NTC Organizations

Release Notes Source Code Implementation Blueprint

Description

NTC Organizations provides a streamlined and scalable solution for managing AWS Organizations, enabling you to efficiently structure and govern multi-account environments. With a focus on security, compliance, and automation, this building block helps you define your organizational units (OUs), enforce Guardrails like Service Control Policies (SCPs) and Resource Control Polices (RCP), and implement foundational guardrails for your AWS accounts.

info

NTC Guardrail Templates provide a set of best practice Service Control Policies (SCPs) and Resource Control Policies (RCP) that can be easily customized and then applied via organization_policies.

info

To configure the Organizational Cloudtrail via organization_trail, an S3 bucket and KMS key is required.

Use NTC Log Archive to provision compliant S3 buckets for storing audit-relevant logs.

warning

Service Control Policies (SCPs) and Resource Control Policies (RCPs) should always be thoroughly tested before they are applied organization-wide to avoid major outages (e.g. apply new policies to test accounts first).

Usage

Latest Release	1.5.0

AWS Organizations

# --------------------------------------------------------------------------------------------------
# ¦ NTC ORGANIZATIONS
# --------------------------------------------------------------------------------------------------
module "ntc_organizations" {
  source = "github.com/nuvibit-terraform-collection/terraform-aws-ntc-organizations?ref=X.X.X"

  # enable sharing resources within your organization
  enable_ram_sharing_in_organization = true

  # list of services which should be enabled in Organizations
  # https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html
  # the following services will be enabled by default, but can be overwritten
  service_access_principals = [
    "account.amazonaws.com",
    "servicequotas.amazonaws.com",
    "cloudtrail.amazonaws.com",
    "securityhub.amazonaws.com",
    "config.amazonaws.com",
    "config-multiaccountsetup.amazonaws.com",
    "guardduty.amazonaws.com",
    "malware-protection.guardduty.amazonaws.com",
    "inspector2.amazonaws.com",
    "access-analyzer.amazonaws.com",
    "sso.amazonaws.com",
    "ipam.amazonaws.com",
  ]

  # list of nested (up to 5 levels) organizational units
  organizational_unit_paths = [
    "/root/core",
    "/root/sandbox",
    "/root/suspended",
    "/root/transitional",
    "/root/workloads",
    "/root/workloads/prod",
    "/root/workloads/dev",
    "/root/workloads/test"
  ]

  # DEPRECATED: use 'organization_policies' instead
  service_control_policies = []

  # apply governance policies across organizational units (OUs) and member accounts
  # there are different types of policies like RESOURCE_CONTROL_POLICY, SERVICE_CONTROL_POLICY, AISERVICES_OPT_OUT_POLICY, BACKUP_POLICY, and TAG_POLICY 
  # https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html#orgs-policy-types
  organization_policies = [
    # {
    #   policy_name        = "scp_deny_all_outside_eu_regions" 
    #   policy_type        = "SERVICE_CONTROL_POLICY"
    #   target_ou_paths    = ["/root/workloads"]
    #   target_account_ids = []
    #   policy_json        = "INSERT_SCP_JSON"
    # }
    module.ntc_guardrail_templates.service_control_policies["scp_root_ou"],
    module.ntc_guardrail_templates.service_control_policies["scp_suspended_ou"],
    module.ntc_guardrail_templates.service_control_policies["scp_sandbox_ou"],
    module.ntc_guardrail_templates.service_control_policies["scp_workloads_ou"],
    module.ntc_guardrail_templates.resource_control_policies["rcp_enforce_confused_deputy_protection"],
    module.ntc_guardrail_templates.resource_control_policies["rcp_enforce_principal_access_from_organization"],
    module.ntc_guardrail_templates.resource_control_policies["rcp_enforce_secure_transport"],
    module.ntc_guardrail_templates.resource_control_policies["rcp_enforce_s3_encryption_and_tls_version"],
  ]

