizational-units-with-aws-organizations/

Type: list(string)

Default: []

service_access_principals

Description: List of AWS service principal names for which you want to enable integration with your organization.
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html

Type: list(string)

Default:

[
  "iam.amazonaws.com",
  "account.amazonaws.com",
  "servicequotas.amazonaws.com",
  "cloudtrail.amazonaws.com",
  "securityhub.amazonaws.com",
  "config.amazonaws.com",
  "config-multiaccountsetup.amazonaws.com",
  "guardduty.amazonaws.com",
  "inspector2.amazonaws.com",
  "macie.amazonaws.com",
  "malware-protection.guardduty.amazonaws.com",
  "access-analyzer.amazonaws.com",
  "sso.amazonaws.com",
  "ipam.amazonaws.com"
]

service_control_policies

Description: DEPRECATED: use 'organization_policies' instead.

Type:

list(object({
  policy_name        = string
  target_ou_paths    = optional(list(string), [])
  target_account_ids = optional(list(string), [])
  policy_json        = string
}))

Default: []

Outputs

The following outputs are exported:

master_account_arn

Description: ARN of the master account.

master_account_email

Description: Email address of the master account.

master_account_id

Description: Identifier of the master account.

org_arn

Description: ARN of the organization.

org_id

Description: Identifier of the organization.

org_root_ou_id

Description: Identifier of the organization root path.

organization_cloudtrail_arn

Description: ARN of the organization CloudTrail trail.

organizational_unit_ids

Description: Map of organizational unit identifiers keyed by OU path.