AWS_PROFILE=myorg-master aws organizations create-organization --feature-set ALL
The response should look as follows:
{
    "Organization": {
        "Id": "o-grbsdfkldsf",
        "Arn": "arn:aws:organizations::1234567:organization/o-grbsdfkldsf",
        "FeatureSet": "ALL",
        "MasterAccountArn": "arn:aws:organizations::1234567:account/o-grbsdfkldsf/1234567",
        "MasterAccountId": "1234567",
        "MasterAccountEmail": "user@domain.org",
        "AvailablePolicyTypes": [
            {
                "Type": "SERVICE_CONTROL_POLICY",
                "Status": "ENABLED"
            }
        ]
    }
}
You should receive an email asking you to verify the specified master account email address. Click the link in that mail to complete the verification.
Get the root id of your organization:
AWS_PROFILE=myorg-master aws organizations list-roots --query 'Roots[].Id' --output text
Export the id to your shell:
export ROOT_ID=r-sdfs
Create the Core organization unit:
AWS_PROFILE=myorg-master aws organizations create-organizational-unit --parent-id ${ROOT_ID} --name Core
Create the Custom organization unit:
AWS_PROFILE=myorg-master aws organizations create-organizational-unit --parent-id ${ROOT_ID} --name Custom
Enable Service Control Policies with the following command:
AWS_PROFILE=myorg-master aws organizations enable-policy-type --root-id ${ROOT_ID} --policy-type SERVICE_CONTROL_POLICY
Create the temporary file DenyOutsideEUCentral1AndUSEast1.json with the following content:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyOutsideEUCentral1AndUSEast1",
            "Effect": "Deny",
            "NotAction": [
                "budgets:*",
                "cloudfront:*",
                "cloudtrail:*",
                "cloudwatch:*",
                "config:*",
                "globalaccelerator:*",
                "iam:*",
                "importexport:*",
                "kms:*",
                "lambda:*",
                "logs:*",
                "organizations:*",
                "route53:*",
                "support:*",
                "waf:*"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:RequestedRegion": [
                        "eu-central-1",
                        "us-east-1"
                    ]
                }
            }
        }
    ]
}
Create the service control policy:
AWS_PROFILE=myorg-master aws organizations create-policy --content file://DenyOutsideEUCentral1AndUSEast1.json --name DenyOutsideEUCentral1AndUSEast1 --type SERVICE_CONTROL_POLICY --description "Denies access to any operations outside of the eu-central-1 & us-east-1 region (except for global services)"
Export the id of this policy (returned as Policy.PolicySummary.Id in the create-policy response) to your shell:
export POLICY_ID=p-sfdfdsf
Attach the policy to the root of your organization:
AWS_PROFILE=myorg-master aws organizations attach-policy --policy-id ${POLICY_ID} --target-id ${ROOT_ID}
Create the temporary file DenyNewRegions.json with the following content:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyNewRegions",
            "Effect": "Deny",
            "Action": [
                "account:EnableRegion",
                "account:DisableRegion"
            ],
            "Resource": "*"
        }
    ]
}
Create the service control policy:
AWS_PROFILE=myorg-master aws organizations create-policy --content file://DenyNewRegions.json --name DenyNewRegions --type SERVICE_CONTROL_POLICY --description "Denies access to new AWS regions"
Export the id of this policy (returned as Policy.PolicySummary.Id in the create-policy response) to your shell:
export POLICY_ID=p-sdfsfdfsd
Attach the policy to the root of your organization:
AWS_PROFILE=myorg-master aws organizations attach-policy --policy-id ${POLICY_ID} --target-id ${ROOT_ID}
Create the temporary file DenyLeaveOrganization.json with the following content:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyLeaveOrganization",
            "Effect": "Deny",
            "Action": [
                "organizations:LeaveOrganization"
            ],
            "Resource": "*"
        }
    ]
}
Create the service control policy:
AWS_PROFILE=myorg-master aws organizations create-policy --content file://DenyLeaveOrganization.json --name DenyLeaveOrganization --type SERVICE_CONTROL_POLICY --description "This SCP prevents users or roles in any affected account from leaving AWS Organizations"
Export the id of this policy (returned as Policy.PolicySummary.Id in the create-policy response) to your shell:
export POLICY_ID=p-sdfsfdfsd
Attach the policy to the root of your organization:
AWS_PROFILE=myorg-master aws organizations attach-policy --policy-id ${POLICY_ID} --target-id ${ROOT_ID}
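Before attaching Deny SCPs to the root, it pays to check what they actually block. The following is an added example, not part of the original walkthrough: a deliberately simplified evaluator (only the Deny effect, the Action/NotAction choice and the StringNotEquals operator that these three policies use, and assuming the default FullAWSAccess SCP stays attached) run against constructed copies of the three SCPs above, so you can see, for instance, that ec2:RunInstances in eu-west-1 is denied while lambda:CreateFunction in ap-southeast-1 is not, because lambda:* sits in the NotAction exemption list.

```python
import fnmatch

# Constructed copies of the three SCPs defined on this page.
REGION_SCP = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyOutsideEUCentral1AndUSEast1", "Effect": "Deny",
    "NotAction": ["budgets:*", "cloudfront:*", "cloudtrail:*", "cloudwatch:*", "config:*",
                  "globalaccelerator:*", "iam:*", "importexport:*", "kms:*", "lambda:*",
                  "logs:*", "organizations:*", "route53:*", "support:*", "waf:*"],
    "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-central-1", "us-east-1"]}}}]}
NEW_REGIONS_SCP = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyNewRegions", "Effect": "Deny",
    "Action": ["account:EnableRegion", "account:DisableRegion"], "Resource": "*"}]}
LEAVE_SCP = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyLeaveOrganization", "Effect": "Deny",
    "Action": ["organizations:LeaveOrganization"], "Resource": "*"}]}
ROOT_SCPS = [REGION_SCP, NEW_REGIONS_SCP, LEAVE_SCP]


def _action_matches(patterns, action):
    # IAM action names are matched case-insensitively, with '*' as a wildcard.
    pats = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in pats)


def _condition_holds(condition, ctx):
    # Simplified evaluator (assumption): only StringNotEquals is implemented, the
    # one operator these SCPs use. As in IAM, a negated operator is true when the
    # condition key is absent from the request context.
    for key, wanted in condition.get("StringNotEquals", {}).items():
        wanted = wanted if isinstance(wanted, list) else [wanted]
        if key in ctx and ctx[key] in wanted:
            return False
    return True


def denying_sids(policies, action, region):
    """Return the Sids of every Deny statement that matches this request."""
    ctx = {"aws:RequestedRegion": region}
    hits = []
    for st in (s for p in policies for s in p["Statement"] if s["Effect"] == "Deny"):
        # NotAction means the statement covers every action that is NOT listed.
        applies = (_action_matches(st["Action"], action) if "Action" in st
                   else not _action_matches(st["NotAction"], action))
        if applies and _condition_holds(st.get("Condition", {}), ctx):
            hits.append(st["Sid"])
    return hits


def scp_allows(action, region, policies=ROOT_SCPS):
    """True when no attached Deny matches; assumes the default FullAWSAccess SCP is also attached."""
    return not denying_sids(policies, action, region)
```

Feed it the actions your workloads actually need before rolling the policies out; any service you expect to use outside eu-central-1 and us-east-1 must appear in the NotAction list, and anything in that list is usable in every region.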