  # after centralizing root access, you can delete root user credentials from member accounts
  # new accounts you create in Organizations will have no root user credentials by default
  # https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-enable-root-access.html
  centralize_root_access = {
    enabled = true
    features = [
      # You can delete and audit root credentials of member accounts. You can also allow password recovery for specific member accounts.
      "RootCredentialsManagement",
      # You can take certain root actions in member accounts like deleting misconfigured policies in Amazon SQS or Amazon S3.
      "RootSessions",
    ]
  }

  # 'ntc-log-archive' must be provisioned before creating the organization trail
  organization_trail = {
    kms_key_arn    = local.ntc_parameters["log-archive"]["log_bucket_kms_key_arns"]["org_cloudtrail"]
    s3_bucket_name = local.ntc_parameters["log-archive"]["log_bucket_ids"]["org_cloudtrail"]
    # (optional) log cloudtrail to cloudwatch for real time analysis
    cloud_watch_logs_enable = false
    # cloud_watch_logs_existing   = false
    # cloud_watch_logs_group_name = "organization-trail-logs"
    # cloud_watch_logs_role_name  = "organization-trail-logs"
  }

  # create an organization reader IAM role which can be assumed by specified principals
  organization_reader = {
    enabled = true
    # list of IAM principals which can assume the org_reader role (e.g. account ids)
    allowed_principals = [
      local.ntc_parameters["mgmt-account-factory"]["core_accounts"]["aws-c2-security"],
    ]
    iam_role_name   = "ntc-org-account-reader"
    iam_role_path   = "/"
    iam_policy_name = "ntc-org-account-reader-policy"
  }
}

Service Quotas

# --------------------------------------------------------------------------------------------------
# ¦ NTC ORGANIZATIONS - SERVICE QUOTAS
# --------------------------------------------------------------------------------------------------
module "ntc_organization_quotas" {
  source = "github.com/nuvibit-terraform-collection/terraform-aws-ntc-organizations//modules/service-quotas?ref=X.X.X"

  # increase service quotas for the org management account
  increase_aws_service_quotas = {
    organizations_maximum_number_of_accounts = 100
  }

  # service quota templates will apply service quotas to all new organization accounts
  # WARNING: existing accounts won't be updated
  aws_service_quota_templates = [
    # {
    #   regions      = ["eu-central-1"]
    #   quota_name   = "Services per namespace"
    #   service_code = "ecs"
    #   new_value    = 120
    # }
  ]

  providers = {
    # organization service quotas and service quota templates must be created in us-east-1
    aws.us_east_1 = aws.use1
  }
}

Admin Delegations

locals {
  # some services like 'aws config' and 'iam access analyzer' are delegated once and not for each region
  global_delegated_administrators = [
    {
      service_principal = "config.amazonaws.com"
      admin_account_id  = local.ntc_parameters["mgmt-account-factory"]["core_accounts"]["aws-c2-security"]
    },
    {
      service_principal = "access-analyzer.amazonaws.com"
      admin_account_id  = local.ntc_parameters["mgmt-account-factory"]["core_accounts"]["aws-c2-security"]
    },
  ]
  
  # some services like amazon guardduty need to be delegated for each region
  regional_delegated_administrators = [
    {
      service_principal = "securityhub.amazonaws.com"
      admin_account_id  = local.ntc_parameters["mgmt-account-factory"]["core_accounts"]["aws-c2-security"]
    },
    {
      service_principal = "guardduty.amazonaws.com"
      admin_account_id  = local.ntc_parameters["mgmt-account-factory"]["core_accounts"]["aws-c2-security"]
    },
    {
      service_principal = "inspector2.amazonaws.com"
      admin_account_id  = local.ntc_parameters["mgmt-account-factory"]["core_accounts"]["aws-c2-security"]
    },
  ]
}

# organizations integration of iam access analyzer requires a service linked role in org management account
# this role gets created when creating up an access analyzer for the first time (analyzer can be deleted afterwards)
# https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-using-service-linked-roles.html#create-slr

