{"id":2128,"date":"2020-12-14T20:43:30","date_gmt":"2020-12-14T17:43:30","guid":{"rendered":"https:\/\/artem.services\/?p=2128"},"modified":"2020-12-14T20:52:49","modified_gmt":"2020-12-14T17:52:49","slug":"aws-organization-%d0%b0%d0%b2%d1%82%d0%be%d0%bc%d0%b0%d1%82%d0%b8%d1%87%d0%b5%d1%81%d0%ba%d0%be%d0%b5-%d0%b4%d0%be%d0%b1%d0%b0%d0%b2%d0%bb%d0%b5%d0%bd%d0%b8%d0%b5-sign-in-url-%d0%b4%d0%bb%d1%8f","status":"publish","type":"post","link":"https:\/\/artem.services\/?p=2128","title":{"rendered":"AWS Organization &#8212; Automatic addition of a Sign-in URL for new accounts"},"content":{"rendered":"<p><img loading=\"lazy\" class=\"aligncenter size-full wp-image-214\" src=\"https:\/\/artem.services\/wp-content\/uploads\/2018\/11\/AWS-Logo.png\" alt=\"\" width=\"975\" height=\"450\" srcset=\"https:\/\/artem.services\/wp-content\/uploads\/2018\/11\/AWS-Logo.png 975w, https:\/\/artem.services\/wp-content\/uploads\/2018\/11\/AWS-Logo-300x138.png 300w, https:\/\/artem.services\/wp-content\/uploads\/2018\/11\/AWS-Logo-768x354.png 768w, https:\/\/artem.services\/wp-content\/uploads\/2018\/11\/AWS-Logo-954x440.png 954w\" sizes=\"(max-width: 975px) 100vw, 975px\" \/><\/p>\n<p>To have a &quot;<strong>Sign-in URL<\/strong>&quot; (an IAM account alias, which gives the console address https:\/\/&lt;alias&gt;.signin.aws.amazon.com\/console) created automatically for every account that <strong>Control Tower<\/strong> adds, you need the following:<\/p>\n<ul>\n<li>create a Lambda function in the master (management) account; the region must be <strong>us-east-1<\/strong> (N. Virginia), because AWS Organizations is a global service whose API calls <strong>CloudTrail<\/strong> records in us-east-1, and that CloudTrail event is the trigger;<\/li>\n<li>create a policy that allows the function to assume a role in the member accounts (and to look the account up in Organizations) and attach it to the Lambda execution role;<\/li>\n<li>create a CloudWatch Event Rule (EventBridge) with the Lambda function as the target;<\/li>\n<li>in the master account create a StackSet that creates the required role and policy in every new account that lands in the OU.<\/li>\n<\/ul>\n<h3>StackSet:<\/h3>\n<pre class=\"brush: yaml; title: ; notranslate\" title=\"\">\r\nAWSTemplateFormatVersion: 2010-09-09\r\nDescription: 'Creates the IAM role and policy through which the Control Tower master account sets an account alias in a member account'\r\n\r\nResources:\r\n  ControlTowerMaster:\r\n    Type: 'AWS::IAM::Role'\r\n    Properties:\r\n      RoleName: 'ControlTower-Master'\r\n      AssumeRolePolicyDocument:\r\n        Version: '2012-10-17'\r\n        Statement:\r\n          - Effect: Allow\r\n            Principal:\r\n              AWS:\r\n                - &quot;arn:aws:iam::XXXXXXXXXXXX:root&quot;\r\n            Action:\r\n              - 'sts:AssumeRole'\r\n      Policies:\r\n        - PolicyName: 'ControlTower-Master'\r\n          PolicyDocument:\r\n            Version: '2012-10-17'\r\n            Statement:\r\n              - Effect: Allow\r\n                Action:\r\n                  - 'iam:CreateAccountAlias'\r\n                Resource: '*'\r\n      MaxSessionDuration: 3600\r\n      Path: \/\r\n<\/pre>\n<blockquote><p>Where &quot;<strong>XXXXXXXXXXXX<\/strong>&quot; is the <strong>ID<\/strong> of the master account. Trusting the account <strong>root<\/strong> means that any principal in the master account that is allowed to call sts:AssumeRole can assume this role; to tighten it, put the ARN of the Lambda execution role in <strong>Principal<\/strong> instead.<\/p><\/blockquote>\n<h3>Lambda:<\/h3>\n<pre class=\"brush: python; title: ; notranslate\" title=\"\">\r\nimport re\r\n\r\nimport boto3\r\n\r\n\r\ndef get_account_name(account_id):\r\n    # Look the account name up in AWS Organizations (requires organizations:DescribeAccount)\r\n    account_name = boto3.client('organizations').describe_account(AccountId=account_id)['Account']['Name']\r\n    create_account_alias(account_id, account_name)\r\n\r\n\r\ndef create_account_alias(account_id, account_name):\r\n    # An alias may contain only lowercase letters, digits and hyphens and may not start or end with a hyphen\r\n    account_name = re.sub('[^A-Za-z0-9]+', '-', account_name).strip('-').lower()\r\n    sts_client = boto3.client('sts')\r\n\r\n    # Assume the role that the StackSet created in the member account\r\n    response = sts_client.assume_role(\r\n        RoleArn='arn:aws:iam::' + str(account_id) + ':role\/ControlTower-Master',\r\n        RoleSessionName='assume_role_session'\r\n    )\r\n\r\n    iam_client = boto3.client(\r\n        'iam',\r\n        aws_access_key_id=response['Credentials']['AccessKeyId'],\r\n        aws_secret_access_key=response['Credentials']['SecretAccessKey'],\r\n        aws_session_token=response['Credentials']['SessionToken']\r\n    )\r\n\r\n    # Create the account alias; the Sign-in URL becomes https:\/\/&lt;alias&gt;.signin.aws.amazon.com\/console\r\n    iam_client.create_account_alias(AccountAlias=account_name)\r\n\r\n\r\ndef main(event, context):\r\n    # Lambda handler (set the function handler to &lt;module&gt;.main);\r\n    # the MoveAccount event carries the moved account's ID in requestParameters\r\n    account_id = event['detail']['requestParameters']['accountId']\r\n    get_account_name(account_id)\r\n<\/pre>\n<h3>Lambda Policy:<\/h3>\n<pre class=\"brush: java; title: ; notranslate\" title=\"\">\r\n{\r\n    &quot;Version&quot;: &quot;2012-10-17&quot;,\r\n    &quot;Statement&quot;: [\r\n        {\r\n            &quot;Effect&quot;: &quot;Allow&quot;,\r\n            &quot;Action&quot;: &quot;sts:AssumeRole&quot;,\r\n            &quot;Resource&quot;: &quot;arn:aws:iam::*:role\/ControlTower-Master&quot;\r\n        },\r\n        {\r\n            &quot;Effect&quot;: &quot;Allow&quot;,\r\n            &quot;Action&quot;: &quot;organizations:DescribeAccount&quot;,\r\n            &quot;Resource&quot;: &quot;*&quot;\r\n        }\r\n    ]\r\n}\r\n<\/pre>\n<blockquote><p>The sts:AssumeRole statement is limited to the role the StackSet creates instead of <strong>Resource: *<\/strong>, so a compromised function cannot be used to assume every other role that trusts the master account. The second statement is what the describe_account call in the function needs; the execution role still needs the usual CloudWatch Logs permissions (AWSLambdaBasicExecutionRole) for logging.<\/p><\/blockquote>\n<h3>CloudWatch Event Rule:<\/h3>\n<pre class=\"brush: java; title: ; notranslate\" title=\"\">\r\n{\r\n  &quot;source&quot;: [\r\n    &quot;aws.organizations&quot;\r\n  ],\r\n  &quot;detail-type&quot;: [\r\n    &quot;AWS API Call via CloudTrail&quot;\r\n  ],\r\n  &quot;detail&quot;: {\r\n    &quot;eventSource&quot;: [\r\n      &quot;organizations.amazonaws.com&quot;\r\n    ],\r\n    &quot;eventName&quot;: [\r\n      &quot;MoveAccount&quot;\r\n    ],\r\n    &quot;requestParameters&quot;: {\r\n      &quot;sourceParentId&quot;: [\r\n        &quot;r-xxx&quot;\r\n      ],\r\n      &quot;destinationParentId&quot;: [\r\n        &quot;ou-xxx-yyyyyyyy&quot;\r\n      ]\r\n    }\r\n  }\r\n}\r\n<\/pre>\n<blockquote><p>Where &quot;<strong>r-xxx<\/strong>&quot; is the ID of your organization's <strong>root<\/strong> (not the organization ID, which starts with o-; aws organizations list-roots shows it) and &quot;<strong>ou-xxx-yyyyyyyy<\/strong>&quot; is the ID of the OU. Account Factory creates the new account under the root and then moves it into the chosen OU, and that MoveAccount call is what the rule matches. Events of type &quot;AWS API Call via CloudTrail&quot; are only delivered while a CloudTrail trail with logging enabled exists in the master account.<\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>To have a &quot;Sign-in URL&quot; (an IAM account alias, which gives the console address https:\/\/&lt;alias&gt;.signin.aws.amazon.com\/console) created automatically for every account that Control Tower adds, you need the following: create a Lambda function in the master (management) account; the region must be us-east-1 (N. Virginia), because AWS Organizations is a global service whose API calls CloudTrail records in us-east-1, and that CloudTrail event is the trigger; create a policy that allows the function to assume a role &hellip; <a href=\"https:\/\/artem.services\/?p=2128\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &quot;AWS Organization &#8212; Automatic addition of a Sign-in URL for new accounts&quot;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[24],"tags":[1757,25,1423,1751,893,1743,1753,1755],"_links":{"self":[{"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/posts\/2128"}],"collection":[{"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/artem.services\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2128"}],"version-history":[{"count":3,"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/posts\/2128\/revisions"}],"predecessor-version":[{"id":2130,"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/posts\/2128\/revisions\/2130"}],"wp:attachment":[{"href":"https:\/\/artem.services\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2128"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/artem.services\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2128"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/artem.services\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2128"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
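The procedure in the post (event rule, Lambda, account alias) can be exercised end to end without an AWS account. The block below is an added example and is not the post's own Lambda code: it constructs a MoveAccount event in the shape CloudTrail and EventBridge deliver it, checks it against the rule pattern with EventBridge's exact-match semantics, derives an alias that satisfies the documented IAM alias syntax (3 to 63 characters, lowercase letters, digits and hyphens, no leading, trailing or doubled hyphen) from the Organizations account name, and deals with the failure mode the post does not cover: aliases are unique across all of AWS, so `CreateAccountAlias` can fail with `EntityAlreadyExists` for a name nobody in your organization has used. The root, OU and account IDs are placeholders, the `FakeIam` class and the `AliasTaken` exception are hypothetical stand-ins for the assumed-role IAM client and botocore's `ClientError`, and `handle` mirrors the post's `main` with the clients injected.

```python
"""Offline walk-through of the alias automation: added example, not the post's Lambda.
FakeIam and AliasTaken are hypothetical stand-ins so that nothing talks to AWS."""
import re

# Constructed sample event; root, OU and account IDs are placeholders, not real identifiers.
SAMPLE_EVENT = {
    "source": "aws.organizations",
    "detail-type": "AWS API Call via CloudTrail",
    "region": "us-east-1",
    "detail": {
        "eventSource": "organizations.amazonaws.com",
        "eventName": "MoveAccount",
        "requestParameters": {
            "accountId": "111111111111",
            "sourceParentId": "r-abcd",
            "destinationParentId": "ou-abcd-12345678",
        },
    },
}

# The post's CloudWatch Event Rule pattern with the placeholders filled in.
RULE_PATTERN = {
    "source": ["aws.organizations"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["organizations.amazonaws.com"],
        "eventName": ["MoveAccount"],
        "requestParameters": {
            "sourceParentId": ["r-abcd"],
            "destinationParentId": ["ou-abcd-12345678"],
        },
    },
}


def pattern_matches(pattern, event):
    """EventBridge exact-match semantics for the subset the rule uses: every pattern key must
    be present, a list means "any of these values", a nested dict is matched recursively.
    Keys the pattern does not mention (accountId) are left unconstrained."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not pattern_matches(expected, event[key]):
                return False
        elif event[key] not in expected:
            return False
    return True


# Documented IAM alias syntax: 3-63 chars of lowercase letters, digits and hyphens,
# no leading or trailing hyphen and no two consecutive hyphens.
ALIAS_RE = re.compile(r"^[a-z0-9](?:(?:[a-z0-9]|-(?!-))*[a-z0-9])?$")


def account_name_to_alias(account_name):
    """Derive a valid alias from an Organizations account name or raise ValueError."""
    alias = re.sub(r"[^A-Za-z0-9]+", "-", account_name).strip("-").lower()
    alias = alias[:63].rstrip("-")
    if len(alias) < 3 or not ALIAS_RE.match(alias):
        raise ValueError("no valid account alias can be derived from %r" % account_name)
    return alias


class AliasTaken(Exception):
    """Stands in for botocore's ClientError with code EntityAlreadyExists."""


class FakeIam:
    """Hypothetical stand-in for the IAM client built from the assumed-role credentials."""

    def __init__(self, taken):
        self.taken = set(taken)

    def create_account_alias(self, AccountAlias):
        # Aliases are unique across all of AWS, so another customer may already own the name.
        if AccountAlias in self.taken:
            raise AliasTaken(AccountAlias)
        self.taken.add(AccountAlias)


def set_alias(iam, account_id, account_name):
    """Try the derived alias; on a collision fall back to <alias>-<last 4 digits of account ID>."""
    alias = account_name_to_alias(account_name)
    try:
        iam.create_account_alias(AccountAlias=alias)
        return alias
    except AliasTaken:
        # Keep the fallback within 63 characters: 58 + hyphen + 4 digits.
        fallback = account_name_to_alias("%s-%s" % (alias[:58].rstrip("-"), account_id[-4:]))
        iam.create_account_alias(AccountAlias=fallback)
        return fallback


def handle(event, account_name, iam):
    """The Lambda flow: filter by the rule pattern, extract the account ID, set the alias.
    Returns the Sign-in URL, or None when the event is not the MoveAccount the rule targets."""
    if not pattern_matches(RULE_PATTERN, event):
        return None
    account_id = event["detail"]["requestParameters"]["accountId"]
    return "https://%s.signin.aws.amazon.com/console" % set_alias(iam, account_id, account_name)


if __name__ == "__main__":
    print(handle(SAMPLE_EVENT, "Sandbox / Data Team (EU)", FakeIam(["sandbox-data-team-eu"])))
```

The fallback suffix is one possible policy; in production you would rather record the collision (the account name is user-chosen, so a predictable alias also lets an outsider pre-register it) and fail visibly than silently pick a different Sign-in URL. `pattern_matches` only implements the literal-list matching the post's rule needs, not the prefix, numeric or `exists` matchers EventBridge also supports.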