{"id":2308,"date":"2020-12-14T20:43:30","date_gmt":"2020-12-14T17:43:30","guid":{"rendered":"https:\/\/artem.services\/?p=2128"},"modified":"2022-06-08T23:12:34","modified_gmt":"2022-06-08T20:12:34","slug":"2308","status":"publish","type":"post","link":"https:\/\/artem.services\/?p=2308&lang=en","title":{"rendered":"\u00a0AWS Organization &#8212; Automatic adding Sign-in URL for new accounts"},"content":{"rendered":"<p><img loading=\"lazy\" class=\"aligncenter size-full wp-image-214\" src=\"https:\/\/artem.services\/wp-content\/uploads\/2018\/11\/AWS-Logo.png\" alt=\"\" width=\"975\" height=\"450\" srcset=\"https:\/\/artem.services\/wp-content\/uploads\/2018\/11\/AWS-Logo.png 975w, https:\/\/artem.services\/wp-content\/uploads\/2018\/11\/AWS-Logo-300x138.png 300w, https:\/\/artem.services\/wp-content\/uploads\/2018\/11\/AWS-Logo-768x354.png 768w, https:\/\/artem.services\/wp-content\/uploads\/2018\/11\/AWS-Logo-954x440.png 954w\" sizes=\"(max-width: 975px) 100vw, 975px\" \/><\/p>\n<p><span class=\"VIiyi\" lang=\"en\"><span class=\"JLqJ4b ChMk0b\" data-language-for-alternatives=\"en\" data-language-to-translate-into=\"ru\" data-phrase-index=\"0\" data-number-of-phrases=\"1\"><span class=\"Q4iAWc\">To automatically generate a &quot;<strong>Sign-in URL<\/strong>&quot; to a newly added <strong>Control Tower<\/strong> account, you will need the following:<\/span><\/span><\/span><\/p>\n<ul>\n<li><span class=\"VIiyi\" lang=\"en\"><span class=\"JLqJ4b ChMk0b\" data-language-for-alternatives=\"en\" data-language-to-translate-into=\"ru\" data-phrase-index=\"0\" data-number-of-phrases=\"1\"><span class=\"Q4iAWc\">create a Lambda function on the master account (the region must be <strong>us-east-1<\/strong> &#8212; <strong>Virginia<\/strong>, so we will use <strong>CloudTrail<\/strong> as a trigger);<\/span><\/span><\/span><\/li>\n<li><span class=\"VIiyi\" lang=\"en\"><span class=\"JLqJ4b ChMk0b\" data-language-for-alternatives=\"en\" data-language-to-translate-into=\"ru\" data-phrase-index=\"0\" data-number-of-phrases=\"1\"><span class=\"Q4iAWc\">create a policy that allows you to assign a role and attach it to the Lambda role;<\/span><\/span><\/span><\/li>\n<li><span class=\"VIiyi\" lang=\"en\"><span class=\"JLqJ4b ChMk0b\" data-language-for-alternatives=\"en\" data-language-to-translate-into=\"ru\" data-phrase-index=\"0\" data-number-of-phrases=\"1\"><span class=\"Q4iAWc\">create a CloudWatch Event Rule and specify a lambda as a target;<\/span><\/span><\/span><\/li>\n<li><span class=\"VIiyi\" lang=\"en\"><span class=\"JLqJ4b ChMk0b\" data-language-for-alternatives=\"en\" data-language-to-translate-into=\"ru\" data-phrase-index=\"0\" data-number-of-phrases=\"1\"><span class=\"Q4iAWc\">create a StackSet on the master account to create the necessary role and policy on the new account in the OU;<\/span><\/span><\/span><\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h3>StackSet:<\/h3>\n<pre class=\"brush: yaml; title: ; notranslate\" title=\"\">\r\nAWSTemplateFormatVersion: 2010-09-09\r\nDescription: &#039;Template create IAM Roles and Policies for access from Control Tower master account&#039;\r\n\r\nResources:\r\n  ControlTowerMaster:\r\n    Type: &#039;AWS::IAM::Role&#039;\r\n    Properties:\r\n      RoleName: &#039;ControlTower-Master&#039;\r\n      AssumeRolePolicyDocument:\r\n        Version: 2012-10-17\r\n        Statement:\r\n          - Effect: Allow\r\n            Principal:\r\n              AWS:\r\n              - &quot;arn:aws:iam::XXXXXXXXXXXX:root&quot;\r\n            Action:\r\n              - &#039;sts:AssumeRole&#039;\r\n      Policies:\r\n        - PolicyName: &#039;ControlTower-Master&#039;\r\n          PolicyDocument:\r\n            Version: 2012-10-17\r\n            Statement:\r\n              - Effect: Allow\r\n                Action:\r\n                  - &#039;iam:CreateAccountAlias&#039;\r\n                Resource: &#039;*&#039;\r\n      MaxSessionDuration: 3600\r\n      Path: \/\r\n<\/pre>\n<p>&nbsp;<\/p>\n<blockquote><p>Where &quot;<strong>XXXXXXXXXXXX<\/strong>&quot; &#8212;\u00a0<span class=\"VIiyi\" lang=\"en\"><span class=\"JLqJ4b ChMk0b\" data-language-for-alternatives=\"en\" data-language-to-translate-into=\"ru\" data-phrase-index=\"0\" data-number-of-phrases=\"1\"><span class=\"Q4iAWc\">master account <strong>ID<\/strong><\/span><\/span><\/span><\/p><\/blockquote>\n<p>&nbsp;<\/p>\n<h3>Lambda:<\/h3>\n<pre class=\"brush: python; title: ; notranslate\" title=\"\">\r\nimport boto3\r\nimport re\r\n\r\ndef get_account_name(account_id):\r\n    