# resource "aws_accessanalyzer_analyzer" "init" {
#   analyzer_name = "init-service-linked-role"
# }

# --------------------------------------------------------------------------------------------------
# ¦ NTC ORGANIZATIONS - ADMIN DELEGATIONS
# --------------------------------------------------------------------------------------------------
module "ntc_delegated_admins_euc1" {
  source = "github.com/nuvibit-terraform-collection/terraform-aws-ntc-organizations//modules/regional-admin-delegations?ref=X.X.X"

  delegated_administrators = concat(local.global_delegated_administrators, local.regional_delegated_administrators)

  providers = {
    aws = aws.euc1
  }
}

module "ntc_delegated_admins_euc2" {
  source = "github.com/nuvibit-terraform-collection/terraform-aws-ntc-organizations//modules/regional-admin-delegations?ref=X.X.X"

  delegated_administrators = local.regional_delegated_administrators

  providers = {
    aws = aws.euc2
  }
}

module "ntc_delegated_admins_use1" {
  source = "github.com/nuvibit-terraform-collection/terraform-aws-ntc-organizations//modules/regional-admin-delegations?ref=X.X.X"

  delegated_administrators = local.regional_delegated_administrators

  providers = {
    aws = aws.use1
  }
}

Requirements

The following requirements are needed by this module:

• terraform (>= 1.5.0)

• aws (>= 5.78)

Providers

The following providers are used by this module:

• aws (>= 5.78)

Modules

The following Modules are called:

org_cloudtrail

Source: ./modules/cloudtrail

Version:

Resources

The following resources are used by this module:

• aws_cloudwatch_log_group.ntc_cloudtrail_cw_logs (resource)
• aws_iam_organizations_features.ntc_centralize_root_access (resource)
• aws_iam_role.ntc_cloudtrail_cw_logs (resource)
• aws_iam_role.ntc_org_account_reader (resource)
• aws_iam_role_policy.ntc_cloudtrail_cw_logs (resource)
• aws_iam_role_policy.ntc_org_account_reader (resource)
• aws_kms_key.ntc_cloudtrail_cw_logs_encryption (resource)
• aws_organizations_organization.ntc_org (resource)
• aws_organizations_organizational_unit.ntc_nested_ou_level1 (resource)
• aws_organizations_organizational_unit.ntc_nested_ou_level2 (resource)
• aws_organizations_organizational_unit.ntc_nested_ou_level3 (resource)
• aws_organizations_organizational_unit.ntc_nested_ou_level4 (resource)
• aws_organizations_organizational_unit.ntc_nested_ou_level5 (resource)
• aws_organizations_policy.ntc_org_policy (resource)
• aws_organizations_policy.ntc_scp (resource)
• aws_organizations_policy_attachment.ntc_org_policy_account_attachment (resource)
• aws_organizations_policy_attachment.ntc_org_policy_ou_attachment (resource)
• aws_organizations_policy_attachment.ntc_scp_account_attachment (resource)
• aws_organizations_policy_attachment.ntc_scp_ou_attachment (resource)
• aws_ram_sharing_with_organization.ntc_org (resource)
• aws_caller_identity.current (data source)
• aws_cloudwatch_log_group.ntc_cloudtrail_cw_logs (data source)
• aws_iam_policy_document.ntc_cloudtrail_cw_logs (data source)
• aws_iam_policy_document.ntc_cloudtrail_cw_logs_assume (data source)
• aws_iam_policy_document.ntc_cloudtrail_cw_logs_encryption (data source)
• aws_iam_policy_document.ntc_org_account_reader (data source)
• aws_iam_policy_document.ntc_org_account_reader_trust (data source)
• aws_iam_role.ntc_cloudtrail_cw_logs (data source)
• aws_organizations_organization.existing_org (data source)
• aws_partition.current (data source)
• aws_region.current (data source)

Required Inputs

No required inputs.

