NTC Organizations
Description
NTC Organizations provides a streamlined and scalable solution for managing AWS Organizations, enabling you to efficiently structure and govern multi-account environments. With a focus on security, compliance, and automation, this building block helps you define your organizational units (OUs), enforce guardrails such as Service Control Policies (SCPs) and Resource Control Policies (RCPs), and implement foundational guardrails for your AWS accounts.
NTC Guardrail Templates provide a set of best-practice Service Control Policies (SCPs) and Resource Control Policies (RCPs) that can be easily customized and then applied via `organization_policies`.
To configure the organization CloudTrail via `organization_trail`, an S3 bucket and a KMS key are required.
Use NTC Log Archive to provision compliant S3 buckets for storing audit-relevant logs.
Service Control Policies (SCPs) and Resource Control Policies (RCPs) should always be thoroughly tested before they are applied organization-wide to avoid major outages (e.g. apply new policies to test accounts first).
Usage
Latest Release: 1.5.0
- AWS Organizations
- Service Quotas
- Admin Delegations
# --------------------------------------------------------------------------------------------------
# ¦ NTC ORGANIZATIONS
# --------------------------------------------------------------------------------------------------
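module "ntc_organizations" {
  # pin to a released tag (see 'Latest Release' above) rather than a branch, so an upstream
  # change cannot silently alter the organization guardrails on the next apply
  source = "github.com/nuvibit-terraform-collection/terraform-aws-ntc-organizations?ref=X.X.X"

  # enable sharing resources within your organization
  enable_ram_sharing_in_organization = true

  # list of services which should be enabled in Organizations
  # https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html
  # NOTE: providing this list overrides the module default (see 'Optional Inputs'),
  # so every integration you rely on has to be listed here explicitly
  service_access_principals = [
    # trusted access for IAM is a prerequisite for 'centralize_root_access' below
    "iam.amazonaws.com",
    "account.amazonaws.com",
    "servicequotas.amazonaws.com",
    "cloudtrail.amazonaws.com",
    "securityhub.amazonaws.com",
    "config.amazonaws.com",
    "config-multiaccountsetup.amazonaws.com",
    "guardduty.amazonaws.com",
    "malware-protection.guardduty.amazonaws.com",
    "inspector2.amazonaws.com",
    "access-analyzer.amazonaws.com",
    "sso.amazonaws.com",
    "ipam.amazonaws.com",
  ]

  # list of nested (up to 5 levels) organizational units
  organizational_unit_paths = [
    "/root/core",
    "/root/sandbox",
    "/root/suspended",
    "/root/transitional",
    "/root/workloads",
    "/root/workloads/prod",
    "/root/workloads/dev",
    "/root/workloads/test"
  ]

  # DEPRECATED: use 'organization_policies' instead (kept empty only for migrations from older releases)
  service_control_policies = []

  # apply governance policies across organizational units (OUs) and member accounts
  # there are different types of policies like RESOURCE_CONTROL_POLICY, SERVICE_CONTROL_POLICY, AISERVICES_OPT_OUT_POLICY, BACKUP_POLICY, and TAG_POLICY
  # https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html#orgs-policy-types
  # roll new policies out to a test OU or account first; a wrong SCP/RCP can lock out an entire subtree
  organization_policies = [
    # {
    #   policy_name        = "scp_deny_all_outside_eu_regions"
    #   policy_type        = "SERVICE_CONTROL_POLICY"
    #   target_ou_paths    = ["/root/workloads"]
    #   target_account_ids = []
    #   policy_json        = "INSERT_SCP_JSON"
    # }
    module.ntc_guardrail_templates.service_control_policies["scp_root_ou"],
    module.ntc_guardrail_templates.service_control_policies["scp_suspended_ou"],
    module.ntc_guardrail_templates.service_control_policies["scp_sandbox_ou"],
    module.ntc_guardrail_templates.service_control_policies["scp_workloads_ou"],
    module.ntc_guardrail_templates.resource_control_policies["rcp_enforce_confused_deputy_protection"],
    module.ntc_guardrail_templates.resource_control_policies["rcp_enforce_principal_access_from_organization"],
    module.ntc_guardrail_templates.resource_control_policies["rcp_enforce_secure_transport"],
    module.ntc_guardrail_templates.resource_control_policies["rcp_enforce_s3_encryption_and_tls_version"],
  ]

  # after centralizing root access, you can delete root user credentials from member accounts
  # new accounts you create in Organizations will have no root user credentials by default
  # https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-enable-root-access.html
  centralize_root_access = {
    enabled = true
    features = [
      # You can delete and audit root credentials of member accounts. You can also allow password recovery for specific member accounts.
      "RootCredentialsManagement",
      # You can take certain root actions in member accounts like deleting misconfigured policies in Amazon SQS or Amazon S3.
      "RootSessions",
    ]
  }

  # 'ntc-log-archive' must be provisioned before creating the organization trail
  organization_trail = {
    kms_key_arn    = local.ntc_parameters["log-archive"]["log_bucket_kms_key_arns"]["org_cloudtrail"]
    s3_bucket_name = local.ntc_parameters["log-archive"]["log_bucket_ids"]["org_cloudtrail"]
    # (optional) forward the trail to CloudWatch Logs for near-real-time analysis and alerting;
    # with 'false' the S3 log archive is the only destination of the trail events
    cloud_watch_logs_enable = false
    # cloud_watch_logs_existing   = false
    # cloud_watch_logs_group_name = "organization-trail-logs"
    # cloud_watch_logs_role_name  = "organization-trail-logs"
  }

  # create an organization reader IAM role which can be assumed by specified principals
  organization_reader = {
    enabled = true
    # list of IAM principals which can assume the org_reader role (e.g. account ids)
    # an account id trusts every principal in that account that may call sts:AssumeRole;
    # use the narrowest principal the module accepts for your use case
    allowed_principals = [
      local.ntc_parameters["mgmt-account-factory"]["core_accounts"]["aws-c2-security"],
    ]
    iam_role_name   = "ntc-org-account-reader"
    iam_role_path   = "/"
    iam_policy_name = "ntc-org-account-reader-policy"
  }
}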
# --------------------------------------------------------------------------------------------------
# ¦ NTC ORGANIZATIONS - SERVICE QUOTAS
# --------------------------------------------------------------------------------------------------
module "ntc_organization_quotas" {
  source = "github.com/nuvibit-terraform-collection/terraform-aws-ntc-organizations//modules/service-quotas?ref=X.X.X"

  providers = {
    # organization service quotas and service quota templates must be created in us-east-1
    aws.us_east_1 = aws.use1
  }

  # quota increases requested for the org management account itself
  increase_aws_service_quotas = {
    organizations_maximum_number_of_accounts = 100
  }

  # templates are applied to every account created in the organization from now on
  # WARNING: accounts that already exist keep their current quotas
  aws_service_quota_templates = [
    # {
    #   regions      = ["eu-central-1"]
    #   quota_name   = "Services per namespace"
    #   service_code = "ecs"
    #   new_value    = 120
    # }
  ]
}
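locals {
  # single account that receives every security-related admin delegation below;
  # resolved once so a change of the delegated account only has to be made in one place
  delegated_admin_account_id = local.ntc_parameters["mgmt-account-factory"]["core_accounts"]["aws-c2-security"]

  # some services like 'aws config' and 'iam access analyzer' are delegated once and not for each region
  global_delegated_administrators = [
    for service_principal in [
      "config.amazonaws.com",
      "access-analyzer.amazonaws.com",
    ] : {
      service_principal = service_principal
      admin_account_id  = local.delegated_admin_account_id
    }
  ]

  # some services like amazon guardduty need to be delegated for each region
  regional_delegated_administrators = [
    for service_principal in [
      "securityhub.amazonaws.com",
      "guardduty.amazonaws.com",
      "inspector2.amazonaws.com",
    ] : {
      service_principal = service_principal
      admin_account_id  = local.delegated_admin_account_id
    }
  ]
}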
# organizations integration of iam access analyzer requires a service linked role in org management account
# this role gets created when an access analyzer is created for the first time (the analyzer can be deleted afterwards)
# https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-using-service-linked-roles.html#create-slr
# resource "aws_accessanalyzer_analyzer" "init" {
# analyzer_name = "init-service-linked-role"
# }
# --------------------------------------------------------------------------------------------------
# ¦ NTC ORGANIZATIONS - ADMIN DELEGATIONS
# --------------------------------------------------------------------------------------------------
module "ntc_delegated_admins_euc1" {
  source = "github.com/nuvibit-terraform-collection/terraform-aws-ntc-organizations//modules/regional-admin-delegations?ref=X.X.X"

  providers = {
    aws = aws.euc1
  }

  # home region: delegates the once-per-organization services together with the per-region ones
  delegated_administrators = concat(local.global_delegated_administrators, local.regional_delegated_administrators)
}
module "ntc_delegated_admins_euc2" {
  source = "github.com/nuvibit-terraform-collection/terraform-aws-ntc-organizations//modules/regional-admin-delegations?ref=X.X.X"

  providers = {
    aws = aws.euc2
  }

  # additional region: only the per-region services are delegated here
  delegated_administrators = local.regional_delegated_administrators
}
module "ntc_delegated_admins_use1" {
  source = "github.com/nuvibit-terraform-collection/terraform-aws-ntc-organizations//modules/regional-admin-delegations?ref=X.X.X"

  providers = {
    aws = aws.use1
  }

  # additional region: only the per-region services are delegated here
  delegated_administrators = local.regional_delegated_administrators
}
Requirements
The following requirements are needed by this module:
-
terraform (>= 1.5.0)
-
aws (>= 5.78)
Providers
The following providers are used by this module:
- aws (>= 5.78)
Modules
The following Modules are called:
org_cloudtrail
Source: ./modules/cloudtrail
Version:
Resources
The following resources are used by this module:
- aws_cloudwatch_log_group.ntc_cloudtrail_cw_logs (resource)
- aws_iam_organizations_features.ntc_centralize_root_access (resource)
- aws_iam_role.ntc_cloudtrail_cw_logs (resource)
- aws_iam_role.ntc_org_account_reader (resource)
- aws_iam_role_policy.ntc_cloudtrail_cw_logs (resource)
- aws_iam_role_policy.ntc_org_account_reader (resource)
- aws_kms_key.ntc_cloudtrail_cw_logs_encryption (resource)
- aws_organizations_organization.ntc_org (resource)
- aws_organizations_organizational_unit.ntc_nested_ou_level1 (resource)
- aws_organizations_organizational_unit.ntc_nested_ou_level2 (resource)
- aws_organizations_organizational_unit.ntc_nested_ou_level3 (resource)
- aws_organizations_organizational_unit.ntc_nested_ou_level4 (resource)
- aws_organizations_organizational_unit.ntc_nested_ou_level5 (resource)
- aws_organizations_policy.ntc_org_policy (resource)
- aws_organizations_policy.ntc_scp (resource)
- aws_organizations_policy_attachment.ntc_org_policy_account_attachment (resource)
- aws_organizations_policy_attachment.ntc_org_policy_ou_attachment (resource)
- aws_organizations_policy_attachment.ntc_scp_account_attachment (resource)
- aws_organizations_policy_attachment.ntc_scp_ou_attachment (resource)
- aws_ram_sharing_with_organization.ntc_org (resource)
- aws_caller_identity.current (data source)
- aws_cloudwatch_log_group.ntc_cloudtrail_cw_logs (data source)
- aws_iam_policy_document.ntc_cloudtrail_cw_logs (data source)
- aws_iam_policy_document.ntc_cloudtrail_cw_logs_assume (data source)
- aws_iam_policy_document.ntc_cloudtrail_cw_logs_encryption (data source)
- aws_iam_policy_document.ntc_org_account_reader (data source)
- aws_iam_policy_document.ntc_org_account_reader_trust (data source)
- aws_iam_role.ntc_cloudtrail_cw_logs (data source)
- aws_organizations_organization.existing_org (data source)
- aws_partition.current (data source)
- aws_region.current (data source)
Required Inputs
No required inputs.
Optional Inputs
The following input variables are optional (have default values):
centralize_root_access
Description: Manages centralized root access features across AWS member accounts.
Type:
object({
enabled = optional(bool, false)
features = optional(list(string), ["RootCredentialsManagement", "RootSessions"])
})
Default: {}
enable_ram_sharing_in_organization
Description: Set to true to enable sharing with your organization without using invitations.
Type: bool
Default: false
enabled_policy_types
Description: DEPRECATED - policy types will be automatically detected from 'organization_policies'.
Type: list(string)
Default:
[
"SERVICE_CONTROL_POLICY"
]
organization_policies
Description: List of organization policies that should be applied to member accounts. A policy attached to a parent OU is inherited by all of its nested child OUs.
Type:
list(object({
policy_name = string
policy_description = optional(string, null)
policy_type = string
target_ou_paths = optional(list(string), [])
target_account_ids = optional(list(string), [])
policy_json = string
}))
Default: []
organization_reader
Description: Create organization reader IAM role which can be assumed by specified principals.
Type:
object({
enabled = optional(bool, false)
allowed_principals = optional(list(string), [])
iam_role_name = optional(string, "ntc-org-account-reader")
iam_role_path = optional(string, "/") # validation: must end with '/'
iam_policy_name = optional(string, "ntc-org-account-reader-policy")
})
Default: {}
organization_trail
Description: Create an organization CloudTrail by providing s3_bucket_name (log archive) and kms_key_arn (server-side encryption).
Type:
object({
trail_name = optional(string, "organization-trail")
kms_key_arn = optional(string, "")
s3_bucket_name = optional(string, "")
s3_key_prefix = optional(string, null)
cloud_watch_logs_enable = optional(bool, false)
cloud_watch_logs_existing = optional(bool, false)
cloud_watch_logs_group_name = optional(string, "organization-trail-logs")
cloud_watch_logs_role_name = optional(string, "organization-trail-logs")
})
Default: {}
organizational_unit_paths
Description: List of organizational units (OU) that should be added under the root organization path.
The path "/root/infrastructure" will create a new "infrastructure" OU directly under the root organization path.
The path "/root/workloads/prod" will create a new "prod" OU directly under the "workloads" OU path.
https://aws.amazon.com/de/blogs/mt/best-practices-for-organizational-units-with-aws-organizations/
Type: list(string)
Default: []
service_access_principals
Description: List of AWS service principal names for which you want to enable integration with your organization.
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html
Type: list(string)
Default:
[
"iam.amazonaws.com",
"account.amazonaws.com",
"servicequotas.amazonaws.com",
"cloudtrail.amazonaws.com",
"securityhub.amazonaws.com",
"config.amazonaws.com",
"config-multiaccountsetup.amazonaws.com",
"guardduty.amazonaws.com",
"inspector2.amazonaws.com",
"macie.amazonaws.com",
"malware-protection.guardduty.amazonaws.com",
"access-analyzer.amazonaws.com",
"sso.amazonaws.com",
"ipam.amazonaws.com"
]
service_control_policies
Description: DEPRECATED: use 'organization_policies' instead.
Type:
list(object({
policy_name = string
target_ou_paths = optional(list(string), [])
target_account_ids = optional(list(string), [])
policy_json = string
}))
Default: []
Outputs
The following outputs are exported:
master_account_arn
Description: ARN of the master account.
master_account_email
Description: Email address of the master account.
master_account_id
Description: Identifier of the master account.
org_arn
Description: ARN of the organization.
org_id
Description: Identifier of the organization.
org_root_ou_id
Description: Identifier of the organization root path.
organization_cloudtrail_arn
Description: ARN of organization cloudtrail.
organizational_unit_ids
Description: Map of organizational unit identifiers keyed by OU path.