account_name = boto3.client(&#039;organizations&#039;).describe_account(AccountId = account_id).get(&#039;Account&#039;).get(&#039;Name&#039;)\r\n    create_account_alias(account_id, account_name)\r\n\r\ndef create_account_alias(account_id, account_name):\r\n    account_name = re.sub(&#039;[^A-Za-z0-9]+&#039;, &#039;-&#039;, account_name)\r\n    sts_client = boto3.client(&#039;sts&#039;)\r\n\r\n    response = sts_client.assume_role(\r\n        RoleArn = &quot;arn:aws:iam::&quot; + str(account_id) + &quot;:role\/AIT-ControlTower-Master&quot;,\r\n        RoleSessionName = &#039;assume_role_session&#039;\r\n    )\r\n\r\n    iam_client = boto3.client(\r\n        &#039;iam&#039;,\r\n        aws_access_key_id = response[&#039;Credentials&#039;][&#039;AccessKeyId&#039;],\r\n        aws_secret_access_key = response[&#039;Credentials&#039;][&#039;SecretAccessKey&#039;],\r\n        aws_session_token = response[&#039;Credentials&#039;][&#039;SessionToken&#039;]\r\n    )\r\n\r\n    # Create an account alias\r\n    iam_client.create_account_alias(\r\n        AccountAlias = account_name.lower()\r\n    )\r\n\r\ndef main(event, context):\r\n    account_id = (event[&quot;detail&quot;][&quot;requestParameters&quot;][&quot;accountId&quot;])\r\n    get_account_name(account_id)\r\n \r\nif __name__ == &#039;__main__&#039;:\r\n    main()\r\n<\/pre>\n<p>&nbsp;<\/p>\n<h3>Lambda Policy:<\/h3>\n<pre class=\"brush: java; title: ; notranslate\" title=\"\">\r\n{\r\n    &quot;Version&quot;: &quot;2012-10-17&quot;,\r\n    &quot;Statement&quot;: {\r\n        &quot;Effect&quot;: &quot;Allow&quot;,\r\n        &quot;Action&quot;: &quot;sts:AssumeRole&quot;,\r\n        &quot;Resource&quot;: &quot;*&quot;\r\n    }\r\n}\r\n<\/pre>\n<p>&nbsp;<\/p>\n<h3>CloudWatch Event Rule:<\/h3>\n<pre class=\"brush: java; title: ; notranslate\" title=\"\">\r\n{\r\n  &quot;source&quot;: [\r\n    &quot;aws.organizations&quot;\r\n  ],\r\n  &quot;detail-type&quot;: [\r\n    &quot;AWS API Call via CloudTrail&quot;\r\n  ],\r\n  &quot;detail&quot;: {\r\n    &quot;eventSource&quot;: [\r\n      &quot;organizations.amazonaws.com&quot;\r\n    ],\r\n    &quot;eventName&quot;: [\r\n      &quot;MoveAccount&quot;\r\n    ],\r\n    &quot;requestParameters&quot;: {\r\n      &quot;sourceParentId&quot;: [\r\n        &quot;r-xxx&quot;\r\n      ],\r\n      &quot;destinationParentId&quot;: [\r\n        &quot;ou-xxx-yyyyyyyy&quot;\r\n      ]\r\n    }\r\n  }\r\n}\r\n<\/pre>\n<p>&nbsp;<\/p>\n<blockquote><p>Where &quot;<strong>r-xxx<\/strong>&quot; &#8212; y<span class=\"VIiyi\" lang=\"en\"><span class=\"JLqJ4b ChMk0b\" data-language-for-alternatives=\"en\" data-language-to-translate-into=\"ru\" data-phrase-index=\"0\" data-number-of-phrases=\"1\"><span class=\"Q4iAWc\">our organization <strong>ID<\/strong><\/span><\/span><\/span>, and &quot;<strong>ou-xxx-yyyyyyyy<\/strong>&quot; &#8212; OU ID<\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>To automatically generate a &quot;Sign-in URL&quot; to a newly added Control Tower account, you will need the following: create a Lambda function on the master account (the region must be us-east-1 &#8212; Virginia, so we will use CloudTrail as a trigger); create a policy that allows you to assign a role and attach it to &hellip; <a href=\"https:\/\/artem.services\/?p=2308&#038;lang=en\" class=\"more-link\">\u041f\u0440\u043e\u0434\u043e\u043b\u0436\u0438\u0442\u044c \u0447\u0438\u0442\u0430\u0442\u044c<span class=\"screen-reader-text\"> &quot;\u00a0AWS Organization &#8212; Automatic adding Sign-in URL for new accounts&quot;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[599],"tags":[1875,543,1439,1877,885,1747,1879,1881],"_links":{"self":[{"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/posts\/2308"}],"collection":[{"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/artem.services\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2308"}],"version-history":[{"count":2,"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/posts\/2308\/revisions"}],"predecessor-version":[{"id":2310,"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/posts\/2308\/revisions\/2310"}],"wp:attachment":[{"href":"https:\/\/artem.services\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2308"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/artem.services\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2308"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/artem.services\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2308"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}