By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Risks of joining an account to an organization

0

I have a basic organization set up with a handful of OUs. These OUs only have one SCP to restrict member account root users. I also have an AWS account that's not part of the organization which runs production and critical workloads. Currently, users login with IAM users but the organization has SSO enabled.

My assumption is that the risks associated with joining the account to the organization are almost non-existent. Meaning the workloads will remain unaffected and existing IAM users will continue to work as they do now. Of course, the root user of the account will stop working because of the SCP.

Can anyone think of any other risks I should account for? Has anyone experienced issued?

Topics
Management & Governance
Tags
AWS OrganizationsAWS Account Management
Language
English
rePost-User-9358417
asked a year ago357 views
1 Answer
1

If the only SCP you have enabled is to disable root for member accounts then no non-root functionality inside the account should stop working. Joining an Organization is also a two way door. You can remove the account from the Organization if there are unintended issues. Is the SCP at the root level of the Org or at each OU? One best practice is to have a transitional OU with limited controls for bringing in new accounts. Once the account is in the Org without issues and everything is working, you can move it to its permanent OU with the SCP(s) in place.

AWS
GrantAWS
answered a year ago
  • rePost-User-9358417
    a year ago

    Thanks for posting! The SCP is applied at the individual OUs and not at the root. This was on purpose so that when the account joins, it will initially join without the SCP taking effect. The plan is to move the account into the OU once it has joined without issues. I like the idea of a transitional OU, can you invite an account into an initial OU? So far I've only seen them join the root.

  • GrantAWS
    a year ago

    You are correct. However that should not be a concern since root SCPs are inherited regardless. Once the account is added just move it to the Transitional OU. This way any additional OU level policies for standard accounts won't apply to the new account until you are ready.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content