
Trying out the full set of AWS Organizations operations with the AWS CLI


I went through the whole set of operations.

Account creation becomes much simpler, which is a great help.


Notes


  • The only endpoint is "us-east-1".

  • There are several things to watch out for, such as the permissions required to create an account and whether a created account can be deleted, so read the documentation carefully.




Preparation


Specify the region


command

export AWS_DEFAULT_REGION="us-east-1"



Creating the Organization


Create the Organization


command

aws organizations create-organization \
  --feature-set ALL


result

{
  "Organization": {
    "AvailablePolicyTypes": [
      {
        "Status": "ENABLED",
        "Type": "SERVICE_CONTROL_POLICY"
      }
    ],
    "MasterAccountId": "************",
    "MasterAccountArn": "arn:aws:organizations::************:account/o-**********/************",
    "FeatureSet": "ALL",
    "MasterAccountEmail": "********@*******.jp",
    "Id": "o-**********",
    "Arn": "arn:aws:organizations::************:organization/o-**********"
  }
}


Verify the Organization


command

aws organizations describe-organization



result

{
  "Organization": {
    "AvailablePolicyTypes": [
      {
        "Status": "ENABLED",
        "Type": "SERVICE_CONTROL_POLICY"
      }
    ],
    "MasterAccountId": "************",
    "MasterAccountArn": "arn:aws:organizations::************:account/o-**********/************",
    "FeatureSet": "ALL",
    "MasterAccountEmail": "********@*******.jp",
    "Id": "o-**********",
    "Arn": "arn:aws:organizations::************:organization/o-**********"
  }
}


Check the Root


command

aws organizations list-roots



result

{
  "Roots": [
    {
      "PolicyTypes": [],
      "Id": "r-****",
      "Arn": "arn:aws:organizations::************:root/o-**********/r-****",
      "Name": "Root"
    }
  ]
}


Creating an Organizational Unit (OU)


Get the Root ID


command

ROOT_ID=$(aws organizations list-roots \
  --query 'Roots[].Id' \
  --output text) \
  && echo ${ROOT_ID}


result

r-****



Specify the OU name


command

OU_NAME="test-ou"



Create the OU


command

aws organizations create-organizational-unit \
  --parent-id ${ROOT_ID} \
  --name ${OU_NAME}


result

{
  "OrganizationalUnit": {
    "Id": "ou-****-********",
    "Arn": "arn:aws:organizations::************:ou/o-**********/ou-****-********",
    "Name": "test-ou"
  }
}


Verifying the OU


Get the OU ID


command

OU_ID=$(aws organizations list-organizational-units-for-parent \
  --parent-id ${ROOT_ID} \
  --query 'OrganizationalUnits[].Id' \
  --output text) \
  && echo ${OU_ID}


result

ou-****-********



Describe the OU


command

aws organizations describe-organizational-unit \
  --organizational-unit-id ${OU_ID}


result

{
  "OrganizationalUnit": {
    "Id": "ou-****-********",
    "Arn": "arn:aws:organizations::************:ou/o-**********/ou-****-********",
    "Name": "test-ou"
  }
}


Creating a Policy


Create the Policy


Specify the policy document file name


command

POLICY_FILE_NAME="scp.json"



Generate the policy document


command

cat << EOF > ${POLICY_FILE_NAME}
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudtrail:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "config:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "aws-portal:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "budgets:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "sns:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "sts:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
EOF


Check the policy document


command

cat ${POLICY_FILE_NAME}



Validate the policy document


command

jsonlint -q ${POLICY_FILE_NAME}



Specify the policy name


command

POLICY_NAME="test-policy"

POLICY_DESCRIPTION="This is test policy."


Create the policy


command

aws organizations create-policy \
  --content file://${POLICY_FILE_NAME} \
  --description "${POLICY_DESCRIPTION}" \
  --name ${POLICY_NAME} \
  --type SERVICE_CONTROL_POLICY


result

{
  "Policy": {
    "Content": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"iam:*\"\n ],\n \"Resource\": [\n \"*\"\n ]\n },\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"cloudtrail:*\"\n ],\n \"Resource\": [\n \"*\"\n ]\n },\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"config:*\"\n ],\n \"Resource\": [\n \"*\"\n ]\n },\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"aws-portal:*\"\n ],\n \"Resource\": [\n \"*\"\n ]\n },\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"budgets:*\"\n ],\n \"Resource\": [\n \"*\"\n ]\n },\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"s3:*\"\n ],\n \"Resource\": [\n \"*\"\n ]\n },\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"sns:*\"\n ],\n \"Resource\": [\n \"*\"\n ]\n },\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"sts:*\"\n ],\n \"Resource\": [\n \"*\"\n ]\n }\n ]\n}\n",
    "PolicySummary": {
      "AwsManaged": false,
      "Description": "This is test policy.",
      "Type": "SERVICE_CONTROL_POLICY",
      "Id": "p-********",
      "Arn": "arn:aws:organizations::************:policy/o-**********/service_control_policy/p-********",
      "Name": "test-policy"
    }
  }
}


Verifying the Policy


List policies


command

aws organizations list-policies \
  --filter SERVICE_CONTROL_POLICY


result

{
  "Policies": [
    {
      "AwsManaged": true,
      "Description": "Allows access to every operation",
      "Type": "SERVICE_CONTROL_POLICY",
      "Id": "p-FullAWSAccess",
      "Arn": "arn:aws:organizations::aws:policy/service_control_policy/p-FullAWSAccess",
      "Name": "FullAWSAccess"
    },
    {
      "AwsManaged": false,
      "Description": "This is test policy.",
      "Type": "SERVICE_CONTROL_POLICY",
      "Id": "p-********",
      "Arn": "arn:aws:organizations::************:policy/o-**********/service_control_policy/p-********",
      "Name": "test-policy"
    }
  ]
}


Show the policy details


command

POLICY_ID=$(aws organizations list-policies \
  --filter SERVICE_CONTROL_POLICY \
  --query "Policies[?Name==\`${POLICY_NAME}\`].Id" \
  --output text) \
  && echo ${POLICY_ID}


result

p-********



command

aws organizations describe-policy \
  --policy-id ${POLICY_ID}


result

{
  "Policy": {
    "Content": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"iam:*\"\n ],\n \"Resource\": [\n \"*\"\n ]\n },\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"cloudtrail:*\"\n ],\n \"Resource\": [\n \"*\"\n ]\n },\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"config:*\"\n ],\n \"Resource\": [\n \"*\"\n ]\n },\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"aws-portal:*\"\n ],\n \"Resource\": [\n \"*\"\n ]\n },\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"budgets:*\"\n ],\n \"Resource\": [\n \"*\"\n ]\n },\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"s3:*\"\n ],\n \"Resource\": [\n \"*\"\n ]\n },\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"sns:*\"\n ],\n \"Resource\": [\n \"*\"\n ]\n },\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"sts:*\"\n ],\n \"Resource\": [\n \"*\"\n ]\n }\n ]\n}\n",
    "PolicySummary": {
      "AwsManaged": false,
      "Description": "This is test policy.",
      "Type": "SERVICE_CONTROL_POLICY",
      "Id": "p-********",
      "Arn": "arn:aws:organizations::************:policy/o-**********/service_control_policy/p-********",
      "Name": "test-policy"
    }
  }
}


Applying the Policy


Check the currently attached policies


command

aws organizations list-policies-for-target \
  --target-id ${OU_ID} \
  --filter SERVICE_CONTROL_POLICY


result

{
  "Policies": [
    {
      "AwsManaged": true,
      "Description": "Allows access to every operation",
      "Type": "SERVICE_CONTROL_POLICY",
      "Id": "p-FullAWSAccess",
      "Arn": "arn:aws:organizations::aws:policy/service_control_policy/p-FullAWSAccess",
      "Name": "FullAWSAccess"
    }
  ]
}


Enable the policy type (?)


command

aws organizations enable-policy-type \
  --root-id ${ROOT_ID} \
  --policy-type SERVICE_CONTROL_POLICY


result

{
  "Root": {
    "PolicyTypes": [],
    "Id": "r-****",
    "Arn": "arn:aws:organizations::************:root/o-**********/r-****",
    "Name": "Root"
  }
}


Attach the policy to the OU


command

aws organizations attach-policy \
  --policy-id ${POLICY_ID} \
  --target-id ${OU_ID}


result

(no return value)



Confirm that the policy is attached


command

aws organizations list-policies-for-target \
  --target-id ${OU_ID} \
  --filter SERVICE_CONTROL_POLICY


result

{
  "Policies": [
    {
      "AwsManaged": true,
      "Description": "Allows access to every operation",
      "Type": "SERVICE_CONTROL_POLICY",
      "Id": "p-FullAWSAccess",
      "Arn": "arn:aws:organizations::aws:policy/service_control_policy/p-FullAWSAccess",
      "Name": "FullAWSAccess"
    },
    {
      "AwsManaged": false,
      "Description": "This is test policy.",
      "Type": "SERVICE_CONTROL_POLICY",
      "Id": "p-********",
      "Arn": "arn:aws:organizations::************:policy/o-**********/service_control_policy/p-********",
      "Name": "test-policy"
    }
  ]
}


Detach the existing policy


command

aws organizations detach-policy \
  --policy-id "p-FullAWSAccess" \
  --target-id ${OU_ID}


result

(no return value)



Confirm that the policy is detached


command

aws organizations list-policies-for-target \
  --target-id ${OU_ID} \
  --filter SERVICE_CONTROL_POLICY


result

{
  "Policies": [
    {
      "AwsManaged": false,
      "Description": "This is test policy.",
      "Type": "SERVICE_CONTROL_POLICY",
      "Id": "p-********",
      "Arn": "arn:aws:organizations::************:policy/o-**********/service_control_policy/p-********",
      "Name": "test-policy"
    }
  ]
}
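The two list-policies-for-target results above show the point that matters for an allow-list SCP: while FullAWSAccess is still attached to the OU, attaching test-policy changes nothing, and the allow-list only takes effect once FullAWSAccess is detached. The following Python example is added here and is not code from the original post. It makes that reproducible offline: validate_scp applies the SCP-specific constraints that jsonlint cannot check (Version, Allow statements limited to Resource "*" with no Condition, the documented size limit), and effective_permission evaluates an action along the root → OU → account path using the SCP rule that every level must allow and no level may deny. The policy documents and the two path layouts are constructed copies of what the post shows; Condition, NotAction and NotResource are deliberately not evaluated. Keep in mind that SCPs never restrict the management account itself.

```python
"""Check an SCP document and work out what it actually permits.

Added example, not code from the original post. It encodes the documented
SCP evaluation rule: an action is available to a member account only if, at
every level from the root down to the account, some attached SCP has a
matching Allow statement and no attached SCP on the path has a matching
Deny. Condition, NotAction and NotResource are not evaluated here
(simplification). The management account is never constrained by SCPs.
"""
import fnmatch
import json

MAX_SCP_BYTES = 5120  # documented maximum size of an SCP document

# Constructed copy of the post's scp.json: an allow-list of eight services.
TEST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": [f"{svc}:*"], "Resource": ["*"]}
        for svc in ("iam", "cloudtrail", "config", "aws-portal",
                    "budgets", "s3", "sns", "sts")
    ],
})

# The AWS-managed FullAWSAccess policy that is attached everywhere by default.
FULL_AWS_ACCESS = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Root -> OU -> account paths as (level name, attached SCP documents).
PATH_BEFORE_DETACH = [
    ("root", [FULL_AWS_ACCESS]),
    ("test-ou", [FULL_AWS_ACCESS, TEST_POLICY]),  # right after attach-policy
    ("test-account", [FULL_AWS_ACCESS]),
]
PATH_AFTER_DETACH = [
    ("root", [FULL_AWS_ACCESS]),
    ("test-ou", [TEST_POLICY]),  # after detach-policy p-FullAWSAccess
    ("test-account", [FULL_AWS_ACCESS]),
]


def _as_list(value):
    """IAM accepts a string or a list for most elements; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def validate_scp(document):
    """Return a list of problems with an SCP document; empty means acceptable."""
    problems = []
    size = len(document.encode("utf-8"))
    if size > MAX_SCP_BYTES:
        problems.append(f"document is {size} bytes, above the {MAX_SCP_BYTES}-byte limit")
    try:
        policy = json.loads(document)
    except json.JSONDecodeError as exc:
        return problems + [f"invalid JSON: {exc.msg}"]
    if policy.get("Version") != "2012-10-17":
        problems.append("Version must be 2012-10-17")
    statements = _as_list(policy.get("Statement"))
    if not statements:
        problems.append("Statement is missing or empty")
    for i, stmt in enumerate(statements):
        if not isinstance(stmt, dict):
            problems.append(f"statement {i}: must be an object")
            continue
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {i}: Effect must be Allow or Deny")
        if "Action" not in stmt and "NotAction" not in stmt:
            problems.append(f"statement {i}: Action or NotAction is required")
        if stmt.get("Effect") == "Allow":
            # SCP Allow statements only accept Resource "*" and no Condition/Not* elements.
            if _as_list(stmt.get("Resource")) != ["*"]:
                problems.append(f'statement {i}: Allow statements must use Resource "*"')
            for key in ("Condition", "NotAction", "NotResource"):
                if key in stmt:
                    problems.append(f"statement {i}: {key} is only supported in Deny statements")
    return problems


def _matches(pattern, action):
    """IAM action matching: case-insensitive, with * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _level_decision(documents, action):
    """One hierarchy level: a matching Deny wins, otherwise any matching Allow, else implicit deny."""
    allowed = False
    for doc in documents:
        for stmt in _as_list(json.loads(doc)["Statement"]):
            if not any(_matches(p, action) for p in _as_list(stmt.get("Action"))):
                continue
            if stmt["Effect"] == "Deny":
                return "deny"
            allowed = True
    return "allow" if allowed else "implicit_deny"


def effective_permission(path, action):
    """Return (permitted, reason) for an action in a member account under `path`."""
    for level, documents in path:
        decision = _level_decision(documents, action)
        if decision != "allow":
            return False, f"{level}: {decision}"
    return True, "allowed at every level"


if __name__ == "__main__":
    print("scp.json problems:", validate_scp(TEST_POLICY) or "none")
    for action in ("s3:GetObject", "ec2:RunInstances"):
        print(action, "before detach:", effective_permission(PATH_BEFORE_DETACH, action))
        print(action, "after detach: ", effective_permission(PATH_AFTER_DETACH, action))
```

Running it shows ec2:RunInstances permitted before the detach and denied at the OU level afterwards, while s3:GetObject stays permitted; the same evaluator can be pointed at any root → OU → account layout to see what a service control policy change will actually block before it is applied.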


Creating an Account


command

EMAIL="***@***.jp"

ACCOUNT_NAME="test-account"


command

aws organizations create-account \
  --email ${EMAIL} \
  --account-name ${ACCOUNT_NAME} \
  --iam-user-access-to-billing ALLOW


result

{
  "CreateAccountStatus": {
    "RequestedTimestamp": 1488639507.841,
    "State": "IN_PROGRESS",
    "Id": "car-********************************",
    "AccountName": "test-account"
  }
}


command

aws organizations describe-create-account-status \
  --create-account-request-id car-********************************


result

{
  "CreateAccountStatus": {
    "AccountName": "test-account",
    "State": "SUCCEEDED",
    "RequestedTimestamp": 1488639508.084,
    "CompletedTimestamp": 1488639513.734,
    "Id": "car-********************************",
    "AccountId": "************"
  }
}


command

aws organizations list-accounts



result

{
  "Accounts": [
    {
      "Status": "ACTIVE",
      "Name": "test-account",
      "JoinedMethod": "CREATED",
      "JoinedTimestamp": 1488639510.79,
      "Id": "************",
      "Arn": "arn:aws:organizations::************:account/o-**********/************"
    },
    {
      "Status": "ACTIVE",
      "Name": "Nobuhiro Nakayama",
      "JoinedMethod": "INVITED",
      "JoinedTimestamp": 1488633570.287,
      "Id": "************",
      "Arn": "arn:aws:organizations::************:account/o-**********/************"
    }
  ]
}


command

ACCOUNT_ID=$(aws organizations list-accounts \
  --query "Accounts[?Name==\`${ACCOUNT_NAME}\`].Id" \
  --output text) \
  && echo ${ACCOUNT_ID}


command

aws organizations describe-account \
  --account-id ${ACCOUNT_ID}


result

{
  "Account": {
    "Status": "ACTIVE",
    "Name": "test-account",
    "JoinedMethod": "CREATED",
    "JoinedTimestamp": 1488639510.79,
    "Id": "************",
    "Arn": "arn:aws:organizations::************:account/o-**********/************"
  }
}
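create-account is asynchronous: the first response above is IN_PROGRESS and the account id only appears once describe-create-account-status reports SUCCEEDED, so anything scripted around it has to poll and must also handle FAILED. The following Python example is added here and is not code from the original post. wait_for_account polls a describe_status callable (a stand-in for `aws organizations describe-create-account-status`, or boto3's describe_create_account_status) until the request settles, surfacing FailureReason on failure and giving up after a bounded number of attempts; make_fake_describe replays constructed responses shaped like the ones in the post so the whole thing runs offline. The account id, request id and failure reason in the fake are constructed values.

```python
"""Wait for an Organizations CreateAccount request to finish.

Added example, not code from the original post. `describe_status` stands in
for `aws organizations describe-create-account-status` (or boto3's
describe_create_account_status); the fake below replays constructed
responses shaped like the ones in the post, so this runs offline.
"""
import time


def wait_for_account(describe_status, request_id, attempts=30, delay=5.0, sleep=time.sleep):
    """Poll until the request reaches SUCCEEDED or FAILED.

    Returns the final CreateAccountStatus dict on success. Raises RuntimeError
    carrying FailureReason on FAILED, and TimeoutError if it never settles.
    """
    for _ in range(attempts):
        status = describe_status(request_id)["CreateAccountStatus"]
        state = status["State"]
        if state == "SUCCEEDED":
            return status
        if state == "FAILED":
            reason = status.get("FailureReason", "unknown")
            raise RuntimeError(f"{request_id}: account creation failed ({reason})")
        sleep(delay)  # still IN_PROGRESS, wait before the next poll
    raise TimeoutError(f"{request_id}: still not finished after {attempts} polls")


def make_fake_describe(states, account_id="111111111111", failure_reason="EMAIL_ALREADY_EXISTS"):
    """Build a stand-in for the API call that returns one constructed response per poll.

    `states` is consumed in order; the last one repeats once exhausted.
    """
    remaining = list(states)

    def describe_status(request_id):
        state = remaining.pop(0) if remaining else states[-1]
        status = {
            "Id": request_id,
            "AccountName": "test-account",
            "State": state,
            "RequestedTimestamp": 1488639508.084,  # constructed, mirrors the post
        }
        if state == "SUCCEEDED":
            status["AccountId"] = account_id  # constructed value
            status["CompletedTimestamp"] = 1488639513.734
        elif state == "FAILED":
            status["FailureReason"] = failure_reason
        return {"CreateAccountStatus": status}

    return describe_status


def demo():
    """Run the poller against a success sequence; returns the new account id."""
    fake = make_fake_describe(["IN_PROGRESS", "IN_PROGRESS", "SUCCEEDED"])
    return wait_for_account(fake, "car-example", sleep=lambda _: None)["AccountId"]


if __name__ == "__main__":
    print("created account:", demo())
```

With a real client, pass `lambda rid: client.describe_create_account_status(CreateAccountRequestId=rid)` as describe_status and leave the default sleep in place; the bounded attempts keep a stuck request from hanging the script indefinitely.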


Moving the Account into the OU


Check the account's parent before the move

You can confirm that an account sits directly under Root right after it is created.


command

aws organizations list-parents \
  --child-id ${ACCOUNT_ID}


result

{
  "Parents": [
    {
      "Type": "ROOT",
      "Id": "r-****"
    }
  ]
}


Move the account


command

aws organizations move-account \
  --account-id ${ACCOUNT_ID} \
  --source-parent-id ${ROOT_ID} \
  --destination-parent-id ${OU_ID}


result

(no return value)



Check the account's parent after the move


command

aws organizations list-parents \
  --child-id ${ACCOUNT_ID}


result

{
  "Parents": [
    {
      "Type": "ORGANIZATIONAL_UNIT",
      "Id": "ou-****-********"
    }
  ]
}


(Functional check) Access the created account

Because a role named "OrganizationAccountAccessRole" is created in the new account by default, we assume that role.


command

aws sts assume-role \
  --role-arn "arn:aws:iam::${ACCOUNT_ID}:role/OrganizationAccountAccessRole" \
  --role-session-name "test-session"


result

{
  "AssumedRoleUser": {
    "AssumedRoleId": "A********************:test-session",
    "Arn": "arn:aws:sts::************:assumed-role/OrganizationAccountAccessRole/test-session"
  },
  "Credentials": {
    "SecretAccessKey": "****************************************",
    "SessionToken": "****************************************************************************************************************************************************************************************************************************************************************************************************************************************************",
    "Expiration": "2017-03-04T16:37:55Z",
    "AccessKeyId": "********************"
  }
}

That's all.