How to find name of OU for an account - amazon-web-services

Hi, I am using boto3 and I am attempting to get the OU name for each account in my organization.
Can you advise?
Here is what I have tried so far:
I am listing accounts in the organization using a paginator.
I am able to get account ID, ARN, join time, etc.
I checked the documentation and I found
describe-organizational-unit
list-organizational-units-for-parent
These methods are useful, but I do not know the OU id....
I am looking for something that will accept an account ID and return the name of the OU for it.
Does something like this exist? If not, any ideas for an alternative way of getting the OU name for each of the accounts in my organization?

Can you do the following?
list-organizational-units-for-parent on the root. Now you have all the OUs.
For each OU, then list-accounts-for-parent.
And then you will know the OU for every account.
This method is obviously not convenient if you want the OU of just one AWS account, but you said you wanted "to get OU name for each account in my organization".
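The walk the answer describes, written up as an added boto3 example (not part of the original answer). It goes one step further than the answer: it recurses into nested OUs, since AWS allows OUs inside OUs, and returns the full OU path per account. list_roots, list_organizational_units_for_parent and list_accounts_for_parent are the real Organizations API operations; FakeOrgClient and every id inside it are constructed so the walk can be run offline.

```python
from typing import Dict, List

def _collect(org, operation: str, parent_id: str, key: str) -> List[dict]:
    """Drain every page of a list_* call for one parent (root or OU)."""
    items: List[dict] = []
    for page in org.get_paginator(operation).paginate(ParentId=parent_id):
        items.extend(page[key])
    return items

def map_accounts_to_ou(org, parent_id: str, path: str = "Root") -> Dict[str, str]:
    """Return {account_id: 'Root/OU/SubOU'} for every account under parent_id.
    Child OUs are walked recursively because AWS lets OUs nest (up to five levels);
    accounts attached directly to the root map to 'Root'."""
    mapping = {a["Id"]: path for a in _collect(org, "list_accounts_for_parent", parent_id, "Accounts")}
    for ou in _collect(org, "list_organizational_units_for_parent", parent_id, "OrganizationalUnits"):
        mapping.update(map_accounts_to_ou(org, ou["Id"], f"{path}/{ou['Name']}"))
    return mapping

def account_ou_paths(org) -> Dict[str, str]:
    """Start the walk at the organization root (real boto3 client or the fake below)."""
    return map_accounts_to_ou(org, org.list_roots()["Roots"][0]["Id"])

class FakeOrgClient:
    """Constructed offline stand-in for boto3.client('organizations'); all ids are made up."""
    TREE = {  # parent id -> (child OUs, child accounts)
        "r-1234": ([{"Id": "ou-a", "Name": "Workloads"}], [{"Id": "111111111111"}]),
        "ou-a": ([{"Id": "ou-b", "Name": "Prod"}], [{"Id": "222222222222"}]),
        "ou-b": ([], [{"Id": "333333333333"}, {"Id": "444444444444"}]),
    }

    def list_roots(self):
        return {"Roots": [{"Id": "r-1234"}]}

    def get_paginator(self, operation: str):
        idx = 0 if operation == "list_organizational_units_for_parent" else 1
        key = "OrganizationalUnits" if idx == 0 else "Accounts"
        tree = self.TREE

        class Paginator:  # mimics boto3's paginate(); one page is enough for the fake
            def paginate(self, ParentId):
                yield {key: tree[ParentId][idx]}

        return Paginator()

if __name__ == "__main__":
    # Swap FakeOrgClient() for boto3.client("organizations") to run against a real org.
    for acct, ou in sorted(account_ou_paths(FakeOrgClient()).items()):
        print(acct, ou)
```

Running it against a real organization needs credentials for the management account (or a delegated administrator), since only those may call the Organizations API.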

Related

Hacked AWS account - how do I access/delete linked accounts that they have created?

Our AWS account has been hacked due to someone wrongly supplying an Administrator level access key.
We didn't have an Organisation set up, but the attackers created one. They have then created linked accounts within the organisation and created EC2 instances within them.
The problem I have is that I can't see any way to:
Delete the linked accounts (it says I need to add a payment method to the linked account)
View or terminate the EC2 instances on the other accounts
Can someone please tell me if it's possible to use my root login to access the EC2 instances on the linked accounts? This is costing us a lot of money in the last few hours unfortunately. I have a support case with AWS but they have mentioned that it could take 2-3 business days...
I have disabled users via IAM and made keys inactive.
Thank you in advance.
Based on the comments.
Since the OP already contacted support, the one thing to do was to access the compromised accounts from the master account and disable the instances. The procedure to do it is explained in the AWS docs:
After I use AWS Organizations to create a member account, how do I access that account?
When you create an AWS account in an Organization you set up a role that the organization account can use to assume access into that account. If you can see what role is used for these accounts, use that role, assume access into it, and take down what you need.
To get the concept of it better you can try to create your own account with an organization and assume that role.
This should work as long as the hacker hasn't done anything to the role.
Here are the docs on how to do this:
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html

Create / Destroy AWS account using Terraform?

I am trying to create a tool to easily create and destroy AWS accounts in my AWS organization (or at least remove them from the organisation if they can not be deleted). Those accounts are going to be sandbox with a small budget and destroyed after a couple of weeks.
I found that Terraform has a specific resource for that called aws_organizations_account.
However, it is mentioned that deleting this Terraform resource will only remove an AWS account from an organization. Terraform will not close the account. The member account must be prepared to be a standalone account beforehand. See the AWS Organizations documentation for more information.
I deployed an aws_organizations_account resource using Terraform, and it worked. But when I try to delete that resource, I get a warning that The member account must be configured with a valid payment method, such as a credit card
main.tf
resource "aws_organizations_account" "account" {
  name      = "sandbox1"
  email     = "first.last+sandbox1#company.com"
  role_name = "myOrganizationRole"
}
Is there any way to get around this issue?
Is there any way to get around this issue?
Sadly, no. When you remove an AWS account from an AWS org, it becomes a normal standalone account. You need a custom solution for removing accounts from an AWS Org, which would require you to fulfill all its prerequisites listed here. One of them is having valid contact and payment info associated with the account to be removed.
You can delete the account (it's different from removing it from the AWS org), but this can't be done from AWS Org. The account has to be closed from the inside, using root.
We have a very similar situation (sandbox accounts). We still need to be able to deprovision accounts as team members off-board. To account for consolidated billing and the inability to remove or delete member accounts, we are allowing those to remain while we remove IAM users and login profiles. The way we do this is to use one set of data for users and another for accounts. This leaves a different type of state that doesn’t fail during user removal.
I wrote about and shared our terraform setup: https://cromwellhaus.com/leaving-aws-subaccounts-behind
You could be more nuanced with the accounts side if you wanted.
Deleting an account is now available with the close account API. This functionality is enabled in Terraform via the close_on_deletion flag.

Get group list for given user account

Please, I need to retrieve the group list for a given user account. The only solution I found is to use google-admin-sdk, but unfortunately it needs an admin account, and I only have a free gmail.com account; when I use it I get Not Authorized to access this resource/api.
So my questions now are:
Is it mandatory to have an admin account for a specific domain to use this API?
Can I get an admin account from my gmail.com account?
Thank you for your help in advance.
Answer:
In order to use groups.list (part of Google Workspace Admin SDK), you need to have a Google Workspace account.
Any Workspace account in your domain that has been granted Group privileges can list groups in that domain using this API.
Reference:
Group privileges

How to identify the owner of an organization in google cloud

I have access to the organization and I'm trying to add someone as owner, but the system prompts the message:
"You are missing at least one of the following required permissions:"
The question is how can I know who the owner of this organization is?
By design it's not possible to check who's the owner of the organisation (it would pose too much of a threat for them).
If you don't have the proper permissions, just ask your IT department / superiors - someone has the required permissions (Organization Administrator) and will be able to assign the required role to your account for you to be able to add other users.

Can you login to a different aws OU with master account

I know I can create roles and switch between them, and I've done a bit of research and it seems the answer is no, but I just wanted to make sure.
So I was hoping that when an account joins my organisation, there would be some way for me to use my master account to log in to the new OU, e.g. without me having to log in and create new roles / users etc. Is this possible?
In order to access the new account from your existing "master" account, the new account that joins your org needs to have a role which allows cross-account access from your master account.
It's worth noting that many organizations automate the creation of accounts, and then use CloudFormation to configure the account (which you could use to create a cross-account role for you to use to access the new account). You can learn more about this in the AWS tutorial here.