Optional Inputs

The following input variables are optional (have default values):

centralize_root_access

Description: Manages centralized root access features across AWS member accounts.

Type:

object({
    enabled  = optional(bool, false)
    features = optional(list(string), ["RootCredentialsManagement", "RootSessions"])
  })

Default: {}

enable_ram_sharing_in_organization

Description: Set to true to enable sharing with your organization without using invitations.

Type: bool

Default: false

enabled_policy_types

Description: DEPRECATED - policy types will be automatically detected from 'organization_policies'.

Type: list(string)

Default:

[
  "SERVICE_CONTROL_POLICY"
]

organization_policies

Description: List of organization policies that should be applied to member accounts. Organization policies are inherited to nested OUs from parent OU to child OUs.

Type:

list(object({
    policy_name        = string
    policy_description = optional(string, null)
    policy_type        = string
    target_ou_paths    = optional(list(string), [])
    target_account_ids = optional(list(string), [])
    policy_json        = string
  }))

Default: []

organization_reader

Description: Create organization reader IAM role which can be assumed by specified principals.

Type:

object({
    enabled            = optional(bool, false)
    allowed_principals = optional(list(string), [])
    iam_role_name      = optional(string, "ntc-org-account-reader")
    iam_role_path      = optional(string, "/") # validation: must end with '/'
    iam_policy_name    = optional(string, "ntc-org-account-reader-policy")
  })

Default: {}

organization_trail

Description: Create organization cloudtrail by providing s3_bucket_name (log archive) and kms_key_arn (server side encryption).

Type:

object({
    trail_name                  = optional(string, "organization-trail")
    kms_key_arn                 = optional(string, "")
    s3_bucket_name              = optional(string, "")
    s3_key_prefix               = optional(string, null)
    cloud_watch_logs_enable     = optional(bool, false)
    cloud_watch_logs_existing   = optional(bool, false)
    cloud_watch_logs_group_name = optional(string, "organization-trail-logs")
    cloud_watch_logs_role_name  = optional(string, "organization-trail-logs")
  })

Default: {}

organizational_unit_paths

Description: List of organizational units (OU) that should be added under the root organization path.
The path "/root/infrastructure" will create a new "infrastructure" OU directly under the root organization path.
The path "/root/workloads/prod" will create a new "prod" OU directly under the "workloads" OU path.
https://aws.amazon.com/de/blogs/mt/best-practices-for-organizational-units-with-aws-organizations/

Type: list(string)

Default: []

service_access_principals

Description: List of AWS service principal names for which you want to enable integration with your organization.
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html

Type: list(string)

Default:

[
  "iam.amazonaws.com",
  "account.amazonaws.com",
  "servicequotas.amazonaws.com",
  "cloudtrail.amazonaws.com",
  "securityhub.amazonaws.com",
  "config.amazonaws.com",
  "config-multiaccountsetup.amazonaws.com",
  "guardduty.amazonaws.com",
  "inspector2.amazonaws.com",
  "macie.amazonaws.com",
  "malware-protection.guardduty.amazonaws.com",
  "access-analyzer.amazonaws.com",
  "sso.amazonaws.com",
  "ipam.amazonaws.com"
]

service_control_policies

Description: DEPRECATED: use 'organization_policies' instead.

Type:

list(object({
    policy_name        = string
    target_ou_paths    = optional(list(string), [])
    target_account_ids = optional(list(string), [])
    policy_json        = string
  }))

Default: []

Outputs

The following outputs are exported:

master_account_arn

Description: ARN of the master account.

master_account_email

Description: Email address of the master account.

master_account_id

Description: Identifier of the master account.

org_arn

Description: ARN of the organization.

org_id

Description: Identifier of the organization.

org_root_ou_id

Description: Identifier of the organization root path.

organization_cloudtrail_arn

Description: ARN of organization cloudtrail.

organizational_unit_ids

Description: Map of organization unit identifiers by ou path.